Bug #782
Static ARP is not applied at boot time
Status: closed, 100% done
Description
The problem is that if you make changes under DHCP server and apply them, then both the DHCP lease as well as the ARP table stop showing active IPs and DHCP leases. It starts showing all static IPs as online, and under the ARP table you can see all static IPs in the table. I have been seeing this issue since 1.2.3, and to reproduce it do the following:
- The DHCP server needs to be configured to give out IPs
- Usually under the ARP table you only see computers that are online or connected, and not all statically configured IP to MAC addresses, and in the status under DHCP lease you see only all statically configured IP to MAC, but only those hosts show online which are actually online
- Now go to DHCP server and make some minor changes, or simply click save and apply them, and then go to the ARP table and DHCP lease and you'll see what I mean: those tables are not refreshed anymore to show active hosts etc. until a reboot
This is on 31st July NanoBSD on ALIX.
Updated by Jim Pingle over 14 years ago
- Category set to DHCP (IPv4)
I see that if static ARP is disabled, every time DHCP settings are saved it clears out the ARP table, which may explain some of what you are seeing.
It does update though, once hosts start talking through the router again they show up in the ARP table, and thus show as online.
This isn't really a bug per se; it's rather harmless and only cosmetic. But it might be possible to improve this so that the ARP table is only cleared when static ARP is being disabled, and not every time it is run. It might not be worth the effort though.
Updated by Bipin Chandra over 14 years ago
Static ARP is enabled for me, and still, I left it for 24 hours and all the communicating hosts never show as online, or let's say all DHCP lease entries and ARP show all IPs etc. online; it doesn't refresh.
It could just be cosmetic, but at least the DHCP lease and ARP tables are supposed to function back to normal after DHCP settings are saved, rather than rebooting it just to see proper functionality of those 2 tables.
I'm reporting using NanoBSD on ALIX, and having static ARP enabled or disabled, it doesn't refresh both ways and has been happening since 1.2.3.
Updated by Jim Pingle over 14 years ago
If static ARP is enabled, then only the hosts with static entries can talk to the router. Are you sure you need static ARP enabled?
It might be that static ARP isn't properly applied on reboot, and you aren't using it as intended.
Updated by Bipin Chandra over 14 years ago
Yes, I want only static entries to talk to the firewall, although the clients still get a DHCP lease from the DHCP server, but they are not able to surf the internet etc.
Regarding being applied or not, no idea, but one thing I know: the MAC IDs not listed get an IP from DHCP but are never able to do anything else.
Updated by Jim Pingle over 14 years ago
With static ARP enabled, if the MAC is not listed, they shouldn't be able to even get an IP from DHCP. And they will not be able to route out to the internet if they aren't listed either. To let people get an IP from DHCP, you can put in an entry with their MAC address and leave the IP field blank.
If a MAC that isn't listed can ever get out to the Internet with static ARP enabled, that is the real bug.
Updated by Bipin Chandra over 14 years ago
So the 2 I see in this are as follows:
- Even with static ARP enabled and the client MAC not listed, new clients with an unlisted MAC also get a DHCP lease
- After applying any DHCP server settings, the DHCP lease page and ARP entry page don't refresh at all.
I have all the client MAC IDs with IPs listed under DHCP server so they get the same IP every time, and only those MACs are allowed.
Updated by Bipin Chandra over 14 years ago
The reason why I see clients get an IP lease is maybe because Deny unknown clients is unticked.
Updated by Jim Pingle over 14 years ago
So point 1 is the real bug, and point 2 is irrelevant: those won't update with static ARP enabled; since the ARP entries are always there, they will always show online.
As for Deny unknown clients, that really shouldn't matter if static ARP is on. I'll run some tests and see what I can reproduce.
Updated by Bipin Chandra over 14 years ago
The reason why I'm saying point 2 is also a cosmetic bug or so is because, static ARP enabled or not, once rebooted, the ARP table and DHCP lease table show clients online and offline as they come and go, so then why after a DHCP server change does it stop updating the table as usual till a reboot?
Updated by Jim Pingle over 14 years ago
With static arp they should always show online, never offline, because they will always be in the ARP table. So if the actual bug gets fixed, point 2 is moot.
Updated by Jim Pingle over 14 years ago
- Subject changed from dhcp lease and arp table status bug to Static ARP is not applied at boot time
Confirmed that static arp is off at boot time. If you check static arp, then save, the interface shows static arp is applied. If you reboot, static arp is not configured on the interface.
Updated by Jim Pingle over 14 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 09f11c7196f0627bd54b174cfd7cf701797ad256.
Updated by Bipin Chandra over 14 years ago
After the patch, things have gone much worse: as soon as I go to DHCP server and tick static ARP and click save, everyone gets locked out; no one can ping nor communicate with the firewall in spite of all client MACs and IPs being listed in the static table, and even on reboot everyone is still locked out till I boot into an older snap and untick that setting and reboot to the snap with the applied patch.
What I wanted to know is: do the firewall IP and MAC also need to be in the static table?
Updated by Jim Pingle over 14 years ago
There shouldn't be any difference when saving from the GUI, but I'll look into it.
The firewall's MAC doesn't need to be listed.
Updated by Bipin Chandra over 14 years ago
It's not the GUI but it's the patch itself: if static ARP is enabled, everyone is locked out, no one can communicate with the firewall.
Updated by Jim Pingle over 14 years ago
Yes, but it was always enabled in the GUI - only now it's enabled in the GUI and at boot time. Previously, it was only enabled when saved from the GUI.
What I was saying was that it shouldn't be any different in the GUI now than before, logically. I need to run some tests to find out what might have changed as a result of the difference in the code.
Updated by Jim Pingle over 14 years ago
- Status changed from Feedback to Resolved
It works fine, as intended, though I was incorrect on one point: You must specify IP addresses for clients listed in the DHCP static maps when using static ARP. You can't have entries with only a MAC address listed, or they will not be able to communicate with the firewall.
The static ARP entries require both a MAC address and an IP address or they won't be added by the OS when configuring static ARP.
There is input validation when adding a DHCP static map while static ARP is active which enforces this, and I just added input validation that will prevent you from enabling static arp if you have map entries without IP addresses, since this is not a valid configuration.
This should all work properly now - it was broken before, just not in the way you thought. You either need to disable static ARP, or define IP addresses for all of your static map entries.
Updated by Bipin Chandra over 14 years ago
All my entries have been with IP and MAC, and for me, if I then enable static ARP, everyone is locked out, so for me it's become totally useless enabling it now, or else no one can communicate with the firewall, can't even load the web GUI, not to mention the firewall becomes unpingable even.
Updated by Jim Pingle over 14 years ago
Then wait for the next update and try again to disable/enable the service. It works fine for me now in my VM setup. If I enable static ARP and the client doesn't have an entry, it gets nothing. If it has a static map entry with MAC and IP address, it works fine.
Updated by Bipin Chandra over 14 years ago
Did you try rebooting with the static ARP enabled and your client machine's IP and MAC already in the list, and that too on the NanoBSD?
Updated by Jim Pingle over 14 years ago
Yes, it works on reboot, and even on NanoBSD.
Updated by Bipin Chandra over 14 years ago
- File capture.pcap added
I tried the 5th August NanoBSD and this doesn't work: as soon as I enable it, everyone gets locked out, but the LAN clients get a DHCP lease, and the LAN client MAC ID and IP are listed in the static ARP entries, but still they can't surf or even open the pfSense web GUI. Wireshark log attached.
Updated by Jim Pingle over 14 years ago
What would help more is:
- The output of "arp -a" before you enable
- The output of "arp -a" after you enable
- The MAC address of the workstations you are testing with
- A copy of your config.xml
Updated by Bipin Chandra over 14 years ago
- File config-firewall.pfsense-20100805161735.xml added
arp -a before enabling static arp
? (192.168.0.11) at 00:1b:11:0b:ef:9b on vr0 expires in 1134 seconds [ethernet]
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
? (192.168.0.23) at 00:1b:77:8f:ae:e1 on vr0 expires in 1134 seconds [ethernet]
arp -a after enabling static arp
firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]
MAC id of my client machine
00:1b:11:0b:ef:9b
NOTE: KINDLY DELETE THE FILES ONCE YOU HAVE SEEN THEM, INCLUDING THE CAPTURE IN THE EARLIER POST
Updated by Jim Pingle over 14 years ago
- File deleted (config-firewall.pfsense-20100805161735.xml)
Updated by Jim Pingle over 14 years ago
So for some reason your MAC/IP pairs are not being added to the ARP table when you enable static ARP. Although you still have entries without hostnames in that config, and the current GUI will not let you enable static ARP in that case. (Or not, my brain didn't process that properly, it's IPs that you need -- ignore that)
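An added example (not part of the ticket or of the pfSense code base): a Python check for the two conditions discussed in this thread, that every DHCP static map carries both a MAC and an IP address, and that each map appears as a `permanent` entry in `arp -a` once static ARP is enabled. The `arp -a` text is the "after enabling" output quoted above; the static map list is constructed, since the reporter's config.xml is not on the page, and the function names are hypothetical.

```python
import re

# One FreeBSD `arp -a` line, e.g.
# ? (192.168.0.11) at 00:1b:11:0b:ef:9b on vr0 expires in 1134 seconds [ethernet]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on \S+ (?P<state>permanent|expires)",
    re.IGNORECASE)

def parse_arp(output):
    """Return {ip: (mac, is_permanent)} parsed from `arp -a` text."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["state"].lower() == "permanent")
    return table

def audit_static_arp(static_maps, arp_output):
    """Sort each (mac, ip) static map into invalid / missing / mismatch / ok."""
    table = parse_arp(arp_output)
    report = {"invalid": [], "missing": [], "mismatch": [], "ok": []}
    for mac, ip in static_maps:
        mac = mac.lower()
        if not mac or not ip:
            status = "invalid"    # MAC-only map: cannot become a static ARP entry
        elif ip not in table or not table[ip][1]:
            status = "missing"    # no permanent entry: host cannot reach the firewall
        elif table[ip][0] != mac:
            status = "mismatch"   # permanent entry pinned to a different MAC
        else:
            status = "ok"
        report[status].append((mac, ip))
    return report

# "After enabling static arp" output as quoted in the ticket.
ARP_AFTER = "firewall.pfsense (192.168.0.1) at 00:0d:b9:13:47:84 on vr0 permanent [ethernet]\n"

# Constructed static maps; MAC/IP pairs taken from the "before" output,
# plus one made-up MAC-only entry to show the invalid case.
STATIC_MAPS = [
    ("00:1b:11:0b:ef:9b", "192.168.0.11"),
    ("00:1b:77:8f:ae:e1", "192.168.0.23"),
    ("02:00:00:00:00:01", ""),
]

if __name__ == "__main__":
    for status, entries in audit_static_arp(STATIC_MAPS, ARP_AFTER).items():
        for mac, ip in entries:
            print(f"{status:8} {mac} {ip or '(no IP)'}")
```

Run against the quoted output, both client maps land in `missing`, which matches the lockout the reporter describes.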
Updated by Jim Pingle over 14 years ago
- Status changed from Resolved to Feedback
I found another potential issue that could clobber the static ARP entries. Wait for the snapshot after next (it's in the middle of one now) or apply the patch in the commit and see if it helps.
Updated by Bipin Chandra over 14 years ago
I applied the patch and tried it and it works fine now, but the core issue still remains, that is, client MACs not listed in the table still get a DHCP lease but are not able to communicate further with the firewall. Like you said, they are not supposed to even get a DHCP lease, but they do still get it.
Updated by Jim Pingle over 14 years ago
If you check "deny unknown clients" it would prevent that. It's likely a byproduct of DHCP being broadcast, and not directed at the router.
Hosts receiving DHCP leases are not added to the ARP table when making a DHCP request, so it's not really a bug in the sense of the settings not being applied properly any longer.
Updated by Bipin Chandra over 14 years ago
OK, then the rest works fine except the PPPoE after 30th August, which is preventing me from upgrading to the latest.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to Resolved