Despite its confusing name (*), I found
Services > ISC DHCPv4 > Static ARP > Enable Static ARP entries (*checked*)
quite practical in stricter environments/subnets to prevent unknown clients (no static DHCP mapping entry) from communicating with the firewall in any way incl. reaching out to WAN.
Now with the upcoming migration away from ISC, I am asking: is there an equivalent setting in dnsmasq?
---
(*) It does not only create a static ARP table formed from the DHCP mappings, nor only prevent ARP requests from resolving the firewall's MAC from its IP - it actually completely blocks unknown clients.
The help text says this will also be active if the actual DHCP service is not enabled. I doubt that it is a built-in feature of ISC DHCP, so it should probably be implemented outside of the DHCP servers, independent of whether they are DNSmasq, ISC DHCP or Kea.
However, the separation step could (and should) be done before, and independently of, the ISC DHCP deprecation, if at all. If you want to keep this feature in the future, you should probably file a feature request on GitHub - otherwise it might be forgotten that this exists.
Not necessary to do a feature request. In Interfaces: Neighbors you can do static ARP entries.
Ah, good to know. I never used that feature... so that would be redundant.
I personally let vital network features that are supposed to work automatically do their automatic job. Whenever you mess with these things because you think you know better, it causes pain at some point, aka lots of troubleshooting because you shot yourself in the foot.
That's why I don't use that feature either xD
+1
Thanks for the info. I guess Interfaces > Neighbors is just to maintain the ARP table in the original sense?
"Enable Static ARP entries" actually does a lot more than that, as described above.
In a certain subnet, I'd like to keep this setting's workflow of restricting a client (no WAN) as long as it hasn't been registered as a static DHCP mapping yet.
And I agree with @meyergru that its scope would be better suited outside a specific DHCP service. Is there e.g. an alias referencing "static DHCP client IPs of a subnet" or so, to manually craft a blocking rule - or will this feature be abandoned?
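As an added illustration of the manual workflow asked about above (this is my own script, not code from the thread or from OPNsense), the following builds the alias content for "static DHCP client IPs of a subnet" and audits a neighbor table for the clients that the static-ARP setting would keep out. Both inputs are constructed: the static mappings use an assumed `mac,ip,hostname` export layout, and the neighbor table is written in the style of FreeBSD `arp -an` output; the function names, the VLAN interface names and the addresses are all made up for the example.

```python
import ipaddress
import re

# Constructed sample data, not taken from the original thread or from an OPNsense
# config. The "mac,ip,hostname" layout is an assumed export format for the
# firewall's static DHCP mappings.
STATIC_MAPPINGS = """\
aa:bb:cc:00:00:01,192.168.10.10,printer
AA:BB:CC:00:00:02,192.168.10.11,nas
aa:bb:cc:00:00:03,192.168.20.5,camera
"""

# Constructed neighbor table in the style of FreeBSD `arp -an` output (format assumed).
ARP_DUMP = """\
? (192.168.10.10) at aa:bb:cc:00:00:01 on vlan10 permanent [ethernet]
? (192.168.10.11) at de:ad:be:ef:00:02 on vlan10 expires in 300 seconds [ethernet]
? (192.168.10.42) at de:ad:be:ef:00:01 on vlan10 expires in 900 seconds [ethernet]
? (192.168.20.5) at aa:bb:cc:00:00:03 on vlan20 expires in 1000 seconds [ethernet]
? (192.168.10.77) at (incomplete) on vlan10 expired [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\) at (?P<mac>[0-9A-Fa-f:]+) on (?P<ifname>\S+)")


def parse_static_mappings(text):
    """Return {ip: mac} from the assumed mac,ip,hostname export; MACs normalised to lowercase."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, _hostname = (field.strip() for field in line.split(",", 2))
        mappings[str(ipaddress.ip_address(ip))] = mac.lower()
    return mappings


def parse_arp(text):
    """Return [(ip, mac, ifname)] for resolved entries; '(incomplete)' lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["ifname"]))
    return entries


def alias_members(mappings, subnet):
    """IPs of static mappings inside `subnet`, sorted, ready to paste into a host alias."""
    net = ipaddress.ip_network(subnet)
    members = [ip for ip in mappings if ipaddress.ip_address(ip) in net]
    return sorted(members, key=ipaddress.ip_address)


def classify_neighbors(mappings, arp_entries, subnet):
    """Split ARP neighbors in `subnet` into known (IP and MAC match a static mapping),
    mismatch (a reserved IP seen with a different MAC) and unknown (no mapping at all)."""
    net = ipaddress.ip_network(subnet)
    result = {"known": [], "mismatch": [], "unknown": []}
    for ip, mac, _ifname in arp_entries:
        if ipaddress.ip_address(ip) not in net:
            continue  # other subnets are someone else's rule set
        expected = mappings.get(ip)
        if expected is None:
            result["unknown"].append(ip)
        elif expected == mac:
            result["known"].append(ip)
        else:
            result["mismatch"].append((ip, mac))
    return result


if __name__ == "__main__":
    subnet = "192.168.10.0/24"
    mappings = parse_static_mappings(STATIC_MAPPINGS)
    print("alias content for", subnet + ":", ", ".join(alias_members(mappings, subnet)))
    report = classify_neighbors(mappings, parse_arp(ARP_DUMP), subnet)
    for kind, hosts in report.items():
        print(f"{kind:8s} {hosts}")
```

The alias list is what a rule of the form "block traffic from this subnet unless the source is in the alias" would consume; the "unknown" and "mismatch" buckets are the two cases the old setting handled implicitly, an unregistered client and a client squatting on a reserved address with a different MAC. Whether a rule built this way also stops traffic to the firewall itself depends on the rule set on the interface, so that part needs checking separately.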