Topic: Clients getting IP address from wrong subnet (Read 937 times)
cfranz (Newbie; Posts: 1; Karma: 0)
« on: May 04, 2022, 05:50:05 pm »
After searching I've found a number of people having this problem but they all seem to involve VLANs and/or L3 switching. I have one OPNsense box with four /16 subnets, e.g. 172.16.1.x, .17.1.x, .18.1.x, and .19.1.x. Each subnet resides on its own network port and all go to the same switch, a Cisco 3750 that isn't doing anything esoteric, no L3 or trunking. Each subnet has DHCPv4 running with IP reservations and all but one (e.g. 172.16.1.x which is my "main LAN" subnet) are set to deny any clients not already configured with one; it's basically easier than maintaining a separate IPAM database that isn't compatible and must be updated separately, but allows the one subnet to hand out an IP if a guest device needs one (the available range is arbitrarily limited to 2).
My issue is that I will sometimes have devices with an IP reservation and static ARP on subnet 1 that are somehow getting an IP from subnet 2 instead despite the fact that subnet 2 is set to only acknowledge clients already assigned an IP. Firewall rules on the first subnet are typical for a LAN with allow default-lan-to-any and access from subnet 2 to DNS for domain resolution. For some reason I can prevent it by setting subnet 1 to deny unknown clients as well but then I have no actual DHCP on my LAN, and in any event that's not where the incorrect IP is coming from so that shouldn't even make a difference. I could shut the DHCP server down on subnet 2 if I have to but that's a workaround, not a solution. Subnet 2 is my IP camera network and so I want to know when it's doing something it shouldn't.
Doesn't "Deny unknown clients" mean just that?
EDIT: changed IP example
« Last Edit: May 04, 2022, 05:57:35 pm by cfranz »
Patrick M. Hausen (Hero Member; Posts: 6830; Karma: 574)
« Reply #1 on: May 04, 2022, 07:41:49 pm »
Do you use the "native", i.e. untagged VLAN on the port connected to your switch? Don't. Run all VLANs tagged and your problems will likely go away. Set the "native vlan" for that port on the Cisco to an unused one, e.g. 1001.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
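Added example, not part of either post and not OPNsense code: a small check for the symptom described in the thread, flagging any reserved client that is acknowledged with an address outside the subnet its reservation belongs to. It assumes dhcpd-style `DHCPACK on <ip> to <mac> via <iface>` log lines; the interface names, MAC addresses, reservations and log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed log format: "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>"
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<iface>\S+)", re.IGNORECASE)

# Hypothetical interface -> subnet map (two of the thread's /16 networks)
IFACE_NET = {
    "igb1": ipaddress.ip_network("172.16.0.0/16"),  # main LAN
    "igb2": ipaddress.ip_network("172.17.0.0/16"),  # camera network
}
# Hypothetical reservations: MAC -> reserved address
RESERVED = {
    "00:11:22:33:44:55": ipaddress.ip_address("172.16.1.50"),
    "00:11:22:33:44:66": ipaddress.ip_address("172.17.1.10"),
}

# Constructed sample log lines
SAMPLE_LOG = """\
May  4 17:40:01 fw dhcpd[1234]: DHCPACK on 172.16.1.50 to 00:11:22:33:44:55 (nas) via igb1
May  4 17:41:12 fw dhcpd[1234]: DHCPACK on 172.17.1.201 to 00:11:22:33:44:55 (nas) via igb2
May  4 17:42:30 fw dhcpd[1234]: DHCPACK on 172.17.1.10 to 00:11:22:33:44:66 (cam1) via igb2
May  4 17:43:02 fw dhcpd[1234]: DHCPACK on 172.16.1.200 to 00:aa:bb:cc:dd:ee via igb1
"""

def find_wrong_subnet_leases(log_text, reserved=RESERVED, iface_net=IFACE_NET):
    """Return ACKs that gave a reserved client an address outside its home subnet."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac not in reserved:
            continue  # guest/unknown client: no reservation to compare against
        leased = ipaddress.ip_address(m["ip"])
        # Home subnet = the configured network that contains the reservation
        home = next((n for n in iface_net.values() if reserved[mac] in n), None)
        if home is None or leased not in home:
            findings.append({"mac": mac, "leased": str(leased),
                             "reserved": str(reserved[mac]), "iface": m["iface"]})
    return findings

if __name__ == "__main__":
    for f in find_wrong_subnet_leases(SAMPLE_LOG):
        print("wrong-subnet lease:", f)
```

A hit whose `iface` differs from the interface of the client's home subnet also shows that the client's broadcasts are reaching more than one firewall port, which is the condition the reply's tagging advice addresses.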