MAC Address Control

Started by tyrell, January 28, 2025, 10:58:21 AM

Cheers,

I'm trying to set up MAC Address Control for a specific IP pool.
But it always gives me the following error when trying to save:

"If you specify a mac allow list, it must contain only valid partial MAC addresses."

This is my partial MAC address: "64-62-66". Every device starting with this should get an IP from that pool.
Am I doing something wrong or is this a bug?


Hint: clicking the little "i" button to the left of any setting should show some help text - in this case:

"Enter a list of partial MAC addresses to allow, comma-separated, no spaces, such as 00:00:00,01:E5:FF"

So use colon (:) as the separator...

Damn, you are right.
That was the problem.
But it still doesn't work.
The devices still get an IP from the regular pool, not from the additional pool.
Even after a DHCP server restart, deleting the DHCP lease and restarting the device.
I also tried to deny the partial MAC from the regular pool and have it allowed in the additional pool.
But nope.
Any ideas?

January 28, 2025, 05:02:29 PM #3 Last Edit: January 28, 2025, 05:12:05 PM by dseven
I've never tried to do that, but I would guess that you need to apply some criteria to the other pool also - otherwise it will be available to all clients. You could explicitly block your "64:62:66" range?

Edit: I just re-read, and see that you already tried that .. hmmm.

I just ran a little test on my spare instance:
* Connected a new machine (PC2) that got IP in the existing pool
* Added the partial MAC address of PC1 to the existing pool
* Checked "deny unknown client" on the existing pool
* Renewed lease on PC2 -> failure (with a weird error message)
* Created a fallback pool on the LAN interface
* Renewed lease on PC2 -> success, obviously in the fallback pool

HTH

Thanks for testing.
But I don't wanna deny all unknown devices.
I just want a fixed pool of IPs for a certain MAC address range.

Isn't it what the above setup just achieved?
Specify the MAC address range, mark the pool as denied for unknown clients (clients in the address range are known).
Create another pool as fallback for clients that don't match the range.

I suspect you can create a chain of pools this way...

Maybe I just don't get it:
"(clients in the address range are known)"
In the main pool any MAC address should be allowed.
That's important for new devices.
But if I have "deny unknown clients", they won't get an IP, right?

Is there really a "main" pool?
All I see is a sequence of pools with criteria for belonging to a pool.
As long as there's a pool to default to when the previous ones didn't work out, it seems to functionally work.

With that logic, the "main" pool could be the one that doesn't have allow or deny criteria set.

I didn't look for a way to re-order the pools. Maybe the creation order is the only one that counts.
I took a look at the ISC DHCP 4.4 man pages and I didn't see anything on this subject.

Looking at the config generated for my use case, I see a class defined with the matching rule on partial MAC address.
Then the first pool has:
* allow members of that class
* deny unknown-clients
* range
The 2nd pool only has a range.

I suspect the 2nd line on MAC address control would also define a class and generate a deny on members of that class.

In any case, given the config file, my outcome makes sense.
My 2nd PC did not meet the criteria for the first pool, so the 2nd pool was evaluated. In absence of criteria, it matched. Done.
Allow unknown clients is default.

"deny unknown clients" is a convenient shortcut.
Based on the man pages, known clients are declared with host statements, and I don't have any, so all clients are unknown.
But the allow rule is first (first match apparently wins), hence the match.

If you can't get your pool declarations to work with the above, I suggest you attach the dhcpd.conf to your reply.
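
For comparison when reading a generated dhcpd.conf, this is the layout the original poster describes (one pool reserved for a MAC prefix, the regular pool open to everything else) written directly in ISC DHCP 4.4 syntax. It is an added example, not part of the thread and not OPNsense's generated output; the class name, subnet and ranges are constructed sample values.

```conf
# Constructed dhcpd.conf fragment (ISC DHCP 4.4 syntax).
# Class name, subnet and address ranges are sample values, not from the thread.

# "hardware" starts with a one-byte hardware type, so the first three
# bytes of the MAC address are at offset 1, length 3.
class "oui-64-62-66" {
  match if substring (hardware, 1, 3) = 64:62:66;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;

  # Additional pool: only members of the class are eligible.
  pool {
    allow members of "oui-64-62-66";
    range 192.0.2.200 192.0.2.220;
  }

  # Regular pool: every client except members of the class,
  # so new devices with any other MAC prefix still get a lease.
  pool {
    deny members of "oui-64-62-66";
    range 192.0.2.50 192.0.2.150;
  }
}

# The MAC address is supplied by the client, so this steers addressing;
# it does not authenticate the device.
```

A file like this can be syntax-checked with `dhcpd -t -cf <file>` before it is loaded.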