Trouble understanding ISC DHCP Static Mappings

[bogardon]

Hi,

My goal is to enable "Deny unknown clients" by adding all known clients to my DHCP Static Mapping list.

When creating a static mapping the help text for "IP address" says:

> If an IPv4 address is entered, the address must be within the interface subnet.
> If no IPv4 address is given, one will be dynamically allocated from the pool.

I took this to mean that if no ip address is given, one will be assigned by DHCP per usual, except now that it will always be the same. However, after adding this static lease with no ip, the leases table is still showing both a dynamic (with ip) and static lease (without ip). I tried deleting the dynamic lease and rebooting that machine, but the dynamic lease always comes back and the static lease remains without an ip. Why is this?

I then tried configuring the static lease with the client's current ip from the dynamic lease. This causes errors in the DHCP log since it sees the same ip for two different leases. I guess this is expected?

Finally, I tried configuring the static lease with an ip OUTSIDE of the dhcp range. This seems to work, but now I have to be careful not to assign the same IP as another device that has a truly statically defined ip, i.e. configured on its NIC. Is this the intended use case?

[Patrick M. Hausen]

For a static mapping

- you must enter an IP address
- that IP address must be part of the same subnet but outside the dynamic pool range

Finally, I tried configuring the static lease with an ip OUTSIDE of the dhcp range. This seems to work, but now I have to be careful not to assign the same IP as another device that has a truly statically defined ip, i.e. configured on its NIC. Is this the intended use case?

Yes it is. It's the administrator's responsibility to keep track of the statically configured IP addresses in their network.

[bogardon]

Thank you Patrick. I believe you responded to several other posts about this same issue, so thank you for helping again :)

For a static mapping

- you must enter an IP address
- that IP address must be part of the same subnet but outside the dynamic pool range

Why does the help text mention the option of leaving the ip blank? Is there a reason to do this?

[meyergru]

In case you leave the IP empty, the client will get an IP from the pool. You would use that if you want to "Deny unknown clients".

[bogardon]

In case you leave the IP empty, the client will get an IP from the pool. You would use that if you want to "Deny unknown clients".

Does that mean the assigned IP is not actually static at all? Or will it always get the same IP? I think what confuses me is seeing TWO leases for the same client, one static and one dynamic. Is that not confusing to anyone?

[meyergru]

That is only a residue of the fact that you had no static reservation initially, such that the dynamic reservation is still in place. It fades out only after the lease time has expired. Alas, the GUI does not clean up the dynamic lease when you make it static. There are other artifacts, namely that the static reservation name will only be take into Unbound DNS after it has been restarted manually.

Hopefully, this will all get better once the new DNSmasq has been introduced, which supposedly handles DHCP and DNS better.

For the time being, the only remedy to corrrect such problems, that I know of involves a lot of manual edits of several files and restarts of daemons.

And yes, theoretically, it does man that the reservation is not static - unless you count in that once you get a lease, it will be prolonged after half the lease time has expired, such that it usually stays the same when the client is always on (or if the lease time is long enough).

[bogardon]

I had tried to resolve the duplicate static/dynamic lease entries by deleting the dynamic lease entry and restarting the WiFi on that client. I thought that this would populate the static lease entry with an IP, but what it actually did was just bring back the dynamic lease entry. I have to double check this, but that's what I remember happening.

I don't actually care about specifying an IP. I just want to know which mac addresses are connected and to specify a hostname in case that client doesn't provide one. Oh, and also to deny unknown clients.

[franco]

First things first: static mappings are static, but if you want to provide a static IP address that is optional. However, the value of specifying a host name without an IP makes the static lease unusable from a DNS standpoint on the firewall. In this case only a dynamic lease can be registered as DNS. If the client accepts the hostname is also questionable.

AS an administrator you keep a list of all statically assigned devices and optionally handle a dynamic pool of dynamic devices. You can also use DHCP to assist with static assignments, but the approach doesn't change, e.g. 192.168.0.1-192.168.0.99 static "pool", 192.168.0.100-192.168.0.199 dynamic pool,192.168.0.200 - 192.168.0.254 strategic reserve ;)

Nowadays you can also use Neighbor configuration for static ARP setups so you are not directly tied to the static mappings especially without IP addresses set (and it has an API), but I see that we need to move the static ARP setting to the interface configuration eventually.


Cheers,
Franco

[bogardon]

First things first: static mappings are static, but if you want to provide a static IP address that is optional. However, the value of specifying a host name without an IP makes the static lease unusable from a DNS standpoint on the firewall. In this case only a dynamic lease can be registered as DNS. If the client accepts the hostname is also questionable.

In what way is it unusable? I created static leases without ip for all my clients, enabled dns registrations for both static and dynamic leases in unbound, and I'm able to resolve my custom hostnames (even if different from what the client reported) without issues. What does it mean for the client to "accept" the hostname?

I'm more concerned with the aesthetic issue of duplicate entries in the leases table: one dynamic with the ip and one static without the ip. Why can't these entries be merged?

To re-emphasize, it doesn't matter to me which clients get which IPs - what matters is that I can give them a hostname (in case they don't provide one) and a  description of what that device is.

AS an administrator you keep a list of all statically assigned devices and optionally handle a dynamic pool of dynamic devices. You can also use DHCP to assist with static assignments, but the approach doesn't change, e.g. 192.168.0.1-192.168.0.99 static "pool", 192.168.0.100-192.168.0.199 dynamic pool,192.168.0.200 - 192.168.0.254 strategic reserve ;)

I like this organization :)

[franco]

> enabled dns registrations for [...] dynamic leases in unbound

Yes, that is what I said.

> I'm more concerned with the aesthetic issue of duplicate entries in the leases table: one dynamic with the ip and one static without the ip. Why can't these entries be merged?

I don't think they cannot be merged? ;)

> what matters is that I can give them a hostname (in case they don't provide one) and a  description of what that device is.

I think this was already achieved here. If we just talk optics of merging the entries with the same MAC address I'd say why not raise a feature request.


Cheers,
Franco

[bogardon]

I filed https://github.com/opnsense/core/issues/8586 and referenced the old issue and also this discussion. Thanks!

[bogardon]

I just found out that opnsense will default to dnsmasq for dhcp sometime later this year. I'm hoping it has a more sensible semantics for static dhcp reservations and maybe even fix the dns registration flakiness that i experience from time to time.