RE: [pfSense Support] DHCP Server - Enable Static ARP entries

[Wesley K. Joyce]

Hi Scott/List, I was actually the person who asked for this feature.  I
have been testing it lately because I am about to use it in a test lab
(finally).

What I have found is that ONLY the MAC addresses listed can communicate
to the router.  So if I have a PC that acquired an IP address from the
DHCP server that is not a static IP reservation, it cannot communicate
to the router.  (The PC in question acquired the IP address BEFORE I
turned on the static arp feature).  The 'arp -da' after turning off the
static arp feature does not fix the problem, only rebooting does.  I am
wondering if it is an 'ipfw' rule that does not get removed.  

I think it would be good to make this feature a bit more flexible.  My
thoughts are as follows

Option 1.  Only static DHCP entries can communicate to the router (the
behavior presently shown).
Option 2.  Static ARP entries only for DHCP reservations while allowing
other IP addresses (say those assigned from DHCP pool) to be useable.  

Some people might find Option 1 useful in a very controlled environment.
Option 2 would be useful in a situation like this.  My IT department
controls a wireless lab where we trust and configure the laptops.  We
would assign static DHCP reservations to these laptops and setup WPA2
between the laptops and AP.  In the firewall, we could give elevated
privileges to these laptops, which say live in the 192.168.100.64/26
range with appropriate firewall rules applied to that network.  The DHCP
server would give out addresses in the 192.168.100.128/26 which would
have a more restrictive firewall set applied to that network).  The
static arp mappings help assure that other people won't steal an IP
address that has elevated privileges (192.168.100.64/26. Yes I am aware
you can fake a MAC address).  

So I am proposing option 1 or 2 can be selected, each with different
behavior.  

I am not sure how you implemented option 1, but option 2 would appear to
only be a matter of using the 'arp' command to make static arp mappings
or to delete them.

What do you think?  I am willing to help code option 2.

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 21, 2006 11:54 AM
 To: Wesley K. Joyce
 Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP entries
 
 http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-20-06/
 should have it.
 
 That file was the only one that needs updating after the change.
 
 On 2/21/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:
 
 
  I would like to do some further testing of this feature.  Other than
the
  services_dhcp.php, what other files should I review to see exactly
what
 is
  going on?
 
   
   From: Scott Ullrich [mailto:[EMAIL PROTECTED]
  Sent: Mon 2/20/2006 9:45 PM
 
  To: support@pfsense.com
  Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP
entries
 
 
 
 
  Stored in ipfw.
 
  Do a ipfw show.
 
  Scott
 
 
  On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:
  
  
   Glad to help.  Out of curiosity, where does the pfsense/CP keep
the
 MAC
   address state information?
  

From: Scott Ullrich [mailto:[EMAIL PROTECTED]
   Sent: Mon 2/20/2006 5:02 PM
   To: support@pfsense.com
   Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP
entries
  
  
  
  
   On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:
I was testing the static ARP feature in the DHCP.  I see it
created
 the
static arp entries, which I confirmed by executing a 'arp -an'
from
 the
exec.php.  When I turn off static arp entries, the permanent arp
 entries
don't go away.
   
My immediate thought was all that needs to happen is an 'arp
-da',
 but I
suspect that my interfere with whatever is going on with the
Captive
   Portal?
   
On the other hand, arp entries could easily time out from the
arp
 cache
   way
before the idle or hard limit is reached in the CP.  Obviously
the
 arp
   table
would be rebuilt as frames are sent  So this seems to disprove
my
   previous
statement.
   
So pfsense gods, what is required to get the disabling of static
arp
   entries
to work without breaking anything else?
  
   arp -da will work okay.   I'll commit the fix, thanks for bringing
it
   to my attention.
  
  
 
-
   To unsubscribe, e-mail: [EMAIL PROTECTED]
   For additional commands, e-mail: [EMAIL PROTECTED]
  
  
  
  
 
 
-
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] DHCP Server - Enable Static ARP entries

[Scott Ullrich]

On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:
 I was testing the static ARP feature in the DHCP.  I see it created the
 static arp entries, which I confirmed by executing a 'arp –an' from the
 exec.php.  When I turn off static arp entries, the permanent arp entries
 don't go away.

 My immediate thought was all that needs to happen is an 'arp –da', but I
 suspect that my interfere with whatever is going on with the Captive Portal?

 On the other hand, arp entries could easily time out from the arp cache way
 before the idle or hard limit is reached in the CP.  Obviously the arp table
 would be rebuilt as frames are sent.  So this seems to disprove my previous
 statement.

 So pfsense gods, what is required to get the disabling of static arp entries
 to work without breaking anything else?

arp -da will work okay.   I'll commit the fix, thanks for bringing it
to my attention.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: [pfSense Support] DHCP Server - Enable Static ARP entries

[Wesley K. Joyce]

Title: Re: [pfSense Support] DHCP Server - Enable Static ARP entries






Glad to help. Out of 
curiosity, where does the pfsense/CP keep the MAC address state 
information?


From: Scott Ullrich 
[mailto:[EMAIL PROTECTED]Sent: Mon 2/20/2006 5:02 PMTo: 
support@pfsense.comSubject: Re: [pfSense Support] DHCP Server - 
Enable Static ARP entries

On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] 
wrote: I was testing the static ARP feature in the DHCP. I see it 
created the static arp entries, which I confirmed by executing a 'arp 
an' from the exec.php. When I turn off static arp entries, the 
permanent arp entries don't go away. My immediate 
thought was all that needs to happen is an 'arp da', but I suspect that 
my interfere with whatever is going on with the Captive Portal? 
On the other hand, arp entries could easily time out from the arp cache 
way before the idle or hard limit is reached in the CP. Obviously 
the arp table would be rebuilt as frames are sent. So this seems 
to disprove my previous statement. So pfsense gods, what 
is required to get the disabling of static arp entries to work without 
breaking anything else?arp -da will work okay. I'll commit 
the fix, thanks for bringing itto my 
attention.-To 
unsubscribe, e-mail: [EMAIL PROTECTED]For additional commands, 
e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] DHCP Server - Enable Static ARP entries

[Scott Ullrich]

Stored in ipfw.

Do a ipfw show.

Scott


On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:


 Glad to help.  Out of curiosity, where does the pfsense/CP keep the MAC
 address state information?

  
  From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Mon 2/20/2006 5:02 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP entries




 On 2/20/06, Wesley K. Joyce [EMAIL PROTECTED] wrote:
  I was testing the static ARP feature in the DHCP.  I see it created the
  static arp entries, which I confirmed by executing a 'arp –an' from the
  exec.php.  When I turn off static arp entries, the permanent arp entries
  don't go away.
 
  My immediate thought was all that needs to happen is an 'arp –da', but I
  suspect that my interfere with whatever is going on with the Captive
 Portal?
 
  On the other hand, arp entries could easily time out from the arp cache
 way
  before the idle or hard limit is reached in the CP.  Obviously the arp
 table
  would be rebuilt as frames are sent.  So this seems to disprove my
 previous
  statement.
 
  So pfsense gods, what is required to get the disabling of static arp
 entries
  to work without breaking anything else?

 arp -da will work okay.   I'll commit the fix, thanks for bringing it
 to my attention.

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]