Hi Scott/List, I was actually the person who asked for this feature. I have been testing it lately because I am about to use it in a test lab (finally).
What I have found is that ONLY the MAC addresses listed can communicate to the router. So if I have a PC that acquired an IP address from the DHCP server that is not a static IP reservation, it cannot communicate to the router. (The PC in question acquired the IP address BEFORE I turned on the static arp feature). The 'arp -da' after turning off the static arp feature does not fix the problem, only rebooting does. I am wondering if it is an 'ipfw' rule that does not get removed. I think it would be good to make this feature a bit more flexible. My thoughts are as follows Option 1. Only static DHCP entries can communicate to the router (the behavior presently shown). Option 2. Static ARP entries only for DHCP reservations while allowing other IP addresses (say those assigned from DHCP pool) to be useable. Some people might find Option 1 useful in a very controlled environment. Option 2 would be useful in a situation like this. My IT department controls a wireless lab where we trust and configure the laptops. We would assign static DHCP reservations to these laptops and setup WPA2 between the laptops and AP. In the firewall, we could give elevated privileges to these laptops, which say live in the 192.168.100.64/26 range with appropriate firewall rules applied to that network. The DHCP server would give out addresses in the 192.168.100.128/26 which would have a more restrictive firewall set applied to that network). The static arp mappings help assure that other people won't steal an IP address that has elevated privileges (192.168.100.64/26. Yes I am aware you can fake a MAC address). So I am proposing option 1 or 2 can be selected, each with different behavior. I am not sure how you implemented option 1, but option 2 would appear to only be a matter of using the 'arp' command to make static arp mappings or to delete them. What do you think? I am willing to help code option 2. > -----Original Message----- > From: Scott Ullrich [mailto:[EMAIL PROTECTED] > Sent: Tuesday, February 21, 2006 11:54 AM > To: Wesley K. Joyce > Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP entries > > http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-20-06/ > should have it. > > That file was the only one that needs updating after the change. > > On 2/21/06, Wesley K. Joyce <[EMAIL PROTECTED]> wrote: > > > > > > I would like to do some further testing of this feature. Other than the > > services_dhcp.php, what other files should I review to see exactly what > is > > going on? > > > > ________________________________ > > From: Scott Ullrich [mailto:[EMAIL PROTECTED] > > Sent: Mon 2/20/2006 9:45 PM > > > > To: [email protected] > > Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP entries > > > > > > > > > > Stored in ipfw. > > > > Do a "ipfw show". > > > > Scott > > > > > > On 2/20/06, Wesley K. Joyce <[EMAIL PROTECTED]> wrote: > > > > > > > > > Glad to help. Out of curiosity, where does the pfsense/CP keep the > MAC > > > address state information? > > > > > > ________________________________ > > > From: Scott Ullrich [mailto:[EMAIL PROTECTED] > > > Sent: Mon 2/20/2006 5:02 PM > > > To: [email protected] > > > Subject: Re: [pfSense Support] DHCP Server - Enable Static ARP entries > > > > > > > > > > > > > > > On 2/20/06, Wesley K. Joyce <[EMAIL PROTECTED]> wrote: > > > > I was testing the static ARP feature in the DHCP. I see it created > the > > > > static arp entries, which I confirmed by executing a 'arp -an' from > the > > > > exec.php. When I turn off static arp entries, the permanent arp > entries > > > > don't go away. > > > > > > > > My immediate thought was all that needs to happen is an 'arp -da', > but I > > > > suspect that my interfere with whatever is going on with the Captive > > > Portal? > > > > > > > > On the other hand, arp entries could easily time out from the arp > cache > > > way > > > > before the idle or hard limit is reached in the CP. Obviously the > arp > > > table > > > > would be rebuilt as frames are sent So this seems to disprove my > > > previous > > > > statement. > > > > > > > > So pfsense gods, what is required to get the disabling of static arp > > > entries > > > > to work without breaking anything else? > > > > > > arp -da will work okay. I'll commit the fix, thanks for bringing it > > > to my attention. > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
