DHCP Server - pfSense Hangout September 2016
1 like•3,075 views
The document provides an overview of DHCP server configuration and usage on pfSense. It discusses what DHCP is, when to use a DHCP server on pfSense, how to configure DHCP pools and address assignment behavior, static mappings, and viewing DHCP leases. The document also covers additional options for DHCP like DNS, NTP, TFTP, and network booting configuration, as well as a pool usage graph for monitoring DHCP usage.
DHCP Server - pfSense Hangout September 2016
- 1. DHCP Server September 2016 Hangout Jim Pingle
- 2. About this Hangout ● Project News ● Focusing on IPv4 only this time ● What is DHCP? ● Should you use DHCP Server on pfSense? ● What is a DHCP Pool? ● Default DHCP Server Behavior on pfSense ● Address Assignment Behavior ● DHCP Server Configuration ● Working with Multiple Address Pools ● Static Mappings ● Viewing Leases ● Pool Usage Graph
- 3. Project News ● 2.3.2_1 Security/Errata release – OpenSSL patches for recent issues – Package updates for PHP, libxml, others – Fixes for misc other bugs ● 2.4 ALPHA snapshots available – Based on FreeBSD 11 – Still several missing features / actively under development ● 2.3.3 snapshots also available ● uFW is now called SG-1000, can be preordered from our store ● Check out the PC Gamer article that talks about pfSense: – http://www.pcgamer.com/what-its-like-to-have-the-fastest-internet-speeds-in-the -country/ ● 24x7 Enterprise-level support is coming soon!
- 4. What is DHCP? ● Dynamic Host Configuration Protocol ● Assigns addresses to clients automatically – Client sends a UDP broadcast message from 0.0.0.0:68 to 255.255.255.255:67 – Server responds with an address offer, etc. ● Much easier than setting IP addresses manually ● Common default on many firewall and gateway devices, and on some ISP deployments such as Cable networks ● The server can maintain control of addresses via mechanisms such as static mappings and pool access controls ● To act as a DHCP server, an interface on pfSense must be configured with a static IP address in the subnet containing the addresses to serve – Must be directly connected at layer 2 to the subnet
- 5. Use DHCP on pfSense? ● Standard deployments – Yes – Normal clients, normal types of pools/ranges, options, and so on ● Even very large deployments are OK so long as the hardware is capable and the required options are possible in the GUI ● Does the local network employ Active Directory? – You can use pfSense for DHCP, but it is not ideal. – Use DHCP and DNS on AD for better integration & service discovery ● Serving DHCP for not-directly-connected networks? – No. pfSense cannot serve DHCP for remote networks, it must be directly connected at layer 2 and have an address in the subnet. ● Complex class matching, groups, etc? No
- 6. What is a DHCP Pool? ● A DHCP pool is a range of addresses from which dynamic assignments for clients can be made ● Example: 192.168.1.100 – 192.168.1.199 ● In that example, a client requesting a DHCP address could receive any available IP address between .100 and .199 (inclusive) ● There can be multiple pools, on the same interface or separate interfaces, though they are represented differently in the pfSense GUI ● Pools should be sized large enough to hold more than enough clients for the local network to sustain – Best practice is to design for more than you need ● For example, align the subnet such that a /23 or /22 could be used in place of a /24 without renumbering – Depending on the design, renumbering at a later date to gain additional address space may be difficult or impractical
- 7. Default DHCP Server Behavior ● In a default configuration, pfSense will… – Serve addresses from the default LAN subnet, 192.168.1.0/24 – Serve addresses from the range 192.168.1.100 to 192.168.1.199 – Give clients the firewall LAN IP address as the Gateway – Give clients the firewall LAN IP address as a DNS server ● DNS Resolver is enabled by default
- 8. Address Assignment Behavior ● New client asks for an address (DHCPDISCOVER) – Server checks for a static mapping, uses it if one is present – Server checks for old lease that is still valid, offers that if possible – Server checks for an old IP address the client used which is still available ● If the client is not permitted to use it, the old lease is freed – Server checks all pools for the network the client is in, and ... ● Server checks permissions, such as MAC address controls or if it is a known client ● Server tries to locate an available address in the pool ● If an unallocated address is available, it is offered to the client ● If an address is available, but it has been assigned previously, the server keeps looking to prevent reassignment ● If an unused but previously allocated address is available, the server will attempt to reclaim the address by considering it abandoned. The server checks using ICMP echo (ping) to ensure it is available, and if it is not in use, then it is allocated to the client. ● Former client asks for an existing IP address (DHCPREQUEST), server can – allow - If the address is available (not in use, part of the pool, etc) – deny - If the address is not available (wrong network, in use, not its static mapping, etc) – ignore - If the address is not managed by DHCP and is outside the pool but in the correct network ● No set pattern to pool assignment usage. May generally be in ascending order, but not guaranteed. ● Server will send an ICMP ping to an address to verify it is free before allocating
- 9. DHCP Configuration: General ● Services > DHCP Server, only will have tabs for static IP address interfaces ● Enable – Activates the DHCP server on this interface ● Deny Unknown Clients – When active, clients need mapping entries to define clients as "known" to the firewall – Mapping entries may leave the IP address field blank to define them in this manner ● Ignore Denied Clients – Rather than sending clients a rejection message, ignore them entirely. This does not work w/failover ● Range – The start and ending addresses for the client pool, inclusive – Subnet, mask, and available range are printed but do not account for addresses used by the firewall or other devices.
- 10. MAC Address Controls ● Uses full or partial MAC addresses to control if clients can be allocated addresses from a given pool ● MAC Allow – MACs listed here will be allowed to pull addresses from this pool, but no other clients can. ● MAC Deny – MACs listed here will not be able to pull addresses from this pool, but all others can. ● Only one or the other option is necessary, not both due to how it works
- 11. Working with Additional Pools ● Several ways to use them: – As more space with no restrictions ● Ex: Extra space because original pool is full ● Ex: Leaving a gap in the middle of a larger range – Restricted use either by MAC address or unknown clients ● Ex: Main pool for known clients, second pool for unknown ● Ex: Game console devices use addresses in second pool only – To give different settings to a group of devices ● Ex: Phones from a specific OEM receive a different gateway ● From the main DHCP settings tab for an interface, click + Add Pool ● Configure the desired range, enter a description, etc ● Use MAC address controls to designate who is allowed, or coordiate known/unknown clients options as needed – Remember: Allow MACs restrict to ONLY those in Allow list. Deny MACs allow all others except those in the list. Generally only one or the other is used on each pool ● Set other options as desired.
- 12. Configuration: Servers ● Clients are automatically assigned DNS servers based on several criteria: – If DNS servers are defined in the DHCP settings, they are always used, otherwise... – If the DNS Resolver or DNS Forwarder are enabled, the IP address of the firewall is given to clients, otherwise... – If DNS servers are defined under System > General Setup, those are given to clients, otherwise… – If none of the above are defined, then DNS servers are not provided to DHCP clients ● WINS Servers – Uncommon in modern networks, but may still be in use with some older Windows networks – Was an alternative to DNS and NetBIOS for locating client hostnames and network browsing
- 13. Configuration: Other Options ● Gateway – Generally left blank unless this firewall is not the default gateway, or in HA setups – In an HA setup utilizing CARP, this should be set to a CARP VIP on this interface ● Domain Name – The domain name given to clients, which is used as their DNS suffix – Clients will use this for short name lookups in most cases – This is not used for DNS Resolver/DNS Forwarder integration ● Domain Search List – Gives a list of search domains to clients that they can use for short name lookups – DHCP option 119 – Does NOT work on Windows! – Works on OSX, Linux, and some other operating systems
- 14. Configuration: Other Options ● Default Lease Time – Lease duration given to clients that do not ask for a specific time – Keep this equal to or greater than Captive Portal hard timeouts ● If a client obtains a lease shorter than the timeout, the IP address could be reused and the portal login would be invalid. ● Max Lease Time – For clients that request a lease time, limit it to at most this value – Keep this equal to or greater than Captive Portal hard timeouts ● Failover Peer – When an HA setup is in place, this needs to be filled in with the other node’s IP address in this subnet, otherwise leave it blank – Refer to the previous HA hangout or book for details
- 15. Configuration: Other Options ● Static ARP – Disables dynamic ARP requests, so the firewall can only communicate with hosts defined using static ARP entries – Makes ARP entries in the firewall ARP table tying an static mapping IP addresses to a specific MAC address – Used for security to: ● Prevent the firewall from talking to unknown devices ● Prevent hosts on the local network from using any IP address except their mapping – Very secure but difficult to manage, since each MAC/IP address pairing must be added to the firewall and maintained ● As a compromise, L2 port security options on switches are generally easier to setup and operate, if available. – Static Mappings may be individually set to static ARP instead of using this global option ● Time format change – By default, DHCP records lease times in UTC. Checking this will display the times in the locally configured zone. ● Statistics Graph – When set, a graph of pool usage for each interface is created and maintained – Visible under Status > Monitoring
- 16. Dynamic DNS ● Used to trigger client registration in a DNS server which supports dynamic updates ● DDNS Domain – The domain name client hostnames will register under – e.g. dyn.example.com ● Primary DDNS Address – IP Address of the DNS server where updates are sent ● DNS Domain Key – The name of the domain key used for registration (often the same as the domain name) ● DNS Domain Key Secret (HMAC-MD5) – The secret “password” used to update the records on the DNS server
- 17. NTP, TFTP, LDAP ● NTP Server 1 & 2 – Network Time Protocol servers to supply for client use ● TFTP Server – Specifies a TFTP server upon request by the client – Commonly used by VoIP handsets – Behavior varies by client – Option 66 ● LDAP – Provides an LDAP URI to clients – Used by OS X, possibly others – Option 95
- 18. Network Booting ● Enable – Toggles whether or not these settings are sent to clients ● Next Server – The IP address of the server containing the boot files ● BIOS Filename – The default boot file for traditional BIOS style booting ● UEFI 32-bit filename / UEFI 64-bit filename – Filenames for booting 32-bit or 64-bit systems that support UEFI ● Root Path – A storage path to the root device – Ex: iscsi:(servername):(protocol):(port):(LUN):targetname
- 19. Additional DHCP Options ● Numbered options for custom values which do not have a dedicated GUI option, or for clients that require a different format ● Several types, must match specification and client expectations! – Text – String – Boolean – Unsigned/Signed 8/16/32-bit integers – IP Address or Host ● List of option number assignments and their types: – http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xml – https://tools.ietf.org/html/rfc2132 ● Random Examples: – 121 (Classless routes) – Text, in hex – 74 (IRC Server) – IP Address – 26 (MTU) – 16 bit unsigned integer (Linux clients)
- 20. Static Mappings ● Creates an entry to do one of the following: – Map a static IP address to a specific MAC address (both IP address and MAC filled in) – Create a static ARP entry (IP and MAC address filled in, and either the static ARP set here or on the DHCP server) – List a MAC address as known (MAC address filled in, “deny unknown clients” set) ● Static Mappings cannot exist inside the range/pools – Fixed host entries express a preference, not a reservation – The daemon would still assign a fixed address to a dynamic client if the pool usage demanded it and the static client was offline ● Cannot have the same MAC or IP address twice, as it would cause ambiguous or undefined behavior
- 21. Static Mappings ● MAC Address – The full client MAC address, in colon separated format: 01:23:45:67:89:ab ● Client Identifier – Usually left blank, it is an additional matching parameter sent by the client ● IP Address – The static IP address assigned to the client matching this entry – Can be left blank to define client as “known” for DHCP purposes ● Hostname – The hostname (not fully qualified) assigned to this client – Clients will use this as their name, and the name is also used in DNS if integration is enabled ● For DNS Resolver and DNS Forwarder integration, the domain name of the firewall is appended, not DHCP domain name ● Description – A free-form description for reference
- 22. Static Mappings ● Static ARP entry – When checked, a static ARP entry is made for this mapping, even if the DHCP server is disabled – Entry must have both a MAC address and IP Address set – A Static ARP mapping on its own (without the whole interface being static arp) ● Will prevent other MACs from using that IP address ● Does not limit that MAC address from using other IP addresses ● Other options are the same as main pool – Values on mappings will override values from the pool – Values left blank will fall through and use values from the pool – Not all options are possible on static mappings (e.g. no numbered custom options)
- 23. DHCP Lease Status ● Status > DHCP Leases ● Sortable list, click column headers to sort ● Offline vs Online status is keyed off ARP table presence – A device can be on/active but show “offline” if it has not recently communicated to or through the firewall ● Lease status: – Active – Within the lease lifetime as requested by the client – Expired – The lease time has expired and the client has not requested it again ● Pool utilization count – Shows usage of each pool with leases. Unused pools will not show in the list. ● Show all configured vs show active – Default view shows only active leases, show all will also display expired leases ● Links at the end of each lease row to: – Add static mapping – Add WOL mapping / Send WOL packet – Delete lease - only possible for offline or expired leases ● Failover status, normal/normal, etc, See HA hangout
- 24. Pool Usage Graph ● Status > Monitoring – Pick DHCP for an axis, then interface for Graph ● Must be enabled on the DHCP server settings ● Graph shows pool usage vs total size ● Currently does not support multiple pools per interface
- 25. Conclusion ● Questions? ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc