dhcp static mapping not working

version 9.353-4  on a sophos 220

we have dhcp scopes set with the tick box "Clients with static mappings only"

we have hosts defined in definitions and users > network definitions

the dhcp is giving out the ip addresses reserved for static hosts

so 2 problems

1. the rule static mappings only is not working

2. it is ignoring the static mappings also



This thread was automatically locked due to age.
  • Neil, unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I am a bit lost here. The statement from you seems to be correct when I look at the DHCP log in the UTM. However, my client gets a DHCP address anyway with static mapping in the UTM (please see attached screenshot), even though it's within the DHCP scope range (192.168.100.4-253). The "Clients with static mapping only" option is ticked in the DHCP advanced option in the UTM.

     

     

    UTM IP: 192.168.100.1

    Client IP: 192.168.100.17 (static mapping in UTM DHCP server)

     

    From DHCP client log:

    ash@lt31113 ~ $ cat /var/log/syslog | grep DHCP
    Jan 16 15:35:39 lt31113 NetworkManager[4170]: <info>  [1484541336.4381] Using DHCP client 'dhclient'
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x1cb41713)
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 15:35:45 lt31113 dnsmasq[6004]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    Jan 16 20:28:47 lt31113 NetworkManager[4065]: <info>  [1484558927.6273] Using DHCP client 'dhclient'
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x37eb193d)
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 20:28:53 lt31113 dnsmasq[6084]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

     

    From UTM log for the same client (which validates Bob's statement):

    2017:01:16-13:36:53 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-13:36:53 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-13:36:53 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-13:36:53 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-13:36:53 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-15:35:44 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-15:35:44 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-15:35:44 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0


    How is my client getting an IP address from the UTM DHCP server? It's a mystery!

    By the way, the reason I bumped into this post is that I am now unable to add a host with static mapping either within or outside the DHCP range. I get an error message something like "Definitions & Users → Network Definitions:
    Removing 1 invalid element(s) '0800271194d6' from the list." 0800271194d6 is the MAC address of the client I am trying to add. I tried with another MAC address, and still got a similar error message.
  • Ashabc, as neildonaldson repeated above, my first post here explains that "unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP."

    Your static assignment is inside the range of your DHCP server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've just been faced with this exact same problem. I've been using "reservations" in the manner described by @Ashabc for over 10 years dating back to Astaro and have never experienced this issue. The whole point of static mapping is that you are reserving addresses *that are contained within the DHCP pool for specific hosts* to avoid having to set static IPs on them. This makes absolutely no sense and I have a really hard time believing Sophos (and Astaro back in the day) configured the DHCP to act otherwise, not to mention I've been doing it this way for many many years. So why all of a sudden am I experiencing this? I'm going to call support and ask the same question. No offense but I fear the answers provided here cannot be true.

  • My company first began installing the ASG (UTM) in 2003.  I began to pick it up from our lead engineer in 2004.  The DHCP server has always functioned like this - dynamic and static ranges instead of "reservations" like the Windows DHCP server.  If you haven't been troubled by this in the past, it's likely because you have very few devices.  Like virtually all of the functions of the UTM, Astaro took an open source service, hardened it and integrated it - the fundamental functioning of the way it did DHCP was not altered.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think we're getting caught up in terminology. I've been using UTM since 99 and any "reservation" in the host definition, simply by specifying the desired IP, would guarantee that address would go to that host as long as you entered the MAC address. I even called Sophos this afternoon just to confirm. XG is different in that you cannot specify an address from the pool, but that is not the case for UTM and it has always been that way. I have clients with 50+ nodes so it's not because it's small networks.

  • Yes, the Static Host will cause the device to always be assigned the same IP.  However, if the IP is in the dynamic Range specified in the DHCP Server definition, there is a danger that the same IP will be assigned to another client as the Static assignments are not tracked - they are not seen as "reserved" by the server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • But how does it make sense that the DHCP server service hands out IPs that are outside of the allocated range? Until today, I've never had a host get an address from DHCP that is assigned in a host definition, and it happened twice in one day.

  • Hi  

    I agree with  here. Please read this article for Sophos UTM: DHCP Configuration and it clearly states:

    Static Mappings

    On the Network Services > DHCP > Static Mappings tab you can create static mappings between client and IP address for some or all clients. For that purpose, you need a configured DHCP server and, depending on the IP version of the DHCP server, the MAC address of the client's network card (with IPv4) or the DHCP Unique Identifier (DUID) of the client (with IPv6).

    Note - To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

    Hope this helps.

     

    Regards

    Jaydeep

  • Thank you for taking the time JayDeep. I appreciate it. If I could have your attention for a little longer...

     

    If I were to create a pool and check the "for static mappings only" setting and specify each MAC in each host, does that guarantee with absolute certainty each host will receive an IP that is assigned in its definition, or will it receive any IP from any of the pools including the "dynamic" lease pool?

     

    FWIW, first off, I would really like to see a warning (in red) when specifying an IP within the range, given it is highly prone to cause serious issues through the whole network. In other words, don't allow it. Second, I would think logic dictates that it would be a good idea to move to a more standard approach of allowing "exclusions" from the pool. I understand this parameter is limited to ISC's BIND (if I'm not mistaken) but without the error preventing the config in the host definition, people can and are easily misled.

  • Hi

    If you create a DHCP Pool and check the option "for static mappings only" and also specify each mac-address for each host and select the DHCP scope in Host definition, you will get correct IP assignment for every device. Please note that it is required to select a DHCP scope in Host definition once you check the option "for static mappings only".

    Coming to the second point, I understand your requirement of having an exclusion list as traditional DHCP servers have but as of now, that option is now available. You may raise a feature request for that here. Hope this helps.

    Regards

    Jaydeep

  • In fact, plecavalier has more experience with ASG/UTM than I do, so this discussion has really been beneficial.

    When one clicks the [Make Static] button on the 'IPv4 Lease Table' tab, there should be a check that the IP to be used is outside the 'DHCP Range' listed.  Prior to that button existing, we just used the regular Host definition process, but that's probably more difficult.  Even then, a quick check to see if the assigned IP is in any DHCP range would seem to be easy.  For example, I just got the following:

    secure:/root # cc get_objects dhcp server|grep \'range
                            'range_end' => '172.16.31.110',
                            'range_start' => '172.16.31.101',
                            'range_end' => '192.168.66.254',
                            'range_start' => '192.168.66.100',
                            'range_end' => '10.100.100.63',
                            'range_start' => '10.100.100.40',
                            'range_end' => '172.16.2.199',
                            'range_start' => '172.16.2.100',

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
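
The check discussed in the post above (is a static host's IP inside any dynamic DHCP range, or already used by another static mapping?), as an added example that is not part of the original thread and not Sophos code. It parses text in the format of the `cc get_objects dhcp server` output quoted above; the host list and the names `parse_ranges` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Two range pairs in the format of the `cc get_objects dhcp server` output quoted above.
CC_OUTPUT = """
                        'range_end' => '172.16.31.110',
                        'range_start' => '172.16.31.101',
                        'range_end' => '192.168.66.254',
                        'range_start' => '192.168.66.100',
"""

# Constructed sample static mappings (host name, IP); not taken from the thread.
STATIC_HOSTS = [
    ("printer", "192.168.66.20"),
    ("nas", "192.168.66.150"),
    ("camera", "172.16.31.101"),
    ("kiosk", "192.168.66.20"),
]

FIELD = re.compile(r"'range_(start|end)'\s*=>\s*'([0-9.]+)'")

def parse_ranges(text):
    """Pair each range_start with the range_end listed next to it."""
    ranges, current = [], {}
    for key, value in FIELD.findall(text):
        current[key] = ipaddress.IPv4Address(value)
        if len(current) == 2:
            ranges.append((current["start"], current["end"]))
            current = {}
    return ranges

def audit(hosts, ranges):
    """Return (in_pool, duplicates): hosts inside a dynamic range, and reused IPs."""
    in_pool, seen, duplicates = [], {}, []
    for name, ip_text in hosts:
        ip = ipaddress.IPv4Address(ip_text)
        for start, end in ranges:
            if start <= ip <= end:
                in_pool.append((name, ip_text, f"{start}-{end}"))
        if ip in seen:
            duplicates.append((ip_text, seen[ip], name))
        seen.setdefault(ip, name)
    return in_pool, duplicates

if __name__ == "__main__":
    pool_hits, dupes = audit(STATIC_HOSTS, parse_ranges(CC_OUTPUT))
    for name, ip, rng in pool_hits:
        print(f"{name}: {ip} is inside dynamic range {rng}")
    for ip, first, second in dupes:
        print(f"{ip} is mapped to both {first} and {second}")
```
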
  • Thanks again for the detailed response JayDeep. I'm assuming you meant "that option is not available".

     

    I've had a bit of time to play with this now and 2 things come to mind...This is all based on the premise that static mappings and DHCP are best practice for a dynamic network environment.

    1. When creating a host with an assigned IP, the system should check if that IP is already assigned or not. In a large scale network even though you can search and sort host definitions, it is prone to human error and therefore proper rudimentary checks by the system during creation should be performed.

    1.1 one should not be able to create a host with an IP within a dynamic range

    1.2 one should not be able to create a host with an IP matching an existing static mapping