DHCP static mapping not working

Version 9.353-4 on a Sophos 220.

We have DHCP scopes set with the tick box "Clients with static mappings only".

We have hosts defined in Definitions and Users > Network Definitions.

The DHCP is giving out the IP addresses reserved for static hosts.

So, 2 problems:

1. The rule "static mappings only" is not working.

2. It is ignoring the static mappings also.

  • Neil, unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP.

    Cheers - Bob

  • In reply to BAlfson:

    Is there a way to view which static mappings are active?  I was expecting to see them in the lease table but I guess as the mappings are defined outside the scope, it doesn't display.

    I can see in the log that DHCP is provisioning the correct IP to MAC, but I would like it listed in a table somewhere as to which ones are active.

    Maybe it is somewhere else?

    Thanks

  • In reply to Aoffield:

    If you want to confirm, just search the DHCP Server log for the IP or the MAC.

    Cheers - Bob

  • In reply to BAlfson:

    I am getting these errors in my DHCP log files.

    2016:09:13-20:21:14 jh_home dhcpd: DHCPREQUEST for 10.254.254.166 from 34:23:87:e3:67:05 via eth0
    2016:09:13-20:21:14 jh_home dhcpd: DHCPACK on 10.254.254.166 to 34:23:87:e3:67:05 via eth0
    2016:09:13-20:21:14 jh_home dhcpd: Dynamic and static leases present for 10.254.254.166.
    2016:09:13-20:21:14 jh_home dhcpd: Remove host declaration REF_NetHosJennlaptop or remove 10.254.254.166
    2016:09:13-20:21:14 jh_home dhcpd: from the dynamic address pool for 10.254.254.0/24
    2016:09:13-20:21:14 jh_home dhcpd: uid lease 10.254.254.166 for client 34:23:87:e3:67:05 is duplicate on 10.254.254.0/24

    I use 10.254.254.2 - 10.254.254.254 for my DHCP pool.  I have created quite a few hosts by clicking on their DHCP lease and clicking on the "Make Static" button.  However, I am thinking that letting the static IP be part of the DHCP pool isn't what the UTM wants me to do (even though this is what the interface offers).  Do I need to change my DHCP Pool and then set static IPs for the "Hosts" that are outside of the Pool?

  • In reply to JeremyHines:

    Hi,

    As Bob said above:

    Neil, unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP.

    As strange as it seems, this is the way it works.

    The clients still even talk to the DHCP server, even though they don't get their assignment from it.

    For example, we have a wireless DHCP for BYOD devices. We manage this using MAC addresses; this way we never need to change the password.

    So in effect all entries are static.

    In this example (10.254.254.2 - 10.254.254.254) I would set a minimal scope, say 10.254.254.2 - 10.254.254.20, then you assign the static addresses starting at 10.254.254.21 and upward.

    In the definition you still specify the DHCP scope, even though the static IP is outside the scope.

    I can confirm this works - I do not use the "make static".

    Hope this helps,

    neil

  • In reply to BAlfson:

    Bob,

    I am a bit lost here. The statement from you seems to be correct when I look at the DHCP log in the UTM. However, my client gets a DHCP address anyway with static mapping in the UTM (please see attached screenshot), even though it's within the DHCP scope range (192.168.100.4-253). The "Clients with static mapping only" option is ticked in the DHCP advanced options in the UTM.

    UTM IP: 192.168.100.1

    Client IP: 192.168.100.17 (static mapping in UTM DHCP server)

     

    From DHCP client log:

    ash@lt31113 ~ $ cat /var/log/syslog | grep DHCP
    Jan 16 15:35:39 lt31113 NetworkManager[4170]: <info>  [1484541336.4381] Using DHCP client 'dhclient'
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x1cb41713)
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 15:35:45 lt31113 dnsmasq[6004]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    Jan 16 20:28:47 lt31113 NetworkManager[4065]: <info>  [1484558927.6273] Using DHCP client 'dhclient'
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x37eb193d)
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 20:28:53 lt31113 dnsmasq[6084]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

     

    From the UTM log for the same client (which validates Bob's statement):

    2017:01:16-13:36:53 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-13:36:53 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-13:36:53 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-13:36:53 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-13:36:53 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-15:35:44 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-15:35:44 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-15:35:44 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0


    How is my client getting an IP address from the UTM DHCP server? It's a mystery!

    By the way, the reason I bumped into this post is that I am now unable to add a host with static mapping either within or outside the DHCP range. I get an error message something like "Definitions & Users → Network Definitions:
    Removing 1 invalid element(s) '0800271194d6' from the list." 0800271194d6 is the MAC address of the client I am trying to add. I tried with another MAC address, and still got a similar error message.

  • In reply to ashabc:

    Ashabc, as neildonaldson repeated above, my first post here explains that "unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP."

    Your static assignment is inside the range of your DHCP server.

    Cheers - Bob

  • In reply to BAlfson:

    I've just been faced with this exact same problem. I've been using "reservations" in the manner described by @Ashabc for over 10 years, dating back to Astaro, and have never experienced this issue. The whole point of static mapping is that you are reserving addresses *that are contained within the DHCP pool for specific hosts* to avoid having to set static IPs on them. This makes absolutely no sense and I have a really hard time believing Sophos (and Astaro back in the day) configured the DHCP to act otherwise, not to mention I've been doing it this way for many, many years. So why all of a sudden am I experiencing this? I'm going to call support and ask the same question. No offense, but I fear the answers provided here cannot be true.

  • In reply to plecavalier:

    My company first began installing the ASG (UTM) in 2003.  I began to pick it up from our lead engineer in 2004.  The DHCP server has always functioned like this - dynamic and static ranges instead of "reservations" like the Windows DHCP server.  If you haven't been troubled by this in the past, it's likely because you have very few devices.  Like virtually all of the functions of the UTM, Astaro took an open source service, hardened it and integrated it - the fundamental functioning of the way it did DHCP was not altered.

    Cheers - Bob

  • In reply to BAlfson:

    I think we're getting caught up in terminology. I've been using UTM since 99 and any "reservation" in the host definition simply by specifying the desired IP would guarantee that address would go to that host as long as you entered the MAC address. I even called Sophos this afternoon just to confirm. XG is different in that you cannot specify an address from the pool, but that's not the case for UTM and it has always been that way. I have clients with 50+ nodes, so it's not because it's small networks.

  • In reply to plecavalier:

    Yes, the Static Host will cause the device to always be assigned the same IP.  However, if the IP is in the dynamic Range specified in the DHCP Server definition, there is a danger that the same IP will be assigned to another client as the Static assignments are not tracked - they are not seen as "reserved" by the server.

    Cheers - Bob

  • In reply to BAlfson:

    But how does it make sense that the DHCP server service hands out IPs that are outside of the allocated range? Until today, I've never had a host get an address from DHCP that is assigned in a host definition, and it happened twice in one day.

  • In reply to plecavalier:

    Hi  

    I agree with  here. Please read this article for Sophos UTM: DHCP Configuration and it clearly states:

    Static Mappings

    On the Network Services > DHCP > Static Mappings tab you can create static mappings between client and IP address for some or all clients. For that purpose, you need a configured DHCP server and, depending on the IP version of the DHCP server, the MAC address of the client's network card (with IPv4) or the DHCP Unique Identifier (DUID) of the client (with IPv6).

    Note - To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

    Hope this helps.

     

  • In reply to Jaydeep:

    Thank you for taking the time JayDeep. I appreciate it. If I could have your attention for a little longer...

     

    If I were to create a pool and check the "for static mappings only" setting and specify each MAC in each host, does that guarantee with absolute certainty each host will receive an IP that is assigned in its definition, or will it receive any IP from any of the pools including the "dynamic" lease pool?

    FWIW, first off, I would really like to see a warning (in red) when specifying an IP within the range, given it is highly prone to cause serious issues through the whole network. In other words, don't allow it. Second, I would think logic dictates that it would be a good idea to move to a more standard approach of allowing "exclusions" from the pool. I understand this parameter is limited to ISC's BIND (if I'm not mistaken) but without the error preventing the config in the host definition, people can and are easily misled.

  • In reply to plecavalier:

    Hi

    If you create a DHCP Pool and check the option "for static mappings only" and also specify each mac-address for each host and select the DHCP scope in Host definition, you will get correct IP assignment for every device. Please note that it is required to select a DHCP scope in Host definition once you check the option "for static mappings only".

    Coming to the second point, I understand your requirement of having an exclusion list as traditional DHCP servers have but as of now, that option is now available. You may raise a feature request for that here. Hope this helps.
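
The two checks discussed in this thread, as an added example that is not part of any post above and is not Sophos code: it flags static mappings that sit inside the dynamic range, and pulls the "Remove host declaration" warnings and per-IP DHCPACK recipients out of a DHCP Server log. The log lines, host names and MAC addresses are constructed samples in the format of the excerpts quoted above; the range is the one from the documentation note.

```python
import ipaddress
import re

# Constructed log lines in the format of the dhcpd excerpts quoted in the thread.
SAMPLE_LOG = """\
2017:01:16-13:36:53 utm dhcpd: Dynamic and static leases present for 192.168.0.200.
2017:01:16-13:36:53 utm dhcpd: Remove host declaration REF_NetHosExample or remove 192.168.0.200
2017:01:16-13:36:53 utm dhcpd: from the dynamic address pool for 192.168.0.0/24
2017:01:16-13:36:53 utm dhcpd: DHCPREQUEST for 192.168.0.200 from 02:00:00:00:00:01 via eth0
2017:01:16-13:36:53 utm dhcpd: DHCPACK on 192.168.0.200 to 02:00:00:00:00:01 via eth0
2017:01:16-13:40:02 utm dhcpd: DHCPACK on 192.168.0.200 to 02:00:00:00:00:02 via eth0
"""

HOST_DECL = re.compile(r"dhcpd: Remove host declaration (\S+) or remove (\d+\.\d+\.\d+\.\d+)")
ACK = re.compile(r"dhcpd: DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})", re.I)


def overlap_warnings(log_text):
    """Map each IP that dhcpd reports as both static and dynamic to its host declaration."""
    return {ip: name for name, ip in HOST_DECL.findall(log_text)}


def acks_by_ip(log_text):
    """Map each acknowledged IP to the set of MACs it was handed to."""
    seen = {}
    for ip, mac in ACK.findall(log_text):
        seen.setdefault(ip, set()).add(mac.lower())
    return seen


def statics_inside_range(static_hosts, range_start, range_end):
    """Return names of static mappings whose IP lies inside the dynamic range."""
    lo, hi = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    return sorted(name for name, ip in static_hosts.items()
                  if lo <= ipaddress.ip_address(ip) <= hi)


if __name__ == "__main__":
    # Constructed inventory of static mappings (name -> IP).
    hosts = {"printer": "192.168.0.200", "nas": "192.168.0.220"}
    print("inside dynamic range:", statics_inside_range(hosts, "192.168.0.100", "192.168.0.210"))
    print("dhcpd overlap warnings:", overlap_warnings(SAMPLE_LOG))
    for ip, macs in acks_by_ip(SAMPLE_LOG).items():
        if len(macs) > 1:
            print("same IP acknowledged to several MACs:", ip, sorted(macs))
```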