dhcp static mapping not working

Version 9.353-4 on a Sophos 220.

We have DHCP scopes set with the tick box "Clients with static mappings only".

We have hosts defined in Definitions and Users > Network Definitions.

The DHCP is giving out the IP addresses reserved for static hosts.

So 2 problems:

1. The rule static mappings only is not working

2. It is ignoring the static mappings also



  • Neil, unlike with Windows Server, the UTM's DHCP server does not make "reservations." You must make static assignments outside of the "Range" assigned dynamically by DHCP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I am a bit lost here. The statement from you seems to be correct when I look at the DHCP log in the UTM. However, my client gets a DHCP address anyway with static mapping in the UTM (please see attached screenshot), even though it's within the DHCP scope range (192.168.100.4-253). The "Clients with static mapping only" option is ticked in the DHCP advanced options in the UTM.

     

     

    UTM IP: 192.168.100.1

    Client IP: 192.168.100.17 (static mapping in UTM DHCP server)

     

    From DHCP client log:

    ash@lt31113 ~ $ cat /var/log/syslog | grep DHCP
    Jan 16 15:35:39 lt31113 NetworkManager[4170]: <info>  [1484541336.4381] Using DHCP client 'dhclient'
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x1cb41713)
    Jan 16 15:35:45 lt31113 dhclient[5994]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 15:35:45 lt31113 dnsmasq[6004]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    Jan 16 20:28:47 lt31113 NetworkManager[4065]: <info>  [1484558927.6273] Using DHCP client 'dhclient'
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPREQUEST of 192.168.100.7 on wlp4s0 to 255.255.255.255 port 67 (xid=0x37eb193d)
    Jan 16 20:28:53 lt31113 dhclient[6074]: DHCPACK of 192.168.100.7 from 192.168.100.1
    Jan 16 20:28:53 lt31113 dnsmasq[6084]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

     

    From the UTM log for the same client (which validates Bob's statement):

    2017:01:16-13:36:53 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-13:36:53 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-13:36:53 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-13:36:53 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-13:36:53 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: Dynamic and static leases present for 192.168.100.7.
    2017:01:16-15:35:44 utm dhcpd: Remove host declaration REF_NetHosBobbyiph4 or remove 192.168.100.7
    2017:01:16-15:35:44 utm dhcpd: from the dynamic address pool for 192.168.100.0/24
    2017:01:16-15:35:44 utm dhcpd: DHCPREQUEST for 192.168.100.7 from e4:b3:18:90:36:7f via eth0
    2017:01:16-15:35:44 utm dhcpd: DHCPACK on 192.168.100.7 to e4:b3:18:90:36:7f via eth0


    How is my client getting an IP address from the UTM DHCP server? It's a mystery!

    By the way, the reason I bumped into this post is that I am now unable to add a host with static mapping either within or outside the DHCP range. I get an error message something like "Definitions & Users → Network Definitions:
    Removing 1 invalid element(s) '0800271194d6' from the list." 0800271194d6 is the MAC address of the client I am trying to add. I tried with another MAC address, and still got a similar error message.
  • Hi  

    I agree with  here. Please read this article for Sophos UTM: DHCP Configuration and it clearly states:

    Static Mappings

    On the Network Services > DHCP > Static Mappings tab you can create static mappings between client and IP address for some or all clients. For that purpose, you need a configured DHCP server and, depending on the IP version of the DHCP server, the MAC address of the client's network card (with IPv4) or the DHCP Unique Identifier (DUID) of the client (with IPv6).

    Note - To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

    Hope this helps.

     

    Regards

    Jaydeep

  • Thank you for taking the time JayDeep. I appreciate it. If I could have your attention for a little longer...

     

    If I were to create a pool and check the "for static mappings only" setting and specify each MAC in each host, does that guarantee with absolute certainty each host will receive an IP that is assigned in its definition, or will it receive any IP from any of the pools including the "dynamic" lease pool?

     

    FWIW, first off, I would really like to see a warning (in red) when specifying an IP within the range, given it is highly prone to cause serious issues through the whole network. In other words, don't allow it. Second, I would think logic dictates that it would be a good idea to move to a more standard approach of allowing "exclusions" from the pool. I understand this parameter is limited to ISC's BIND (if I'm not mistaken) but without the error preventing the config in the host definition, people can and are easily misled.

  • Hi

    If you create a DHCP Pool and check the option "for static mappings only" and also specify each mac-address for each host and select the DHCP scope in Host definition, you will get correct IP assignment for every device. Please note that it is required to select a DHCP scope in Host definition once you check the option "for static mappings only".

    Coming to the second point, I understand your requirement of having an exclusion list as traditional DHCP servers have but as of now, that option is now available. You may raise a feature request for that here. Hope this helps.

    Regards

    Jaydeep

  • In fact, plecavalier has more experience with ASG/UTM than I do, so this discussion has really been beneficial.

    When one clicks the [Make Static] button on the 'IPv4 Lease Table' tab, there should be a check that the IP to be used is outside the 'DHCP Range' listed.  Prior to that button existing, we just used the regular Host definition process, but that's probably more difficult.  Even then, a quick check to see if the assigned IP is in any DHCP range would seem to be easy.  For example, I just got the following:

    secure:/root # cc get_objects dhcp server|grep \'range
                            'range_end' => '172.16.31.110',
                            'range_start' => '172.16.31.101',
                            'range_end' => '192.168.66.254',
                            'range_start' => '192.168.66.100',
                            'range_end' => '10.100.100.63',
                            'range_start' => '10.100.100.40',
                            'range_end' => '172.16.2.199',
                            'range_start' => '172.16.2.100',

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks again for the detailed response JayDeep. I'm assuming you meant "that option is not available".

     

    I've had a bit of time to play with this now and 2 things come to mind... This is all based on the premise that static mappings and DHCP are best practice for a dynamic network environment.

    1. When creating a host with an assigned IP, the system should check if that IP is already assigned or not. In a large scale network, even though you can search and sort host definitions, it is prone to human error and therefore proper rudimentary checks by the system during creation should be performed.

    1.1 one should not be able to create a host with an IP within a dynamic range

    1.2 one should not be able to create a host with an IP matching an existing static mapping
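The check Bob describes, together with checks 1.1 and 1.2 from the post above, can be run offline against the range list. This is an added example, not part of the thread or of Sophos's code: the ranges are the ones printed in Bob's post and are all treated as dynamic, while the host list and the function names are constructed for illustration.

```python
import ipaddress
import re

# Range lines as printed by `cc get_objects dhcp server|grep \'range` in the thread.
CC_OUTPUT = """
'range_end' => '172.16.31.110',
'range_start' => '172.16.31.101',
'range_end' => '192.168.66.254',
'range_start' => '192.168.66.100',
'range_end' => '10.100.100.63',
'range_start' => '10.100.100.40',
'range_end' => '172.16.2.199',
'range_start' => '172.16.2.100',
"""

# Constructed host definitions (name, MAC, IP); not taken from the thread.
HOSTS = [
    ("printer", "00:11:22:33:44:01", "172.16.2.150"),   # inside a range
    ("nas",     "00:11:22:33:44:02", "172.16.2.20"),    # outside every range
    ("camera",  "00:11:22:33:44:03", "172.16.2.20"),    # same IP as nas
    ("ap",      "00:11:22:33:44:04", "10.100.100.39"),  # one below a range start
]

def parse_ranges(text):
    """Pair every range_start with its range_end, in either order."""
    ranges, pending = [], {}
    for key, value in re.findall(r"'range_(start|end)'\s*=>\s*'([0-9.]+)'", text):
        pending[key] = ipaddress.IPv4Address(value)
        if len(pending) == 2:
            ranges.append((pending["start"], pending["end"]))
            pending = {}
    return ranges

def check_hosts(hosts, ranges):
    """Return (host, problem) pairs for in-range and duplicate static IPs."""
    findings, seen = [], {}
    for name, _mac, ip in hosts:
        addr = ipaddress.IPv4Address(ip)
        for start, end in ranges:
            if start <= addr <= end:
                findings.append((name, f"{ip} is inside DHCP range {start}-{end}"))
        if addr in seen:
            findings.append((name, f"{ip} already mapped to {seen[addr]}"))
        seen.setdefault(addr, name)
    return findings

if __name__ == "__main__":
    for host, problem in check_hosts(HOSTS, parse_ranges(CC_OUTPUT)):
        print(f"{host}: {problem}")
```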

  • Please add your suggestion to Check the DHCP server's 'Range' when creating a Host with Static IP and vote for that.  Others that pass by here should add a comment and a vote.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I thought all was well after I changed my ways; I now create a pool with the "for static mappings only" option set, which I then assign when creating a host definition with a MAC address entry and IP defined. However, after a few weeks, I've come across the following entry in the DHCP Server log:

    2019:09:28-09:48:24 gw2 dhcpd: uid lease 192.168.1.155 for client 34:97:f6:36:2f:27 is duplicate on REF_DefaultInternal

    2019:09:28-09:48:24 gw2 dhcpd: DHCPREQUEST for 192.168.1.109 from 34:97:f6:36:2f:27 via eth0
     
    So how is it possible that 34:97:f6:36:2f:27 was assigned 1.155 while it clearly was defined 1.109 in its host definition? What's worse, the range for the static only pool is 50-198. So not only did it have the wrong address but it was handed an address within the static only pool. As you can see by the second entry, it dropped 1.155 in lieu of 109 which corrected the issue but how did it end up with 155 in the first place? Luckily 1.155 isn't defined anywhere so it did not cause a conflict but it easily could have.
  • Here's another one. Host is assigned 1.101 in the static only pool range and somehow grabbed 1.159

     

    2019:09:28-09:57:55 gw2 dhcpd: Dynamic and static leases present for 192.168.1.101.
    2019:09:28-09:57:55 gw2 dhcpd: Remove host declaration REF_NetHosPiwcwks101 or remove 192.168.1.101
    2019:09:28-09:57:55 gw2 dhcpd: from the dynamic address pool for REF_DefaultInternal
    2019:09:28-09:57:55 gw2 dhcpd: uid lease 192.168.1.159 for client 34:97:f6:36:26:24 is duplicate on REF_DefaultInternal
    2019:09:28-09:57:55 gw2 dhcpd: DHCPREQUEST for 192.168.1.101 from 34:97:f6:36:26:24 via eth0
    2019:09:28-09:57:55 gw2 dhcpd: DHCPACK on 192.168.1.101 to 34:97:f6:36:26:24 via eth0

     

    Again 1.101 is not in the dynamic pool range

    ranges on int. Internal:

    50-198 set to static mappings only

    200-249 dynamic

     

    Why did 34:97:f6:36:26:24 have 1.159?

  • 2019:09:28-09:57:55 gw2 dhcpd: Dynamic and static leases present for 192.168.1.101.

    Some other device still has .1.101 leased.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
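The dhcpd messages quoted in the last few posts can be pulled out of a log mechanically, so that overlapping addresses and clients holding an unexpected lease show up before they cause a conflict. This is an added example, not part of the thread or of the UTM: the log lines are copied from the posts above, and the function and key names are made up for illustration.

```python
import re
from collections import defaultdict

# dhcpd lines copied from the posts above (timestamp and host prefix included).
LOG = """\
2019:09:28-09:48:24 gw2 dhcpd: uid lease 192.168.1.155 for client 34:97:f6:36:2f:27 is duplicate on REF_DefaultInternal
2019:09:28-09:48:24 gw2 dhcpd: DHCPREQUEST for 192.168.1.109 from 34:97:f6:36:2f:27 via eth0
2019:09:28-09:57:55 gw2 dhcpd: Dynamic and static leases present for 192.168.1.101.
2019:09:28-09:57:55 gw2 dhcpd: Remove host declaration REF_NetHosPiwcwks101 or remove 192.168.1.101
2019:09:28-09:57:55 gw2 dhcpd: from the dynamic address pool for REF_DefaultInternal
2019:09:28-09:57:55 gw2 dhcpd: uid lease 192.168.1.159 for client 34:97:f6:36:26:24 is duplicate on REF_DefaultInternal
2019:09:28-09:57:55 gw2 dhcpd: DHCPREQUEST for 192.168.1.101 from 34:97:f6:36:26:24 via eth0
2019:09:28-09:57:55 gw2 dhcpd: DHCPACK on 192.168.1.101 to 34:97:f6:36:26:24 via eth0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PATTERNS = {
    "overlap": re.compile(rf"Dynamic and static leases present for {IP}\."),
    "host":    re.compile(rf"Remove host declaration (\S+) or remove {IP}"),
    "stale":   re.compile(rf"uid lease {IP} for client {MAC} is duplicate on (\S+)"),
    "request": re.compile(rf"DHCPREQUEST for {IP} from {MAC}"),
}

def summarize(log):
    """Group dhcpd warnings by address (overlaps) and by client MAC (other leases)."""
    overlaps = defaultdict(lambda: {"count": 0, "host": None})
    clients = defaultdict(lambda: {"stale": set(), "requested": set()})
    for line in log.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "overlap":
                overlaps[m.group(1)]["count"] += 1
            elif kind == "host":
                overlaps[m.group(2)]["host"] = m.group(1)
            elif kind == "stale":
                clients[m.group(2)]["stale"].add(m.group(1))
            else:
                clients[m.group(2)]["requested"].add(m.group(1))
    # Keep only clients with a logged lease other than the address they request.
    mismatched = {mac: c for mac, c in clients.items() if c["stale"] - c["requested"]}
    return dict(overlaps), mismatched

if __name__ == "__main__":
    print(summarize(LOG))
```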