
dhcp static mapping not working

version 9.353-4 on a sophos 220

we have dhcp scopes set with the tick box "Clients with static mappings only"

we have hosts defined in definitions and users > network definitions

the dhcp is giving out the ip addresses reserved for static hosts

so 2 problems

1. the rule static mappings only is not working

2. it is ignoring the static mappings also



  • Yes, the Static Host will cause the device to always be assigned the same IP.  However, if the IP is in the dynamic Range specified in the DHCP Server definition, there is a danger that the same IP will be assigned to another client as the Static assignments are not tracked - they are not seen as "reserved" by the server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • But how does it make sense that the dhcp server service hands out IPs that are outside of the allocated range? Until today, I've never had a host get an address from dhcp that is assigned in a host definition and it happened twice in one day.

  • Hi  

    I agree with  here. Please read this article for Sophos UTM: DHCP Configuration and it clearly states:

    Static Mappings

    On the Network Services > DHCP > Static Mappings tab you can create static mappings between client and IP address for some or all clients. For that purpose, you need a configured DHCP server and, depending on the IP version of the DHCP server, the MAC address of the client's network card (with IPv4) or the DHCP Unique Identifier (DUID) of the client (with IPv6).

    Note - To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.

    Hope this helps.

     

    Regards

    Jaydeep

  • Thank you for taking the time JayDeep. I appreciate it. If I could have your attention for a little longer...

     

    If I were to create a pool and check the "for static mappings only" setting and specify each mac in each host, does that guarantee with absolute certainty each host will receive an IP that is assigned in its definition or will it receive any IP from any of the pools including the "dynamic" lease pool.

     

    FWIW, first off, I would really like to see a warning (in red) when specifying an IP within the range given it is highly prone to cause serious issues through the whole network. In other words, don't allow it. Second, I would think logic dictates that it would be a good idea to move to a more standard approach of allowing "exclusions" from the pool. I understand this parameter is limited to ISC's BIND (if I'm not mistaken) but without the error preventing the config in the host definition, people can and are easily misled.

  • Hi

    If you create a DHCP Pool and check the option "for static mappings only" and also specify each mac-address for each host and select the DHCP scope in Host definition, you will get correct IP assignment for every device. Please note that it is required to select a DHCP scope in Host definition once you check the option "for static mappings only".

    Coming to the second point, I understand your requirement of having an exclusion list as traditional DHCP servers have but as of now, that option is now available. You may raise a feature request for that here. Hope this helps.

    Regards

    Jaydeep

  • In fact, plecavalier has more experience with ASG/UTM than I do, so this discussion has really been beneficial.

    When one clicks the [Make Static] button on the 'IPv4 Lease Table' tab, there should be a check that the IP to be used is outside the 'DHCP Range' listed.  Prior to that button existing, we just used the regular Host definition process, but that's probably more difficult.  Even then, a quick check to see if the assigned IP is in any DHCP range would seem to be easy.  For example, I just got the following:

    secure:/root # cc get_objects dhcp server|grep \'range
                            'range_end' => '172.16.31.110',
                            'range_start' => '172.16.31.101',
                            'range_end' => '192.168.66.254',
                            'range_start' => '192.168.66.100',
                            'range_end' => '10.100.100.63',
                            'range_start' => '10.100.100.40',
                            'range_end' => '172.16.2.199',
                            'range_start' => '172.16.2.100',

    Cheers - Bob

     
  • Thanks again for the detailed response JayDeep. I'm assuming you meant "that option is not available".

     

    I've had a bit of time to play with this now and 2 things come to mind...This is all based on the premise that static mappings and DHCP are best practice for a dynamic network environment.

    1. When creating a host with an assigned IP, the system should check if that IP is already assigned or not. In a large scale network even though you can search and sort host definitions, it is prone to human error and therefore proper rudimentary checks by the system during creation should be performed.

    1.1 one should not be able to create a host with an IP within a dynamic range

    1.2 one should not be able to create a host with an IP matching an existing static mapping
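
The two checks proposed above (1.1 and 1.2) can be run offline against the range output quoted earlier in the thread. This is an added example, not Sophos code or part of any post: the host names and IPs in `HOSTS` are constructed, and every listed range is assumed to be a dynamic pool.

```python
import ipaddress
import re

# Range lines as quoted in the thread from `cc get_objects dhcp server`.
CC_OUTPUT = """
    'range_end' => '172.16.31.110',
    'range_start' => '172.16.31.101',
    'range_end' => '192.168.66.254',
    'range_start' => '192.168.66.100',
    'range_end' => '10.100.100.63',
    'range_start' => '10.100.100.40',
    'range_end' => '172.16.2.199',
    'range_start' => '172.16.2.100',
"""

# Constructed host definitions (name -> static IP), for illustration only.
HOSTS = {
    "printer01": "192.168.66.20",
    "nas01": "192.168.66.150",   # inside 192.168.66.100-254
    "ap01": "10.100.100.63",     # exactly on a range boundary
    "cam01": "192.168.66.20",    # same IP as printer01
    "srv01": "172.16.2.200",     # one past the end of a range
}

def parse_ranges(text):
    """Pair consecutive range_start/range_end lines into (start, end) tuples."""
    ranges, pending = [], {}
    for key, value in re.findall(r"'range_(start|end)'\s*=>\s*'([0-9.]+)'", text):
        pending[key] = ipaddress.ip_address(value)
        if len(pending) == 2:
            ranges.append((pending["start"], pending["end"]))
            pending = {}
    return ranges

def audit(hosts, ranges):
    """Return (host, finding, detail) for IPs in a pool or reused by two hosts."""
    findings, seen = [], {}
    for name, ip_text in hosts.items():
        ip = ipaddress.ip_address(ip_text)
        for start, end in ranges:
            if start <= ip <= end:          # boundaries are part of the pool
                findings.append((name, "in_dynamic_range", f"{start}-{end}"))
        if ip in seen:
            findings.append((name, "duplicate_ip", seen[ip]))
        else:
            seen[ip] = name
    return findings

if __name__ == "__main__":
    for finding in audit(HOSTS, parse_ranges(CC_OUTPUT)):
        print(finding)
```
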

  • Please add your suggestion to Check the DHCP server's 'Range' when creating a Host with Static IP and vote for that.  Others that pass by here should add a comment and a vote.

    Cheers - Bob

     
  • I thought all was well after I changed my ways; I now create a pool with the "for static mappings only" option set which I then assign to when creating a host definition with a mac address entry and IP defined. However, after a few weeks, I've come across the following entry in the DHCP Server log:

    2019:09:28-09:48:24 gw2 dhcpd: uid lease 192.168.1.155 for client 34:97:f6:36:2f:27 is duplicate on REF_DefaultInternal

    2019:09:28-09:48:24 gw2 dhcpd: DHCPREQUEST for 192.168.1.109 from 34:97:f6:36:2f:27 via eth0
     
    So how is it possible that 34:97:f6:36:2f:27 was assigned 1.155 while it clearly was defined 1.109 in its host definition? What's worse, the range for the static only pool is 50-198. So not only did it have the wrong address but it was handed an address within the static only pool. As you can see by the second entry, it dropped 1.155 in lieu of 109 which corrected the issue but how did it end up with 155 in the first place? Luckily 1.155 isn't defined anywhere so it did not cause a conflict but it easily could have.
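
The mismatch described in the last post can be caught by comparing each MAC seen in the DHCP server log against its static mapping. This is an added example, not part of the post or of Sophos UTM: the first two log lines and the first mapping come from the thread, while the remaining lines and the `aa:bb:cc:dd:ee:*` clients are constructed.

```python
import re

# MAC -> IP expected from the host definition.
STATIC = {
    "34:97:f6:36:2f:27": "192.168.1.109",   # from the thread
    "aa:bb:cc:dd:ee:01": "192.168.1.120",   # constructed
}

LOG = """\
2019:09:28-09:48:24 gw2 dhcpd: uid lease 192.168.1.155 for client 34:97:f6:36:2f:27 is duplicate on REF_DefaultInternal
2019:09:28-09:48:24 gw2 dhcpd: DHCPREQUEST for 192.168.1.109 from 34:97:f6:36:2f:27 via eth0
2019:09:28-09:50:02 gw2 dhcpd: DHCPACK on 192.168.1.120 to aa:bb:cc:dd:ee:01 via eth0
2019:09:28-09:51:10 gw2 dhcpd: DHCPREQUEST for 192.168.1.60 from AA:BB:CC:DD:EE:01 via eth0
2019:09:28-09:52:00 gw2 dhcpd: DHCPREQUEST for 192.168.1.201 from aa:bb:cc:dd:ee:99 via eth0
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    ("duplicate_lease", re.compile(rf"uid lease {IP} for client {MAC} is duplicate", re.I)),
    ("request", re.compile(rf"DHCPREQUEST for {IP} from {MAC}", re.I)),
    ("ack", re.compile(rf"DHCPACK on {IP} to {MAC}", re.I)),
]

def mismatches(log, static):
    """Return (timestamp, mac, event, seen_ip, expected_ip) for mapped clients
    that appear in the log with an address other than their static mapping."""
    out = []
    for line in log.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            ip, mac = m.group(1), m.group(2).lower()
            expected = static.get(mac)      # clients without a mapping are skipped
            if expected and ip != expected:
                out.append((line.split()[0], mac, kind, ip, expected))
    return out

if __name__ == "__main__":
    for row in mismatches(LOG, STATIC):
        print(row)
```
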