version 9.353-4 on a sophos 220
we have dhcp scopes set with the tick box "Clients with static mappings only"
we have hosts defined in definitions and userss >network defintions
the dhcp is giving out the ip addresses reserved for static hosts
so 2 problems
1. the rule static mappings only is not working
2. it is ignoring the static mappings also
Yes, the Static Host will cause the device to always be assigned the same IP. However, if the IP is in the dynamic Range specified in the DHCP Server definition, there is a danger that the same IP will be assigned to another client as the Static assignments are not tracked - they are not seen as "reserved" by the server.
Cheers - Bob
But how does it make sense that the dhcp server service hands out ips that is outside of the allocated range? Until today,I've never had a host get an address from dhcp that is assigned in a host definition and it happened twice in one day.
Hi plecavalier
I agree with BAlfson here. Please read this article for Sophos UTM: DHCP Configuration and it clearly states:
On the Network Services > DHCP > Static Mappings tab you can create static mappings between client and IP address for some or all clients. For that purpose, you need a configured DHCP server and, depending on the IP version of the DHCP server, the MAC address of the client's network card (with IPv4) or the DHCP Unique Identifier (DUID) of the client (with IPv6).
Note - To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 – 192.168.0.210.
Hope this helps.
Regards
Jaydeep
Thank you for taking the time JayDeep. I appreciate it. If I could have your attention for a little longer...
If I were to create a pool and check the "for static mappings only" setting and specify each mac in each host, does that guarantee with absolute certainty each host will receive an IP that is assigned in its definition or will it receive any IP from any of the pools including the "dynamic" lease pool.
FWIW, first off, I would really like to see a warning (in red) when specifying an IP within the range given it is highly prone to cause serious issue through the whole network. In other words, don't allow it. Second, I would think logic dictates that it would be a doog idea to move to a more strandard approach of allowing "exlusions" from the pool. I understand this parameter is limited to ISC's BIND (if I'm not mistaken) but without the error preventing the config in the host definition, people cannad are easly mislead.
Hi plecavalier
If you create a DHCP Pool and check the option "for static mappings only" and also specify each mac-address for each host and select the DHCP scope in Host definition, you will get correct IP assignment for every device. Please note that it is required to select a DHCP scope in Host definition once you check the option "for static mappings only".
Coming to the second point, I understand your requirement of having an exclusion list as traditional DHCP servers have but as of now, that option is now available. You may raise a feature request for that here. Hope this helps.
Regards
Jaydeep
In fact, plecavalier has more experience with ASG/UTM than I do, so this discussion has really been beneficial.
When one clicks the [Make Static] button on the 'IPv4 Lease Table' tab, there should be a check that the IP to be used is outside the 'DHCP Range' listed. Prior to that button existing, we just used the regular Host definition process, but that's probably more difficult. Even then, a quick check to see if the assigned IP is in any DHCP range would seem to be easy. For example, I just got the following:
secure:/root # cc get_objects dhcp server|grep \'range
'range_end' => '172.16.31.110',
'range_start' => '172.16.31.101',
'range_end' => '192.168.66.254',
'range_start' => '192.168.66.100',
'range_end' => '10.100.100.63',
'range_start' => '10.100.100.40',
'range_end' => '172.16.2.199',
'range_start' => '172.16.2.100',
Cheers - Bob
Thanks again for the detailed response JayDeep. I'm assuming you meant "that option if not available".
I've had a bit of time to play with this now and 2 things come to mind...This is all based on the premise that static mappings and DHCP are best practice for a dynamic network environment.
1. When creating a host with an assigned IP, the system should check if that IP is already assigned or not. In a large scale network even though you can search and sort host definitions, it is prone to human error and therefore proper rudemantory checks by the system during creation should be performed.
1.1 one should not be able to create a host with an IP within a dynamic range
1.2 one should not be able to create a host with an IP matching an existing static mapping
Please add your suggestion to Check the DHCP server's 'Range' when creating a Host with Static IP and vote for that. Others that pass by here should add a comment and a vote.
Cheers - Bob
Done. I also created Perform checks when creating host definitions
I thought all was well after I changed my ways; I know create pool with the "for static mappings only" option set which I then assign to when creating a host definition with a mac address entry and IP defined. However, After a few weeks, I've come across the following entry in the DHCP Server log:
2019:09:28-09:48:24 gw2 dhcpd: uid lease 192.168.1.155 for client 34:97:f6:36:2f:27 is duplicate on REF_DefaultInternal
