Today, I will discuss how to assign a fixed IP + MAC ADDRESS within the DHCP (Dynamic Host Configuration Protocol) range on pfSense. This goes beyond the basic function of distributing IPs on the network, offering a more secure and administratively controlled approach. I will demonstrate how to “bind” a MAC ADDRESS to an IP and prevent IP assignment to unregistered MAC ADDRESSES.
First, navigate to the DHCP configuration page (Services > DHCP Server). On the “LAN” tab, in the “General Options” section, check “Enable” to activate the DHCP service. Then enable the “Deny unknown clients” option; this is the key step. From now on, the DHCP service treats any host that is not registered as an “unknown” host and will not assign it an IP.

Next, modify the range in the “General Options” section. Here, you can choose any IP and set it as both the start and the end of the range. This leaves the remaining IPs available for fixing them with MAC ADDRESSES. It’s crucial to configure this, because if you leave the range open (e.g., 192.168.56.1 to 192.168.56.100), you will not be able to fix any IP + MAC within that interval.
Note: I prefer fixing IPs within the LAN IP range to avoid wasting an address. Remember that the IP defined in the range becomes unavailable for regular use in the network. The essential configurations are complete; just fill in other relevant fields (DNS, GATEWAY, WINS, DOMAIN NAME, etc.) with your network’s information.
Now, let’s test if the initial configuration is functioning. So far, we’ve essentially “locked” the DHCP, preventing any host from receiving an IP unless it’s registered in the “DHCP Static Mappings” list.

In the image above, I executed the ‘dhclient’ command (similar to ipconfig /renew) to request an IP on the network. Shortly after, you can see that my HOST is broadcasting a “DISCOVER” on the network using UDP protocol on port 67 (DHCP Protocol uses UDP ports 67 and 68). A few seconds later, a message indicating that no DHCP server responded to the request with an “OFFER” is displayed – meaning DHCP is active, but since my MAC ADDRESS isn’t registered, no IP is offered.
Now, let’s examine the same dump from the moment the host requests an IP, but this time from the server side.

In the image above, we can see a series of REQUESTs from my host’s MAC, but the DHCP service ignores all of them. It’s interesting to note that the REQUESTs come from the host’s UDP port 68 to the DHCP service’s UDP port 67. Essentially, the host sends a REQUEST from its UDP port 68 to the network’s broadcast address on UDP port 67. This means you will have only one active DHCP server on the network listening on port 67, so the active DHCP service will respond to any REQUEST a host broadcasts on the network.
Returning to the DHCP configuration screen, scroll down to the “DHCP Static Mappings for this Interface” option and click “ADD” to add our host to the list.

Now, complete the required information as shown below.

You should now have something similar to the image below. Your first host is registered, and the next time it requests an IP, the defined IP will be offered. Let’s see how this happens.

Using the same process as before, I will again request an IP on the network with the ‘dhclient’ command. Now, we can see that the IP 192.168.56.100 has been successfully assigned, as configured earlier.
On another occasion, I will delve into the DHCP protocol, specifically the DHCP process (DISCOVER, OFFER, REQUEST, and ACK). This process is visible in the screenshot below, a sort of “conversation” between the HOST and DHCP.

The same process occurs on the server side. Utilizing the same dump as before when the HOST requests an IP, we can now observe that DHCP responds to the request and assigns the previously reserved IP.

There you have it – your “static” DHCP configuration is ready. Now, register the rest of your network’s HOSTs. To visually observe the DHCP HOST list, navigate to the option (Status > DHCP Leases) as shown in the image below.
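The two rules from the steps above (a fixed IP must sit outside the dynamic range, and an unregistered MAC gets no offer) can be checked against a mapping list before it is entered in the GUI. This is an added example, not pfSense code or part of the original post; the function names, the MAC addresses and the single-address range 192.168.56.200 are assumptions made for the illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac):
    """Lower-case and use ':' separators so comparisons are exact."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def audit(subnet, pool_start, pool_end, mappings):
    """Return a list of problems found in (mac, ip) static mappings."""
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    problems, macs, ips = [], set(), set()
    for mac, ip in mappings:
        mac, addr = normalize_mac(mac), ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{ip}: outside {subnet}")
        if lo <= addr <= hi:
            problems.append(f"{ip}: inside the dynamic range {lo}-{hi}")
        if mac in macs:
            problems.append(f"{mac}: mapped more than once")
        if addr in ips:
            problems.append(f"{ip}: assigned to more than one MAC")
        macs.add(mac)
        ips.add(addr)
    return problems

def offer_for(mac, mappings, deny_unknown=True):
    """Address this policy would offer; None means the server stays silent."""
    table = {normalize_mac(m): ip for m, ip in mappings}
    mac = normalize_mac(mac)
    if mac in table:
        return table[mac]
    return None if deny_unknown else "dynamic"

# Constructed sample data: the MACs are made up, the IPs follow the article.
MAPPINGS = [("08:00:27:AA:BB:01", "192.168.56.100"),
            ("08-00-27-aa-bb-02", "192.168.56.101")]

if __name__ == "__main__":
    # Range collapsed to one address (assumed .200): no findings.
    print(audit("192.168.56.0/24", "192.168.56.200", "192.168.56.200", MAPPINGS))
    # Range left open (.1 to .100): the .100 mapping is flagged.
    print(audit("192.168.56.0/24", "192.168.56.1", "192.168.56.100", MAPPINGS))
    print(offer_for("08:00:27:aa:bb:99", MAPPINGS))  # unknown host
```

Running the audit on an exported mapping list before each change also catches a MAC entered twice in different notations, since both forms are normalized before comparison.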




