opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

DHCP - Allow multiple MAC addresses to be assigned the same IP address #6252

Closed schasj closed 1 year ago

schasj commented 1 year ago


I have 2 use cases for a single IP address being reserved/assigned to 2 different MAC addresses, both "belonging" to the same host/device.

1. I have a laptop with a crappy, but functioning, internal wireless interface. For better performance, I have added a USB wireless interface. The USB interface is preferred but may not always be inserted, so the internal interface has to function in its absence. I have a script that runs on the laptop every few minutes and shuts down the internal interface if the USB interface is present.

2. A few of my home automation devices can connect to either an AP or an extender associated with it. The extender alters the device's MAC address by replacing the first 3 bytes, thus creating the need for 2 MAC addresses to be assigned the desired IP address.

Describe the solution you like

1. I want both interfaces to have the same IP as only one of them will be up at a time and having 2 IP addresses unnecessarily complicates other parts of my network operations.

2. I want the end device to have the same IP address whether it connects directly to the AP or to its associated extender.

Describe alternatives you considered

1. For the time being, I have statically assigned the same IP to both interfaces but that negates a big advantage of using DHCP in the first place.

2. I have no suitable alternative because some of the devices are very difficult to physically get to so static assignments are highly undesirable. The devices are now connecting to only the AP, possibly missing out on a better connection through the extender.

Additional context

I sought a solution via the forum, https://forum.opnsense.org/index.php?action=post;topic=31906.0;last_msg=154253

In that topic you'll see that I found that ISC DHCPD can be configured (https://serverfault.com/questions/578796/how-can-i-set-one-hostname-and-ip-for-multiple-macs-in-dhcpd-isc-dhcpd-4-1-1-p1) to behave as I desire but that the OPNsense GUI has no accommodation for it.

I did not try manually adding the entries cited in the above linked article because it seems very likely that it would have undesirable, potentially disastrous, effects.

Prior to switching to OPNsense a few months ago I was using iptables on a Linux box for my firewall and I also had dnsmasq on the same box for all of my DHCP needs. Assigning a single IP address to multiple MAC addresses worked flawlessly there. I briefly tried using the dnsmasq service in OPNsense but found that, for reasons I don't recall at the moment, I was unable to accomplish my goal so I went back to using ISC DHCP.

I have considered attempting a pull request to add the desired capability. I, for the near term anyway, have decided against the effort because a) my web programming skills are nearly non-existent, b) I'm quite new to both OPNsense and BSD, c) I'm struggling to get a simple app in C, a language I have a good deal of familiarity with, working with the sysctl API.

wolfspyre commented 1 year ago

This would be a welcome addition. I often have lamented the lack of this functionality in OPNsense!

alexdelprete commented 1 year ago

I'd love this feature, I have several devices with wifi+eth interfaces (only 1 active at the same time) and would love to be able to configure OPNsense DHCP server to assign the same IP to multiple MACs. It's something I used for years with dnsmasq, and it would be good to replicate that config via OPNsense UI.

AdSchellevis commented 1 year ago

Removing the unique constraint on IP address shouldn't be very difficult, I expect you only need to remove this line https://github.com/opnsense/core/blob/1ca149fdcc2e0cb0722fa203bdba42133cea0123/src/www/services_dhcp_edit.php#L151

The question is what the side effects are; it helps if more people test. Often these simple changes cause a lot of noise for others later on, which is why we should be careful and try to exclude unwanted behavior.

schasj commented 1 year ago

Thank you, @AdSchellevis! I actually commented out the whole if statement because I want/need the whole entry duplicated but, so far, it's working as desired. Your caution is well taken and I'll post back here if I run into any problems.

alexdelprete commented 1 year ago

I actually commented out the whole if statement

I don't know if that's the correct approach: we want to add additional MACs to the same IP, but we don't want same MACs/CIDs to different IPs.

What happens when you comment out only the IP check? Doesn't it allow you to add another MAC bind to the same IP? That is what we're looking for, right?

schasj commented 1 year ago

I don't know if that's the correct approach

I'm pretty sure it isn't but it got me where I want to go and it's only in my local installation so I see no harm.

What happens when you comment out only the IP check?

I get the error message from that if statement and I can't save the new entry.

An even better outcome, IMO, would be if I could add a 2nd MAC to the SAME entry thus creating a list of MACs. I just tried changing the original entry to 54:13:79:b6:e9:7a,9c:ef:d5:fb:be:7d as this is how it's done in dnsmasq.conf on my old (and decommissioned) Linux firewall box but the page won't accept it and I get the error "A valid MAC address must be specified." This is what I currently have:


alexdelprete commented 1 year ago

Yes, I agree, the mac input field should allow adding more MACs, comma separated...that would be the ideal solution.

Problem seems to be that ISC DHCP wants two separate records, instead of one with multiple MACs.

I'll wait for a proper solution...

fichtner commented 1 year ago

It wouldn’t be too hard to implement this, but having isc-dhcp EoL’ed with no real replacement option (only full rewrites so far) I’m questioning adding complexity here. E.g. a DHCP section for Dnsmasq was being discussed before. But still in early research phase.

alexdelprete commented 1 year ago

Dnsmasq replacing ISC DHCP would be awesome: it's very reliable, lightweight and widely used piece of software. And it's also an excellent DNS proxy.

Hope it will become the default DHCP+DNS service for OPNsense. :)

fichtner commented 1 year ago

It used to be main DNS, but full resolver makes more sense as a default so that will remain Unbound territory.

alexdelprete commented 1 year ago

Didn't know it was the default. Well, for DNS at least we have a choice...

schasj commented 1 year ago

Dnsmasq replacing ISC DHCP would be awesome: it's very reliable, lightweight and widely used piece of software.

I'd like this too. At one point I tried using the built-in dnsmasq service in place of isc-dhcp precisely because of the multiple MAC issue, but I couldn't get it to accept the lines with multiple MACs that I had in my Linux dnsmasq.conf, for some reason that I can't recall now, so I went back to isc-dhcp. I can certainly try this again, but now that the loooong winter is finally losing its grip I'm preferring to be away from keyboards.

full resolver makes more sense as a default so that will remain Unbound territory.

I agree with this too. I'd not used Unbound before migrating to OPNsense (used dnsmasq for DNS as well as DHCP on my Linux f/w) and now that I am I like it better this way, especially because I also have a pi-hole as my internal DNS server.

OPNsense-bot commented 1 year ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

alexdelprete commented 1 year ago

a DHCP section for Dnsmasq was being discussed before. But still in early research phase.

Franco, what was the outcome of the discussion? not planned?

relume commented 1 year ago

Hello

I am not giving a technical statement but a "wish" statement:

We are testing migrating our Sophos UTM 9.7 configuration (due to problems with virtio NIC drivers and/or vmxnet3 NIC drivers of UTM 9.7 on PROXMOX) and the availability of WireGuard on OPNsense to an OPNsense 23.7 installation. So far configuration on OPNsense was OK. Now we are "stuck" at this problem, as in our Sophos UTM 9 configuration we have many static DHCP definitions where we have assigned at least two MAC addresses to the same IP (mostly for laptops). In the Sophos UTM 9.7 WebGUI it is possible to assign as many MAC addresses to the same IP as you want.

As this is not possible in OPNsense, nor is defining an additional record with the same IP but a different MAC address (or having the possibility to override the warning in the WebGUI), it seems that we have to stop (temporarily) our aim to migrate to OPNsense at this point. That "is too bad" because the initial testing on OPNsense was very encouraging.

Many thanks and best regards,

fichtner commented 1 year ago

@relume just to be sure you are talking about this error? "This Hostname, IP, MAC address or Client identifier already exists."

Cheers, Franco

relume commented 1 year ago

@franco

Yes this is correct.

If this error message ("This Hostname, IP, MAC address or Client identifier already exists.") could be changed to an (optional) warning message with the possibility to override it by saving/applying a record entry with a different MAC address but the same IP address (ideally also with an optional same Client identifier), that would be a nice "workaround" so the WebGUI can be used and "cli work" can be avoided to enter static mappings for the same IPs.

best regards, André

fichtner commented 1 year ago

To be honest it looks like this is a bug report... Code in question: https://github.com/opnsense/core/blob/ae2b9e3e5eb735a4e7dbd112287c307757eac858/src/www/services_dhcp_edit.php#L149-L155

pfSense ticket https://redmine.pfsense.org/issues/8220 quote:

Also: This problem was introduced over 4 years ago when a contributor added the IP address check instead of removing "IP" from the input error text in https://github.com/pfsense/pfsense/commit/ce13cc5f8f661

I'll fix this now then :)
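The thread turns on a single uniqueness check in services_dhcp_edit.php: before the fix it rejected any new static mapping whose hostname, IP, MAC or client identifier already existed, which made "two MACs, one IP" impossible; after the fix the IP may repeat, while a duplicate MAC is still rejected ("This MAC address already exists."). The Python below is an added illustration of that check and of how such mappings are rendered for the two DHCP servers discussed in the thread; it is not OPNsense code and does not reproduce commit 8a216d6. The `ip_must_be_unique` flag switches between the pre-fix and post-fix semantics; the client-identifier check, the absence of a hostname check, the ISC `host` naming scheme and the sample mappings are all assumptions of this example.

```python
"""Static DHCP mapping uniqueness check plus ISC dhcpd / dnsmasq rendering.

Added example, not OPNsense's own code. Models the validation discussed in the
issue: pre-fix, an IP could appear only once; post-fix, only the MAC (and, as
assumed here, the client identifier) must be unique.
"""
import ipaddress
import re
from collections import OrderedDict
from dataclasses import dataclass

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class StaticMapping:
    mac: str
    ipaddr: str
    hostname: str = ""
    cid: str = ""  # optional DHCP client identifier


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def check_new_mapping(existing, new, ip_must_be_unique):
    """Return the list of validation errors for adding `new` to `existing`.

    ip_must_be_unique=True  -> pre-fix behaviour: a second MAC for an
                               already-mapped IP is rejected.
    ip_must_be_unique=False -> post-fix behaviour: the IP may repeat, but a
                               duplicate MAC or client identifier is rejected.
    """
    errors = []
    mac = normalize_mac(new.mac)
    if not MAC_RE.match(mac):
        errors.append("A valid MAC address must be specified.")
    try:
        ipaddress.IPv4Address(new.ipaddr)
    except ValueError:
        errors.append("A valid IPv4 address must be specified.")
    if any(normalize_mac(m.mac) == mac for m in existing):
        errors.append("This MAC address already exists.")
    if new.cid and any(m.cid == new.cid for m in existing):
        errors.append("This client identifier already exists.")  # assumed rule
    if ip_must_be_unique and any(m.ipaddr == new.ipaddr for m in existing):
        errors.append("This IP address already exists.")
    return errors


def render_isc_dhcpd(mappings):
    """One ISC dhcpd `host` declaration per MAC (the two-record approach from
    the serverfault link). Declaration names must be unique, so a numeric
    suffix is appended on collision; fixed-address and host-name may repeat."""
    used, lines = set(), []
    for m in mappings:
        base = m.hostname or "host-" + m.ipaddr.replace(".", "-")
        name, n = base, 1
        while name in used:  # assumed naming scheme for this example
            n += 1
            name = f"{base}-{n}"
        used.add(name)
        lines.append(f"host {name} {{")
        lines.append(f"  hardware ethernet {normalize_mac(m.mac)};")
        lines.append(f"  fixed-address {m.ipaddr};")
        if m.hostname:
            lines.append(f'  option host-name "{m.hostname}";')
        lines.append("}")
    return "\n".join(lines) + "\n"


def render_dnsmasq(mappings):
    """Group MACs by IP into one comma-separated dhcp-host= line each, the
    form the reporter used in dnsmasq.conf on the old Linux firewall."""
    by_ip = OrderedDict()
    for m in mappings:
        by_ip.setdefault(m.ipaddr, []).append(m)
    lines = []
    for ip, group in by_ip.items():
        fields = [normalize_mac(m.mac) for m in group] + [ip]
        names = {m.hostname for m in group if m.hostname}
        if len(names) == 1:  # only attach a hostname if the group agrees on one
            fields.append(names.pop())
        lines.append("dhcp-host=" + ",".join(fields))
    return "\n".join(lines) + "\n"


# Constructed sample data: a laptop with internal and USB Wi-Fi sharing one
# IP, plus an unrelated sensor. Locally administered MACs, documentation IPs.
SAMPLE = [
    StaticMapping("02:00:00:00:00:01", "192.0.2.10", "laptop"),
    StaticMapping("02:00:00:00:00:02", "192.0.2.10", "laptop"),
    StaticMapping("02:00:00:00:00:03", "192.0.2.20", "sensor"),
]

if __name__ == "__main__":
    print("pre-fix :", check_new_mapping(SAMPLE[:1], SAMPLE[1], True))
    print("post-fix:", check_new_mapping(SAMPLE[:1], SAMPLE[1], False))
    print(render_isc_dhcpd(SAMPLE))
    print(render_dnsmasq(SAMPLE))
```

Run it directly to see the same second mapping rejected under the old rule and accepted under the new one, followed by the two rendered configurations. The MAC check is the one that must stay: two hosts answering to one IP is the operator's deliberate choice here, but one MAC mapped to two IPs leaves the server's answer ambiguous.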

fichtner commented 1 year ago

@relume Hi André

8a216d6 should fix it then. You can try this on your install:

# opnsense-patch 8a216d6

And if there is a problem revert with the same command once again.

Cheers, Franco

relume commented 1 year ago

@fichtner hello Franco

Many thanks for this fast fix! It works perfectly. And if an existing MAC address is attempted to be entered twice/again, the appropriate error message ("This MAC address already exists.") is also correct.

Have a nice day, André

fichtner commented 1 year ago

@relume splendid, thanks for testing!

schasj commented 1 year ago

Maybe update the tooltip text to indicate how to enter multiple MACs? I assume it's comma-separated as previously discussed.


fichtner commented 1 year ago

It’s very simple: just add another static lease.

Cheers, Franco

alexdelprete commented 1 year ago

It’s very simple: just add another static lease.

Cheers, Franco

So instead of multiple macs for the same IP we can add multiple static leases with same IP but different macs, correct?

Is this available in latest release?

Thanks Franco.

fichtner commented 1 year ago

@alexdelprete yes. It's in both 23.7.1 and 23.4.2 (if someone is looking for this on the business edition)

alexdelprete commented 1 year ago

@fichtner thanks a lot. Are you still considering dnsmasq as a replacement to ISC DHCP?

fichtner commented 1 year ago

We will likely replace dhcrelay with maintained alternatives for 24.1. Replacing DHCP itself comes later. Still not entirely sure what to do.

alexdelprete commented 1 year ago

We will likely replace dhcrelay with maintained alternatives for 24.1. Replacing DHCP itself comes later. Still not entirely sure what to do.

So you're not convinced about dnsmasq yet. What's not convincing, if I might ask?

fichtner commented 1 year ago

Lack of features already in production use, first and foremost HA. Also dhcrelay is a lot less code than dhcpd to handle.