
no possibility to add two static dhcp leases to one client - what's the workaround

Hi,

I set up several networks on my Sophos XG. I set up dhcp servers for each network. I furthermore use firewall rules with "match known users" activated. So network access is only possible for authenticated users with static dhcp leases. That's more or less a simple mac filter. 

Because you can only add one static dhcp lease for each device (god knows why this is still impossible with XG), I can only access one network with one client. However, I have a client which needs to connect to at least two of my networks. The only option I see at the moment is to disable "match known users" in one or more firewall rules for these networks. But this isn't satisfying.

If it is not possible to have two static dhcp leases for one device (mac address), how is it possible to have one device connect to several networks without disabling "match known users"? Is there any workaround?


Best

Peter 



  • Hi,

    Disabling match known users is not the issue; the issue is that you can't have the same name in 2 DHCP servers on the XG. You can use the same MAC address, just not the same name.

    An unsatisfactory answer would be to use a separate server as your DHCP server until XG catches up to the real world.

    Ian

  • Hi,

    I was under the impression that you cannot add two static DHCP leases with the same mac address. If that's not the case but the username is the issue, that would be a workaround for me.

    So I could add two static leases for the same mac address with different usernames. One username per network.

    This probably doesn't work for users with the authentication client but should work for clientless users!?

    Best

    Peter

  • Hi Peter,

    I tried on my home system which has 1 VLAN as well as normal LAN and was able to add the same MAC but with different userid in the Static mappings.

    Ian

  • I tested it and it does work. Thx.


    It's just the error message you get if the device name already exists, which is a little misleading:

    "DHCP Configuration with the same hostname/MAC address/DUID address already exists, choose a different hostname/MAC address/DUID address"


    Best

  • I need to correct myself.


    It did work for a couple of hours, but now I don't have internet access any more when connected to the second network.

    The device gets the correct IP address within the range of the second network. This IP address is bound to a clientless user.

    Using a fixed IP address outside of the range of the dhcp does however work.


    The log viewer shows these messages:


  • Hi Peter,

    I am not quite sure I understand your answer. In the XG you can only assign static IP addresses outside of the DHCP range.

    Most of my devices with static IPs are clientless.

    Ian

  • The device pixel 2 xl is supposed to connect to 192.168.99.0 and 192.168.100.0.

    On 99.0 it gets the IP 99.100 via static lease with username pixel2xl.

    On 100.0 it gets the IP 100.103 via static lease with username pixel2xl_v100.

    I also added two clientless users as authentication. For 99.100 pixel2xl and for 100.103 pixel2xl_v100.

    On 99.0 network I do have access.

    On 100.0 WiFi is connected but without internet access. The log file is attached to my last post.

    Both IP addresses are outside of the DHCP range, which starts at 99.110 and 100.110.


    EDIT: After a lot of testing of different scenarios, it seems to me like this could be a limitation of XG. Maybe if you add one device to two different networks, one can get an address via dhcp (static lease) and the second address needs to be a static one outside the dhcp range and set up in the device. I don't see any other explanation yet.
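Ian's fallback of running a separate DHCP server is the one part of this thread that can be shown concretely. The following dhcpd.conf fragment is an added example for ISC dhcpd and is not part of the thread or of any Sophos XG configuration: it reserves one fixed address per subnet for a single MAC under a single host name, using the two networks and the .110 pool start that Peter describes. The gateway addresses and the MAC are constructed placeholders, and it assumes the XG's own DHCP servers for these two networks are turned off and the request reaches dhcpd on each subnet (directly or via relay). It covers only the lease side; it does not change how "match known users" or the clientless user binding on the XG behaves, which is the part Peter found still failing.

```conf
# Added example (not from the thread, not Sophos XG syntax): ISC dhcpd on a
# separate DHCP server. All addresses, names and the MAC are constructed.

# One subnet declaration per network. The dynamic pool starts at .110, as in
# the thread, so the reserved .100/.103 addresses sit outside the pool.
subnet 192.168.99.0 netmask 255.255.255.0 {
  option routers 192.168.99.1;          # assumed gateway (XG interface)
  range 192.168.99.110 192.168.99.200;
}

subnet 192.168.100.0 netmask 255.255.255.0 {
  option routers 192.168.100.1;         # assumed gateway (XG interface)
  range 192.168.100.110 192.168.100.200;
}

# A single host declaration may list several fixed addresses. dhcpd answers
# with the one that belongs to the subnet the request arrived on, so the same
# MAC receives 99.100 on the first network and 100.103 on the second, without
# needing two differently named reservations as on the XG.
host pixel2xl {
  hardware ethernet 00:11:22:33:44:55;   # constructed MAC, not the real device
  fixed-address 192.168.99.100, 192.168.100.103;
}
```

Per dhcpd.conf(5), if none of the listed fixed addresses is valid for the network the request came from, the host declaration simply does not match and the client falls back to the dynamic pool, so a device plugged into a third network would still get a pool address rather than no lease at all. Because the reservation is keyed on the MAC address, it remains the same kind of control the original post describes as "more or less a simple mac filter"; the separate server only removes the one-name-per-MAC restriction.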