DHCP Lease Times for Static IP Addresses

Hello Everyone.

I have recently reworked my entire network and as I have worked out the last few bugs, I have run into something that I am not able to figure out.  I generally assign static IP addresses to everything that is 'permanent' to my network.  Maybe unnecessary, but I have an OCD thing and I have to be able to recognize everything on my network easily and know where it is (by address).

In my old setup with UTM9, I never had any issues but now I am running XG and my network hardware is different.  The issue I am having is with my IoT segment.  I have a bunch of smart light switches that I have put on their own VLAN for performance and security reasons and once the DHCP lease is up, the devices will disconnect from the network and are not able to reconnect on their own.  If I power cycle them, they do not have any trouble connecting.

Previously, I had a Netgear router in AP mode handling this traffic and with the UTM 9 it never had an issue.  I have replaced the Netgear router with a couple of Netgear business AP's in a mesh and of course replaced the UTM 9 with XG.

For testing purposes, I set the DHCP lease to expire every 10 minutes and then I power cycle every device.  I can see the XG provide a new lease to each device as soon as it reconnects to the network, and once the lease expires, I can see a new lease but the device is disconnected.  When I go to the logs in the AP's, I can see the device disconnect and the next message indicates that the client is unable to obtain an IP address.  It shows as connected to the AP, but no network.

I guess my question is - can I set the lease for static addresses to never expire?  If not, does anyone have any idea what would prevent the device from reconnecting when the lease expires?  I have made every configuration change possible on the AP's like turning on/off all the different radio frequencies, changing channels, changing the authentication method (WPA2, WPA3, etc) and have had no luck.

Any advice is greatly appreciated.  I can add all the network particulars and firewall setup if y'all think it would help.

TIA,

Don F.



  • Also, how is your DHCP set up for that segment? Do you have a Use Interface IP as Gateway checked? Is your subnet mask set properly?

    I'm thinking that somehow the XG is answering the initial broadcast in such a way that the device is attempting to renew at the wrong address. The XG has an ACL, I now see, but DHCP is not one of the checkboxes that allow you to allow or disallow access. But it could be a DHCP server setting for that segment that's slightly wrong but that basically works for more sophisticated clients.

    (You don't happen to be using v19? There are a lot more rabbit holes to go down with v19's additional potential flags.)

  • The term ACL is general for restrictions based on a list, and it occurs in many contexts. There are Windows network ACLs and a host of other kinds of things. The only ACL that I know of on Sophos is the matrix of checkboxes they have (which it labels ACL) which basically says what system services can be accessed from what zones. So you can have your administrative web interface on your internal network, but not on the WAN, and similarly with DNS, etc. But DHCP isn't one of the options in that page.

    So my guess is that they're using a global ACL and that page only shows some of the options. And that as you configure a DHCP server -- which you do for each segment, not just once for the whole box -- the XG says, "Hmmm... they want a DHCP server running on this IP address so I'll add some ports used by DHCP to the ACL." Which is why I ask, in another answer, below, how you set up your DHCP server that serves that segment. It could just be a corruption whereby DHCP needs to be taken down and back up on that segment. (Or even the firewall rebooted.) Or it could be that your device still has some memory of the old IP addresses and it takes a while to flush it or you have to do a hard reset on the light to get it back to factory.

    Good luck! (And don't forget to set your DHCP lease time back to something reasonable when you're done.)

  • Alright, I was afraid that it would come to questions about this.  Yes, I have the 'use interface as gateway' checked.  This was my first stab at VLANS and it took me about a week to acquire enough understanding to actually get it working.  The AP is physically connected to a managed (well semi-managed) switch.  The AP has 3 VLANs and the default VLAN.  The switch is set up with the same VLANs so that all the traffic coming from the AP's, through the switch and on to the firewall is tagged.  This particular VLAN has its own DHCP as well as the physical port that it is layered on.

    On the hardware, I have 5 ports.  Port 5 is my WAN.  Port 2 is my IoT and the physical port has a DHCP range of 10.10.20.1 - 254.  The VLAN for my IoT has a DHCP range of 10.30.20.1 - 254.

    The AP's are physically wired to the managed switch.  Both AP's and the switch are on the 10.10.10.x segment and have a trunk to Port 1.  That same trunk has the WLAN VLAN and the physical LAN (10.40.10.1 and 10.10.10.1 respectively).

    I've been concerned that there was something going on with all this VLAN business that was not right.  It really took me several days to get it all to work correctly.  What I'll say is that everything receives IP addresses like they should and the network is segmented as I expected it to be.

    I am not on version 19.  My version is SFVH (SFOS 18.5.3 MR-3-Build408).

    I will dig around in the ACL stuff to see what I can see.

  • And you have Sophos DHCP service set up for each VLAN, separately, right?

    I do something similar: I have a Sophos AP and it has three SSIDs: my high-trust one is bridged together with two ports to create my LAN. The other two are on VLANs. In addition, I have another port that is dedicated to VOIP. So I have four DHCP servers configured -- and the VLAN ones use the VLAN as the interface. And I do have Use Interface IP As Gateway checked (but Accept Client Request via Relay is NOT checked).

    The subnet mask is appropriately set. Pretty much probably what you have. And I, too, use static assignments for everything that's supposed to be on the subnet. The only time the dynamic range should be used is either on the Guest network or for a new device, to make it easier for me to get its MAC and give it a static address.

    I'm using v19 and there is a section at the bottom that lets you set a boatload of potential DHCP flags. Most of them are to tell the DHCP clients about old-school services that no one uses anymore. There are settings to tell them the NTP clock offset, or things about DHCP renewals and leases that might be helpful to you. Don't move to v19 until you're ready of course. (I was running the EAPs and I like the improvements.)

    The only thing explicitly labeled ACL that I can see is in Administration > Device Access, but as I mentioned it does not have DHCP as one of its checkboxes, so I think there's a broader ACL of which Device Access exposes most of them. And the only thing I have turned on for all the VLANS is DNS, but your problem isn't DNS. Dynamic Routing is off for every zone.

    I really think it boils down to either: a) there's something slightly misconfigured such that your device thinks the reply to its initial broadcast is coming from a port that's not actually running a DHCP server and so connectivity is refused by the "ACL" which has a Deny unless a DHCP server is running there, or b) there's some other setting somewhere such that your device is being rejected from contacting the DHCP server via a unicast (as opposed to broadcast) packet. Good luck!

    (Again, there's the slight chance that your devices are remembering something from the previous DHCP server and you need to hard recycle them to factory settings or something so they learn what they need to learn about the new DHCP setup.)

  • Yes, each physical port has a DHCP of its own as well as each VLAN for a total of 7 DHCP servers.  I originally had 5 SSID's, but I have reduced it to 3.  I consolidated my cameras and IoT into one and eliminated the one I had set up for work stuff since the Meraki handles all that now.

    We are kindred spirits on the static/dynamic thing.  Dynamic is only for new stuff in order to easily get the MAC address.

    I can also see a whole bunch of DHCP options but I do not know what any of that stuff is for.  Maybe for another time in my life......

    My device access is likely set the same as yours except that I have not created any zones specifically for my VLANs yet.  I want to so that I can more tightly control what those devices can do, but I have to get everything working right before I go trying to break it.  I am using LAN, WAN, DMZ (for the work Meraki), and VPN zones.  All the VLANs currently run on the LAN zone until I get it all working properly.  Then I'll move the VLANs to their own zone and start monkeying with tighter controls.

    I think your assessment is correct here.  I finally got the device that I was packet capturing to drop off the network - it took like 5 hours which was very odd.  There was nothing interesting in the packet capture, it just stopped picking up packets to capture and that was it.  I ended up with 179 pages of packets which I think is way too much, but it is probably the device talking to the cloud to provide status, the cloud saying 'ok, got it' and then the violation message.  I got one of those every time the lease expired, but the device stayed connected for a very long time.  There was also a recurring message from the device to DHCP and back where the packet type was ARP - NDP request.  The first message is always from the device to DHCP and the status is Consumed.  The return message status is always Generated.  Not real sure what any of that means, but I thought it was noteworthy.

    I am working on setting the old AP up to test it and I am setting up virgin devices - one on the new AP and one on the old AP just for fun.

    Fingers crossed.

    By the way, thanks a ton for your input.  Not many folks left who like to fool with amateurs on this kind of stuff and you have certainly got me farther than I likely would have on my own. 

  • Don,

    I have the same issue with my NEW Netgear WAX206. I also have them set up in AP mode and I also have an issue with renewing my leases. My logs show the same issue with ports 67 and 68.

    I was using an Asus Router with Merlin Firmware as an access point and recently changed to the Netgear. With the Asus, I had no issues. I think it has something to do with the Netgear firmware, but I have no idea how to pinpoint it.

    I also had some AP 740x and AP 100C and never had issues with them.  

    I am NOT using VLANs

  • It isn't good to hear that you are experiencing the same thing, but I'm glad that I'm not alone.  I have 2 WAX620s that do this and a WAC510 that does not.  I moved everything to an old Nighthawk R8000 and it also does not have this issue.  Netgear support assures me that they are working on it, but I'll believe it when I see it.  Do you have a support ticket open with them?

    In the meantime, it would be great to figure out a way to not have the leases renew.  I'm no network expert, but it seems silly to me that a static address needs to renew its lease.

    I'm still fiddling with the XG to see if there is a way around that, but I am not confident.  Let me know if you come up with anything and I'll do the same.

  • If you set the devices to an IP address outside the DHCP range and give them static addressing, then you don't need to worry about the DHCP timing.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • That's exactly what I have done and the lease still expires. DHCP starts at 100 and all these devices are in the 20 - 50 range with static addresses.

    I thought that the lease was permanent when it was static, but it appears to expire.  Is there some setting that I am missing that is causing it to expire?

  • The lease will only expire from the device you are assigning the address to; it sounds like the device does not accept the manual static configuration.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
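The two hypotheses raised in this thread, that renewals are failing on the unicast path while the initial broadcast works, and that a "static" address handed out by the DHCP server is still a lease that expires, can be seen side by side in a small model of the RFC 2131 client lease timers. The following is an added example, not code from this thread or from Sophos; the MAC addresses, IP addresses, the 10-minute lease and the network-failure model are all constructed. It contrasts a DHCP reservation (a MAC-to-IP mapping in the server, which still renews at T1 and rebinds at T2) with an address configured on the device itself, which never touches DHCP at all.

```python
"""Toy model of the DHCP lease lifecycle (RFC 2131 timers) showing why an address
handed out as a DHCP reservation still has a lease that must be renewed, while an
address configured on the device itself never touches DHCP.
Constructed example: MAC addresses, IPs and the network-failure model are made up."""
from dataclasses import dataclass, field
from typing import Optional

LEASE = 600                      # seconds; the 10-minute test lease used in the thread
T1_FRAC, T2_FRAC = 0.5, 0.875    # RFC 2131 defaults: renew at 50%, rebind at 87.5%


@dataclass
class Server:
    reservations: dict                           # mac -> ip, the server's static mappings
    pool: list                                   # dynamic range handed out in order
    leases: dict = field(default_factory=dict)   # ip -> (mac, expiry)

    def offer(self, mac, now):
        """DISCOVER/REQUEST from INIT: reservation first, else next free pool address."""
        ip = self.reservations.get(mac) or (self.pool.pop(0) if self.pool else None)
        if ip is not None:
            self.leases[ip] = (mac, now + LEASE)
        return ip

    def renew(self, mac, ip, now):
        """RENEWING/REBINDING: ACK only if this MAC legitimately holds the address."""
        holder = self.leases.get(ip, (None, 0))[0]
        if self.reservations.get(mac) == ip or holder == mac:
            self.leases[ip] = (mac, now + LEASE)
            return True
        return False


@dataclass
class Network:
    drop_unicast: bool = False          # a hop eats unicast client->server renewals only
    dead_after: Optional[float] = None  # from this time on every client DHCP packet is lost

    def passes(self, now, unicast):
        if self.dead_after is not None and now >= self.dead_after:
            return False
        return not (unicast and self.drop_unicast)


@dataclass
class Client:
    mac: str
    static_ip: Optional[str] = None   # address configured on the device: no DHCP at all
    ip: Optional[str] = None
    t1: float = 0.0
    t2: float = 0.0
    expiry: float = 0.0
    events: list = field(default_factory=list)

    def _bind(self, ip, now, label):
        self.ip, self.expiry = ip, now + LEASE
        self.t1, self.t2 = now + T1_FRAC * LEASE, now + T2_FRAC * LEASE
        self.events.append((now, label, ip))

    def tick(self, now, server, net):
        if self.static_ip:                 # true static: lease timers never exist
            self.ip = self.static_ip
            return
        if self.ip is None:                # INIT: broadcast DISCOVER/REQUEST
            if net.passes(now, unicast=False):
                ip = server.offer(self.mac, now)
                if ip:
                    self._bind(ip, now, "bound")
        elif now >= self.expiry:           # lease ran out: the address must be dropped
            self.events.append((now, "expired", self.ip))
            self.ip = None
        elif now >= self.t2:               # REBINDING: broadcast to any server
            if net.passes(now, unicast=False) and server.renew(self.mac, self.ip, now):
                self._bind(self.ip, now, "rebound")
        elif now >= self.t1:               # RENEWING: unicast to the leasing server
            if net.passes(now, unicast=True) and server.renew(self.mac, self.ip, now):
                self._bind(self.ip, now, "renewed")


def simulate(client, net, duration=3 * LEASE, step=10):
    """Run one client against a fresh server; returns (final ip, event labels)."""
    srv = Server(reservations={"aa:bb:cc:00:00:01": "10.30.20.25"},
                 pool=[f"10.30.20.{i}" for i in range(100, 105)])
    for now in range(0, duration + 1, step):
        client.tick(now, srv, net)
    return client.ip, [label for _, label, _ in client.events]


if __name__ == "__main__":
    print("reservation, healthy:", simulate(Client("aa:bb:cc:00:00:01"), Network()))
    print("reservation, unicast dropped:",
          simulate(Client("aa:bb:cc:00:00:01"), Network(drop_unicast=True)))
    print("reservation, DHCP path dies at 700s:",
          simulate(Client("aa:bb:cc:00:00:01"), Network(dead_after=700)))
    print("device-side static:",
          simulate(Client("aa:bb:cc:00:00:02", static_ip="10.30.20.26"), Network(dead_after=0)))
```

The four runs line up with the thread: a reservation on a healthy path renews at T1 forever; if only unicast renewals are lost the client falls back to broadcast at T2 and keeps its address; if every DHCP packet is lost after the initial exchange the client drops the address at expiry and cannot recover until the path (or the device) is reset; and a device-side static address is untouched by any of this, which is the distinction Ian's last two replies are drawing.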
