DHCP management in IPFire is a bit confusing due to the fact that part of it is under the Network menu (where it is documented somewhat) and part of it is under the Firewall menu (where the link to the page “Blue Access” can only be found, currently, by searching for it!). Further adding to this confusion is the fact that one must first “enable” the client in the Firewall->Blue Access page, then optionally add it to the fixed leases on the Network->DHCP Server page.
Would it make sense for fixed leases to automatically enable clients? Or, else, perhaps the two pages could be integrated somehow so all of these operations can be managed in one place. There is an enable checkbox on the fixed leases page, but after trying multiple times to get this to work, I found the only way to generate the MAC address rule in the iptables was to manually enable the client(s) from the Blue Access page.
At the very least, a wiki page update would be helpful, but I do not want to make these changes unless this is compatible with the project’s overall plans. For now, the documentation page for Blue Access really should have a link from the Firewall page. New users, especially, may not know exactly how to find it easily.
Basically the two places are distinct.
- “Blue Access” manages the ‘physical’ connection.
On a wired network this is just the allowance to connect a device to the Ethernet infrastructure. This is a more or less easy job and can be identified by the cable.
For a wireless network there must just be another mechanism; you cannot ‘see the cable’. Thus one must allow the access by means of the MAC address.
- “DHCP fixed leases” manage the association of a MAC to an IP address. This is not necessary! A device can communicate with a legal ‘static’ IP in the BLUE network, also. Whether this is a good idea is just another question.
A side effect of the fixed leases definition to the blue access definition may be helpful. But this demands a configuration where every device must be activated separately.
The actual design of IPFire isn’t that restrictive.
My installation is configured as follows:
- Access to blue is allowed for all IPs belonging to the net blue0 ( 192.168.20.0/24 ).
- All known devices have a fixed leases definition.
- For new devices there is a set of 4 dynamic IPs ( 192.168.20.160 … 192.168.20.163 ). This allows a smooth transition for new devices from unknown to accepted state without the necessity to act in the moment of appearance of the new device.
Defining the dynamic leases set as empty allows exclusive access for well-known devices.
DHCP fixed leases are necessary for configurations where wireless devices need fixed addresses. Some examples: Wireless printer that must have a known address, wireless tablet which needs a backup so must be addressable from a backup server, and there are others.
It sounds like you don’t need fixed leases, which is fine for your situation. But not everyone has the same requirements. It could be that manually fixing the addresses of all wireless devices would be another solution here. My thinking was that taking advantage of the DHCP facility available in IPFire was another way of approaching the issue. My intention was to sort of improve that existing facility.
Okay, my post was, despite its length, a bit inexact.
Surely, fixed leases are necessary in many configurations (I use them also, exclusively).
But they are not required for a working IPFire configuration, while “Blue Access” is necessary.
Thus it would be a nice enhancement for those systems using fixed leases, but the “Blue Access” config cannot be canceled. A combination of fixed leases definition and access to blue0 can enlarge complexity both in WUI usage and implementation.