  1. #1
    Untangler
    Join Date
    Aug 2011
    Posts
    80

    VPN breaks things, but I can't fix it.

    Specifically Netflix and Amazon Prime.

    So I have a VPN, which the aforementioned services cannot tolerate. UT is doing DHCP on my network, and every host has a static entry. Except some hosts don't seem to care about that and pull an entry from the DHCP pool (apple devices specifically, and I have another thread about that, but that's not the issue).

    I have a Roku, and it's smart enough to get the same address (static) every time from UT. In fact, so is every other host on my network, except the apples.

    So I have played with rules, and couldn't get anything to work right, until I specifically created the rules attached in the pictures.

    [attachment: vpnrules.jpg]

    All of the hosts I want to use the VPN are being explicitly told to do so, and everything else does not. The Roku specifically falls in the "everything else" category, but neither service will work on the Roku, erroring out with the same error message that I get when I tell UT to route the Roku through the VPN.

    Not sure what else I can try at this point, but I am still learning UT, so I'm open to suggestions. Thanks.

  2. #2
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,678


    This might be caused by something in iOS called MAC Address Randomization, where iOS uses a different MAC address from time to time as a privacy feature. This can defeat the "static" IP entries for the DHCP service in Untangle (or any other DHCP server). You'll have a very hard time getting an iOS MAC address to stay with one device for more than a few days, and therefore have a very hard time giving them a static address.

    Windows 10 laptops can do this, too, but it's off by default. Android has been able to do this since Android 5, but it was deeply flawed and mostly kept turned off. Supposedly Android P will be re-introducing the feature (but per-network, so you should see a consistent address within your network).

    The short version is, if you care about this stuff, you need to be authenticating users via 802.1x or a captive portal. Even for device types where DHCP reservations work now, there is progress being made towards breaking this in the next few life-cycle generations, meaning 3 to 5 years before it's more broken than not everywhere.

    Note: If you google this, you'll see a lot of stuff published in 2014 when Apple first introduced the feature for iOS 8, where the random MAC is only used when probing for new networks. My understanding is it now resets the MAC every time you reset the phone... but I've seen conflicting info about this and don't have a recent Apple device to check it with.

    In this case, your best option might be to offer a separate SSID for your special devices, where devices in that SSID get addresses in the same subnet, but the subnet is divided among smaller DHCP scopes. I'm not sure Untangle can do all that by itself, though. At least, probably not through the point-and-click UI.
    Last edited by jcoehoorn; 01-04-2019 at 10:02 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.1.1 to protect 500Mbits for ~400 residential college students and associated staff and faculty

  3. #3
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    Thanks.

    I'm not in any way blaming UT, because I actually have no idea what is going on, but I just came from pfsense, and never had this issue, ever.

    I've had every device in my home that "lives" there full time assigned a static IP via DHCP for going on a decade, Apple devices included. And on my Ubiquiti wifi network, all the Apple devices are showing up using the same MAC addresses that they've always had, but they are grabbing IPs from a very small pool that is reserved for clients that come and go (visitors).

    And last night the Roku did it too, but kept its MAC address the same as it's always been.

    I remain confused.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,346


    https://9to5mac.com/2014/09/26/more-...hen-it-doesnt/

    From what I can see, the "feature" only randomizes iOS MAC addresses in the case where the phone is locked and it lacks a SIM card.

    I haven't observed this behavior in Untangle, in any network I've ever supported. DNSMasq is a very well supported product, it doesn't behave this way. I have no explanation, unless there's a rogue DHCP server on the network.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    Aug 2011
    Posts
    80


    There is 100% for sure not a rogue dhcp server on the network.

    I'm handing out 192.168.0.150-165 as assignable addresses for guests. Everything else is statically assigned, in the dhcp server settings, to known MAC addresses.

    The devices in question (right now an Apple phone, an iPad, and a Roku) are getting addresses from the 150-165 range. Incidentally, they are getting different addresses, i.e., one day the iPad is .153 and the next day it's .163.

  6. #6
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,678


    Quote Originally Posted by tucansam
    Incidentally, they are getting different addresses, ie, one day the iPad is .153 and the next day its .163.
    Depending on DHCP server lease times and other options, that might be perfectly normal. If I had a device that was offline beyond the end of its lease, I'd expect it to get a completely different address next time.

    If you want consistent addresses in a dhcp scope, you need leases to last several days at least. The college where I work uses 8 days, but I've been thinking lately even that is not long enough for my situation. Systems will generally try to renew their address at the halfway point before the lease expires. A student who gets a lease just less than 4 days before leaving for Spring break, which could be a Monday morning, would have that lease expire during the middle of the break. I may need to go as high as 15 days to keep consistent addresses across Spring break or Thanksgiving break. Most people aren't worried about week long absences, but even overnight will often require a lease time over 50,000 (in seconds). I think Untangle is just 3600 (1 hour) by default.

    You might also try increasing the address range to include your static assignments, and just adding some extra "dummy" static reservation rules so any extra addresses in that part of the scope are not used.
    Last edited by jcoehoorn; 01-05-2019 at 08:33 PM.

  7. #7
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729


    dnsmasq will actually always use the same address as the previous time for a given MAC.
    Even when the lease has been expired for a long time and the MAC has not been present.
    The only time it doesn't is if it has to use that address for another MAC. The smaller your pool, obviously, the more likely that is to happen.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
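The two posts above make complementary points: dmorris says dnsmasq hands a returning MAC its old address unless that address had to be given to someone else, and jcoehoorn says a lease shorter than the device's absence makes reassignment likely. The model below is an added example written for this thread, not dnsmasq's allocator; it reproduces only the reuse rule stated above (old address first, free address otherwise, never-used addresses before recycled ones) and then runs the thread's own 192.168.0.150-165 guest pool against an iPad that leaves for a day while visitors come and go. Pool bounds, the 3600 s and 50,000 s lease lengths, the MACs and the timings are constructed.

```python
"""Model of the dnsmasq lease-reuse preference described in this thread.

Added example, not dnsmasq's own code. Rule modelled: a returning MAC gets the
address it held last time, live or expired, unless that address has since been
handed to another MAC; only then does it fall back to a free address. Pool
ranges, MACs and timings below are constructed.
"""

import ipaddress

DAY = 86400


class DhcpPool:
    def __init__(self, first_ip, last_ip, lease_time):
        first = int(ipaddress.IPv4Address(first_ip))
        last = int(ipaddress.IPv4Address(last_ip))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.lease_time = lease_time
        # ip -> (mac, expiry). Expired records are kept on purpose: they are
        # the memory that lets a returning MAC get its old address back.
        self.records = {}

    def _is_live(self, ip, now):
        rec = self.records.get(ip)
        return rec is not None and rec[1] > now

    def offer(self, mac, now):
        """Return the address offered to `mac` at time `now`, or None if the pool is full."""
        # Step 1: the address this MAC held before, whether or not the lease expired.
        for ip, (owner, _expiry) in self.records.items():
            if owner == mac:
                self.records[ip] = (mac, now + self.lease_time)
                return ip
        # Step 2: a free address. Never-used addresses first, then the one whose
        # old lease expired longest ago (which overwrites another MAC's memory).
        free = [ip for ip in self.addresses if not self._is_live(ip, now)]
        if not free:
            return None
        free.sort(key=lambda ip: self.records.get(ip, (None, -1))[1])
        ip = free[0]
        self.records[ip] = (mac, now + self.lease_time)
        return ip


def scenario(last_ip, guests, lease_time):
    """An iPad leases at t=0, `guests` visitor devices arrive an hour later ten
    seconds apart, and the iPad comes back a day later. Returns the iPad's
    first address and the address it is offered on return."""
    pool = DhcpPool("192.168.0.150", last_ip, lease_time)
    ipad = "f0:18:98:aa:bb:cc"          # constructed MAC
    first = pool.offer(ipad, now=0)
    for g in range(guests):
        pool.offer(f"02:00:00:00:00:{g:02x}", now=3700 + 10 * g)  # constructed guest MACs
    later = pool.offer(ipad, now=DAY)
    return first, later


if __name__ == "__main__":
    # 16-address pool, 1-hour lease: the 16th guest takes the iPad's expired
    # address, so the iPad comes back to a different one.
    print("small pool, 3600s lease :", scenario("192.168.0.165", 16, 3600))
    # Bigger pool: the old address is never needed, so it is reused.
    print("large pool, 3600s lease :", scenario("192.168.0.199", 16, 3600))
    # Small pool but a long lease: the iPad's lease is still live while the
    # guests arrive, so its address is never handed out (the last guest is refused).
    print("small pool, 50000s lease:", scenario("192.168.0.165", 16, 50000))
```

Real dnsmasq chooses among free addresses differently (it hashes the client's MAC to pick a starting point), so the exact address a displaced client lands on will not match the model; what carries over is the dependence on pool size and lease length: a 16-address pool with a one-hour lease and sixteen-plus visitors a day is enough to displace a device that is away overnight, and either widening the pool or lengthening the lease, as the two posts suggest, stops that.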
