 From:  Melvin <melvin at sleepydragon dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] short dhcp lease and long captive portal timeout?
 Date:  Fri, 26 Oct 2007 18:55:59 -0400
Rönnblom Janåke /Teknous wrote:
> Hi!
> Let me describe a scenario and then perhaps somebody can tell me if this is the
> expected result?
> I have a short dhcp lease time of 300 seconds and an idle timeout in the
> captive portal of 900 seconds. It is possible for a client to connect, log in
> and then turn off the computer without logging out. Now the dhcp will expire
> and a new client can get the same ip address. However this user is prohibited
> from connecting to the captive portal until the first client's captive portal session
> expires! The first client's mac address is still locked in the 20000+ firewall
> rules which blocks the second client.
> The "fix" would be to allow longer dhcpd lease times and/or shorter idle
> timeout. However I like short lease times and longer idle timeout values...
I can't imagine generating the traffic involved with a lease that will 
renew every 2.5 minutes if the network is of any size.  Yes, the 
scenario you describe is certainly possible, and the most reasonable way 
to resolve it is to make sure that the timeout is equal to or shorter than
the possible lease renewal.  Since by default DHCP clients should start
requesting renewals at half the lease life, I'd make your DHCP setting
1800 seconds (30 minutes) instead.  You may still run into the
problem anyway since some machines may release the DHCP lease on
shutdown, so if they shut the machine down they could still release the
IP in < 15 minutes.  If possible, increasing the size of the DHCP pool
would reduce the likelihood of the same IP being reissued.  That doesn't
allow you to restrict maximum clients by controlling the IP pool, however.


  Do not meddle in the affairs of wizards,
  for they are subtle and quick to anger.
                      -- Gildor Inglorion
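
The timing relationship discussed in this message, as an added example that is not part of the original post and is not m0n0wall code: a small model of how long an address can be free in DHCP while the previous client's captive portal session is still active. It assumes clients renew at half the lease life, that the idle timer starts when the client goes silent, and that the server may reissue an address as soon as its lease ends; the names `Settings`, `stale_window` and `worst_case` are made up for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Settings:
    lease: int                          # DHCP lease time, seconds
    idle_timeout: int                   # captive portal idle timeout, seconds
    releases_on_shutdown: bool = False  # client sends DHCPRELEASE at power-off


def stale_window(s: Settings, since_renewal: int) -> int:
    """Seconds during which the IP is free in DHCP while the old portal
    session still exists. since_renewal is the time between the client's
    last lease renewal and the moment it goes silent (0 .. lease/2,
    because renewal is assumed to happen at half the lease life)."""
    if not 0 <= since_renewal <= s.lease // 2:
        raise ValueError("since_renewal must be between 0 and lease/2")
    # Time from the client going silent until its lease ends.
    lease_left = 0 if s.releases_on_shutdown else s.lease - since_renewal
    # The portal session ends idle_timeout seconds after the last traffic.
    return max(0, s.idle_timeout - lease_left)


def worst_case(s: Settings) -> int:
    """Largest stale window over every possible shutdown moment."""
    return max(stale_window(s, t) for t in range(s.lease // 2 + 1))


if __name__ == "__main__":
    cases = [
        ("lease 300, idle 900 (original setup)", Settings(300, 900)),
        ("lease 1800, idle 900 (suggested)", Settings(1800, 900)),
        ("lease 1800, idle 900, release on shutdown", Settings(1800, 900, True)),
    ]
    for label, s in cases:
        print(f"{label}: worst-case stale window {worst_case(s)} s")
```
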