DHCP offers getting relayed between interfaces in default NAT configuration?
-
I'm a pfSense newb, so I apologize in advance for any silly mistakes. I am running pfSense 2.3.1 on a small two-interface PC to test out its behavior. The WAN interface is connected to my existing home network (192.168.88.0/24) which has its own DHCP server. The LAN interface is configured as a NAT network 192.168.1.0/24, the pfSense DHCP server is running to hand out IP addresses in the 192.168.1.100-150 range.
Here's the unexpected part. When I boot up a server connected on the LAN network, the server receives TWO DHCP offer responses from both 192.168.1 and 192.168.88 DHCP servers! That means pfSense is not only forwarding the DHCP request out the WAN interface, it is also forwarding the offer response back from the WAN interface to the LAN, which I was not expecting at all. Normally I would only expect to see behavior like that when the two interfaces (LAN and WAN) are bridged together, or else some kind of DHCP relay is running between the subnets. But I double-checked that pfSense DHCP relay is disabled (it apparently can't be enabled when the DHCP server is running, which is good) so at least that isn't the problem.
The only thing I can think of is that somehow the raw firewall rules are somehow passing broadcast traffic through the two interfaces for some reason? That doesn't make sense to me; I would not have expected that behavior for a simple NAT configuration with nearly all default settings. I haven't touched the default firewall rules.
I was hoping someone might know something off the top of their head that I've set up wrong. Obviously if DHCP traffic is making it through the NAT, it currently isn't behaving much like a firewall and I wonder what other traffic is also crossing between the two networks. Thanks for any pointers!
-
"TWO DHCP offer responses from both 192.168.1 and 192.168.88 DHCP servers! That means pfSense is not only forwarding the DHCP request out the WAN interface"
No what it means is you have a loop.. Pfsense will not let you run relay on interface if the dhcp server is running on that interface, so its not possible that your doing a relay and running dhcp.
So how do you have these devices connected via a wire? Do you have them going into a common switch that might not have vlans setup correctly. Any sort of wifi involved?
-
No what it means is you have a loop.. Pfsense will not let you run relay on interface if the dhcp server is running on that interface, so its not possible that your doing a relay and running dhcp.
I agree, I observed that these settings were mutually exclusive.
So how do you have these devices connected via a wire? Do you have them going into a common switch that might not have vlans setup correctly. Any sort of wifi involved?
Ugh, you nailed it. I didn't realize that my father had moved a Sonos zone player device into my test room (office), and that device has a proprietary wireless connection to other zone players in the house… and of course, I have another one in another room on the home network. That was causing a loop!
Thanks for the pointer!
-
ROFL, Sonos strikes back again. These things should be shipped with giant warning labels "Proudly causing network loops. Since 2002".
