Block DHCP through WAN Interface
-
@BDMcGrew said in Block DHCP through WAN Interface:
Seems like the DHCP from pfS is passing back out the WAN interface and affecting the rest of my network.
This can only happen if the LAN is bridged to the WAN. Is this the case at all?
DHCP traffic would otherwise stay within a subnet.
-
Not sure. Would you tell me where to look? While I do use a lot of pfS, I'm no expert; I use a very limited subset of features. So I'll say, possible?
-
@BDMcGrew Check the DHCP server settings. It is enabled per interface.
What @viragomann means is, your VM networks are presumably not separated/isolated, via separate wires or VLANs. DHCP works via broadcast.
-
@BDMcGrew if you're seeing DHCP like that, you do not have isolation at layer 2 as you should. And your config with static IPs was flawed from the get go. And firewall rules wouldn't do any good. Unless you had specifically set up a bridge in pfSense, which you would clearly know you did, and should understand that DHCP would/could pass through the bridge.
-
Ok, got it!
Yes, the VLANs outside these virtual networks are not isolated from them either physically or logically. The external VLANs can (and should) be able to reach into the virtual network. However, I use pfS to prevent the virtual networks from reaching back out into the physical VLANs.
The firewall rule I have in place to prevent the virtual from getting out to the physical does work and has been tested to be fine, save for the few ports it needs to reach. However, it still passes DHCP from the internal pfS LAN out through the WAN interface to the external VLANs and the firewall rule doesn't seem to stop it. I would have thought that a generic block-all policy with only 3 exceptions for DNS and RDP would prevent that?
I do not have DHCP running on the WAN interface, only on the LAN interface.
Thanks!
-
@BDMcGrew DHCP doesn’t pass through a router. Your networks are connected. Try disconnecting them and connect one at a time.
-
@BDMcGrew Do you not understand the difference between layer 2 and 3?
DHCP does not pass layer 2 boundaries... If you see DHCP on your WAN from your LAN network, or from your WAN network to your LAN network, then those networks are not isolated at layer 2. As mentioned, DHCP would not pass through a layer 3 router/firewall. So either you set up a specific bridge on pfSense between WAN and LAN, or your WAN and LAN are not on different layer 2 networks.
If you're not isolated at layer 2 between your WAN and LAN, there is nothing in pfSense you could do to prevent these networks from seeing each other's broadcast and multicast traffic, i.e. DHCP.
-
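The layer 2 versus layer 3 point above can be checked against the packets themselves. The following is an added example, not code from the thread or from pfSense: it builds two constructed sample frames, a client's DHCPDISCOVER as it leaves the NIC (destination MAC ff:ff:ff:ff:ff:ff, destination IP 255.255.255.255), and the same request after a hypothetical DHCP relay agent at 192.168.1.1 has forwarded it to a server at 10.0.0.5 (unicast, giaddr set, hops incremented). A parser then classifies each frame. The first form can only arrive on an interface that shares the client's broadcast domain, because routers do not forward the limited broadcast address; the second form is what DHCP legitimately looks like when it crosses a router. All MAC and IP addresses are made up for the sample.

```python
"""Classify a captured DHCP frame: layer-2 client broadcast (segments share a
broadcast domain) or relayed unicast (the only way a DISCOVER legitimately
crosses a layer-3 router). Added example with constructed sample frames."""
import struct
from ipaddress import IPv4Address

BROADCAST_MAC = b"\xff" * 6
LIMITED_BROADCAST = "255.255.255.255"
DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 magic cookie
DHCPDISCOVER = 1                       # option 53 message type value


def build_dhcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                     hops, giaddr, chaddr, msg_type=DHCPDISCOVER):
    """Assemble Ethernet/IPv4/UDP/BOOTP bytes for a constructed test packet.
    IP and UDP checksums are left zero: fine for parsing, not for sending."""
    options = DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops, 0x3903F326, 0, 0x8000,          # BOOTREQUEST, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,                # ciaddr, yiaddr, siaddr
        IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128) + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp
    return dst_mac + src_mac + b"\x08\x00" + ip


def parse_dhcp(frame):
    """Return the addressing facts that matter, or None if not IPv4/UDP DHCP."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[23] != 17:       # IPv4 carrying UDP
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_ip = str(IPv4Address(frame[26:30]))
    dst_ip = str(IPv4Address(frame[30:34]))
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    bootp = frame[udp + 8:]
    if dport not in (67, 68) or len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    hops = bootp[3]
    giaddr = str(IPv4Address(bootp[24:28]))          # relay agent address, 0.0.0.0 if none
    msg_type, i = None, 240
    while i < len(bootp) and bootp[i] != 255:         # walk TLV options to option 53
        if bootp[i] == 0:                             # pad
            i += 1
            continue
        if bootp[i] == 53:
            msg_type = bootp[i + 2]
        i += 2 + bootp[i + 1]
    return {"dst_mac": dst_mac, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "hops": hops,
            "giaddr": giaddr, "msg_type": msg_type}


def diagnose(frame):
    """Explain how a DHCP frame could have reached the interface it was captured on."""
    p = parse_dhcp(frame)
    if p is None:
        return "not-dhcp"
    if p["dst_mac"] == BROADCAST_MAC and p["dst_ip"] == LIMITED_BROADCAST:
        # Routers must not forward 255.255.255.255. If this was captured on an
        # interface other than the client's own, the two segments share layer 2.
        return "l2-broadcast"
    if p["giaddr"] != "0.0.0.0" and p["hops"] > 0 and p["dport"] == 67:
        return "relayed"                              # crossed a router via a relay agent
    return "unicast"                                  # e.g. a renewal to a known server


# Constructed sample 1: a LAN client's DISCOVER as it leaves the NIC.
CLIENT_MAC = bytes.fromhex("001122334455")
LAN_DISCOVER = build_dhcp_frame(CLIENT_MAC, BROADCAST_MAC, "0.0.0.0", LIMITED_BROADCAST,
                                68, 67, hops=0, giaddr="0.0.0.0", chaddr=CLIENT_MAC)
# Constructed sample 2: the same request after a hypothetical relay agent (192.168.1.1)
# forwarded it to a server at 10.0.0.5; this is what crossing a router looks like.
RELAYED_DISCOVER = build_dhcp_frame(bytes.fromhex("00aabbccddee"), bytes.fromhex("00112233aabb"),
                                    "192.168.1.1", "10.0.0.5", 67, 67,
                                    hops=1, giaddr="192.168.1.1", chaddr=CLIENT_MAC)

if __name__ == "__main__":
    for name, f in (("LAN DISCOVER captured on WAN", LAN_DISCOVER),
                    ("relayed DISCOVER", RELAYED_DISCOVER)):
        print(f"{name}: {diagnose(f)}")
```

Reading a real capture is the same check: a `tcpdump -i <wan> -e port 67 or port 68` frame whose destination is ff:ff:ff:ff:ff:ff / 255.255.255.255 but whose source MAC belongs to a host on the other side of the firewall did not get there through pfSense's routing; it got there because the two port groups sit in one broadcast domain, which is exactly what the private VLAN fix later in the thread corrects.
-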
Ah, and the light just came on! You're right!
When I set up the LAN side of the network in ESXi on the VDS, I forgot to make it a private VLAN and left it at none. So yeah, Layer 2 was the magic word here.
Soon as I made it a private VLAN, all is good now!
Thanks... Sometimes you just have to talk through these things with people who know more than you ;-)
-
@BDMcGrew said in Block DHCP through WAN Interface:
Sometimes you just have to talk through these things
Exactly!! Couldn't agree more. It can be very helpful just walking through what you're doing with someone else. Sometimes you run into blind spots on what you're looking for, and just don't see it, until you walk through it with someone else who doesn't have your "blinders" on ;)
So you're all sorted now?
Just explaining your setup to someone else can force you to see the setup in a different light, and make what the issue is jump out at you ;) Sometimes they don't even have to know more than you, or even what you're talking about... But working through the steps to explain it to someone else, even if what you're doing is dumbing it down to explain it to someone that doesn't understand any of it, can be very insightful in what you overlooked.
-
Yes sir, thank you!
Soon as I made the network on the LAN side of pfS a Private VLAN in the VMware Virtual Distributed Switch, all the problems go away. I no longer see that private subnet (that's supposed to be private) on the rest of the network.
Again, thank you!