Netgate Discussion Forum

Cannot override "default" rule set? blocking UDP broadcasts between interfaces

1.2.1-RC Snapshot Feedback and Problems-RETIRED
akula169, Oct 29, 2008, 9:01 PM (last edited Oct 30, 2008, 3:04 PM):

    I noticed this when I started having trouble getting my wireless clients to assign themselves DHCP addresses.  I have a wireless access point on its own interface that is bridged with LAN.  I have a rule for the AP's interface (rl2) to allow everything to everywhere.  For some reason, some default rule is blocking the UDP broadcasts for BOOTP/DHCP.

```
1. 277301 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
```

    I can't seem to find a way to disable the blocking.  Is this a bug or a newly implemented "feature" in 1.2.1?

dvserg, Oct 30, 2008, 5:03 AM:

Maybe look at this?
      Interfaces: WAN
      Block private networks
      Block bogon networks

akula169, Oct 30, 2008, 5:16 AM:

Yup. Disabled both of those and no difference.

wallabybob, Oct 30, 2008, 11:36 AM:

          Under services -> DHCP Server do you have DHCP enabled on the LAN interface?

          I have a configuration which sounds similar to yours: LAN, WLAN, DMZ, LAN and WLAN bridged. I have DHCP working on both LAN and WLAN.

          I used 1.2.1 from its early days. I think it was sometime in August I upgraded to a pretty new build and then DHCP on the WLAN was broken (newly blocked by the firewall). I worked around it by adding a couple of firewall rules on the WLAN interface. I posted a note trying to provoke someone into explaining the rationale for the new DHCP behaviour but nobody took the bait.

It's now a few weeks since I upgraded; maybe it's about time to do it again and see if I still need those rules I had to add in August. They were (both pass rules):

```
UDP  *  bootpc  255.255.255.255  bootps  *
UDP  *  bootpc  LAN address      bootps  *
```

where bootpc is an alias for 68 and bootps is an alias for 67.

akula169, Oct 30, 2008, 4:06 PM:

Thanks, that did it. Although it did involve a good bit of fiddling; it didn't really "take" until I brought the AP_Bridge interface down and back up.

            I also had to add a rule for some other magic that OSX seems to like.  'domain' is an alias for port 5353

```
IGMP  *  *       224.0.0.251  *       *
UDP   *  domain  224.0.0.251  domain  *
```

            Thanks for the heads-up.  I was tearing my hair out yesterday.

            I wonder why they decided to add such blocking to the default rules?

peter.riche, Dec 20, 2008, 7:03 PM:

              @wallabybob:

```
UDP  *  68  255.255.255.255  67  *
UDP  *  68  LAN address      67  *
```

              confirmed! thanks a lot for avoiding one more week of madness!!

1.2-RELEASE works like a charm, but 1.2.1-RC2 and RC4 do have this bug… which was really cracking my head.

              Thanks again.

sullrich, Dec 20, 2008, 9:49 PM:

                This is a "feature".  I'll let CMB explain since he is the one that made the change.

cmb, Jan 2, 2009, 2:48 AM:

                  It's not a bug, we just don't automatically allow DHCP traffic over bridges anymore. You have to add rules to pass that traffic just as you do with any other kind of traffic. Auto added rules are bad.  And this auto added rule wasn't even intended to allow DHCP traffic over bridges, that was just a consequence. Allowing that traffic was a bug, this is a bug fix that you now have to add that rule.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
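The thread shows the symptom (pflog lines blocked by one rule number) and the cure (explicit pass rules for DHCP, and for mDNS on the bridged interface), but does not connect the two. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style pflog lines like the ones akula169 quoted, picks out every blocked DHCP client request or mDNS query, and prints the pass rule each interface is missing in the same "proto src sport dst dport" shape as wallabybob's GUI rules. The sample log is constructed for this example (the first three lines are modelled on the quoted capture, the rest are invented), and the `192.168.1.0/24` addresses, the `198.51.100.10` web server and the rule number `12` are assumptions.

```python
"""Find which pass rules a bridged interface lacks, from blocked pflog entries."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not a real capture): lines 1-3 follow the thread's quoted
# output; lines 4-6 add a unicast DHCP renewal, an mDNS query and an unrelated
# passed TCP SYN so the classifier has something to ignore.
SAMPLE_PFLOG = """\
1.277301 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000512 rule 587/0(match): block in on rl2: 192.168.1.50.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
000733 rule 587/0(match): block in on rl2: 192.168.1.50.5353 > 224.0.0.251.5353: [|domain]
000901 rule 12/0(match): pass in on rl2: 192.168.1.50.50321 > 198.51.100.10.80: S 1:1(0) win 65535
"""

# tcpdump prints "a.b.c.d.port"; the IPv4 part is pinned to four octets so the
# trailing ".port" is not swallowed. The port is optional (IGMP lines have none).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>[A-Za-z0-9_]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Entry:
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a pflog line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Entry(
        rule=int(m["rule"]), reason=m["reason"], action=m["action"],
        direction=m["direction"], iface=m["iface"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def classify(e: Entry) -> str:
    """Name the traffic class a bridged-interface rule set has to pass explicitly."""
    if e.sport == 68 and e.dport == 67:             # bootpc -> bootps
        return "dhcp-broadcast" if e.dst == "255.255.255.255" else "dhcp-unicast"
    if e.dport == 5353 and e.dst == "224.0.0.251":  # mDNS (Bonjour)
        return "mdns"
    return "other"


# Pass rules in the thread's GUI shape. "<interface address>" is the firewall's
# own address on that interface, where unicast DHCP renewals are sent.
RULE_FOR_CLASS = {
    "dhcp-broadcast": "UDP  *  68  255.255.255.255  67  *",
    "dhcp-unicast":   "UDP  *  68  <interface address>  67  *",
    "mdns":           "UDP  *  5353  224.0.0.251  5353  *  (plus IGMP * * 224.0.0.251 * *)",
}


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Map each interface that blocked DHCP/mDNS to the pass rules it lacks."""
    needed: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.action != "block":
            continue
        rule = RULE_FOR_CLASS.get(classify(e))
        if rule is not None and rule not in needed.setdefault(e.iface, []):
            needed[e.iface].append(rule)
    return needed


def blocked_by_rule(log_text: str) -> Counter:
    """Count block entries per pf rule number (587 in the thread's capture)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and e.action == "block":
            counts[e.rule] += 1
    return counts


if __name__ == "__main__":
    for iface, rules in suggest_rules(SAMPLE_PFLOG).items():
        print(f"{iface}:")
        for r in rules:
            print(f"  {r}")
    print("blocked by rule:", dict(blocked_by_rule(SAMPLE_PFLOG)))
```

The rule number in the log is pf's own numbering of the loaded ruleset, so `pfctl -vvs rules` on the firewall shows which rule `@587` actually is before you add anything. In raw pf syntax the two DHCP rules from the thread are `pass in quick on rl2 proto udp from any port 68 to 255.255.255.255 port 67` and `pass in quick on rl2 proto udp from any port 68 to (rl2) port 67`; as cmb's reply says, they have to be added per interface like any other traffic you intend to allow.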