Firewall rule needed for DHCP?
-
Hi,
We're running a 2-node pfSense 1.2.2 cluster.
3 physical NIC ports in the server: 1x 'LAN', 1x WAN, 1x OPT1. The OPT1 interface is used for sync.
The LAN interface is using VLANs. I have 2 issues I've been wondering about:
- On every 'LAN' interface (LAN + additional VLANs) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
I've enabled DHCP relay on the various VLAN interfaces, and specified the IP of our internal DHCP-server.
But, in order to get DHCP working I had to add the following rule on the subnet where the DHCP server lives:
UDP 0.0.0.0 68 255.255.255.255 67 * Permit DHCP
Otherwise, all DHCP requests from clients on the other VLAN would be blocked. Is this normal behaviour?
- I see various log entries showing a block:
Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP
It shows that source 192.168.128.228 (one of our workstation subnets) attempted to contact HTTP-service on 74.125.79.99, but got blocked.
I just don't get why this gets blocked, since the only rule on the LAN_VLAN41 interface is a 'permit any from 192.168.128.224/28 to any'.
Also… the rule that blocked it is the 'block drop in log quick all label "Default deny rule"' according to the WebUI. How is this possible?
- On every 'LAN' interface (LAN + additional VLANs) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
-
-
Yes, that's normal.
-
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
-
-
@cmb:
-
Yes, that's normal.
-
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
Great, thanks :)
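An added illustration, not code from the thread or from pfSense, of why both observations fit plain first-match rule evaluation: it models an interface rule set as pfSense applies it (first matching rule wins, otherwise the default deny) and evaluates the two packets from the post against the rules the post describes. The Rule class, the helper names and the rule labels are assumptions; the model is stateless on purpose, so it cannot see the state-table behaviour that the linked doc explains for the blocked TCP entry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "permit" or "block"
    proto: str    # "udp", "tcp" or "any"
    src: str      # address/CIDR or "any"
    sport: str    # port number or "*"
    dst: str
    dport: str
    label: str


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "*" or int(spec) == port


def first_match(rules, proto, src, sport, dst, dport):
    """First-match evaluation with an implicit default deny, as on a pfSense interface."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if (_addr_match(r.src, src) and _port_match(r.sport, sport)
                and _addr_match(r.dst, dst) and _port_match(r.dport, dport)):
            return r.action, r.label
    return "block", "Default deny rule"


# Constructed rule set for LAN_VLAN41 as the post describes it: a single "<subnet> -> any" permit.
VLAN41_RULES = [Rule("permit", "any", "192.168.128.224/28", "*", "any", "*", "LAN_VLAN41 net -> any")]

# The same rule set with the explicit DHCP rule from the post placed in front of it.
WITH_DHCP = [Rule("permit", "udp", "0.0.0.0", "68", "255.255.255.255", "67", "Permit DHCP")] + VLAN41_RULES


def dhcp_discover_verdict(rules):
    # A client with no lease yet sends DHCP DISCOVER/REQUEST from 0.0.0.0:68 to 255.255.255.255:67;
    # 0.0.0.0 is not inside 192.168.128.224/28, so the "<subnet> -> any" rule never matches it.
    return first_match(rules, "udp", "0.0.0.0", 68, "255.255.255.255", 67)


def logged_packet_verdict(rules):
    # The blocked log entry from the post: 192.168.128.228:3410 -> 74.125.79.99:80 TCP.
    # The rule set permits it, so the block is not explained by the rules alone.
    return first_match(rules, "tcp", "192.168.128.228", 3410, "74.125.79.99", 80)
```

Running `logged_packet_verdict(VLAN41_RULES)` returns a permit, which is the point: a "Default deny rule" hit for a packet the rules allow has to come from state handling, the case the linked doc covers.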