Rules to block DHCP servers from OPTX to WAN?
-
Hey all. I'm currently trying to set up pfSense as an edge firewall/gateway in a virtual environment, and I need a little bit of help making sure I can block DHCP servers on the LAN, OPT1, OPT2 and OPT3 interfaces from getting back up to my WAN network.
Basically, I have a VMware ESXi server at work; it's connected to our work network using DHCP. I have the WAN interface of pfSense connected to a VMware vSwitch which is on the work DHCP network. From there I have 4 LAN connections in pfSense: LAN for accessing the webGUI to configure things, and then 3 OPT interfaces, for Apple Mac, Linux and Windows VMs, at 192.168.10.X, 192.168.20.X and 192.168.30.X respectively.
I need to absolutely make sure that if a DHCP server is active on LAN or OPT1-3, it cannot communicate with/give leases to any machines on the work network/my pfSense WAN. Can anyone advise on any rules that would help me with this, please?
-
Why would you think broadcast traffic would be forwarded across your segments? Do you have interfaces bridged?
So, for example, say you've got some DHCP client on your pfSense WAN network. It broadcasts its DHCPDISCOVER to 255.255.255.255 on UDP 67. Why would you think pfSense would forward that traffic into anything on your LAN-side networks, for your DHCP servers there to be able to answer?
There is nothing to worry about unless you're bridging, say, your WAN interface to a LAN interface on pfSense.
-
In that scenario, just avoiding bridging does what you want: DHCP requests will not be routed. It sounds like you already have a setup that accomplishes what you're looking for.
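For anyone who still wants an explicit rule as a belt-and-braces control on top of the no-bridging answer, here is an added example in pf rule syntax; it is not from the thread or from pfSense's generated ruleset, and it assumes the WAN interface is em0. On pfSense you would enter the equivalent as a floating rule (Firewall > Rules > Floating) with Action Block, Direction out, Interface WAN, Quick enabled, Protocol UDP, source port 67 and destination port 67-68.

```pf
# Added example, not from the original thread. Assumes WAN is em0.
wan = "em0"

# DHCP server traffic has UDP source port 67 and goes to port 68 (a client)
# or port 67 (a relay). Drop and log anything of that shape leaving the WAN
# interface, so no DHCP server on LAN/OPTx can ever answer onto the work network.
block drop out log quick on $wan proto udp from any port 67 to any port { 67 68 }
```

Only the outbound direction on WAN is blocked: pfSense's own WAN interface is itself a DHCP client on the work network, so inbound port 67 to 68 must stay open or it loses its lease, and pfSense's DHCP server replies for the LAN/OPT networks leave on those interfaces, not WAN, so they are unaffected. To verify, run `tcpdump -netti pflog0` on the pfSense shell while a test DHCP server on an OPT segment is active; nothing should be logged unless a lease reply actually tries to leave via WAN, and `tcpdump -ni em0 udp port 67` should show only the work DHCP server and pfSense's own client traffic.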