Netgate Discussion Forum

    Rogue DHCP - Is this possible to exploit?

      repne

      Perhaps a stupid question, but I guess it doesn't hurt to ask.

      Suppose I have a pfSense router with a LAN interface that has a static IP address of 192.168.1.1/24, and the WebUI is accessible from this network. I also have a WAN interface that is configured as a DHCP client and gets its IP address from the ISP or the "parent" DHCP server. Now suppose the ISP decides for some strange reason to reset the connection and program its DHCP server to offer my router an IP address of 192.168.1.1, which is the same as the one on the LAN.

      Does that make the WebUI accessible from the WAN?

        doktornotor Banned

        Uhm. Having WAN and LAN on the same subnet will make your router completely broken…

          Derelict LAYER 8 Netgate

          Don't use anything in the following ranges for local networks ever: 10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24.  Adhering to this simple rule will reduce your likelihood of conflicting with someone else by like 99.9%.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            johnpoz LAYER 8 Global Moderator

            No, that does not make the webgui available via the WAN. Does not matter what IP you have on the WAN. Do you have a rule on your WAN interface to allow access to 80/443 or whatever port you have your webgui listening on? If not, then no, it would not be available no matter what the IP was.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              repne

              Thanks. Also protected, if you have Block Bogon/Private networks enabled on WAN.

              1 Reply Last reply Reply Quote 0
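
An added example, not part of any post in this thread: a check that compares a DHCP lease offered on WAN against the locally configured interface addresses, covering the 192.168.1.1/24 collision asked about above. The function name, the interface dictionary and the sample values are assumptions constructed for illustration; this is not pfSense code.

```python
import ipaddress

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_wan_lease(lease, local_ifaces):
    """Compare an offered WAN lease against local interface addresses.

    lease        -- offered address with prefix, e.g. "192.168.1.1/24"
    local_ifaces -- dict of interface name -> address with prefix (hypothetical layout)
    Returns a list of (severity, message) findings; an empty list means no conflict.
    """
    wan = ipaddress.ip_interface(lease)
    findings = []
    for name, addr in local_ifaces.items():
        local = ipaddress.ip_interface(addr)
        if wan.version != local.version:
            continue  # an IPv4 lease cannot collide with an IPv6 interface
        if wan.ip == local.ip:
            findings.append(
                ("critical", f"WAN lease {wan.ip} duplicates the {name} address"))
        elif wan.network.overlaps(local.network):
            findings.append(
                ("critical",
                 f"WAN subnet {wan.network} overlaps {name} subnet {local.network}"))
    # A private address on WAN is not a conflict by itself, but it is worth
    # recording: it points to upstream NAT or an unexpected DHCP server.
    if wan.version == 4 and any(wan.ip in net for net in RFC1918):
        findings.append(("info", f"WAN lease {wan.ip} is in RFC 1918 space"))
    return findings


if __name__ == "__main__":
    # Constructed sample values: the LAN from the question plus test leases.
    lan = {"LAN": "192.168.1.1/24"}
    for offer in ("192.168.1.1/24", "192.168.1.50/24",
                  "10.20.30.40/16", "203.0.113.7/24"):
        results = check_wan_lease(offer, lan)
        print(offer, "->", results if results else "no conflict")
```

Run against each new lease, a check like this flags the overlapping-subnet condition before it breaks routing; whether the WebUI is reachable from WAN is still decided by the WAN firewall rules, as the replies above state.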
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.