DHCP requests across firewall
-
So not sure the lack of the hidden rules gotten over looked since they put them in when you enable dhcp or a feature ;)
This was the same story with DHCPv6 relay… Stuff that's not so often used gets overlooked.
-
Firewall rule added to both net A and B is attached as a .png. The rule has been moved to the top of all rules and is right below block bogon networks.
Also, I had DHCP running on the interface in question, but then I change it's IP before activating the relay. Would that be the problem? Would I need to activate DHCP with the new IP?
 -
Awesome screenshot. We STILL do NOT know WHICH interface you did put that on. Grrrrrrrrrrrrrrrr. Enough time wasted here. Good luck. >:( >:( >:(
Would I need to activate DHCP with the new IP?
What? Not really sure what you mean by "activate"?
-
I think I've said which interfaces I put that rule on three times. If you look at the quote and the previous commments, Net A and B.
I don't think I'd be putting it on WAN. Since WAN has nothing to do with this.
Sorry, I mean turn on pfSense's DHCP server to get the rules readded with the new IP.
-
I assume it'd be way too much work to post the logs of what exactly you get blocked where, right? Especially since you have not been able to get an absolutely trivial thing working for multiple days and since we've been praying for information repeatedly. So far we got one screenshot without context and some generic "oh noes, it won't work" and "it's blocked" moaning.
Good luck.
Sorry, I mean turn on pfSense's DHCP server to get the rules readded with the new IP.
Why the heck would you be doing that when you already have another DHCP server on your network!? (Plus it's impossible to have both the relay and DHCP server enabled at the same time.) Plus, there are no rules there for the relay. I already linked the bug.
-
I'm not in a position where I'm able to be taking screenshots and cropping them left and right. If you would simply read the comments I've posted, then you wouldn't need to pray.
Also, I don't think I've been moaning. I believe I've been more than compliant with your requests, even though I'm in a high stress environment.
-
No those rules go away as soon as you disable dhcp server and turn on the relay.
I don't think the any rule includes broadcast maybe but that would seem very strange?? If your still seeing it blocked in your firewall. Could you please just post ALL your rules for netb WTF could you be hiding.. Here are mine on my dmz.. For all I know you have something specifically blocking right above that.. Without a full picture its very difficult to help you. In your firewall log if you click the red X it will tell you what rule blocked, etc..
As to posting your relay settings posting - please post that as well. It would not be the first time user said X when it was really Y.. Pics or it didn't happen if you will ;)
-
I'm not in a position where I'm able to be taking screenshots and cropping them left and right.
So take more comfortable position. Or get some working tools. Or hire a full time screenshotter if too much work for you. ROFL. :o ::)
-
As to cropping them? Huh?? what OS are you on? Windows 7 and above comes with free snipping tool that allows for simple cropping.. Same with linux has multiple screentaking tools. I use faststone capture – best little piece of software ever ;) Shoot even if took a screenshot with my phone allows for cropping.. Clearly your shot of your 1 freaking rule was cropped!!
Again without info its impossible to help you!
-
There's NetB.
As for the relay, it's configured correctly. You've said how to do it 5 times.
-
And there you go - why and the F would you be blocking bogon on your own segment?
0.0.0.0/8 is listed in bogon.. What is the source of the broadcasts in dhcp discover. Clicking the little X in the firewall log wold of told you it was blocked by bogon
-
And there you go - why and the F would you be blocking bogon on your own segment?
Could have been worse. He might have blocked the RFC1918 as well. Nice waste of time, this… ::)
-
That's kind of funny, I distinctly mentioned the bogon block in another post.
Anyways, I'll try that tonight. Makes sense though. Sorry for all this and thank you greatly!
-
Do you not having it logging the blocking of bogon?
Here I turned on and - yup blocking.
Yes you did mention it
"right below block bogon networks."Picture is with 100,000 words!!! This is basic stuff it should of worked click click with normal set of rules, etc. Even for a DMZ and yours is just a plain jane segment. And who and the hell blocks bogon from their own private segment? What do you think would be using bogon on your own network, which would never really work anyway.. And if your going to block it - why would you not log it?
I missed that or this would of been over much sooner..
Should prob put in ticket, if you enable relay they should prob do the same sort of rules when you enable dhcp server - this would be in front of bogon and allow it to work while still blocking bogon if you wanted, etc.
-
Yeah, I apologize for my own incompetence. XD I've never had a problem blocking bogons so I overlooked it. I realize the stress this has caused, my sincerest apologies.
-
prob put in ticket, if you enable relay they should prob do the same sort of rules when you enable dhcp server - this would be in front of bogon and allow it to work while still blocking bogon if you wanted, etc.
No need, already done: https://redmine.pfsense.org/issues/4558
-
I'm on 2.1.5, by the way
-
It's the same issue everywhere, 2.1.x or not. You just won't get any fix on 2.1.x
-
Yet more information that could of been provided - why are you not current 2.2.2 if just setting this up? I would assume this was new setup trying to get a network to work with dhcp sounds like new install to me.
Yeah from that bug report looks like will be fixed in 2.2.3 that should help out the next guy with this sort of problem.
-
This was a newly set up windows dhcp server, so I was trying to transfer the DHCP load from pfSense to the windows server. Also, I didn't think the version would make much difference since this was a logistical problem. So is there no point in blocking bogons on internal networks? One of the guides I watched said it wouldn't make a difference, turns out it does!
