Netgate Discussion Forum

    DHCP requests across firewall

    Category: DHCP and DNS
    66 Posts 3 Posters 15.3k Views
    doktornotor

      @technical:

      I'm not in a position where I'm able to be taking screenshots and cropping them left and right.

      So take a more comfortable position. Or get some working tools. Or hire a full-time screenshotter if it's too much work for you. ROFL.  :o ::)

      johnpoz

        As to cropping them? Huh?? What OS are you on? Windows 7 and above comes with a free snipping tool that allows for simple cropping. Same with Linux, which has multiple screen-capture tools. I use FastStone Capture, the best little piece of software ever ;) Shoot, even if I took a screenshot with my phone it allows for cropping. Clearly your shot of your 1 freaking rule was cropped!!

        Again, without info it's impossible to help you!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        technical

          There's NetB.

          As for the relay, it's configured correctly. You've said how to do it 5 times.

          wp_ss_20150423_0001.png

          Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

          johnpoz

            And there you go - why and the F would you be blocking bogon on your own segment?

            0.0.0.0/8 is listed in bogon. What is the source of the broadcasts in DHCP discover? Clicking the little X in the firewall log would have told you it was blocked by bogon.

            bogons0000.png


            doktornotor

              @johnpoz:

              And there you go - why and the F would you be blocking bogon on your own segment?

              Could have been worse. He might have blocked the RFC1918 as well. Nice waste of time, this…  ::)

              technical

                That's kind of funny, I distinctly mentioned the bogon block in another post.

                Anyways, I'll try that tonight. Makes sense though. Sorry for all this and thank you greatly!


                johnpoz

                  Do you not have it logging the blocking of bogon?

                  Here I turned it on and - yup, blocking.

                  Yes you did mention it
                  "right below block bogon networks."

                  A picture is worth 100,000 words!!! This is basic stuff; it should have worked click-click with a normal set of rules, etc. Even for a DMZ, and yours is just a plain-jane segment. And who and the hell blocks bogon from their own private segment? What do you think would be using bogon on your own network, which would never really work anyway? And if you're going to block it, why would you not log it?

                  I missed that or this would have been over much sooner.

                  Should prob put in a ticket: if you enable relay they should prob add the same sort of rules as when you enable the DHCP server. This would be in front of bogon and allow it to work while still blocking bogon if you wanted, etc.

                  enabledbogon.png


                  technical

                    Yeah, I apologize for my own incompetence. XD I've never had a problem blocking bogons so I overlooked it. I realize the stress this has caused, my sincerest apologies.


                    doktornotor

                      @johnpoz:

                      prob put in a ticket: if you enable relay they should prob add the same sort of rules as when you enable the DHCP server. This would be in front of bogon and allow it to work while still blocking bogon if you wanted, etc.

                      No need, already done: https://redmine.pfsense.org/issues/4558

                      technical

                        I'm on 2.1.5, by the way.


                        doktornotor

                          It's the same issue everywhere, 2.1.x or not. You just won't get any fix on 2.1.x.

                          johnpoz

                            Yet more information that could have been provided. Why are you not on current 2.2.2 if you are just setting this up? I would assume this was a new setup; trying to get a network to work with DHCP sounds like a new install to me.

                            Yeah, from that bug report it looks like it will be fixed in 2.2.3. That should help out the next guy with this sort of problem.


                            technical

                              This was a newly set up Windows DHCP server, so I was trying to transfer the DHCP load from pfSense to the Windows server. Also, I didn't think the version would make much difference since this was a logistical problem. So is there no point in blocking bogons on internal networks? One of the guides I watched said it wouldn't make a difference; turns out it does!


                              johnpoz

                                Look at the table of what is in bogon. Why would any of those networks be on your local network? To be honest I don't really see much point in blocking them on the WAN either ;) The default rule is block on WAN. So blocking bogon would just be for ports that you have opened. And bogons are not even routable on the internet, etc.

                                They seem to cause way more problems than they are worth in blocking any sort of risk, that 0.0.0.0/8 you're seeing for example. And there are some other networks in the IPv6 bogon list that are really legit for link-local addressing.

                                As to your version of pfSense, it's a good idea to stay current. They add nice stuff in every update, for example listing the rule that blocked in the logs ;) 2.2 has a full resolver vs just a forwarder for DNS, etc.

                                As to DHCP load, I highly doubt that is a problem for pfSense. But sure, DHCP is better to run off your Windows AD than pfSense.

                                While generally speaking, yes, if it's not a valid address it shouldn't be allowed, without a real easy way to edit the list you can run into stuff that may or may not be "valid". And the way they have it added to the rules there is really no way to put stuff in front of it, etc.

                                If you were really worried about blocking bogons, I would prob just grab the list, put it in an alias and use that in a normal rule vs how they have bogon implemented in pfSense.

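A small first-match simulation of the rule-ordering problem discussed above, added here as an example and not code from the thread or from pfSense: a "block bogon networks" rule placed ahead of the user rules eats DHCP DISCOVERs because their source 0.0.0.0 lies inside 0.0.0.0/8, while an explicit DHCP pass rule in front of it (or a bogon alias used in a normal rule whose position you control) lets DHCP through and keeps the rest of the list blocked. The bogon subset, the 192.168.1.0/24 LAN and the rule labels are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed subset of an IPv4 bogon list (the real pfSense list is much
# longer; RFC1918 space is a separate "block private networks" option).
BOGONS_V4 = [ipaddress.ip_network(n) for n in
             ("0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
LAN_NET = [ipaddress.ip_network("192.168.1.0/24")]   # assumed LAN subnet


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    label: str
    src: list = field(default_factory=lambda: ANY)
    proto: str = "any"
    sport: int = 0                      # 0 = any port
    dport: int = 0

    def matches(self, pkt: dict) -> bool:
        return (any(pkt["src"] in n for n in self.src)
                and self.proto in ("any", pkt["proto"])
                and self.sport in (0, pkt["sport"])
                and self.dport in (0, pkt["dport"]))


def pkt(src: str, proto: str, sport: int, dport: int) -> dict:
    return {"src": ipaddress.ip_address(src), "proto": proto, "sport": sport, "dport": dport}


def first_match(rules: list, pkt: dict) -> str:
    """pfSense rules are 'quick': the first matching rule decides, and a
    packet that matches nothing hits the implicit default deny."""
    for r in rules:
        if r.matches(pkt):
            return f"{r.action}:{r.label}"
    return "block:default deny"


# Constructed DHCP DISCOVER: a client with no lease yet sends from 0.0.0.0,
# UDP port 68 to port 67, which lands inside the 0.0.0.0/8 bogon entry.
DISCOVER = pkt("0.0.0.0", "udp", 68, 67)

BOGON_BLOCK = Rule("block", "block bogon networks", src=BOGONS_V4)
LAN_ANY = Rule("pass", "Default allow LAN to any", src=LAN_NET)
DHCP_PASS = Rule("pass", "allow DHCP to relay", proto="udp", sport=68, dport=67)

# The thread's situation: the bogon block sits ahead of the user rules and
# nothing passes DHCP explicitly, so the DISCOVER dies on the bogon rule.
AS_CONFIGURED = [BOGON_BLOCK, LAN_ANY]
# With a DHCP pass rule in front (what the DHCP-server option generates
# automatically); bogons stay blocked for everything else.
WITH_DHCP_RULE = [DHCP_PASS, BOGON_BLOCK, LAN_ANY]

if __name__ == "__main__":
    for name, rules in (("as configured", AS_CONFIGURED), ("with DHCP rule", WITH_DHCP_RULE)):
        print(f"{name:15} DISCOVER -> {first_match(rules, DISCOVER)}")
```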

                                technical

                                  I tried 2.2 when that came out, but I was getting weird errors, so I just decided to wait a little while.

                                  As for DHCP load, yeah, that was the wrong word XD More.. functionality? I just want to be authoritative over my domain (DNS, DHCP, etc.). Plus, Windows AD is incredibly fun and interesting! Haha, I'm well aware of pfSense's power, it truly is a masterpiece!


                                  johnpoz

                                    I agree, if you're running an AD then DNS and DHCP should be served by your AD, not your router ;)

                                    As to it being fun, that would be a matter of opinion. While it has always been interesting, I'm not sure I would use the word fun to describe MS products ;) I have been an admin of Windows networks since before there were "domains", back when it was only 3.11 for "workgroups", and then went to NT 3.51 as server from OS/2, etc.

                                    As to your issues with 2.2, were you blocking bogon on your LAN interfaces? ;)

                                    You really should move away from 2.1 and go to 2.2; unless you are in some critical production setup, there is no reason not to be current.


                                    technical

                                      Ha ha. In reality, most likely. But my problem was hardware, I believe. I'm going to try again and go into more depth soon. As for my current setup, when I try to switch between WAPs on each subnet, it only gives me a lease from the first subnet I joined, and I also am unable to access the web. Is this a Windows thing?


                                      johnpoz

                                        What do you mean it gives you IP from the first subnet?  Why would you have Wireless on both segments?  Wireless should be its own segment.


                                        technical

                                          Wireless device A connects to WAP on NetA and gets an IP from NetA scope. Wireless device A then switches to WAP on NetB but doesn't get a new IP from the NetB scope, it keeps the old NetA address.

                                          One on each subnet so I can administer them differently (content filtering and whatnot).

                                          Its own segment? Is this good practice or absolutely necessary for this to work?

                                          Also: I tried enabling Name Protection on the entire IPv4 region of the DHCP server, doesn't seem to have worked.


                                          johnpoz

                                            So you just move to new wireless network, is this a different ssid?  Did you release the IP to get a new one?

                                            I have never in all my years of working with IT and networking ever seen anyone put bridged wireless on 2 different segments like you're doing. It's completely pointless!!

                                            Your wireless should be on its own segment, plain and simple, or bridged to 1 of them. It sure and the hell does not need to be on both. Name protection?? Why do you think you need that??


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.