Netgate Discussion Forum

    Reject WAN DHCP Subnet from cable modem

    • Reseau360

      Hi guys,

      [sorry for my English, it's my second language]

      Second post regarding problems with my ISP Cable Modem.

      In the beginning of July, I started having problems with WAN DHCP addresses.

      Each week, pfSense was going offline after it failed to renew => DHCP WAN address

      I tried to configure the WAN Interface => reject subnet DHCP address => 192.168.100.X/24

      Also tried to add => rules => block => WAN => IPv4 => UDP => source => any => destination => any => port 67/68

      After 2 weeks trying to fix this, I decided to switch back to my Watchguard XTM-26 and the problem disappeared.

      This week, I had to install a new business network environment, so I decided to test again, but same problems again, haven't figured out what the hell is going on.

      So I've set up a VMWare environment to test further.

      I'm trying to reject DHCP WAN subnet => 192.168.1.X/24 => doesn't seem to work => still having an address from 192.168.1.0/24, when I'm not supposed to.

      I guess I'm missing something here, any input would be appreciated regarding Cable Modem WAN DHCP addresses. [trying to reject bad WAN DHCP address]

      Thanks guys.

        • johnpoz LAYER 8 Global Moderator

        So when you set an interface to be DHCP, pfSense automatically puts in a rule to allow DHCP, which would be before any rules you create in the GUI. So no, your firewall rule would never work.

        The only time a cable modem would hand out 192.168.100 is if it has no WAN connection. As to blocking this... post up what you did.

        So I would suggest you sniff on your WAN and watch the DHCP packets. The reject is the IP address or network of the DHCP server, not the IP in the scope. It is quite possible that when your cable modem hands out DHCP for 192.168.100 it is using a different source IP?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • stan-qaz

          Try going to the Interfaces, WAN page and set it to reject the cable modem's internal IP address there.

          http://172.16.0.1/interfaces.php?if=wan  (use your pfSense's IP here)

          Reject leases from 
          
          192.168.100.1
          
          If there is a certain upstream DHCP server that should be ignored, place the IP address or subnet of the DHCP server to be ignored here. This is useful for rejecting leases from cable modems that offer private IPs when they lose upstream sync.
          
            • Reseau360

            Ok,

            I've tried the above solution, but it doesn't seem to work.

            Here's my setup

            Internal Lab Network - Windows Server 2012 R2 - DHCP Subnet - 10.X.X.X/24 [Range 10.X.X-50 to 75] ========> pfSense WAN DHCP Rejecting 10.X.X.52 ==========> LAN VMNet Host Only 10.12.12.X/24

            Even if I try to reject => 10.X.X.52 ... I still get the IP address I'm trying to reject!

            Am I missing something here?

            Print Screen attached

            WAN_DHCP_Reject_1.PNG

              • Derelict LAYER 8 Netgate

              You reject from the DHCP Server IP address. What is the IP address of the DHCP Server? Put that there.

              The purpose of that setting is to refuse leases offered by cable modems when the connection is down. When the connection is up the DHCP server offering the lease will not be the cable modem, but something upstream of it.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
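
The distinction made in the replies above (the reject entry is compared with the DHCP server's address, not with the address being leased), as an added example that is not part of the thread and is not pfSense code. It assumes the server's address is read from the server identifier option (54) of the offer; in a WAN capture the IP source address of the offer is the other value to compare. The function names, the 192.168.100.10 lease and the 10.0.0.1 server are made up for the illustration.

```python
import ipaddress
import struct

MAGIC = bytes([99, 130, 83, 99])  # DHCP magic cookie that precedes the options

def build_offer(yiaddr, server_id):
    """Build a minimal DHCPOFFER payload (constructed sample, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, 0x12345678, 0, 0,        # BOOTREPLY, Ethernet
                         bytes(4), ipaddress.IPv4Address(yiaddr).packed,
                         bytes(4), bytes(4), bytes(16), bytes(64), bytes(128))
    options = bytes([53, 1, 2])                                # message type: OFFER
    options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC + options + b"\xff"                  # 255 = end option

def parse_offer(payload):
    """Return (offered address, server identifier or None)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    offered = ipaddress.IPv4Address(payload[16:20])            # yiaddr field
    server_id, i = None, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                                    # pad: no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 54 and length == 4:                         # server identifier
            server_id = ipaddress.IPv4Address(value)
        i += 2 + length
    return offered, server_id

def offer_rejected(payload, reject_list):
    """True when the offering server matches a reject entry (IP or subnet)."""
    _, server_id = parse_offer(payload)
    return server_id is not None and any(
        server_id in ipaddress.ip_network(entry, strict=False)
        for entry in reject_list)

# Constructed offers: same lease address, two different offering servers.
modem_offer = build_offer("192.168.100.10", "192.168.100.1")
other_offer = build_offer("192.168.100.10", "10.0.0.1")
for name, offer, rules in [("server IP", modem_offer, ["192.168.100.1"]),
                           ("lease IP", modem_offer, ["192.168.100.10"]),
                           ("subnet, other server", other_offer, ["192.168.100.0/24"])]:
    print(name, "->", "rejected" if offer_rejected(offer, rules) else "accepted")
```

The third case is the one johnpoz raises: a reject entry covering the lease subnet does nothing when the offer comes from a server address outside that subnet.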

                • Reseau360

                So here's more details regarding my test lab [I've put the wrong IP addresses but the configuration remains the same]

                Cable Modem ===> Firewall ===> Switch L3 ===> VMWare Esxi ===> Nothing here that can offer IP Addresses, nothing upstream either ==== > W2012R2 - Static IP : 10.115.115.254/24 DHCP Server Range 10.115.115.50 to 75 ===> WAN pfSense ===> LAN pfSense VM Host-only 10.12.12.X/24 ===> Windows 7 VM

                So, even if I put the DHCP server address 10.115.115.254, I still get an IP address from 10.115.115.50 to 75.

                There's nothing upstream, so it simulates the problem I was having.

                If my ISP doesn't offer an IP address or goes offline, my cable modem should kick in and offer me => 192.168.100.X.

                So basically in my test lab, if I've configured it to reject an IP address from the DHCP server, I shouldn't get an IP address at all, so I shouldn't get an IP address from 10.115.115.50 to 75 ... right?
