rogue DHCP detection -> dhcpcd if_sendraw: Permission denied
-
Hi,
I'm using a small script to detect rogue DHCP-Servers on different networks/interfaces:
dhcpcd -t 3 -K -T -4 -L vmx0.100
-> the DHCP server on the VLAN has to block DHCP requests sent by the pfSense interface MAC address.
-t 3 - 3 seconds timeout
-K - even if interface is not up
-T - test mode - important!
-4 - only IPv4
-L - without IPv4LL

This worked for years on several pfSense instances on several interfaces. But now, after I added new interfaces and changed some infrastructure stuff, it won't work:
With -d for debug, the result is:
dhcpcd-6.11.5 starting
DUID 00:01:00:01:22:ce:8a:f0:00:0c:29:ce:71:6c
vmx0.17: IAID 29:67:ec:6c
vmx0.17: delaying IPv4 for 0.2 seconds
vmx0.17: soliciting a DHCP lease
vmx0.17: sending DISCOVER (xid 0xe3d4b705), next in 4.3 seconds
**vmx0.17: if_sendraw: Permission denied**
timed out
dhcpcd exited
When I tested this without a specified interface, it gave me errors because of duplicated IAIDs, so I changed these in /usr/local/etc/dhcpcd.conf:
interface vmx0.100
iaid 29:67:ec:6a
interface vmx0.101
iaid 29:67:ec:6c
interface vmx0.102
iaid 29:67:ec:6d
But this didn't help.
The error "if_sendraw: Permission denied" happens on 2 of 5 interfaces and I have no clue why. I also stopped services to check if it would then work.
What else could i check?
-
OK, I found something: it's the Captive Portal.
I think it's some sort of ipfw rule which blocks outgoing DHCP requests.
I've found a workaround.

Bad:
edit "/usr/local/www/services_captiveportal_mac_edit.php"
comment the following line out:
$input_errors[] = sprintf(gettext("The MAC address %s belongs to a local interface. It cannot be used here."), $_POST['mac']);
Then I was able to add the local MAC address.
But maybe this is not allowed without purpose...

Better:
So I switched to dhcping-ng: https://github.com/pchytla/dhcping-ng
I compiled this on another FreeBSD 11 system and copied it to the pfSense machine:
/root/dhcping-ng -i vmx0.X -c 5 -w 2 -h aa:aa:aa:aa:aa:aa
With the parameter -h I changed the source MAC address, so I also added this MAC address in the Captive Portal to the MACs section as Pass action.
I see this only as a workaround. I would like to be able to send what I want from the firewall host.
Here is the working rogue DHCP detection script, added to the crontab and executing every 5 minutes:
#!/bin/sh
# Probe the guest VLAN with a spoofed client MAC; any answer means a DHCP server is present there.
res1="$(/root/dhcping-ng -i vmx0.9 -c 5 -h aa:aa:aa:aa:aa:aa 2>/dev/null)"
# grep on the tool's own response line (the original used an undefined $resnew here, so it never matched)
res1found="$(echo "$res1" | grep 'Recived Resonse from')"
# pass the output as an argument, not as the printf format, so a '%' in it cannot break the message
[ -n "${res1found}" ] && printf 'Rogue DHCP detected! - Guest-Network\n\n%s\n' "$res1"
# for testing and finding
# ./dhcping-ng -v -i -c 100 vmx0.
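As an added example (my own code, not from the original post, dhcpcd, dhcping-ng or pfSense), here is the same probe in pure Python over an ordinary UDP socket instead of a raw frame: it builds a DHCPDISCOVER with a chosen client MAC in chaddr, parses every DHCPOFFER that comes back and compares the server identifiers against an allow-list, which goes one step beyond the thread's script (pass an empty allow-list to get the thread's rule that any answer at all is a rogue). The MAC, addresses and the constructed OFFERs used by the self-test are made up. Assumptions: the DHCP server honours the broadcast flag, and on a multi-homed pfSense box using the VLAN's subnet broadcast as destination steers the probe out of the right interface. The Ethernet source MAC is still the host's, so the MAC-spoofing trick from dhcping-ng does not apply, and whether the Captive Portal's ipfw rules let this plain UDP packet out is not something the thread establishes.

```python
"""Rogue DHCP probe: send one DHCPDISCOVER, collect DHCPOFFERs, flag unexpected servers.
Added example, not code from dhcpcd, dhcping-ng or pfSense."""
import random
import socket
import struct
import sys
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_DISCOVER, DHCP_OFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 53, 54, 55, 255
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def _bootp(op, xid, client_mac, yiaddr=b"\0" * 4, siaddr=b"\0" * 4):
    """BOOTP header + magic cookie. flags=0x8000 asks the server to broadcast its reply,
    so a socket bound to 0.0.0.0:68 receives it although the probing host holds no lease."""
    return struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, yiaddr, siaddr, b"\0" * 4,
                       mac_bytes(client_mac).ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128) + DHCP_MAGIC


def build_discover(client_mac, xid):
    """DHCPDISCOVER whose chaddr is client_mac (the MAC the server answers to); the Ethernet
    source address of the frame is still the host's own, unlike dhcping-ng -h."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER])
            + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])        # ask for subnet mask, router, DNS
            + bytes([OPT_END]))
    return _bootp(1, xid, client_mac) + opts


def build_offer(xid, client_mac, yiaddr, server_ip):
    """Server-side DHCPOFFER; used only to construct sample replies for the self-test."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCP_OFFER, OPT_SERVER_ID, 4])
            + socket.inet_aton(server_ip) + bytes([OPT_END]))
    return _bootp(2, xid, client_mac, socket.inet_aton(yiaddr), socket.inet_aton(server_ip)) + opts


def parse_dhcp(data):
    """Fields we need from a DHCP packet, or None when it is not one."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        return None
    op, _, _, _, xid = struct.unpack("!BBBBI", data[:8])
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            break
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    server = opts.get(OPT_SERVER_ID)
    return {"op": op, "xid": xid,
            "type": opts.get(OPT_MSG_TYPE, b"\0")[0],
            "yiaddr": socket.inet_ntoa(data[16:20]),
            "chaddr": ":".join("%02x" % b for b in data[28:34]),
            "server": socket.inet_ntoa(server) if server and len(server) == 4 else "unknown"}


def find_rogues(replies, xid, authorized):
    """Server identifiers of OFFERs answering our xid that are not on the allow-list.
    An empty allow-list reproduces the thread's rule: any answer at all is a rogue."""
    return sorted({r["server"] for r in replies
                   if r and r["type"] == DHCP_OFFER and r["xid"] == xid
                   and r["server"] not in authorized})


def probe(client_mac, dest="255.255.255.255", timeout=3.0):
    """Send one DISCOVER and collect every reply seen within timeout (needs root for port 68).
    Assumption: on a multi-homed host, dest = the VLAN's subnet broadcast steers the probe
    out of that interface and the server on that segment answers directed broadcasts too."""
    xid = random.getrandbits(32)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("0.0.0.0", 68))
    s.settimeout(0.5)
    s.sendto(build_discover(client_mac, xid), (dest, 67))
    replies, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            continue
        replies.append(parse_dhcp(data))
    s.close()
    return xid, replies


if __name__ == "__main__":
    # usage: python3 dhcp_probe.py <client-mac> <allowed-servers, comma separated, or ''> [dest]
    mac, allowed = sys.argv[1], {a for a in sys.argv[2].split(",") if a}
    dest = sys.argv[3] if len(sys.argv) > 3 else "255.255.255.255"
    xid, replies = probe(mac, dest)
    rogues = find_rogues(replies, xid, allowed)
    print("Rogue DHCP detected: " + ", ".join(rogues) if rogues else "no unexpected DHCP servers")
    sys.exit(1 if rogues else 0)
```

Run from cron as root with an exit status of 1 meaning "rogue found", e.g. `python3 dhcp_probe.py aa:aa:aa:aa:aa:aa '' 10.0.9.255` for a guest VLAN where no DHCP server at all is expected. The xid check matters: without it a late OFFER from an earlier probe, or one meant for another client that happens to be broadcast, would be counted as a rogue.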