Netgate Discussion Forum
    DHCP traffic does not appear in firewall logs

    haxx

      I have logging enabled on all my firewall rules and checked all the options for firewall log on the setting page.

      I connected a laptop to pfSense and it obtained an IP address via DHCP.

      The firewall logs do not contain any DHCP entries for the requests and responses on ports 67 and 68. A packet capture does show the traffic.

      Is there a way to get the DHCP entries into the pfSense firewall logs?

      Also any rules I set on port 67 and 68 seem to have no effect. How can I get control of those ports so I can restrict and monitor DHCP connections?

      Thanks

      kiokoman

        There are hidden rules for DHCP and other essential stuff to prevent people from locking themselves out.

        you can see it with

        pfctl -sr | grep "DHCP server"
        

        idk if you can change any of that, but you can set restrictions on the DHCP server tab and see what's happening under Status / System Logs / DHCP.
        What kind of restriction do you want to apply with a firewall rule?

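        The behaviour kiokoman describes can be modelled in a few lines: pf evaluates rules top to bottom, the last matching rule wins, but a matching rule marked `quick` ends evaluation on the spot, and the generated "allow access to DHCP server" rules are `pass ... quick` without `log`. The script below is an added example written for this page, not pfSense's own code. The ruleset text is constructed to resemble `pfctl -sr` output; the interface name igb1, the address 192.168.1.1 and the two user rules are assumptions for the demonstration.

```python
"""Toy model of pf rule evaluation, enough to show why a later
'block log' catch-all never records DHCP on pfSense.

Added example, not pfSense code. RULESET is CONSTRUCTED to resemble
'pfctl -sr' output; igb1 / 192.168.1.1 and the user rules are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RULESET = """\
pass in quick on igb1 inet proto udp from any port = 68 to 255.255.255.255 port = 67 keep state label "allow access to DHCP server"
pass in quick on igb1 inet proto udp from any port = 68 to 192.168.1.1 port = 67 keep state label "allow access to DHCP server"
pass out quick on igb1 inet proto udp from 192.168.1.1 port = 67 to any port = 68 keep state label "allow access to DHCP server"
pass in log quick on igb1 inet proto tcp from any to 192.168.1.1 port = 443 flags S/SA keep state label "USER_RULE: allow webgui"
block in log quick on igb1 inet all label "USER_RULE: catch-all block"
"""

# Parses the subset of pf rule syntax used above (assumed layout).
RULE_RE = re.compile(
    r'^(?P<action>pass|block)\s+(?P<dir>in|out)'
    r'(?P<log>\s+log)?(?P<quick>\s+quick)?'
    r'\s+on\s+(?P<iface>\S+)'
    r'(?:\s+inet6?)?'
    r'(?:\s+proto\s+(?P<proto>\S+))?'
    r'(?:\s+from\s+(?P<src>\S+)(?:\s+port\s+=\s+(?P<sport>\d+))?)?'
    r'(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s+=\s+(?P<dport>\d+))?)?'
    r'(?:\s+all)?'
    r'.*?label\s+"(?P<label>[^"]*)"'
)


@dataclass(frozen=True)
class Rule:
    action: str
    direction: str
    log: bool
    quick: bool
    iface: str
    proto: Optional[str]
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        g = m.groupdict()
        rules.append(Rule(
            action=g["action"], direction=g["dir"],
            log=bool(g["log"]), quick=bool(g["quick"]), iface=g["iface"],
            proto=g["proto"], src=g["src"],
            sport=int(g["sport"]) if g["sport"] else None,
            dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
            label=g["label"]))
    return rules


def _field_ok(want, have) -> bool:
    # An absent field or 'any' matches everything, like pf's 'all'/'any'.
    return want is None or want == "any" or want == have


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and _field_ok(rule.proto, pkt.proto)
            and _field_ok(rule.src, pkt.src) and _field_ok(rule.sport, pkt.sport)
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: last matching rule wins, unless a matching rule is
    'quick', in which case evaluation stops there and later rules are
    never consulted, including a later 'block log' catch-all."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def decision(rules: List[Rule], pkt: Packet) -> dict:
    r = evaluate(rules, pkt)
    if r is None:
        return {"action": "pass", "logged": False, "label": "(implicit default pass)"}
    return {"action": r.action, "logged": r.log, "label": r.label}


def dhcp_server_rules(rules: List[Rule]) -> List[Rule]:
    """Same selection as the thread's: pfctl -sr | grep "DHCP server"."""
    return [r for r in rules if "DHCP server" in r.label]


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    discover = Packet("in", "igb1", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
    ssh = Packet("in", "igb1", "tcp", "192.168.1.50", 51000, "192.168.1.1", 22)
    print("DHCPDISCOVER ->", decision(rules, discover))   # hidden pass, not logged
    print("SSH to LAN IP ->", decision(rules, ssh))       # catch-all block, logged
```

        Running it shows the DHCPDISCOVER stopping at the first hidden `pass quick` rule with logging off, while a TCP packet to port 22 falls through to the catch-all and is logged; that ordering, not a logging setting, is why the catch-all rule stays silent for DHCP.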
        haxx

          I just want to see everything (all network traffic) in the logs and have control over all the rules. For example, locking down the rules to ensure only the correct router can be used can prevent the result of ARP spoofing. I do that on my host so it can only connect to the correct router. I'll take a look at that. Thanks

          haxx

            Solved the logging issue. I did not yet test connectivity.

            I added specific rules for ports 67 and 68 on the LAN interface for that specific network, except I have to allow outbound on 68 to anywhere because it's broadcast. That caused the traffic to appear in the logs.

            I do not understand why the catch-all deny rule didn’t show the traffic. I had it set to capture any port, protocol, source, destination and log it.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.