Dhclient and rfc1918 blocking

  • After moving a VM install of pfSense I've been having a lot of trouble getting an IP address, which prompted me to finally buy some proper hardware.
    I had to move it onto a desktop machine as my VM server is in the loft and it's been unusually hot in the UK of late, so it had to be turned off.

    To that end I've got an apu2c4 from pcengines preinstalled by the nice folk at LiniTX which is a much better solution all round.

    I was still having some trouble getting an address; I finally got one by changing the source MAC address and rebooting the modem and firewall after disabling RFC1918 blocking on the WAN interface.

    Now, it could just be my ISP being fussy but the DHCP response packets are being sent from a 10.x.x.x/8 address.

    Does anyone know if the firewall rule put in place by the block RFC1918 setting on the interface will actually block these, or is the dhclient somehow immune?

    I'd rather not have RFC1918 coming in at all if I can avoid it.


  • LAYER 8 Global Moderator

    Pretty sure the hidden rules in place that allow DHCP are evaluated before the bogon or RFC1918 blocks on the WAN interface ;)  Or there would be many people screaming that DHCP on the WAN doesn't work.  It's very common for ISPs to use RFC1918 space for their DHCP servers.

    Keep in mind that while those rules are common practice, they are really not all that meaningful in the big picture.  Keep in mind that out of the box all unsolicited traffic is blocked.  Doesn't matter what IP it comes from ;)  Be it normal public, bogon or RFC1918, they are all blocked unless it's in some answer to traffic you initiated.

    So those rules would only be of any use at all if you created a port forward.  So let's say you forwarded something to a game server or HTTP server behind pfSense.  Now, while all the public internet would be allowed to talk to your port forward, those rules would keep bogon and RFC1918 addresses from talking to the port forward that you opened to the public internet on purpose.

    So those rules block access to your port forwards from IPs that don't actually route on the public internet anyway.  So where would they be coming from?  The only place you might be able to talk back to them would be from the ISP layer 2 network you're connected to.  How many clients do you think that might be?  And what would they be doing that would be of any real issue, since you opened up those ports to the planet anyway?

    While it is common practice to block such traffic, that's out of principle more than anything.  When it comes to the real world they are pretty useless.  If you ask me they cause way more problems than any actual increase in security.  There are many users of pfSense that use RFC1918 on the WAN side of pfSense vs actual public addresses.  And the bogon list has its own issues with what is actually in there causing problems.  And to be honest, as usable IPv4 space becomes less and less, they are freeing up those bogons that used to not be viable and giving them out to be used on the public internet.
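    The argument above (state-table replies never hit the rules, a DHCP pass rule evaluated ahead of the RFC1918 block, and the block only mattering for port forwards) can be modelled as a first-match packet filter. This is an added illustration, not pfSense's own ruleset or code: the rule order and the one forwarded port are assumptions taken from the reply, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 space, what the WAN "block private networks" option matches on.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FORWARDED_PORTS = {80}      # constructed: one port forward to a web server

@dataclass
class Packet:
    src: str
    proto: str
    sport: int
    dport: int
    reply: bool = False     # belongs to a connection the firewall itself initiated

def allow_dhcp(p: Packet) -> bool:
    # Hidden WAN rule passing DHCP server -> client traffic (UDP 67 -> 68).
    return p.proto == "udp" and p.sport == 67 and p.dport == 68

def block_rfc1918(p: Packet) -> bool:
    return any(ipaddress.ip_address(p.src) in net for net in RFC1918)

def allow_forward(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport in FORWARDED_PORTS

# Assumed order, as the reply describes it: hidden DHCP pass first, then the
# WAN interface's RFC1918 block, then the user's port-forward pass rule.
# Rules are evaluated "quick", so the first match wins.
RULES = [
    ("hidden DHCP pass", allow_dhcp, "pass"),
    ("block RFC1918 (WAN option)", block_rfc1918, "block"),
    ("port forward pass", allow_forward, "pass"),
]

def classify(p: Packet) -> tuple:
    # Replies to traffic we initiated match the state table and never reach
    # the rules, so the rules only ever see unsolicited traffic.
    if p.reply:
        return ("pass", "state table")
    for name, match, action in RULES:
        if match(p):
            return (action, name)
    return ("block", "default deny")

if __name__ == "__main__":
    for pkt in (Packet("10.20.30.40", "udp", 67, 68), Packet("10.20.30.40", "tcp", 51000, 80),
                Packet("203.0.113.7", "tcp", 51000, 80), Packet("203.0.113.7", "tcp", 51000, 22)):
        print(pkt.src, pkt.proto, pkt.dport, "->", classify(pkt))
```

    The DHCP offer from the 10.x server passes, the same 10.x host is blocked only when it aims at the forwarded port, and everything unsolicited that no pass rule covers falls through to the default deny regardless of source address.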
