DHCP offers traveling across a filtering bridge?



  • I have pfSense set up as a filtering bridge with a public C-class net on the "LAN" interface. Last Friday I started to get strange DHCP offers, and after some troubleshooting I realised that the offers were coming from the WAN interface (they disappeared when pulling the WAN cable). So... how can this traffic travel over the bridge? Isn't it supposed to be firewalled? I have a default reject of all traffic I don't want to accept, like so:

    Proto     Source  Port  Destination         Port  Gateway
    TCP/UDP   *       *     AAA.BBB.164.0/24    *     *

    I also tried replacing TCP/UDP with Any to block this, but no success. How do I stop the DHCP broadcasts? The firewall also works fine otherwise; regular traffic like HTTP/SSH etc. is blocked as it should be, except to selected hosts.



  • I have now done a lab: a pfSense box with the same config as my firewall. On the LAN side I connected a "client computer". On the WAN side I connected a computer acting as a router. I also ran a DHCP server on this computer.

    When I use the DHCP client on the client computer on the LAN interface, I get a DHCP address from the server on the WAN interface. This is not right! How do I block the DHCP?



  • Have you enabled the filtering bridge?
    "System" --> "Advanced" --> "Enable filtering bridge"

    Also, have you tried removing all rules on both interfaces?
    There is by default an invisible "block all" rule in place.
    So if you delete all rules, everything should be blocked.



  • Ok, now I have checked the above. The filtering bridge is enabled, and all rules are removed on both WAN and LAN. I still see DHCP ACKs in the log of the DHCP server on the WAN when I renew the lease on the DHCP client on the LAN. Isn't this strange?



  • @sussox:

    Ok, now I have checked the above. The filtering bridge is enabled, and all rules are removed on both WAN and LAN. I still see DHCP ACKs in the log of the DHCP server on the WAN when I renew the lease on the DHCP client on the LAN. Isn't this strange?

    This is driving me crazy... I have it running with a single rule, blocking ANY protocol from the LAN net to the WAN. But still the DHCP travels the bridge!

    When I disable the bridge, the DHCP stops working (of course), but when using a filtered bridge with no rules (or a single block-all rule, like above) DHCP still gets through... Bug?
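As an added example (not code from the thread or from pfSense), a small Python parser that decodes a BOOTP/DHCP UDP payload and flags server-side messages (OFFER/ACK/NAK) whose server identifier is not on an allow-list, the kind of check a defender would run over LAN-side captures to confirm that offers are arriving from the wrong side of the bridge. The sample packet and the 192.0.2.x addresses are constructed test data; the allow-list is an assumed input.

```python
import struct
import ipaddress

# DHCP message types (RFC 2132 option 53) and the options magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP packet into its key fields."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being offered
    chaddr = payload[28:28 + hlen].hex(":")               # client MAC
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end of options
            break
        if code == 0:              # pad byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}

def classify_offer(payload: bytes, allowed_servers: set):
    """Return (message type, server identifier, is_rogue) for one DHCP payload."""
    pkt = parse_dhcp(payload)
    mtype = MSG_TYPES.get(pkt["options"].get(53, b"\x00")[0], "UNKNOWN")
    sid = pkt["options"].get(54)                          # option 54: server identifier
    server_ip = str(ipaddress.IPv4Address(sid)) if sid else None
    is_server_msg = mtype in ("OFFER", "ACK", "NAK")
    return mtype, server_ip, is_server_msg and server_ip not in allowed_servers

def build_sample_offer(server_ip="192.0.2.1", client_ip="192.0.2.50") -> bytes:
    """Construct a DHCP OFFER for testing (constructed data, TEST-NET addresses)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0x8000)  # BOOTREPLY
    hdr += b"\x00" * 4                                   # ciaddr
    hdr += ipaddress.IPv4Address(client_ip).packed       # yiaddr
    hdr += ipaddress.IPv4Address(server_ip).packed       # siaddr
    hdr += b"\x00" * 4                                   # giaddr
    hdr += bytes.fromhex("0011223344aa") + b"\x00" * 10  # chaddr (16 bytes)
    hdr += b"\x00" * 192                                 # sname + file
    opts = MAGIC_COOKIE + b"\x35\x01\x02"                # 53: message type OFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed  # 54: server id
    return hdr + opts + b"\xff"
```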

