DHCP on OPT2 enabled responding to requests from LAN

bws

Hi,

I have a bit of a unusual configuration, and it is resulting in strange DHCP behavior. I am hoping I just have something simple misconfigured and it is an easy fix.

This is a sample of the log:
DHCPDISCOVER from 00:0f:ff:11:51:75 via igb3
DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
Sending HUP signal to dns daemon(1206)
DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb0: wrong network.
DHCPNAK on 172.16.0.10 to 00:0f:ff:11:51:75 via igb0
DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPACK on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPDISCOVER from 00:0f:ff:11:51:75 via igb0
DHCPOFFER on 10.0.1.36 to 00:0f:ff:11:51:75 via igb0
DHCPDISCOVER from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3

I do not understand why my device, which is physically on LAN (igb0) is ever talking to igb3 DHCP server, what did I do wrong?

This is my physical diagram

ONT <- (VLAN1)> Switch <-(VLAN1)->pfsense (WAN)
                                ^–(VLAN4)----> pfsense (OPT2)

C4-8AMP1-B <---(dumb switch)---> pfsense(LAN)

LAN is set up to DHCP with gateway 10.0.1.1, and this device has a static rule to give it 10.0.1.36
OPT2 is setup with gateway of 172.16.0.1 and is set to only give out a lease to that switch's MAC address, to 172.16.0.2, and there are a bunch of firewall rules to deny everything from OPT2 and everything to OPT2 other than http and https to only 172.16.0.2.

The whole point of this exercise is to isolate the switch outside the firewall, since it is outside, but I still want to be able to manage it from the inside. If I just connected VLAN4 on the switch to LAN (which I did initially), then if someone roots my switch, they have full access to my LAN. So I came up with this idea.

Now, if I turn off DHCP Server on OPT2, and set a static IP on my switch to 172.16.0.2, everything works. But I want to know if something else is wrong, or if I just missed a setting to get DHCP to work correctly.

Thanks for your time on this one,

bws

johnpoz

"is ever talking to igb3 DHCP server, what did I do wrong?"

You have it connected via layer 2.. There is no way for lan broadcasts for dhcp to get to your opt2 interface unless its connected somehow.

bws

The only connection, which is likely the issue, is the bridge I created in pfsense between LAN and OPT2, but there is a firewall rule to block everything other than http and https ports directed to that one IP address.

But lets back up a step. Am I making this more complicated than it needs to be?

with this physical connection: ONT <–-->Switch that supports VLANs<--->pfsense(WAN) <->pfsense (LAN) <--> my LAN (10.0.x.x)

How should I connect with https to the switch? I'm happy to either set up a static IP on the switch or use DHCP.

I thought the best, most secure way was to use the unused OPT2 port on the pfsense and connect that to a free port on the switch, using a different, unused VLAN id. Is this the best way? should I be doing something differently?

If this is the best way, whats the gotcha that I missed in setting this up?

Thanks again,

bfs

doktornotor

The best way it to NOT configure bridges when they are clearly NOT wanted. Sigh.

bws

Without a bridge, how do I route https from a computer on my LAN to the switch?

-bws

Derelict

You do just that. You route it.

bws

can you tell me how to do that? I cannot seem to find the right place to configure it

Derelict

Talking to an outside switch generally requires a management VLAN.

It is more a function of the switch and its capabilities than pfSense.

Set the management VLAN on the switch to an inside VLAN/IP scheme and get that VLAN to the switch somehow.

Be REALLY, REALLY careful to be sure that switch does not respond to admin/management requests on any other VLANs.

And be REALLY, REALLY careful that switch will not route requests from the WAN VLAN to the management VLAN. This can get tricky if it's layer 2+/layer 3 but, again, that's really a function of the switch, not pfSense.

johnpoz

"How should I connect with https to the switch?"

To what switch and from where?  Your smart switch?  If you want to manage this switch from your lan connect a vlan to your lan.  Why would you not just create a SVI on whatever vlan you want and connect that to your lan?

The whole point of a smart/managed switch is to created different layer 2's in the same physical switch.  Ie bunch of switches inside 1 physical switch..  Vlans can be tagged or untagged.