    DHCP on OPT2 enabled responding to requests from LAN

    Category: DHCP and DNS
    9 Posts, 4 Posters, 1.2k Views
    bws wrote:

      Hi,

      I have a bit of an unusual configuration, and it is resulting in strange DHCP behavior. I am hoping I just have something simple misconfigured and it is an easy fix.

      This is a sample of the log:
      DHCPDISCOVER from 00:0f:ff:11:51:75 via igb3
      DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
      Sending HUP signal to dns daemon(1206)
      DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb0: wrong network.
      DHCPNAK on 172.16.0.10 to 00:0f:ff:11:51:75 via igb0
      DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
      DHCPACK on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
      DHCPDISCOVER from 00:0f:ff:11:51:75 via igb0
      DHCPOFFER on 10.0.1.36 to 00:0f:ff:11:51:75 via igb0
      DHCPDISCOVER from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
      DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3

      I do not understand why my device, which is physically on LAN (igb0) is ever talking to igb3 DHCP server, what did I do wrong?

      This is my physical diagram

      ONT <--(VLAN1)--> Switch <--(VLAN1)--> pfSense (WAN)
                          ^--(VLAN4)--> pfSense (OPT2)

      C4-8AMP1-B <---(dumb switch)---> pfsense(LAN)

      LAN is set up to DHCP with gateway 10.0.1.1, and this device has a static rule to give it 10.0.1.36.
      OPT2 is set up with a gateway of 172.16.0.1 and is set to only give out a lease to that switch's MAC address, 172.16.0.2, and there are a bunch of firewall rules to deny everything from OPT2 and everything to OPT2 other than http and https to only 172.16.0.2.

      The whole point of this exercise is to isolate the switch outside the firewall, since it is outside, but I still want to be able to manage it from the inside. If I just connected VLAN4 on the switch to LAN (which I did initially), then if someone roots my switch, they have full access to my LAN. So I came up with this idea.

      Now, if I turn off DHCP Server on OPT2, and set a static IP on my switch to 172.16.0.2, everything works. But I want to know if something else is wrong, or if I just missed a setting to get DHCP to work correctly.

      Thanks for your time on this one,

      bws

      johnpoz (LAYER 8 Global Moderator) wrote:

        "is ever talking to igb3 DHCP server, what did I do wrong?"

        You have it connected via layer 2.. There is no way for LAN broadcasts for DHCP to get to your OPT2 interface unless it's connected somehow.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

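The log in the opening post carries the fingerprint of two broadcast domains joined at layer 2: one client MAC has its DISCOVER/REQUEST arriving on both igb0 and igb3, and the igb0 copy of a REQUEST for the igb3 lease is rejected as "wrong network". This added Python example (not code from the thread or from pfSense) parses those ISC dhcpd lines, which are embedded below as constructed sample input, and flags any MAC seen on more than one interface along with the "wrong network" rejections, so the same check can be run over a real dhcpd log to confirm or rule out a leak before touching bridge or VLAN settings.

```python
import re
from collections import defaultdict

# Constructed sample: the dhcpd lines posted in the thread, syslog prefix stripped.
SAMPLE_LOG = """\
DHCPDISCOVER from 00:0f:ff:11:51:75 via igb3
DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
Sending HUP signal to dns daemon(1206)
DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb0: wrong network.
DHCPNAK on 172.16.0.10 to 00:0f:ff:11:51:75 via igb0
DHCPREQUEST for 172.16.0.10 (172.16.0.1) from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPACK on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPDISCOVER from 00:0f:ff:11:51:75 via igb0
DHCPOFFER on 10.0.1.36 to 00:0f:ff:11:51:75 via igb0
DHCPDISCOVER from 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
DHCPOFFER on 172.16.0.10 to 00:0f:ff:11:51:75 (C4-8AMP1-B) via igb3
"""

# Message type, client MAC, receiving interface and an optional trailing note
# (dhcpd appends ": wrong network." when a REQUEST names a lease from another subnet).
LINE_RE = re.compile(
    r"^(?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?"
    r"via (?P<iface>\S+?)(?::\s*(?P<note>.*))?$"
)

# Only client-originated messages tell us which interface the broadcast arrived on.
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST"}


def analyze(log_text):
    """Return (leaked, wrong_network).

    leaked: {mac: sorted list of interfaces} for every client whose DISCOVER or
            REQUEST was received on more than one interface, i.e. the two
            segments share a layer-2 path (here, the LAN/OPT2 bridge).
    wrong_network: [(mac, iface)] for each REQUEST dhcpd rejected as wrong network.
    """
    ifaces_by_mac = defaultdict(set)
    wrong_network = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "Sending HUP signal" line
        if m["msg"] in CLIENT_MSGS:
            ifaces_by_mac[m["mac"]].add(m["iface"])
        if m["note"] and "wrong network" in m["note"]:
            wrong_network.append((m["mac"], m["iface"]))
    leaked = {mac: sorted(ifs) for mac, ifs in ifaces_by_mac.items() if len(ifs) > 1}
    return leaked, wrong_network
```

A clean setup yields an empty `leaked` map; any entry there names a client whose broadcasts are reaching a second DHCP-serving interface.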
        bws wrote:

          The only connection, which is likely the issue, is the bridge I created in pfsense between LAN and OPT2, but there is a firewall rule to block everything other than http and https ports directed to that one IP address.

          But let's back up a step. Am I making this more complicated than it needs to be?

          With this physical connection: ONT <---> Switch that supports VLANs <---> pfSense (WAN) <-> pfSense (LAN) <--> my LAN (10.0.x.x)

          How should I connect with https to the switch? I'm happy to either set up a static IP on the switch or use DHCP.

          I thought the best, most secure way was to use the unused OPT2 port on the pfSense and connect that to a free port on the switch, using a different, unused VLAN id. Is this the best way? Should I be doing something differently?

          If this is the best way, what's the gotcha that I missed in setting this up?

          Thanks again,

          bws

          doktornotor wrote:

            The best way is to NOT configure bridges when they are clearly NOT wanted. Sigh.

            bws wrote:

              Without a bridge, how do I route https from a computer on my LAN to the switch?

              -bws

              Derelict (LAYER 8 Netgate) wrote:

                You do just that. You route it.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                bws wrote:

                  Can you tell me how to do that? I cannot seem to find the right place to configure it.

                  Derelict (LAYER 8 Netgate) wrote:

                    Talking to an outside switch generally requires a management VLAN.

                    It is more a function of the switch and its capabilities than pfSense.

                    Set the management VLAN on the switch to an inside VLAN/IP scheme and get that VLAN to the switch somehow.

                    Be REALLY, REALLY careful to be sure that switch does not respond to admin/management requests on any other VLANs.

                    And be REALLY, REALLY careful that switch will not route requests from the WAN VLAN to the management VLAN. This can get tricky if it's layer 2+/layer 3 but, again, that's really a function of the switch, not pfSense.


                    johnpoz (LAYER 8 Global Moderator) wrote:

                      "How should I connect with https to the switch?"

                      To what switch and from where?  Your smart switch?  If you want to manage this switch from your lan connect a vlan to your lan.  Why would you not just create a SVI on whatever vlan you want and connect that to your lan?

                      The whole point of a smart/managed switch is to create different layer 2s in the same physical switch, i.e. a bunch of switches inside 1 physical switch.. VLANs can be tagged or untagged.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.