DHCP Discover/Offer/Request/Ack packets not being blocked



  • Hi,

    I'm learning pfSense through tinkering and there's something I can't figure out.

    I have the following setup:

    +-----------------+
    |                 |
    |       Veon      |
    |  192.168.1.100  |
    |                 |
    +--------+--------+
             |
             |
             |
             | 192.168.1.1 (WAN)
       +-----+-----+
       |           |
       |  pfSense  |
       |           |
       +-----+-----+
             | 10.0.0.1 (LAN)
             |
             |
             |
     +-------+------+
     |              |
     |     Vito     |
     |  10.0.0.100  |
     |              |
     +--------------+
    
    

    I'm using "Veon" to access the pfSense web interface. I enabled a DHCP server on the LAN interface, then I sent a DHCP request from "Vito"… and successfully received a DHCP response. Which was surprising because I expected I would need to create a firewall rule to allow DHCP traffic. Then I created a rule to specifically block DHCP traffic and cleared the state table. I did another DHCP request, and... it worked again. I double-checked this with tcpdump, the traffic is not being blocked. What am I missing?

    The blanket firewall rule is on the "LAN" interface:

    
    Protocol   Source   Port   Destination   Port  Action
    IPv4+6     UDP      *      *             *     Block
    
    

    I've tried several different versions before this shotgun rule, nothing has worked.


  • LAYER 8 Global Moderator

    When you enable the DHCP server, there are hidden rules to allow for DHCP.. This is to protect the user from themselves ;)  Users are normally quite stupid ;)

    user: I enabled dhcp - but it's not working!!!  Freaking pfsense sucks..  is there a bug??
    admin: Did you create the rules to allow for dhcp??
    user: Dohhh!!  What ports and protocols does dhcp use?

    It's taken as a given that if you enable dhcpd on an interface - that you would actually like the discover packets to reach the DHCP server..  You can always look at the rules with

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    example from my lan interface
    pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
    pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"



  • Ah, it makes perfect sense from a usability point of view, and now I know how to view ALL of the rules. Fantastic, thank you! :D


  • LAYER 8 Global Moderator

    There is a specific order to how the rules are evaluated as well.. So keep that in mind

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
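The two moderator replies above describe why the user's block rule never fires: pfSense inserts its own `pass ... quick` rules for DHCP ahead of the user-defined rules, and in pf a matching `quick` rule ends evaluation immediately. The following script is an added illustration written for this thread, not pfSense code or anything from the posters. It parses the three automatic DHCP rules quoted in the reply above plus a constructed user rule that blocks all UDP on the LAN, then walks them with pf's semantics (last match wins unless a `quick` rule matches first). The interface name `em1`, the LAN address `192.168.9.253` and the user rule are taken as assumptions for the demonstration.

```python
"""Model of pf rule evaluation on a pfSense LAN interface (added example).

The ruleset below is constructed for this illustration: three automatic
'pass ... quick' DHCP rules as pfSense generates them when dhcpd is enabled
on an interface (copied from the thread), followed by a hypothetical user
rule that blocks all inbound UDP on the same interface.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple

# Service names pf resolves in 'port = name'; only the DHCP pair is needed here.
SERVICES = {"bootps": 67, "bootpc": 68}

# Minimal grammar: enough for the rule lines shown in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"\s+inet\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\S+))?"
)


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return SERVICES.get(token) or int(token)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(action=m["action"], direction=m["dir"], quick=bool(m["quick"]),
                iface=m["iface"], proto=m["proto"], src=m["src"],
                sport=parse_port(m["sport"]), dst=m["dst"],
                dport=parse_port(m["dport"]), text=line.strip())


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.proto == pkt.proto
            and addr_matches(rule.src, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule stops evaluation on the spot. Default when nothing matches
    is pass (pfSense's own rulesets end in explicit block rules)."""
    decision: Tuple[str, Optional[Rule]] = ("pass", None)
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = (rule.action, rule)
            if rule.quick:
                break
    return decision


# Constructed ruleset: automatic DHCP rules first, user rule last (pfSense order).
RULESET = [parse_rule(l) for l in """
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block in quick on em1 inet proto udp from any to any label "USER_RULE: hypothetical block all UDP"
""".strip().splitlines()]

# Constructed packets: a DHCP Discover broadcast and an ordinary DNS query.
DHCP_DISCOVER = Packet("in", "em1", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
DNS_QUERY = Packet("in", "em1", "udp", "192.168.9.10", 51000, "192.168.9.253", 53)


def decide(pkt: Packet, rules: List[Rule] = RULESET) -> Tuple[str, Optional[str]]:
    action, rule = evaluate(rules, pkt)
    return action, (rule.text if rule else None)


if __name__ == "__main__":
    for name, pkt in (("DHCP Discover", DHCP_DISCOVER), ("DNS query", DNS_QUERY)):
        action, text = decide(pkt)
        print(f"{name}: {action} by: {text}")
```

Running it shows the Discover passing on the first automatic rule while the DNS query reaches the user's block rule; moving the user rule ahead of the automatic ones in the list makes the Discover get blocked, which is exactly the ordering the rule-processing page linked above describes and why the GUI rule in the original post has no effect.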

