Netgate Discussion Forum
    DHCP Discover/Offer/Request/Ack packets not being blocked

    Firewalling

    Matt-Deacalion

      Hi,

      I'm learning pfSense through tinkering and there's something I can't figure out.

      I have the following setup:

      +-----------------+
      |                 |
      |       Veon      |
      |  192.168.1.100  |
      |                 |
      +--------+--------+
               |
               |
               |
               | 192.168.1.1 (WAN)
         +-----+-----+
         |           |
         |  pfSense  |
         |           |
         +-----+-----+
               | 10.0.0.1 (LAN)
               |
               |
               |
       +-------+------+
       |              |
       |     Vito     |
       |  10.0.0.100  |
       |              |
       +--------------+

      I'm using "Veon" to access the pfSense web interface. I enabled a DHCP server on the LAN interface, then I sent a DHCP request from "Vito"… and successfully received a DHCP response, which was surprising because I expected I would need to create a firewall rule to allow DHCP traffic. Then I created a rule to specifically block DHCP traffic and cleared the state table. I did another DHCP request, and... it worked again. I double-checked this with tcpdump; the traffic is not being blocked. What am I missing?

      The blanket firewall rule is on the "LAN" interface:

      Protocol     Source   Port   Destination   Port   Action
      IPv4+6 UDP   *        *      *             *      Block

      I've tried several different versions before this shotgun rule, nothing has worked.

      johnpoz (LAYER 8 Global Moderator)

        When you enable the DHCP server, there are hidden rules to allow DHCP.. This is to protect the user from themselves ;)  Users are normally quite stupid ;)

        user: I enabled dhcp - but it's not working!!!  Freaking pfsense sucks..  is there a bug??
        admin: Did you create the rules to allow for dhcp??
        user: Dohhh!!  What ports and protocols does dhcp use?

        It's taken as a given that if you enable dhcpd on an interface - that you would actually like the discover packets to reach the dhcp server..  You can always look at the rules with

        https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

        Example from my LAN interface:
        pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
        pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
        pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Matt-Deacalion

          Ah, it makes perfect sense from a usability point of view, and now I know how to view ALL of the rules. Fantastic, thank you! :D

          johnpoz (LAYER 8 Global Moderator)

            There is a specific order to how the rules are evaluated as well.. So keep that in mind

            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

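To make the two points in the answers above concrete (the automatic DHCP pass rules that appear when dhcpd is enabled, and the fact that rule order decides the outcome), here is a small model of pf rule evaluation written for this thread. It is an added example, not pfSense code and not taken from the thread. The three "allow access to DHCP server" lines are the ones johnpoz quoted (interface em1, server address 192.168.9.253); the block rule that follows them, its "USER_RULE:" label, and the packets are constructed. The parser understands only the subset of pfctl syntax seen in those lines (no tables, no macros, no address lists), which is enough to show why a LAN block rule placed after the automatic rules never sees DHCP traffic.

```python
"""Toy model of pf rule evaluation for the DHCP-not-blocked question.

Constructed example for this thread, not pfSense code. The three
'allow access to DHCP server' rules are the ones quoted in the thread;
the block rule and the sample packets are made up for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Service names as pfctl prints them (only the ones this demo needs).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# Matches the subset of pfctl -sr output used here; no tables/macros/lists.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?:drop|return))?(?:\s+log)?"
    r"\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\S+))?"
    r"(?:\s+keep\s+state)?(?:\s+label\s+\"(?P<label>[^\"]*)\")?"
)


@dataclass
class Rule:
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    quick: bool              # stop evaluating on match
    iface: Optional[str]     # None means any interface
    proto: Optional[str]     # None means any protocol
    src: str                 # "any", host or CIDR
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    label: str


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed rule: {line!r}")
    return Rule(
        action=m["action"], direction=m["dir"], quick=m["quick"] is not None,
        iface=m["iface"], proto=m["proto"],
        src=m["src"], sport=_port(m["sport"]),
        dst=m["dst"], dport=_port(m["dport"]),
        label=m["label"] or "",
    )


def _addr_match(rule_addr: str, pkt_addr: str) -> bool:
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.proto is None or rule.proto == pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and (rule.sport is None or rule.sport == pkt.sport)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the LAST matching rule wins, except that a matching rule
    marked 'quick' ends evaluation at once. pfSense marks nearly every rule
    quick, so in practice the FIRST matching rule decides."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Constructed ruleset: the three automatic DHCP rules quoted in the thread,
# followed by a made-up user block rule (assumed to come after them, as
# pfSense places user rules after its automatic ones).
RULESET = """
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.9.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.9.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in quick on em1 inet proto udp from any to any label "USER_RULE: block all UDP (constructed)"
"""
RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]

# Constructed packets: a DHCP Discover broadcast, a unicast DHCP renew to the
# server, and an unrelated DNS query from a LAN host.
DHCP_DISCOVER = Packet("em1", "in", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
DHCP_RENEW = Packet("em1", "in", "udp", "192.168.9.10", 68, "192.168.9.253", 67)
DNS_QUERY = Packet("em1", "in", "udp", "192.168.9.10", 51000, "192.168.9.253", 53)


def explain(rules: List[Rule], pkt: Packet) -> str:
    winner = evaluate(rules, pkt)
    return "no match" if winner is None else f"{winner.action} via {winner.label!r}"


if __name__ == "__main__":
    for name, pkt in [("DHCP discover", DHCP_DISCOVER),
                      ("DHCP renew", DHCP_RENEW),
                      ("DNS query", DNS_QUERY)]:
        print(f"{name:14} -> {explain(RULES, pkt)}")
```

Running it shows the two DHCP packets passing via the automatic rules while the DNS query hits the user block rule: the block rule is correct, it is simply never reached for bootpc/bootps traffic because an earlier quick pass rule matches first. The same model explains the second answer about processing order: move a matching quick rule earlier and the result changes, which is why the full ruleset from the linked doc, not just the GUI tab, is what to read when a rule "does nothing".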
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.