Netgate Discussion Forum
    LAN DHCP clients receiving IP Address from WAN

    Firewalling
    5 Posts 3 Posters 2.8k Views
    • soster

      Hi Everyone,

      Hopefully this has a simple fix. I am using our pfSense as both firewall and router. I have one WAN, one LAN and one OPT interface. I have the pfSense configured to act as the DHCP server on the LAN interface, but I have client computers getting DHCP addresses from our ISP. Our WAN interface gets its address via DHCP, but it appears it is forwarding the DHCP broadcasts through to the LAN interface. I set up a rule on the WAN interface:

      Block WAN IPv4 UDP Source:WAN net Port Range-Other:67 Other:68 Dest:LAN net Port Range-Other:67 Other:68

      Even with this rule in place, I still have LAN computers with WAN IP addresses.

      Anyone have any idea of why this rule is not blocking them from getting DHCP addresses from our ISP?

      Cheers!

      • fakircz

        Do you have the "block RFC1918 networks" (don't remember the exact text) checkbox enabled on the WAN interface? If not (and your WAN IP is not a private one), try enabling it. It will prevent any traffic originating in private IP ranges from passing through the WAN input firewall.

        • soster

          Hi fakircz,
          I have had that rule enabled since I set the firewall up, along with the "Block bogon networks" rule. I think I have figured out the problem. When our old domain controller died, my employer had someone else set up the replacement DC, without talking to me. When he created the domain on the new DC, he used the same domain name as our website, which is hosted elsewhere. Now, when I run "nslookup" against any of our computers, it returns the public IP of our website, instead of the LAN address assigned by our pfSense DHCP. We're exploring trying to change the domain name on the new DC to match the old domain name, without losing what we've already set up.

          • fakircz

            Oh my… :) Every AD beginner guide mentions not to do that, unless you have a good reason (for example, we use a split DNS for certain subdomains to avoid SSL certificate issues... but that's a bit off topic).

            However, I don't believe it has anything to do with your original problem. This is just a broken DNS. But if I understood you correctly, your client computers actually get addresses not from the LAN DHCP server, but from the WAN DHCP server (ISP's). Right?

            If that's the case, there must be some kind of "short circuit" connection between your LAN and WAN, bypassing the router. Is your pfSense box the only physical connection between LAN and WAN? Or are there VLANs involved? I'm asking because DHCP by its nature isn't routable; it can't cross subnets unless there's a DHCP relay agent on the router/switch. So unless you enabled the DHCP relay instead of the DHCP server, there's no way for the DHCP packets to get across the pfSense from the WAN to the LAN interface.

            • kpa

              Under normal circumstances what you're observing shouldn't be possible. Either you are leaking traffic between WAN and LAN somewhere outside pfSense or you have an addon package that causes it. UDP broadcasts are not routed either, so the only way to have WAN DHCP visible on the LAN is through the use of the dhcp-relay, if we assume that it's not through a misconfiguration of hardware or software.

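The two replies above make the same point: a DHCP lease only reaches a client on another subnet through a relay agent, so a LAN host holding a WAN address means either a relay is configured or WAN and LAN are bridged somewhere. The reply packet itself tells you which: the server names itself in option 54 (Server Identifier), and a relay agent stamps its address into the giaddr field. The following is an added example, not code from this thread or from pfSense, that parses captured DHCP server replies and says where each lease came from. The LAN subnet 192.168.1.0/24, the pfSense LAN address 192.168.1.1, and the ISP-side values 203.0.113.1 / 203.0.113.57 (TEST-NET-3) are assumed sample values; the packets are constructed in the block rather than captured.

```python
"""Added example, not part of the forum thread or of pfSense.

Parses raw DHCP server replies (OFFER/ACK/NAK) and flags leases that were not
handed out by the expected LAN server, which is the symptom described above.

Assumed values (hypothetical, chosen for this example):
  LAN subnet 192.168.1.0/24, pfSense LAN address 192.168.1.1.
  The "ISP" values 203.0.113.1 / 203.0.113.57 are constructed from TEST-NET-3.
"""
import ipaddress
import struct

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN subnet
LAN_DHCP_SERVER = ipaddress.ip_address("192.168.1.1")   # assumed pfSense LAN IP

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: start of the options field
OPT_MSG_TYPE = 53                    # DHCP Message Type
OPT_SERVER_ID = 54                   # Server Identifier
OPT_END = 255
MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, yiaddr, server_id, giaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP reply (op=2) as constructed test input."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                     # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326,                     # xid (arbitrary)
        0, 0x8000,                      # secs, flags (broadcast bit set)
        b"\0" * 4,                      # ciaddr
        ipaddress.ip_address(yiaddr).packed,     # yiaddr: address being offered
        ipaddress.ip_address(server_id).packed,  # siaddr
        ipaddress.ip_address(giaddr).packed,     # giaddr: nonzero only when relayed
        b"\0" * 16, b"\0" * 64, b"\0" * 128,     # chaddr, sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, msg_type])
        + bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_dhcp_reply(pkt):
    """Return msg type, yiaddr, server id and giaddr from a raw DHCP reply payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if pkt[0] != 2:
        raise ValueError("not a server reply (op != BOOTREPLY)")
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    sid = opts.get(OPT_SERVER_ID)
    return {
        "type": MSG_TYPES.get(mtype, "UNKNOWN"),
        "yiaddr": str(ipaddress.ip_address(pkt[16:20])),
        "server_id": str(ipaddress.ip_address(sid)) if sid and len(sid) == 4 else None,
        "giaddr": str(ipaddress.ip_address(pkt[24:28])),
    }


def classify_lease(pkt):
    """Say where a lease came from: ok / relayed / rogue-server / foreign-subnet / ignored."""
    r = parse_dhcp_reply(pkt)
    if r["type"] not in ("OFFER", "ACK"):
        return "ignored"
    if r["giaddr"] != "0.0.0.0":
        return "relayed"            # a relay agent carried it across subnets
    if r["server_id"] != str(LAN_DHCP_SERVER):
        return "rogue-server"       # some other server answered on this segment
    if ipaddress.ip_address(r["yiaddr"]) not in LAN_NET:
        return "foreign-subnet"     # right server, address outside LAN net
    return "ok"


if __name__ == "__main__":
    samples = {
        "lan": build_dhcp_reply(2, "192.168.1.50", "192.168.1.1"),
        "isp": build_dhcp_reply(5, "203.0.113.57", "203.0.113.1"),
        "relay": build_dhcp_reply(5, "192.168.1.60", "192.168.1.1", giaddr="192.168.1.1"),
    }
    for name, pkt in samples.items():
        print(name, parse_dhcp_reply(pkt), "->", classify_lease(pkt))
```

In practice the input would be the UDP payloads of a capture taken on the LAN interface (for example `tcpdump -ni <lan-if> -s0 'udp port 67 or udp port 68' -w dhcp.pcap`). A reply classified "rogue-server" seen on the LAN segment confirms the bridged WAN/LAN path both replies suspect, because a server that is not pfSense answered directly on that segment; "relayed" instead points at a DHCP relay configuration, since only a relay agent fills in giaddr.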
              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.