Any Reason to Allow Cable Modem Access to LAN via WAN?



  • The usual subnet for my home network is 192.168.20.0/24.  My cable modem (Arris SB8200) is connected to the WAN port of my pfSense box.  I added a Firewall rule to allow outgoing traffic from devices on that subnet going to 192.168.100.1 (the cable modem's IP for its status page), so I have no problem checking that.  In the process of doing that, I examined the firewall log and found the cable modem trying to access the LAN via the WAN port and being blocked (correctly, since I've got the rule to block private networks from coming in from the WAN):

    5 Matched Firewall Log Entries. (Maximum 50)
    Action	Time	Interface	Rule		Source	Destination	Protocol
    Apr 30 10:40:51	WAN	Block ULA networks from WAN block fc00::/7 (12000)	  192.168.100.1:67	  192.168.100.11:68	UDP
    Apr 30 10:40:51	WAN	Block ULA networks from WAN block fc00::/7 (12000)	  192.168.100.1:67	  255.255.255.255:68	UDP
    Apr 30 10:40:51	WAN	Block ULA networks from WAN block fc00::/7 (12000)	  192.168.100.1:67	  255.255.255.255:68	UDP
    Apr 30 10:40:51	WAN	Block ULA networks from WAN block fc00::/7 (12000)	  192.168.100.1:67	  255.255.255.255:68	UDP
    Apr 30 10:40:51	WAN	Block ULA networks from WAN block fc00::/7 (12000)	  192.168.100.1:67	  255.255.255.255:68	UDP
    

    I'm pretty sure that means it's trying to set up a DHCP lease.  I don't understand why or if I should allow it.
    ![20170430 -- pfSense Cable Modem Firewall.PNG](/public/imported_attachments/1/20170430 – pfSense Cable Modem Firewall.PNG)


  • LAYER 8 Global Moderator

    All traffic is blocked into the wan unless you allow it.. Blocking rfc1918 just adds more noise possible ;)  Are you forwarding 68 to something?  If not it's NOISE!!

    67 to 68 would be an offer or an ack.. So prob just noise left from pfsense getting a 192.168.100 address before your cable modem had actual wan connection.



  • No.  Nothing forwarded.  I can't come up with any reason I'd need to let the cable modem access the pfSense box from the WAN side.  And, if you say it's just noise, that's fine with me.

    One thing I did find is a reference or two saying that cable modems will act as a DHCP server when computers are connected directly to it, and that they will (or at least can) issue the 192.168.100.11 address I have sitting at the top of the firewall log.  We lost internet connection at about the time of those log entries, so maybe that's related to why it sent out the DHCP traffic.



  • FYI, under Interfaces -> WAN (if WAN is your cable modem interface) -> DHCP Client Configuration you can set the option "reject leases from:" to prevent pfSense from accepting an IP address from the cable modem itself.



  • Thanks.  I didn't know that.  But, since the traffic's being blocked anyway, I'll leave it for now.
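
Added example (not part of any post in this thread, and not pfSense's own code): a Python sketch that parses log lines in the tab-separated layout quoted in the first post, flags DHCP server replies (UDP 67 to 68) that arrive on WAN from a private source, and lists the source addresses that are candidates for the "reject leases from" option mentioned above. The function names and the third sample line are constructed for illustration; only IPv4 entries are handled.

```python
import ipaddress
from collections import Counter

# First two lines are taken from the log in the thread; the third is constructed.
SAMPLE_LOG = (
    "Apr 30 10:40:51\tWAN\tBlock ULA networks from WAN block fc00::/7 (12000)"
    "\t  192.168.100.1:67\t  192.168.100.11:68\tUDP\n"
    "Apr 30 10:40:51\tWAN\tBlock ULA networks from WAN block fc00::/7 (12000)"
    "\t  192.168.100.1:67\t  255.255.255.255:68\tUDP\n"
    "Apr 30 10:41:02\tWAN\tconstructed example rule"
    "\t  203.0.113.9:51515\t  198.51.100.7:23\tTCP\n"
)

def split_endpoint(text):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = text.strip().rpartition(":")
    return ipaddress.IPv4Address(host), int(port)

def parse(line):
    """Return (iface, src_ip, src_port, dst_port, proto), or None if unparseable."""
    fields = [f.strip() for f in line.split("\t")]
    if len(fields) != 6:
        return None
    _time, iface, _rule, src, dst, proto = fields
    try:
        (src_ip, src_port), (_dst_ip, dst_port) = split_endpoint(src), split_endpoint(dst)
    except ValueError:  # also covers ipaddress.AddressValueError
        return None
    return iface, src_ip, src_port, dst_port, proto

def is_private_dhcp_reply(entry):
    """DHCP server replies (OFFER/ACK) go UDP 67 -> 68; flag private sources on WAN."""
    iface, src_ip, src_port, dst_port, proto = entry
    return (proto == "UDP" and src_port == 67 and dst_port == 68
            and iface == "WAN" and src_ip.is_private)

def summarize(log_text):
    """Count flagged DHCP replies versus everything else that parsed."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    return Counter("private-dhcp-reply" if is_private_dhcp_reply(e) else "other"
                   for e in entries)

def dhcp_servers_seen(log_text):
    """Source IPs of flagged replies: candidates for 'reject leases from'."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    return sorted({str(e[1]) for e in entries if is_private_dhcp_reply(e)})

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)), dhcp_servers_seen(SAMPLE_LOG))
```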

