Blocked udp 67 (DHCP) on wrong network?



  • Found this in my firewall logs and can't figure it out. I don't have any problems that I know of. I have 2 DHCP servers (Failover\Replicating) in vlan 10 and DHCP relay setup on my firewall. Everything gets IPs in all my vlans and native lan. I have no firewall rules that block any udp 67 traffic.

    What's weird is this says it's blocked on my native lan, which is 10.0.0.0/23, but those addresses are from my vlan10 (10.0.10.0/23). I have noticed this in my snort logs as well (vlan traffic alerting in other vlan instances).

    Gateway is 10.0.10.1
    DHCP #2 is 10.0.10.5

    Thought it could be a snort GID but couldn't find it and I don't have snort blocking yet.

    Any help?


  • LAYER 8 Global Moderator

    Looks like you're getting cross vlan traffic.  You have a switch port in multiple vlans not tagged, etc.. You have a dumb switch in the mix?  You're using one of the tp-link switches that doesn't allow you to remove vlan 1 from ports.. So yeah broadcast traffic is just dumb and sent out on every port, etc.

    If your switching setup was correct it would not be possible for the pfsense interface to see traffic from a vlan that is not for it.  Be it tagged or untagged.  For pfsense to block traffic on its lan that is the native interface, that traffic is hitting pfsense untagged..



  • @johnpoz:

    Looks like you're getting cross vlan traffic.  You have a switch port in multiple vlans not tagged, etc.. You have a dumb switch in the mix?  You're using one of the tp-link switches that doesn't allow you to remove vlan 1 from ports.. So yeah broadcast traffic is just dumb and sent out on every port, etc.

    If your switching setup was correct it would not be possible for the pfsense interface to see traffic from a vlan that is not for it.  Be it tagged or untagged.  For pfsense to block traffic on its lan that is the native interface, that traffic is hitting pfsense untagged..

    That makes sense. I've got all Unifi switches. I do have a few dumb switches in the mix but they're all on untagged vlan specific ports, unless someone has made a loop between a trunk and untagged vlan port. I'll look these hosts up and find where they're at. Thanks for the reply! Definitely the first place to start looking.



  • @johnpoz I think I replied too quickly earlier.

    So after thinking about this (been a busy day and couldn't think about it earlier) I'm having a hard time with it being an untagged port on a switch for a few reasons.

    1. This is my firewall default gateway sending the traffic. I know snort alerted but that traffic originated from the gateway?
    2. Source is 10.0.10.1 which is the vlan default gateway for vlan10 and not a host on my untagged 10.0.0.0 network.
    3. This traffic emerged on to my native untagged lan 10.0.0.1. Could the firewall have fumbled the traffic?
    4. Both source and destination ports are 67. Requests for DHCP normally come from 0.0.0.0:68 to 255.255.255.255:67

    So my config is pfSense is a DHCP relay (two load-balanced servers) for each network\vlan. My DHCP servers live on vlan 10. Any traffic\hosts on any network requesting a DHCP offer should broadcast to 255.255.255.255:67. The firewall sees this and forwards that traffic to my DHCP on vlan 10, those servers reply and so forth until the client gets its address.

    Since this couldn't have come from any host(source IP cleared that up) I don't think the loop between untagged vlan and native lan could apply. If I'm missing something or my thinking is off somewhere then I'm up for any suggestions.

    Thanks again!


  • LAYER 8 Global Moderator

    "2) Source is 10.0.10.1 which is the vlan default gateway for vlan10 and not a host on my untagged 10.0.0.0 network."

    What do you mean default gateway for vlan 10.. So you have a downstream router?  And lan is your transit network?  There should be no hosts on your transit network.. And no dhcp should pass an L3 boundary unless you have dhcp relay setup… like your downstream router..

    Please draw your network..  A relay would be 67 to 67... Sorry I did not look that closely, my bad.  I should have caught the 67 to 67 with IPs, etc.  It is a relay..

    Do you have clients on your lan.. I am going to guess an asymmetrical setup... Just because it seems to be a common issue around here ;)

    If you have a downstream L3, why are you sending relay to pfsense?  Pfsense can be dhcpd for network it does not have interface in... If you have downstream network pfsense would not have interface in that network.... Please draw your network..



  • @johnpoz:

    "2) Source is 10.0.10.1 which is the vlan default gateway for vlan10 and not a host on my untagged 10.0.0.0 network."

    What do you mean default gateway for vlan 10.. So you have a downstream router?  And lan is your transit network?  There should be no hosts on your transit network.. And no dhcp should pass an L3 boundary unless you have dhcp relay setup… like your downstream router..

    Please draw your network..  A relay would be 67 to 67... Sorry I did not look that closely, my bad.  I should have caught the 67 to 67 with IPs, etc.  It is a relay..

    Do you have clients on your lan.. I am going to guess an asymmetrical setup... Just because it seems to be a common issue around here ;)

    If you have a downstream L3, why are you sending relay to pfsense?  Pfsense can be dhcpd for network it does not have interface in... If you have downstream network pfsense would not have interface in that network.... Please draw your network..

    No I don't have a downstream L3. pfSense is the core router on my network.

    And by default gateway I mean just that. 10.0.10.1 is the default gateway\route for any client on vlan 10. That is the pfSense interface address for that vlan and by default the only gateway\route for a client to use to reach the internet or any other network.

    I have a Netgate xg-2758 with the 2 10GB sfp+ ports in a lagg to my core switch. Keep in mind this isn't my whole network, just my server closet. I have about 20 more switches with trunk ports to each switch, and each port on any given switch is untagged for the vlan that is needed on that port; they are not all the same.

    My pfSense box is a DHCP relay for all networks. I do not want, nor do I use, DHCP in pfSense. It is for routing, IPS, and pfBlockerNG only. I have clients on every network and vlan. See the attached Example.png for my network description. I didn't add any clients to the diagram except for the DHCP servers. All connections are 10G trunk ports. My VMs are tagged for their vlan in Hyper-V. I have no network problems and everything works as designed. Just these weird alerts in snort and drop rules happening in my firewall logs have me scratching my head.

    Thanks for clarifying the DHCP relay ports (67 to 67); that explains why the source and destination are both 67. Having said that, it brings me back to my original question. Why would this traffic be on the native lan? pfSense should know which interface to send DHCP relay to, vlan 10, but instead it sent the traffic out the native lan which is on the network 10.0.0.1. The settings are correct in pfSense (See DHCP_Relay.png).

    Also just for some context, this happens with other traffic on other vlans as well (See OtherVlan.png attachment). This was caught by snort; it's traffic that should be on my guest vlan (20) but the snort alert is on the native lan again. The guest vlan is a WLAN only network and I have no untagged vlan 20 anywhere in my network. The only way a client would get this IP range is if it was connected via the guest wifi.

    Hope this info helps.

  • LAYER 8 Global Moderator

    How is traffic being blocked inbound to pfsense interface from itself?

    Are you blocking outbound via a floating rule?



  • @johnpoz:

    How is traffic being blocked inbound to pfsense interface from itself?

    Are you blocking outbound via a floating rule?

    I have no floating rules.

    And I have no idea how it's being blocked from itself.

    I guess inbound\outbound is confusing here. It's outbound from the local pfsense interface to the client (that is non-existent on this interface). Since none of this is coming from the internet and it's all internal traffic, would inbound be the way to look at it? I guess it's coming in to the lan from pfsense, but since pfsense itself is a host on the lan shouldn't it just be inter lan\vlan traffic?

    The way I see it is there are 2 problems.

    1. DHCP relay traffic should be going to the defined DHCP servers on the correct vlan. Instead the traffic went out the native lan interface. Maybe this is a switching problem in pfsense as this shouldn't have happened.

    2. The firewall dropped traffic which I have no drop rule for. Notice the rule number in the log. I can't find that rule number, and it looks to be missing information. All of the other blocks have a rule description, this one just has some unknown number to me.

    Again my network works just fine and I have no "problems" (I know an alert could be a sign of a problem) that cause things not to work to my knowledge. These were just some interesting logs that I'm looking at to better understand exactly what is going on in my network.
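    The "wrong interface" observation in this thread is easy to check mechanically. The following is an added Python example, not code from the thread or from pfSense: it takes constructed log entries (interface, addresses, ports), tags DHCP traffic by port pair (68 to 67 client request, 67 to 67 relay, 67 to 68 server reply) and flags any non-broadcast address that does not belong to the subnet of the interface it was logged on. The guest vlan 20 subnet and the sample entries are assumptions; the LAN and vlan 10 subnets and the 10.0.10.1 / 10.0.10.5 addresses come from the posts above.

```python
import ipaddress
from dataclasses import dataclass

# Interface -> subnet map for the topology described in the thread: pfSense as
# core router, native LAN 10.0.0.0/23, vlan 10 = 10.0.10.0/23. The vlan 20
# (guest WLAN) subnet is an assumption made for this example only.
INTERFACES = {
    "lan": ipaddress.ip_network("10.0.0.0/23"),
    "vlan10": ipaddress.ip_network("10.0.10.0/23"),
    "vlan20": ipaddress.ip_network("10.0.20.0/23"),  # assumed
}
BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass
class Entry:
    iface: str   # interface the firewall logged the packet on
    src: str
    dst: str
    sport: int
    dport: int

def classify_dhcp(e: Entry) -> str:
    """Label the DHCP leg by its port pair, as johnpoz explains above."""
    if e.sport == 68 and e.dport == 67:
        return "client->server/relay"
    if e.sport == 67 and e.dport == 67:
        return "relay<->server"
    if e.sport == 67 and e.dport == 68:
        return "server->client"
    return "not-dhcp"

def off_subnet(e: Entry) -> list:
    """Addresses that do not belong to the logging interface's subnet.
    0.0.0.0 and 255.255.255.255 are exempt: a DHCP discover legitimately
    uses them on any interface."""
    net = INTERFACES[e.iface]
    bad = []
    for a in (e.src, e.dst):
        ip = ipaddress.ip_address(a)
        if ip.is_unspecified or ip == BROADCAST:
            continue
        if ip not in net:
            bad.append(a)
    return bad

def analyse(entries):
    """Return (iface, dhcp_label, off_subnet_addresses) for suspect entries."""
    return [(e.iface, classify_dhcp(e), off_subnet(e))
            for e in entries if off_subnet(e)]

SAMPLE = [  # constructed entries modelled on the thread's logs
    Entry("lan", "10.0.10.1", "10.0.10.5", 67, 67),     # relay leg seen on native LAN
    Entry("vlan10", "10.0.10.1", "10.0.10.5", 67, 67),  # same leg on the right interface
    Entry("lan", "0.0.0.0", "255.255.255.255", 68, 67),  # normal discover on LAN
    Entry("lan", "10.0.20.33", "10.0.0.1", 51000, 53),   # guest-vlan host seen on LAN
]
```

    Running `analyse(SAMPLE)` reports only the first and last entries: the 67 to 67 relay leg logged on the native LAN with both addresses from vlan 10, and the guest-vlan client appearing on the LAN, which are exactly the two anomalies the posts describe.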

