Disable fw logging of DHCP broadcast



  • Hey all,

    I've tried searching the forums a bit, but still can't find a solution to this annoyance.

    The problem is the firewall is blocking private networks (10/8…) on the WAN port as it should, but the firewall logs are being flooded with my ISP's DHCP broadcasts like this:

Last 50 firewall log entries:

    ```
    If   Source           Destination         Proto
    WAN  10.152.36.1:67   255.255.255.255:68  UDP
    WAN  10.152.36.1:67   255.255.255.255:68  UDP
    ... and so on
    ```

I've tried creating a new rule to block this specific IP address and did not enable logging, but it still appears in the log. Any ideas how to stop logging these entries??



Set up an alias for the following networks and name it something easy like "Private Networks":

    10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8

    Now create a Firewall rule on the WAN interface which blocks the above Alias

    Go to Interfaces/WAN in the web gui and uncheck "Block private networks"

This essentially does everything the checkbox does without the logging. You could enable logging in the above rule you created and then add another block rule on top of it using the 255.255.255.255 address as the destination address with port 68. This way only the broadcasts are no longer logged, but you will still be notified when other private addresses are hitting your pfSense box.

![Picture 1.png](/public/imported_attachments/1/Picture 1.png)
    ![Picture 2.png](/public/imported_attachments/1/Picture 2.png)



  • That did it! Thank you.



Thank you onhel! I had been meaning to give this a shot for a while but wasn't too sure. Anyway, I just followed your advice and now all that rogue DHCP broadcast noise I had been getting from my ISP's subnet is history (at least as far as my logs are concerned)!

    Just 1 question… you mentioned that creating a replacement rule for the built-in deny (private addresses) rule "essentially does everything the checkbox does". Hate to ask a dumb question but do you happen to know what (if anything) a correctly configured replacement rule can't do if filling in for the system deny rule? Just curious because it appears it's working exactly the same except now I can actually add rules above it which you already know was impossible with the system rule checkboxed.

    Thanks again!



You're welcome ;D

As far as I know, there should be no functional difference between the manual rule and the system checkbox.



  • Thanks for this also!



  • Thanks as well!



  • I want to get rid of a lot of log noise and it looks like this:

```
    block Mar 14 18:11:15 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:15 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:10 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:10 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:06 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:06 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:02 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    block Mar 14 18:11:02 WAN 0.0.0.0:68 255.255.255.255:67 UDP
    ```

    Thought this was an easy one when I first read this thread, but no…

I have tried the suggestions mentioned in this thread, but it is not working, and in my case the traffic is not coming from my ISP (it's the customers' DHCP broadcasts, and we reside in a /21 subnet).



  • What you are seeing are the initial DHCP requests.
    Your rule should look something like this:

    block, UDP, source: any, sourceport: any, destination: any, destinationport: 67

Also make sure that your block rule is the topmost rule.



  • Not something like that, but more exactly like that! Thanx!

    Now it works  :)

I tried all sorts of combinations with 0.0.0.0 and 255.255.255.255 as source and destination and vice versa, as well as the ports 67/68. ::)

    Summary:
    To stop these "WAN 0.0.0.0:68 255.255.255.255:67 UDP" messages from filling up my log files, I had to:

    1. Make a firewall block rule for WAN with the Private Network alias (as mentioned by onhel)
2. Go to Interfaces/WAN in the web GUI and uncheck "Block private networks" and "Block bogon networks" (this differs from the screenshot above)
    3. Create a topmost rule on WAN: Block, UDP, source: any, sourceport: any, destination: any, destinationport: 67

@GruensFroeschli:

    > Your rule should look something like this:
    >
    > block, UDP, source: any, sourceport: any, destination: any, destinationport: 67
    >
    > Also make sure that your block rule is the topmost rule.
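For readers who want to see why rule order matters in both fixes above (onhel's port-68 rule for the ISP's offers and the port-67 rule for the clients' discovers), here is a hand-written pf.conf equivalent. This is an added illustration, not the thread's own configuration and not what the pfSense GUI generates verbatim; the interface name `em0` and the table name are assumptions.

```pf
# Added example: pf.conf equivalent of the GUI rules discussed in this thread.
# pfSense builds its own ruleset from the GUI; this only illustrates rule order
# and the effect of the "log" keyword. Interface name is an assumption.
wan_if = "em0"

# The "Private Networks" alias from the thread (RFC 1918 plus loopback)
table <private_networks> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

# 1. Silently drop DHCP noise first. "quick" makes the first match final, so
#    these two rules must sit above the logged rule. With no "log" keyword
#    nothing is written to pflog, which is what the firewall log shows.
#    ISP server offers/acks broadcast to clients (10.x.y.1:67 -> 255.255.255.255:68)
block in quick on $wan_if inet proto udp from any port 67 to 255.255.255.255 port 68
#    Client discovers/requests from unconfigured hosts (0.0.0.0:68 -> 255.255.255.255:67)
block in quick on $wan_if inet proto udp from any to any port 67

# 2. Everything else arriving on WAN from private space is still blocked AND
#    logged, replacing the "Block private networks" checkbox.
block in log quick on $wan_if inet from <private_networks> to any
```

If the logged rule were placed first, its "quick" match would fire on the DHCP packets before the silent rules and the log noise would return, which is the ordering mistake the thread warns about.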

