Netgate Discussion Forum

    rogue DHCP detection -> dhcpcd if_sendraw: Permission denied

      moeller

      Hi,

      I'm using a small script to detect rogue DHCP-Servers on different networks/interfaces:

      dhcpcd -t 3 -K -T -4 -L vmx0.100
      

      -> the DHCP-Server on the vlan has to block DHCP-Requests sent by the pfsense interface MAC-Address.

      -t 3 - 3 seconds timeout
      -K - even if interface is not up
      -T - testmode - important!
      -4 - only ipv4
      -L - without ip4all

      This worked for years on several pfSense instances on several interfaces. But now, after I added new interfaces and changed some infrastructure stuff, it won't work:

      With -d for debug, the result is:

      dhcpcd-6.11.5 starting
      DUID 00:01:00:01:22:ce:8a:f0:00:0c:29:ce:71:6c
      vmx0.17: IAID 29:67:ec:6c
      vmx0.17: delaying IPv4 for 0.2 seconds
      vmx0.17: soliciting a DHCP lease
      vmx0.17: sending DISCOVER (xid 0xe3d4b705), next in 4.3 seconds
      **vmx0.17: if_sendraw: Permission denied**
      timed out
      dhcpcd exited
      

      When I tested this without a specified interface, it gave me errors because of duplicated IAIDs, so I changed these in /usr/local/etc/dhcpcd.conf:

      interface vmx0.100
      iaid 29:67:ec:6a
      interface vmx0.101
      iaid 29:67:ec:6c
      interface vmx0.102
      iaid 29:67:ec:6d
      

      But this didn't help.

      The error "if_sendraw: Permission denied" happens on 2 of 5 interfaces and I have no clue why. I also stopped services to check if it would then work.

      What else could I check?

        moeller

        OK, I found something: it's the Captive Portal.

        I think it's some sort of ipfw rule which blocks outgoing DHCP requests.
        I've found a workaround:

        Bad:
        edit "/usr/local/www/services_captiveportal_mac_edit.php"
        comment the following line out:

        $input_errors[] = sprintf(gettext("The MAC address %s belongs to a local interface. It cannot be used here."), $_POST['mac']);
        

        Then I was able to add the local MAC address.
        But maybe this is not allowed without purpose...

        Better:
        So I switched to dhcping-ng: https://github.com/pchytla/dhcping-ng

        I compiled this on another FreeBSD 11 system and copied it to the pfSense machine:

        /root/dhcping-ng -i vmx0.X -c 5 -w 2 -h aa:aa:aa:aa:aa:aa
        

        With the parameter -h I changed the source MAC address, so I also added this MAC address in the Captive Portal to the MACs section as Pass action.

        I see this only as a workaround. I would like to be able to send what I want from the firewall host.

        Here is the working rogue DHCP detection script, added to the crontab and executed every 5 minutes.

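        #!/bin/sh
        # Probe the guest VLAN for DHCP servers; any reply to the probe MAC is treated as rogue.

        res1="$(/root/dhcping-ng -i vmx0.9 -c 5 -h aa:aa:aa:aa:aa:aa 2>/dev/null)"
        # Look for the reply line in the dhcping-ng output (match string kept as posted).
        res1found="$(echo "$res1" | grep 'Recived Resonse from')"
        # Print an alert with the full probe output when a reply was seen.
        [ -n "${res1found}" ] && printf 'Rogue DHCP detected! - Guest-Network\n\n%s\n' "$res1"

        # for testing and finding
        # ./dhcping-ng -v -i -c 100 vmx0.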
        
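The script above alerts on any reply, which is why the legitimate DHCP server has to ignore the probe MAC. As an added example (not part of the original posts and not dhcping-ng's code), the Python below parses DHCP replies per RFC 2131 and flags only OFFERs whose server identifier (option 54) is not on an allowlist. The function names, the allowlisted address and the sample packets are constructed for illustration; collecting the reply payloads from the wire is assumed to happen elsewhere.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
OFFER = 2                     # option 53 (message type) value for DHCPOFFER

def parse_reply(pkt):
    """Parse a BOOTP/DHCP payload (the UDP data); None if malformed."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None                          # op must be BOOTREPLY (2)
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            return None                      # option runs past the packet
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None                          # need message type and server id
    return {"xid": struct.unpack("!I", pkt[4:8])[0], "type": opts[53][0],
            "yiaddr": str(IPv4Address(pkt[16:20])),
            "server": str(IPv4Address(opts[54]))}

def rogue_servers(payloads, xid, allowed):
    """Server IDs that answered our DISCOVER (same xid) but are not allowlisted."""
    seen = set()
    for p in payloads:
        r = parse_reply(p)
        if r and r["xid"] == xid and r["type"] == OFFER and r["server"] not in allowed:
            seen.add(r["server"])
    return sorted(seen)

def make_offer(xid, yiaddr, server):
    """Build a constructed sample OFFER payload (test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(4)  # through ciaddr
    hdr += IPv4Address(yiaddr).packed + bytes(8 + 16 + 64 + 128)     # yiaddr, rest zero
    opts = b"\x35\x01\x02\x36\x04" + IPv4Address(server).packed + b"\xff"
    return hdr + MAGIC + opts

XID = 0xE3D4B705  # sample transaction id, reusing the xid from the debug output
SAMPLES = [make_offer(XID, "192.0.2.50", "192.0.2.1"),         # allowlisted server
           make_offer(XID, "198.51.100.23", "198.51.100.66"),  # unexpected server
           make_offer(0x1, "203.0.113.9", "203.0.113.1"),      # reply to another client
           make_offer(XID, "192.0.2.51", "192.0.2.1")[:238]]   # truncated payload

if __name__ == "__main__":
    print(rogue_servers(SAMPLES, XID, allowed={"192.0.2.1"}))
```

Matching on the transaction id keeps replies meant for other clients out of the alert, and malformed or truncated payloads are dropped instead of raising.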
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.