rogue DHCP detection -> dhcpcd if_sendraw: Permission denied

  • Hi,

    I'm using a small script to detect rogue DHCP servers on different networks/interfaces:

    dhcpcd -t 3 -K -T -4 -L vmx0.100
    

    -> the DHCP server on the VLAN has to block DHCP requests sent by the pfSense interface MAC address.

    -t 3 - 3 seconds timeout
    -K - even if the interface is not up
    -T - test mode - important!
    -4 - only IPv4
    -L - without IPv4LL

    This worked for years on several pfSense instances on several interfaces. But now, after I added new interfaces and changed some infrastructure stuff, it won't work:

    With -d for debug, the result is:

    dhcpcd-6.11.5 starting
    DUID 00:01:00:01:22:ce:8a:f0:00:0c:29:ce:71:6c
    vmx0.17: IAID 29:67:ec:6c
    vmx0.17: delaying IPv4 for 0.2 seconds
    vmx0.17: soliciting a DHCP lease
    vmx0.17: sending DISCOVER (xid 0xe3d4b705), next in 4.3 seconds
    **vmx0.17: if_sendraw: Permission denied**
    timed out
    dhcpcd exited
    

    When I tested this without a specified interface, it gave me errors because of duplicated IAIDs, so I changed these in /usr/local/etc/dhcpcd.conf

    interface vmx0.100
    iaid 29:67:ec:6a
    interface vmx0.101
    iaid 29:67:ec:6c
    interface vmx0.102
    iaid 29:67:ec:6d
    

    But this didn't help.

    The error "if_sendraw: Permission denied" happens on 2 of 5 interfaces and I have no clue why. I also stopped services to check whether it would then work.

    What else could i check?

  • OK, I found something: it's the Captive Portal.

    I think it's some sort of ipfw rule which blocks outgoing DHCP requests.
    I've found a workaround:

    Bad:
    Edit "/usr/local/www/services_captiveportal_mac_edit.php"
    comment the following line out:

    $input_errors[] = sprintf(gettext("The MAC address %s belongs to a local interface. It cannot be used here."), $_POST['mac']);
    

    Then I was able to add the local MAC address.
    But maybe this isn't allowed without a purpose...

    Better:
    So I switched to dhcping-ng: https://github.com/pchytla/dhcping-ng

    I compiled this on another FreeBSD 11 system and copied it to the pfSense machine

    /root/dhcping-ng -i vmx0.X -c 5 -w 2 -h aa:aa:aa:aa:aa:aa
    

    With the parameter -h I changed the source MAC address, so I also added this MAC address in the Captive Portal's MACs section with a Pass action.

    I see this only as a workaround. I would like to be able to send what I want from the firewall host.

    Here is the working rogue DHCP detection script, added to the crontab to execute every 5 minutes.

    #!/bin/sh
    
    # probe the guest VLAN with a spoofed client MAC; any answer means a DHCP server replied
    res1="`/root/dhcping-ng -i vmx0.9 -c 5 -h aa:aa:aa:aa:aa:aa 2>/dev/null`"
    # grep the probe output (the original referenced an unset $resnew here)
    res1found="`echo "$res1" | grep 'Recived Resonse from'`"
    # pass the output as a printf argument so a stray % in it cannot break the format string
    [ -n "${res1found}" ] && printf "Rogue DHCP detected! - Guest-Network\n\n%s\n" "$res1"
    
    # for testing and finding
    # ./dhcping-ng -v -i -c 100 vmx0.
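The probe the thread relies on is a DHCP DISCOVER carrying a chosen client MAC, and "rogue" means an OFFER came back from a server that should not have answered. The following is an added example (not the poster's script or dhcping-ng code) that builds such a DISCOVER and parses OFFERs; instead of assuming the legitimate server ignores the probe MAC, it generalizes to an allowlist of known server identifiers (option 54). The MAC, IPs and the sample OFFER are constructed values.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte BOOTP header (RFC 2131)

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def build_bootp(op, xid, mac, yiaddr=b"\0" * 4, siaddr=b"\0" * 4):
    # op 1 = BOOTREQUEST, 2 = BOOTREPLY; htype 1 / hlen 6 = Ethernet; flags 0x8000 = broadcast
    return struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, yiaddr, siaddr, b"\0" * 4,
                       mac_bytes(mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128) + DHCP_MAGIC

def build_discover(mac, xid):
    """DISCOVER with the probe MAC in chaddr, like the thread's 'dhcping-ng -h <mac>'."""
    opts = b"\x35\x01\x01"       # option 53: message type DISCOVER
    opts += b"\x37\x02\x01\x36"  # option 55: request subnet mask and server identifier
    return build_bootp(1, xid, mac) + opts + b"\xff"

def parse_options(payload):
    """Return {code: value} from the option area; skips PAD (0), stops at END (255)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        code = payload[i]
        if code == 0:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def offer_summary(payload):
    """For an OFFER return the offered IP and server identifier (option 54), else None."""
    opts = parse_options(payload)
    if opts.get(53) != b"\x02":
        return None
    ip = lambda b: ".".join(str(x) for x in b)
    return {"offered_ip": ip(payload[16:20]),
            "server_id": ip(opts[54]) if 54 in opts else None}

def find_rogue(offers, allowed_servers):
    """Flag every OFFER whose server identifier is not a known DHCP server."""
    found = [offer_summary(p) for p in offers]
    return [s for s in found if s and s["server_id"] not in allowed_servers]

def constructed_offer(server_ip, offered_ip, xid, mac):
    """Sample OFFER built for offline testing (constructed, not captured traffic)."""
    sid = bytes(int(x) for x in server_ip.split("."))
    yia = bytes(int(x) for x in offered_ip.split("."))
    return build_bootp(2, xid, mac, yiaddr=yia) + b"\x35\x01\x02" + b"\x36\x04" + sid + b"\xff"
```

On a live interface the DISCOVER would be sent from a raw or UDP/68 broadcast socket and every reply passed to find_rogue; on pfSense that sending step is exactly what the Captive Portal's ipfw rules blocked for the local MAC.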