4. rogue DHCP detection -> dhcpcd if_sendraw: Permission denied

rogue DHCP detection -> dhcpcd if_sendraw: Permission denied

  • M

    Hi,

    I'm using a small script to detect rogue DHCP-Servers on different networks/interfaces:

    dhcpcd -t 3 -K -T -4 -L vmx0.100

    -> the DHCP-Server on the vlan has to block DHCP-Requests sent by the pfsense interface MAC-Address.

    -t 3 - 3 seconds timeout
    -K - even if interface is not up
    -T - testmode - important!
    -4 - only ipv4
    -L - without ip4all

    This worked for years on several pfsense instances on several Interfaces. But now, after i added new Interfaces and changed some infrastructure stuff, it won't work:

    With -d for debug, the result is:

    dhcpcd-6.11.5 starting
DUID 00:01:00:01:22:ce:8a:f0:00:0c:29:ce:71:6c
vmx0.17: IAID 29:67:ec:6c
vmx0.17: delaying IPv4 for 0.2 seconds
vmx0.17: soliciting a DHCP lease
vmx0.17: sending DISCOVER (xid 0xe3d4b705), next in 4.3 seconds
**vmx0.17: if_sendraw: Permission denied**
timed out
dhcpcd exited

    When i'm tested this without specified Interface, it gave me errors because of duplicated IAID, so i changed these in /usr/local/etc/dhcpcd.conf

    interface vmx0.100
iaid 29:67:ec:6a
interface vmx0.101
iaid 29:67:ec:6c
interface vmx0.102
iaid 29:67:ec:6d

    But this didn't help.

    The error "if_sendraw: Permission denied" happens on 2 of 5 Interfaces and i have no clue why. I also stopped services to check if it will then work.

    What else could i check?

    0
  • M

    Ok, i found something: It's the CaptivePortal.

    i think its some sort of ipfw rule, wich blocks outgoing dhcp requests.
    I've found a workaround:

    Bad:
    edit "/usr/local/www/services_captiveportal_mac_edit.php"
    comment the following line out:

    $input_errors[] = sprintf(gettext("The MAC address %s belongs to a local interface. It cannot be used here."), $_POST['mac']);

    then i was able to add the local MAC-Address.
    But maybe this not allowed without purpose...

    Better:
    So i switched to dhcping-ng: https://github.com/pchytla/dhcping-ng

    I compiled this on an other freebsd11 system and copied to the pfsense machine

    /root/dhcping-ng -i vmx0.X -c 5 -w 2 -h aa:aa:aa:aa:aa:aa

    With the parameter -h i changed the source MAC-Address, so i also added this MAC-Adress in the CaptivPortal to the MACs section as Pass Action.

    I see this only as an workaround. I would like to be able sending what i want from the firewall-host

    Here the working Rouge-DHCP-Detection script. Added to the crontable executing every 5 minutes.

    #!/bin/sh

res1="`/root/dhcping-ng -i vmx0.9 -c 5 -h aa:aa:aa:aa:aa:aa 2>/dev/null`"
res1found="`echo $resnew | grep 'Recived Resonse from'`"
[ -n "${res1found}" ] && printf "Rogue DHCP detected! - Guest-Network\n\n$res1\n"

# for testing and finding
# ./dhcping-ng -v -i -c 100 vmx0.
    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy