Firewall rule needed for DHCP ?
-
Hi,
We're running a 2-node pfsense 1.2.2 cluster.
3 physical nic-ports in the server : 1x 'LAN',1x WAN,1x OPT1OPT1 interface is used for sync
LAN interface is using VLAN'sI have 2 issues I've been wondering about :
- On every 'LAN' interface (LAN + additional VLAN's) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
I've enabled DHCP relay on the various VLAN interfaces, and specified the IP of our internal DHCP-server.
But, in order to get DHCP working I had to add the following rule on the subnet where the DHCP-server lives :
UDP 0.0.0.0 68 255.255.255.255 67 * Permit DHCP
Otherwise, all DHCP requests from clients on the other VLAN would be blocked. Is this normal behaviour ?
- I see various log entries showing a block :
Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP
It shows that source 192.168.128.228 (one of our workstation subnets) attempted to contact HTTP-service on 74.125.79.99, but got blocked.
I just don't get why this get's blocked, since the only rule on LAN_VLAN41 interface is a 'permit any from 192.168.128.224/28 to any'.
Also… the rule that blocked it is the 'block drop in log quick all label "Default deny rule"' according to the WebUIHow is this possible ?
- On every 'LAN' interface (LAN + additional VLAN's) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
-
-
Yes, that's normal.
-
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
-
-
@cmb:
-
Yes, that's normal.
-
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F
Great, thanks :)
-