    Firewall rule needed for DHCP ?

    Firewalling
    MadDog2K:

      Hi,

      We're running a 2-node pfsense 1.2.2 cluster.
      3 physical nic-ports in the server : 1x 'LAN',1x WAN,1x OPT1

      OPT1 interface is used for sync
      LAN interface is using VLAN's

      I have 2 issues I've been wondering about:

      1. On every 'LAN' interface (LAN + additional VLAN's) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
        I've enabled DHCP relay on the various VLAN interfaces, and specified the IP of our internal DHCP-server.
        But, in order to get DHCP working I had to add the following rule on the subnet where the DHCP-server lives:

      UDP  0.0.0.0  68  255.255.255.255  67  *    Permit DHCP

      Otherwise, all DHCP requests from clients on the other VLAN would be blocked. Is this normal behaviour?

      2. I see various log entries showing a block:

      Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP

      It shows that source 192.168.128.228 (one of our workstation subnets) attempted to contact the HTTP service on 74.125.79.99, but got blocked.
      I just don't get why this gets blocked, since the only rule on the LAN_VLAN41 interface is a 'permit any from 192.168.128.224/28 to any'.
      Also… the rule that blocked it is the 'block drop in log quick all label "Default deny rule"' according to the WebUI.

      How is this possible?

      cmb:

        1. Yes, that's normal.

        2. http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F

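The two questions above both come down to how an interface's rule list is matched against a packet, so here is an added example (written for this page, not pfSense code and not anything the posters wrote) that evaluates the thread's rules first-match against the two packets in question. The LAN subnet (192.168.128.0/25), the rule labels and the `Packet`/`Rule` classes are constructed assumptions; only VLAN41's 192.168.128.224/28, the DHCP rule and the log line come from the thread. It shows why a '$LAN -> any' rule cannot match a DHCP DISCOVER (source 0.0.0.0 is not inside any LAN subnet), and that the logged VLAN41 packet does match its pass rule on a plain 5-tuple basis, so the block in the log is not explained by the rule list itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not pfSense code): a minimal first-match evaluator for the
# interface rules discussed in the thread. It deliberately ignores pf's
# state table, which is where cmb's linked doc places the explanation for
# question 2.


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR or "any"
    sport: Optional[int]     # None = any port
    dst: str                 # CIDR or "any"
    dport: Optional[int]
    action: str              # "pass" or "block"
    label: str

    def matches(self, pkt: Packet) -> bool:
        return (
            self.iface == pkt.iface
            and self.proto in ("any", pkt.proto)
            and _addr_in(self.src, pkt.src)
            and _addr_in(self.dst, pkt.dst)
            and self.sport in (None, pkt.sport)
            and self.dport in (None, pkt.dport)
        )


def _addr_in(cidr: str, addr: str) -> bool:
    """True if addr lies in cidr; 'any' matches everything."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


# Implicit last rule: 'block drop in log quick all label "Default deny rule"'
DEFAULT_DENY = Rule("*", "any", "any", None, "any", None, "block", "Default deny rule")


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    """Interface rules are evaluated first-match (quick); an unmatched
    packet falls through to the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return DEFAULT_DENY


def parse_log_line(line: str) -> Packet:
    """Parse the filter-log layout quoted in the thread:
    'Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP'."""
    parts = line.split()
    iface, src_ep, dst_ep, proto = parts[3], parts[4], parts[5], parts[6].lower()
    src, sport = src_ep.rsplit(":", 1)
    dst, dport = dst_ep.rsplit(":", 1)
    return Packet(iface, proto, src, int(sport), dst, int(dport))


# Subnets: VLAN41's is from the thread, the LAN one is a constructed assumption.
LAN_NET = "192.168.128.0/25"          # assumed subnet holding the DHCP server
VLAN41_NET = "192.168.128.224/28"     # from the thread

# A DHCP DISCOVER as it leaves a client that has no address yet.
DHCP_DISCOVER = Packet("LAN", "udp", "0.0.0.0", 68, "255.255.255.255", 67)

# The '$LAN -> any' rule from the cluster howto: source must lie inside LAN_NET.
LAN_RULES_BEFORE = [Rule("LAN", "any", LAN_NET, None, "any", None, "pass", "Default allow LAN to any")]

# The rule the poster had to add: UDP 0.0.0.0:68 -> 255.255.255.255:67
PERMIT_DHCP = Rule("LAN", "udp", "0.0.0.0/32", 68, "255.255.255.255/32", 67, "pass", "Permit DHCP")
LAN_RULES_AFTER = [PERMIT_DHCP] + LAN_RULES_BEFORE

# The only rule on LAN_VLAN41, and the blocked entry from the poster's log.
VLAN41_RULES = [Rule("LAN_VLAN41", "any", VLAN41_NET, None, "any", None, "pass", "permit any from VLAN41")]
LOG_LINE = "Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP"

if __name__ == "__main__":
    print("DISCOVER, before:", first_match(LAN_RULES_BEFORE, DHCP_DISCOVER).label)   # Default deny rule
    print("DISCOVER, after: ", first_match(LAN_RULES_AFTER, DHCP_DISCOVER).label)    # Permit DHCP
    print("logged packet:   ", first_match(VLAN41_RULES, parse_log_line(LOG_LINE)).label)  # permit any from VLAN41
```

The first two results are question 1: a "LAN subnet" source alias can never cover 0.0.0.0, so a separate rule for 0.0.0.0:68 to 255.255.255.255:67 is needed wherever clients broadcast for an address. The third result is question 2: the 5-tuple is covered by the pass rule, so a block logged against the default deny must come from something the rule list does not model, namely pf's stateful matching (a TCP packet that belongs to no existing state, for instance one arriving after its state was torn down, is not evaluated against the pass rule at all). That is the behaviour cmb's linked doc describes, and it is why a logged "Default deny" hit from a permitted subnet is not on its own evidence of a rule mistake.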
        MadDog2K:

          @cmb:

          1. Yes, that's normal.

          2. http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F

          Great, thanks :)
