Firewall rule needed for DHCP ?
Hi,

    We're running a 2-node pfsense 1.2.2 cluster.
    3 physical nic-ports in the server : 1x 'LAN',1x WAN,1x OPT1

    OPT1 interface is used for sync
    LAN interface is using VLAN's

    I have 2 issues I've been wondering about:

    1. On every 'LAN' interface (LAN + additional VLAN's) I have created a default rule '$LAN -> any' permit (as per the cluster howto).
      I've enabled DHCP relay on the various VLAN interfaces, and specified the IP of our internal DHCP-server.
      But, in order to get DHCP working I had to add the following rule on the subnet where the DHCP-server lives:

    UDP  0.0.0.0  68  255.255.255.255  67  *    Permit DHCP

    Otherwise, all DHCP requests from clients on the other VLAN would be blocked. Is this normal behaviour?

    2. I see various log entries showing a block:

    Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP

    It shows that source 192.168.128.228 (one of our workstation subnets) attempted to contact HTTP-service on 74.125.79.99, but got blocked.
    I just don't get why this gets blocked, since the only rule on the LAN_VLAN41 interface is a 'permit any from 192.168.128.224/28 to any'.
    Also… the rule that blocked it is the 'block drop in log quick all label "Default deny rule"' according to the WebUI

    How is this possible?
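An added triage helper, not code from the post, that parses block-log lines in the layout quoted above and checks each blocked source against the per-interface permit rule the post describes; the rule table, the second and third log entries and the result labels are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the same layout as the post's log line:
# timestamp, interface, src:port, dst:port, protocol. Only the first
# entry is from the post; the other two are made up for the example.
SAMPLE_LOG = """\
Feb 21 20:53:05 LAN_VLAN41 192.168.128.228:3410 74.125.79.99:80 TCP
Feb 21 20:53:07 LAN_VLAN41 192.168.128.250:40022 10.0.0.5:22 TCP
Feb 21 20:53:09 LAN_VLAN41 192.168.128.230:68 255.255.255.255:67 UDP
"""

# Hypothetical rule table: the source network each interface's
# 'permit any from <net> to any' rule allows (from the post for VLAN41).
PERMIT_SOURCES = {
    "LAN_VLAN41": [ipaddress.ip_network("192.168.128.224/28")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry


def classify(entry):
    """Say whether a logged block is explained by the interface's permit rule."""
    nets = PERMIT_SOURCES.get(entry["iface"], [])
    src = ipaddress.ip_address(entry["src"])
    if not any(src in net for net in nets):
        return "source-outside-permit"  # expected: no pass rule covers this source
    if entry["proto"] == "TCP":
        # The source is covered by a pass rule, yet the default deny fired.
        # Pass rules create a state on the first packet of a flow; a later
        # packet with no matching state entry falls through to the default deny.
        return "permitted-source-no-state?"
    return "permitted-source-check-rules"


def triage(log_text):
    """Return (source, verdict) for every parseable line in the log text."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [(e["src"], classify(e)) for e in entries if e]
```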
