can pfsense filter isc.org dhcp server traffic?

iwishitwouldwork · Apr 13, 2023, 11:49 AM

I have my reasons for wanting to preserve the isc.org server that I have running on my file server.

I read online (somewhere) that, by default, a router would not forward DHCP traffic between interfaces. I further read that this might not work on an isc.org DHCP server because it uses raw packets. I don't know enough to test any of that.

What I do know is that I have tried two different routers. Let the ISC interface be the one that has my isc.org dhcp server. I claim that that ought to mean that the OTHER interface on the router should not be able to get DHCP packets originating on the ISC interface. But that's not what I observe. i've tried wireshark and such, and I can see packets, but I don't understand them sufficiently. I have tried to prevent the isc.org server from responding to the MAC address -- but both "deny booting" and "ignore booting" do not do what I need.

So, I'm considering a small PC running pfsense w/ two GBe interfaces. I will need one interface (WAN) to configure itself via DHCP; the other (LAN) I can assign a static IP, but I want it to ignore/drop all DHCP packets, so that the WAN interface can't get its configuration from the LAN side. Is this possible?

Gertjan · Apr 13, 2023, 6:19 PM

@iwishitwouldwork said in can pfsense filter isc.org dhcp server traffic?:

So, I'm considering a small PC running pfsense w/ two GBe interfaces. I will need one interface (WAN) to configure itself via DHCP; the other (LAN) I can assign a static IP, but I want it to ignore/drop all DHCP packets, so that the WAN interface can't get its configuration from the LAN side. Is this possible?

My one and only pfSEnse WAN setup :

You saw the (ix3) ? That's the name of the driver that us used for my 'WAN' interface.

The IPv4 configuration Type is "DHCP".

So, a process called 'dhclient' is bound to that ix3 or WAN interface to handle DHCP on my WAN interface.
And no other interface !!

Let's check :

[23.01-RELEASE][root@pfSense.local.tld]/root: ps ax | grep 'dhclient'
43239  -  Is      0:00.00 dhclient: ix3 [priv] (dhclient)
46094  -  Ss      0:01.72 dhclient: ix3 (dhclient)
....

So, yes : dhclient is the process in memory, active, waiting to 'do something' when needed. For example, it will renew my WAN lease against the upstream ISP router (with a DHCP server) when my WAN lease is half way.

All this has nothing with what you do on your LAN interface.
By default, the LAN interface uses a DHCP server process.
A DHCP server works with DHCP clients. On pfSense, these two are complete different processes, with different settings and goals in mind.

The DHCP server is bound to a (one) interface :

This image shows you that I have one DHCP server process that listens to the LAN interface.
And one for the PORTAL interface, and another for the IDRAZC interface.

The dhclient can not - will not - should not listen to packets coming into LAN PORTAL and IDRAC.
The DHCP server on LAN can not see - hear - notice DHCP traffic that comes in the interface WAN, PORTAL IDRAC.
Etc.

All this works out of the box.

@iwishitwouldwork said in can pfsense filter isc.org dhcp server traffic?:

my isc.org dhcp server

That's the one pfSense uses.

iwishitwouldwork · Apr 13, 2023, 6:19 PM

@gertjan

which is what i want, so thanks for confirming that.

Gertjan · Apr 14, 2023, 7:34 AM

@iwishitwouldwork

pfSense told me :

Remember : the logs always contain 'the answer'