Block DHCP through WAN Interface
-
Hi, guys!
I need to block DHCP outside the firewall and/or passing through the firewall. I apologize if this question has popped up before – I’ve searched the googler and can’t find the answer. And, I broke my network with it!
I use multiple instances of pfS as VMs in front of customer virtual networks. All of these up to now are all static IPs with no DHCP. But, I had to create a new customer network with DHCP and broke my work. Seems like the DHCP from pfS is passing back out the WAN interface and affecting the rest of my network.
I tried firewalling it at the network level but the traffic is inner-switch and UniFi doesn’t give me the granularity to build these kinds of access lists per switch.
So… I’m hoping the community can help me with a pfS firewall rule to block DHCP in/out of the WAN port but not the LAN port, completely. I did disable DHCP on the WAN port but it’s still getting out from the LAN side (I can tell by the address assignments). Also, note that I have an OpenVPN server in a VM behind this instance of pfS that does need to pass DHCP. I presume that particular DHCP traffic would be encapsulated in the VPN tunnel and not be affected by the firewall, but feel like I need to point it out, just in case I’m wrong.
Any help is greatly appreciated!
Thanks, guys!
-brian
-
@BDMcGrew said in Block DHCP through WAN Interface:
Seems like the DHCP from pfS is passing back out the WAN interface and affecting the rest of my network.
This can only happen if the LAN is bridged to the WAN. Is this the case at all?
DHCP traffic would otherwise stay within a subnet.
-
Not sure. Would you tell me where to look? While I do use a lot of pfS, I'm no expert; I use a very limited subset of features. So I'll say, possible?
-
@BDMcGrew Check the DHCP server settings. It is enabled per interface.
What @viragomann means is, your VM networks are presumably not separated/isolated, via separate wires or VLANs. DHCP works via broadcast.
-
@BDMcGrew if you're seeing dhcp like that you do not have isolation at layer 2 as you should.. And your config with static IPs was flawed from the get go. And firewall rules wouldn't do any good. Unless you had specifically setup a bridge in pfsense - which you would clearly know you did, and should understand that dhcp would/could pass through the bridge.
-
Ok, got it!
Yes, the VLANs outside these virtual networks are not isolated from them, either physically or logically. The external VLANs can (and should) be able to reach into the virtual network. However, I use pfS to prevent the virtual networks from reaching back out into the physical VLANs.
The firewall rule I have in place to prevent the virtual from getting out to the physical does work and has been tested to be fine, save for the few ports it needs to reach. However, it still passes DHCP from the internal pfS LAN out through the WAN interface to the external VLANs and the firewall rule doesn't seem to stop it. I would have thought that a generic block-all policy with only 3 exceptions for DNS and RDP would prevent that?
I do not have DHCP running on the WAN interface, only on the LAN interface.
Thanks!
-
@BDMcGrew DHCP doesn’t pass through a router. Your networks are connected. Try disconnecting them and connect one at a time.
-
@BDMcGrew Do you not understand the difference between layer 2 and 3?
dhcp does not pass layer 2 boundaries... If you see dhcp on your wan from your lan network or from your wan network to your lan network - then those networks are not isolated at layer 2.. As mentioned dhcp would not pass through a layer 3 router/firewall.. So either you setup a specific bridge on pfsense between wan and lan.. Or your wan and lan are not on different layer 2 networks.
If you're not isolated at layer 2 between your wan and lan - nothing in pfsense you could do to prevent these networks from seeing each other's broadcast and multicast traffic - ie dhcp.
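The point made in the post above (DHCP is broadcast and is bounded by the layer-2 segment, so offers from a LAN-side server showing up on the WAN side mean the two are not isolated) is easy to confirm from a packet capture on the WAN-side port group. The following Python is an added example, not code from this thread, from pfSense or from VMware: it parses the UDP payloads of DHCP messages, keeps only DHCPOFFERs, and flags any offer whose server identifier is not the segment's expected server or whose offered address lies outside the segment's subnet. The subnet 10.20.0.0/24, the expected server 10.20.0.1, the LAN-side 192.168.1.0/24 values and the two sample packets are all constructed for the example.

```python
import ipaddress
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the option area
DHCPOFFER = 2                        # value of option 53 for an offer


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops = struct.unpack("!BBBB", payload[:4])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, carries no length field
            i += 1
            continue
        if code == 255:          # end-of-options marker
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "hops": hops,
        "yiaddr": ipaddress.ip_address(payload[16:20]),   # address being offered
        "siaddr": ipaddress.ip_address(payload[20:24]),   # next-server field
        "giaddr": ipaddress.ip_address(payload[24:28]),   # non-zero only if a relay forwarded it
        "options": options,
    }


def audit_offer(payload: bytes, segment: ipaddress.IPv4Network,
                expected_servers: set) -> Optional[dict]:
    """Return a finding for a DHCPOFFER that does not belong on this segment, else None."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(53)
    if mtype is None or mtype[0] != DHCPOFFER:
        return None                                   # only offers identify the server
    server_opt = msg["options"].get(54)               # server identifier option
    server = ipaddress.ip_address(server_opt) if server_opt else msg["siaddr"]
    problems = []
    if str(server) not in expected_servers:
        problems.append(f"unexpected DHCP server {server}")
    if msg["yiaddr"] not in segment:
        problems.append(f"offered address {msg['yiaddr']} is outside {segment}")
    if problems and msg["giaddr"].packed == b"\0" * 4:
        # No relay agent touched it, so it reached this capture point by plain
        # layer-2 broadcast: the segments are not isolated.
        problems.append("giaddr is zero: offer arrived by broadcast on this L2 segment, not via a relay")
    if not problems:
        return None
    return {"server": server, "offered": msg["yiaddr"], "problems": problems}


def audit_segment(payloads, segment, expected_servers) -> list:
    """Run audit_offer over every captured payload and collect the findings."""
    findings = []
    for payload in payloads:
        try:
            finding = audit_offer(payload, segment, expected_servers)
        except ValueError:
            continue                                  # not DHCP, skip it
        if finding:
            findings.append(finding)
    return findings


def _packed(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed


def build_offer(server: str, offered: str, router: str, mask: str, xid: int = 0x1234) -> bytes:
    """Construct a minimal DHCPOFFER payload. Sample input only, not a real capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _packed(offered), _packed(server), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01" + bytes([DHCPOFFER]) + b"\x36\x04" + _packed(server)
               + b"\x01\x04" + _packed(mask) + b"\x03\x04" + _packed(router) + b"\xff")
    return header + MAGIC_COOKIE + options


# Constructed sample: two offers seen on the WAN-side port group of the hypothetical
# segment 10.20.0.0/24, whose only legitimate DHCP server is 10.20.0.1.
WAN_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
EXPECTED_SERVERS = {"10.20.0.1"}
SAMPLE_OFFERS = [
    build_offer("10.20.0.1", "10.20.0.50", "10.20.0.1", "255.255.255.0"),         # legitimate
    build_offer("192.168.1.1", "192.168.1.100", "192.168.1.1", "255.255.255.0"),  # leaked from a LAN-side server
]

if __name__ == "__main__":
    for f in audit_segment(SAMPLE_OFFERS, WAN_SEGMENT, EXPECTED_SERVERS):
        print(f"server {f['server']} offered {f['offered']}: " + "; ".join(f["problems"]))
```

Feed it the UDP payloads of port 67/68 traffic from a capture taken on the WAN-side port group. A clean segment yields no findings; an offer from the LAN-side server with a zero giaddr is the signature of missing layer-2 isolation, which no pfSense firewall rule can address because the packet never traverses the router.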
-
Ah, and the light just came on! You're right!
When I set up the LAN side of the network in ESXi on the VDS, I forgot to make it a private VLAN and left it at none. So yeah, Layer 2 was the magic word here.
Soon as I made it a private VLAN, all is good now!
Thanks... Sometimes you just have to talk through these things with people who know more than you ; -)
-
@BDMcGrew said in Block DHCP through WAN Interface:
Sometimes you just have to talk through these things
Exactly!! Couldn't agree more.. It can be very helpful just walking through what you're doing with someone else - sometimes you run into blind spots on what you're looking for, and just don't see it - until you walk through it with someone else that doesn't have your "blinders" on ;)
So you're all sorted now?
Just explaining your setup to someone else can force you to see the setup in a different light - and make what is the issue jump out at you ;) Sometimes they don't even have to know more than you, or even what you're talking about... But working through the steps to explain it to someone else.. Even if what you're doing is dumbing it down to explain it to someone that doesn't understand any of it can be very insightful in what you overlooked.
-
Yes sir, thank you!
Soon as I made the network on the LAN side of pfS a Private VLAN in the VMware Virtual Distributed Switch, all the problems go away. I no longer see that private subnet (that's supposed to be private) on the rest of the network.
Again, thank you!