Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DHCP Discovery blocked

    Firewalling
    2
    3
    135
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Andy142
      last edited by Andy142

      Hi All,

      I'm having an issue where cameras/devices connected to VLAN 22 (OPT6) can't communicate to the DHCP server.

      From the firewall log:
      c7f5578b-6f63-44e9-8a23-15dc4d218d4d-image.png

      Interface OPT6 linked to VLAN 22.
      Access ports set on switch for VLAN 22.
      pfSense on trunked port including VLAN 22.

      Static IPv4 on OPT6 : 172.16.1.100/24
      DHCP setup on OPT6: 172.16.1.150-172.16.1.170

      Rules for OPT6:
      6c03ed33-4bdb-45c1-912a-9f0406477296-image.png

      As soon as a device is plugged in it shows in the DHCP leases as offline, I can't ping/access the webpage of the cameras. I also get the top picture in the firewall log.

      31f6ace8-1fb0-4eee-ab80-538a3893b5a5-image.png

      I have plugged in my desktop to the VLAN, it gets a DHCP address but can't access DNS (gets blocked by the firewall) even though I have an allow all rule.

      From the desktop I can access one of the cameras on the same subnet directly that does show active on the DHCP leases. But not the other two.

      Any help would be appreciated.

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Andy142
        last edited by

        @Andy142 said in DHCP Discovery blocked:

        but can't access DNS (gets blocked by the firewall)

        Was it logged as such ? (DNS traffic neing blocked).
        Not by this firewall rule :

        0ed07cb8-8354-4d79-8d63-428883cc6fad-image.png

        This rule says all IPv4 traffic. "DNS" is part of "All".

        Is unbound, the resolver, listing on the OPT6 interface ?

        strange enough : no states neither bytes are using this rule ... this interface ?
        So, where do you want your traffic going ? And where is is going in reality ^^ ?
        A VLAN issue open up now ...

        @Andy142 said in DHCP Discovery blocked:

        But not the other two.

        They are listed in the leases list, and their lease is still valid.
        So they have an IP.
        Always keep in mind : Having an IP doesn't mean that a device should (has to) 'answer' to any request, on any port, for any protocol. It should be set up to do this.
        Even replying to ping (ICMP) is optional, not mandatory.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 1
        • A
          Andy142
          last edited by

          Thanks for your reply.

          I have solved the issue, which as usual with these forums, was operator induced.

          Previously I had installed Tailscale and set some firewall rules for it using the "tailscale network" dropdown for source.
          It threw an error saying this macro wasn't defined but the firewall was passing traffic so I figured I'll work that one out at a later date.

          Each time I was applying my firewall rules I assumed the rules were getting set, but due to the mentioned error the firewall wasn't updating. This was only evident when i looked at the monitor for the rules update. Doh!

          Sorry for wasting your time.

          1 Reply Last reply Reply Quote 1
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.