OPENVPN TAP Interfaces + pfsense 2.0 + blocking dhcp broadcast traffic

  • Hi Guys, does anyone know if pfsense 2.0 will support OPENVPN with tap interfaces and be able to block dhcp broadcast traffic?

    I am aware that this is possible under linux with ebtables, I don't know what's the case with FreeBSD.

    As many have posted before, the problem with tap interfaces is that if you use 2 boxes bridged through tap interfaces you end up with 2 dhcp servers and clients would get their lease (and default gateway) from the box on the other side of the tunnel which is not desirable in some cases.

    Perhaps, if someone out there has already accomplished this with pfsense 1.2.x you could post a tutorial?

    All thoughts are appreciated,


  • I was able to block dhcp broadcast traffic (layer 2) on a tunnel (tap0, bridged) with the same subnet by setting with linux machines, kernel 2.6, using the following ebtables and firewall settings:

    block DHCP through tunnel

    insmod ebtables
    insmod ebtable_filter
    insmod ebt_ip.o

    iptables -I INPUT -i tap0 -p udp –dport 67 -j DROP
    iptables -I OUTPUT -o tap0 -p udp --dport 68 -j DROP

    ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

    Is anything like this supported in FreeBSD?

  • You don't need ebtables, you can just configure a firewall rule to block traffic to (the broadcast address).

    ISTR the ability to apply firewall rules to OpenVPN interfaces is coming with pfSense 2.0.  Once that arrives you should be set.

  • Yes, I believe that could be a plausible solution only if you want to block all broadcast traffic.  However, is it possible to filter only some services that rely on broadcast traffic?  In my current situation I would like to block only dhcp requests and let other services through.

  • Yes.

  • Which rules would you need to set up to block only dhcp broadcast traffic?

  • As the IPTables rules you wrote, but remember to enter the destination IP as the (global) broadcast address.

  • Rebel Alliance Developer Netgate

    You can filter OpenVPN traffic on 1.2.3 with some work. I know it works with tun, I haven't tried it with tap:

    And more info is also in the book.

  • Will TAP interfaces be supported in pfSense 2.0 ?

Log in to reply