1 WAN quad LAN



  • I'm building a pfSense router with a quad gigabit card as LAN interfaces.

    I have been lurking the forum to find a solution to the "no DHCP on OPT1" problem, and I know that I have to add a firewall rule to allow the clients to get an IP, but I don't know how the rule should look.

    I have all the ports on the quad NIC bridged to the LAN interface, with the setting static and no IP written there.

    What is the firewall rule that I need to add to each of the ports to allow DHCP from LAN?



  • DHCP only broadcasts on the local subnet. If you are trying to use DHCP on a network without a DHCP server then you'll need a DHCP relay.

    Go to "Service > DHCP Relay". Select the tab for your OPT interface. Check the box at the top, type in the IP of your DHCP server on your LAN in the box at the bottom, and then click "Save". Make sure you've got a scope defined for that network on your DHCP server.



  • I have a DHCP server on the LAN, but I want to have the same DHCP on all the ports, like any modern broadband router, except that I'm in control of it.

    When I try to activate the DHCP Relay it tells me this:
    DHCP Server is currently enabled. Cannot enable the DHCP Relay service while the DHCP Server is enabled on any interface.

    So that option didn't work.



  • You need to add firewall rules for each interface bridged to LAN to allow DHCP traffic. (From web GUI, Firewall -> Rules, click on the appropriate interface tabs).

    I've used the following two rules:

    Proto = UDP, Source = *, port = 68, destination = 255.255.255.255, port = 67, gateway = *
    Proto = UDP, Source = *, port = 68, destination = LAN address, port = 67, gateway = *

    You don't need DHCP relay unless the pfSense box is passing DHCP requests to another subnet (which doesn't appear to be the case here). It would appear you want the pfSense box to be the DHCP server but I don't think you have explicitly stated that.



  • I can't get it to work. I log the rules and I don't see anything in the logs.
    So I thought I was stupid, so I tried all the ports, but none give me an IP except LAN.



  • Just checking: You have LAN, OPT1, OPT2 and OPT3. OPT1 and OPT2 and OPT3 are bridged to LAN. You have those rules on each of OPT1, OPT2 and OPT3. DHCP server is enabled on LAN. There is no sign of a DHCP request in the DHCP Server log (from web GUI Status -> System Logs, click on DHCP tab). There is no sign of a DHCP request in the firewall log (Status -> System Logs, click on Firewall tab).

    If all the above is true then I suspect DHCP requests are not getting to your system. You should try a packet capture on one of your interfaces, for example, on the console

    tcpdump -i em0 port 67

    should show any DHCP traffic appearing on interface em0.

    You should also check DHCP server is running: on the console type

    ps ax | grep dhcpd



  • Every OPT is bridged, ruled, and when I tcpdump I see the DHCP traffic, but I can't see it in the logs, so my router machine is not getting the packets for some odd reason.

    dhcpd is running.



  • In tcpdump do you see incoming traffic and replies?

    In the incoming DHCP traffic, what is the destination IP address? If it's not the broadcast address (255.255.255.255), what address is it? (DHCP client implementations will often try to get an IP address from the IP address which last gave them an IP address. Maybe that address is no longer the address of a DHCP server.)



  • I see all the requests but no replies.

    tcpdump

    # tcpdump -i em0 port 67
    tcpdump: WARNING: em0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    02:26:48.667774 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
    02:26:52.667642 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
    02:27:00.667368 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
    02:27:46.001297 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
    02:27:50.001526 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
    02:27:57.001253 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307

    router.tagnard.net is 10.0.0.254



  • Your DHCP trace suggests to me that the system already knows its IP address (10.0.0.100) and so it's probably requesting a DHCP lease renewal from router.tagnard.net. In contrast, a system that didn't know its IP address and was looking for a system to assign it an address would be sending from 0.0.0.0 to 255.255.255.255.

    I don't know the history of your configuration. Perhaps 10.0.0.254 was previously used by another system which also acted as DHCP server. I don't know if the pfSense DHCP server would log a request to renew a DHCP lease it knew nothing about.

    The note on the page displayed by the web GUI at Diagnostics -> States, click on Reset states tab, suggests that it's probably worthwhile to reset states every time you fiddle with the firewall rules.

    Suggestion: Halt the computer sending the DHCP requests. Restart the pfSense box. Start the tcpdump trace. Then start the PC. Then post the trace here, either the first 8 entries or the first five minutes worth (after the first entry).
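As an added example (not from this thread), the reasoning in this post as a small Python checker for a tcpdump trace in the format shown above: it separates broadcast discovers (0.0.0.0 to 255.255.255.255) from unicast renewal requests and flags renewals sent to an address other than the pfSense DHCP server. The sample trace, the hostname mapping and the server address 10.0.0.1 are constructed.

```python
import re
from collections import Counter

# Constructed sample in the summary format tcpdump prints for BOOTP/DHCP
# without -v; hostnames replace IPs when -n is not given, as in the thread.
SAMPLE_CAPTURE = """\
02:26:48.667774 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
02:26:52.667642 IP 10.0.0.100.bootpc > router.tagnard.net.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 307
02:30:01.000000 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:24:8c:74:ef:da (oui Unknown), length 300
02:30:01.002000 IP 10.0.0.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
"""
NAMES = {"router.tagnard.net": "10.0.0.254"}  # resolved names seen in the trace (constructed map)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>bootpc|bootps|\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>bootpc|bootps|\d+): BOOTP/DHCP, (?P<kind>Request|Reply)"
)

def parse_line(line, names):
    """Parse one summary line, mapping resolved hostnames back to IPs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["src"] = names.get(p["src"], p["src"])
    p["dst"] = names.get(p["dst"], p["dst"])
    return p

def classify(p):
    """No lease: broadcast from 0.0.0.0. Remembered lease: unicast to the old server."""
    if p["kind"] == "Reply":
        return "reply"
    if p["src"] == "0.0.0.0" and p["dst"] == "255.255.255.255":
        return "discover"
    if p["dst"] != "255.255.255.255":
        return "renewal-unicast"
    return "other-request"

def analyse(capture, names, dhcp_server_ip):
    """Count each class; list unicast renewal targets that are not our DHCP server."""
    pkts = [p for p in (parse_line(l, names) for l in capture.splitlines()) if p]
    kinds = Counter(classify(p) for p in pkts)
    stale = sorted({p["dst"] for p in pkts
                    if classify(p) == "renewal-unicast" and p["dst"] != dhcp_server_ip})
    return {
        "replies": kinds["reply"],
        "discovers": kinds["discover"],
        "unicast_renewals": kinds["renewal-unicast"],
        "stale_server_targets": stale,  # clients may still be talking to a defunct server
    }
```

A non-empty stale_server_targets list with zero replies is the pattern this post describes: the client is renewing against an address the current DHCP server does not answer on.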



  • You may be absolutely right. The "backup" firewall I'm running right now is a clone of the one I'm fixing now, and I have used it to access the internet to read your replies.

    When I reset the states and /release - /renew, I get an IP without problem.



  • Now I have another strange problem. When I disconnect the cable from LAN I don't get any IP from DHCP on any of the other 4 ports.

    Is there a way to fix this, or is it a bug?

