DHCP issues



  • Hi, I set up pfSense and all seems to be working. One issue I do see, and that I'm attempting to correct, is that my firewall logs show a private IP address being blocked multiple times per second:

    Apr 16 08:00:45 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:00:58 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:01:01 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:01:13 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:01:15 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:01:15 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:01:19 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:02:06 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:02:06 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:02:49 WAN 10.19.160.1:67 255.255.255.255:68 UDP
    Apr 16 08:03:11 WAN 10.19.160.1:67 255.255.255.255:68 UDP

    I also see:

    Apr 15 23:46:58 dhclient[26566]: DHCPDISCOVER on dc0 to 255.255.255.255 port 67 interval 1
    Apr 15 23:46:58 dhclient[26566]: DHCPOFFER from 10.19.160.1

    So I'm thinking this is some type of error on my part. Any suggestions? Thanks for looking.



  • That is normal DHCP traffic, where the DHCP server is responding to requests from other users on the same subnet.

    Cheers.



  • I'm just confused about who the users making that request are, since it's just me, a server and another wireless device behind the firewall.



  • What is your WAN IP and config type (e.g. PPPoE, DHCP, etc.)?



  • My WAN IP is 173.16.xxx.xx and I am using DHCP. I am sorry, I am also totally green to pfSense.



  • They are coming from the same DHCP server that gives you your address: your cable/DSL/dial-up provider.

    As I said, normal traffic.  If you want to filter them out of the log, then you need to set up your own firewall rule with logging disabled (no-log), so they don't drop through to the default block rule.

    Cheers.



  • Why are they in a totally different (RFC1918) subnet?



  • For now I have just disabled logging on the default rule, so at least I can see what is going on in my logs.



  • @danswartz:

    Why are they in a totally different (RFC1918) subnet?

    I can't explain it, but so are mine.  Here are the contents of /tmp/re0_error_output:

    re0: no link .... got link
    DHCPDISCOVER on re0 to 255.255.255.255 port 67 interval 2
    DHCPDISCOVER on re0 to 255.255.255.255 port 67 interval 2
    DHCPDISCOVER on re0 to 255.255.255.255 port 67 interval 4
    DHCPOFFER from 10.252.48.1
    DHCPREQUEST on re0 to 255.255.255.255 port 67
    DHCPACK from 10.252.48.1
    bound to 98.148.xxx.xxx -- renewal in 43199 seconds.

    You can see that the DHCPOFFER and DHCPACK come from a 10. subnet, but the assigned IP is in a valid, registered 98. subnet.

    nslookup gives:  cpe-98-148-xxx-xxx.socal.res.rr.com

    Cheers.



  • Also, in the default installation it asked if I wanted to block private networks. I chose yes (why would a private network even be on the Internet?). Now I'm wondering if choosing to NOT block private networks would be a simple way to end my issues totally. What are the implications of this choice? Will it severely compromise my security?



  • @particleman:

    why would a private network even be on the Internet

    It's not.  It's only between you and all the other users on the same "section" of your ISP's private network, using the same DHCP server.

    @particleman:

    now I'm wondering if I choose to NOT block private networks if that would be a simple way to end my issues totally.

    That's one way.  Another is to duplicate that particular rule, but precede it with one that specifically looks for the DHCP replies and drops them without logging.

    Cheers.
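
    The filtering described in the replies above, as an added example that is not from the thread or from pfSense itself: a small Python script that parses firewall-log lines in the format posted above and separates the ISP DHCP server's broadcast replies (UDP source port 67 to 255.255.255.255 port 68, from an RFC1918 address, arriving on WAN) from everything else the block rule logged. Those same match criteria are what a narrow no-log block rule placed above "Block private networks" would use; matching only that pattern, rather than disabling logging on the default rule or turning the private-network block off entirely, keeps the log for anything else that hits WAN. The sample lines are constructed for the example (the TCP line in particular does not appear in the thread), and the `WAN` interface name and log layout are taken from the posts.

```python
"""Separate ISP DHCP broadcast noise from other blocked WAN traffic in
pfSense-style firewall log lines.  Stand-alone example, not pfSense code."""
import ipaddress
import re
from collections import Counter

# Field layout as posted in the thread: timestamp, interface, src:port, dst:port, proto.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Za-z]+)\s*$"
)

# Checked explicitly rather than with ip.is_private, which also covers
# loopback, link-local and other ranges that are not RFC1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample input: three lines in the thread's pattern plus one
# constructed TCP line from an RFC1918 source that is NOT DHCP and should be kept visible.
SAMPLE_LOG = [
    "Apr 16 08:00:45  WAN  10.19.160.1:67  255.255.255.255:68  UDP",
    "Apr 16 08:00:58 WAN 10.19.160.1:67 255.255.255.255:68 UDP",
    "Apr 16 08:01:01 WAN 10.19.160.1:67 255.255.255.255:68 UDP",
    "Apr 16 08:04:02 WAN 10.19.160.55:51234 198.51.100.7:22 TCP",
]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return a dict of fields, or None if the line is not a firewall log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """'isp_dhcp_noise' for a server-to-client DHCP broadcast from an RFC1918
    source on WAN (what 'Block private networks' logs here); 'review' otherwise.
    The match is deliberately narrow: private source alone is not enough."""
    if (entry["iface"] == "WAN"
            and entry["proto"].upper() == "UDP"
            and entry["sport"] == 67
            and entry["dport"] == 68
            and ipaddress.ip_address(entry["dst"]) == BROADCAST
            and is_rfc1918(entry["src"])):
        return "isp_dhcp_noise"
    return "review"


def summarize(lines):
    """Count each class and return the entries that still deserve a look."""
    counts = Counter()
    review = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "review":
            review.append(entry)
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_LOG)
    print(dict(counts))
    for e in review:
        print("review:", e["ts"], e["src"], e["sport"], "->", e["dst"], e["dport"], e["proto"])
```

    Run it as-is to see the three DHCP lines counted as noise and the constructed TCP line left for review. Feeding it a real exported log shows how much of the default-rule noise the narrow DHCP match would absorb, which is the number to check before deciding whether the broader options discussed above (unchecking "Block private networks", or unlogging the default rule) are worth the loss of visibility.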



  • I want to thank you guys for all the help. So far so good running perfect.

