Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unusual DHCPD startup function.

    Scheduled Pinned Locked Moved Firewalling
    4 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lukeo
      last edited by

      Hi All,

      My company experienced an unusual occurrence last night.

      Upon failure of a routing component provided by our data centre, our network administrator logged on to our rack firewall (also functions as a gateway) suspecting this to be the issue .

      Upon logging on he noticed an unusually high cpu load, as well as some 'unusual' logged activity which can be seen in the attached image.

      Our primary concern is if this DHCPD initialisation is a legitimate firewall action, and if so why would it happen?

      Relevant Notes

      • Firewall Wan and Lan both using static IP
      • The WAN and LAN interfaces are bridged
      • DHCP is disabled in the firewall GUI (we do not assign LAN addresses from this device)
      • Cisco router that pfsense box connected to had a brief outage
      • The firewall did not restart
      • We spotted a /tmp/dhcpd.sh and tcpdump running at the same time of all this.

      If anyone has 5 minutes to rack their brains over this it would be much appreciated :)

      Thanks folks.

      ![Screen Shot 2012-08-23 at 10.50.45.png](/public/imported_attachments/1/Screen Shot 2012-08-23 at 10.50.45.png)
      ![Screen Shot 2012-08-23 at 10.50.45.png_thumb](/public/imported_attachments/1/Screen Shot 2012-08-23 at 10.50.45.png_thumb)

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/services.inc#L294

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • S
          SeventhSon
          last edited by

          checked a clean VM install:
          /tmp/dhcpd.sh on my system looks exactly like "the unusual activity" and tcpdump is also running (on pflog0 interface)

          don't know what your looking for but did you actually see dhcpd started? where did you see this unusual activity?

          1 Reply Last reply Reply Quote 0
          • L
            lukeo
            last edited by

            Thanks for the feedback guys, it's much appreciated.

            The confusion over this comes from the fact that all DHCP services were disabled within the GUI, which raises the question why is dhcpd being initialised?

            Evidence of this happening was found within a dhcpd log sitting within the firewalls tmp directory. The timestamp attached to the dhcpd startup in the logs coincided with the high CPU load discovered on the firewall.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.