Netgate Discussion Forum
    Can DHCP responses/offers be blocked by a rule?

    Category: DHCP and DNS | 5 Posts, 2 Posters, 2.6k Views
    rnsc:

      I am trying to sort out a situation that is confusing for me.  I will ask my direct question first, then explain the larger picture.  Any extra comments or insights are very appreciated!

      Direct Question: 
      If I have a rule (Either the "Block Private Networks" check box on the WAN or an explicit rule I add) that blocks 10.x.x.x sources on the WAN, and my ISP's DHCP server is a 10.x.x.x address, will my DHCP client work? 
      Does the DHCP client pick up traffic "before" it hits the firewall rules, or (also of general interest) is EVERYTHING "inside" of the firewall rules? 
      If this rule would prevent a DHCP allocation from occurring, would PFSense continue with the last known good IP address on the WAN?

      I think the answer to these will at least cut the confusion in half!

      Thank you!

      Situation:
      I have been using PFSense for many years with no problem.  Incredible, invaluable (Used Linux based firewalls previously). 
      My ISP is Time Warner (Roadrunner) in Rochester, NY.

      Recently I have had "discontinuities" in my internet service.  It would just stop working for a minute or two then resume.  Looking at the logs, I saw that when my lease is up, often my DHCP renewal request is answered by a 192.168.x.x like address, and I would accept something like 192.168.1.100 for my address.  It would not work, PFSense would immediately (don't know how it knew!) broadcast to get another address, I would then get my previous/old one back from a 10.x.x.x server and my network would work fine until the lease is up again.

      I made a rule that blocks all incoming traffic from private networks.  My network still works, but I don't see any DHCP responses.  I believe I saw countless and continuous requests for an IP (But the log file cleared on a reboot so it is gone).


    cmb:

        All traffic gets filtered by firewall rules. The DHCP response is allowed in by the state from the DHCP request, it cannot be filtered by source IP. Block private networks is for traffic sourced externally, not replies to what's been permitted outbound.

        What you describe sounds like what happens with some cable modems when you lose connectivity to the ISP, they'll assign a private IP from their own DHCP server.


    rnsc:

          Thank you.  So:
          (1) I should filter the private addresses, it will not block responses to my DHCP requests. 
          (2) It will let in these inappropriate responses, since they are in response to my request, and I cannot do anything about that.
          (3) Perhaps my cable is getting flaky.


    cmb:

            Correct on all counts.

            One other thing that may be worth considering, if your ISP's network is less than ideal, it may be possible you were getting a lease from a rogue DHCP server on your ISP's network. Usually that would be from a customer, for instance someone plugging their router in backwards (sounds crazy, but I've actually seen it happen on multiple occasions on less than ideal small ISP networks). If your ISP is doing things right, a customer port will never be able to respond to DHCP requests.

            It's also possible it was a broken DHCP server owned and authorized by the ISP. Private source IPs on ISP DHCP servers aren't uncommon, even with very large ISPs. Possibly an "oops" on their part.

            So yeah, if it continues, contact your ISP and tell them exactly what you described in your first post here.


    rnsc:
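The two hypotheses above (a second, possibly rogue, DHCP server answering on the WAN, and a lease in 192.168.x.x space that cannot route anywhere) both leave traces in the dhclient lines pfSense writes to its system log. The following script is an added example, not code from the thread or from pfSense, that triages such lines into a short list of findings suitable for an ISP ticket. It assumes the message texts ISC dhclient itself logs ("DHCPOFFER from X", "DHCPACK from X", "bound to X -- renewal in N seconds."); the sample log embedded in it is constructed for illustration, and the 10.20.0.1, 192.168.1.1 and 203.0.113.7 addresses are placeholders.

```python
"""Added example: triage dhclient log lines for the WAN DHCP symptoms described
in this thread (private-address leases, more than one server answering)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Message texts assumed here are the ones ISC dhclient logs on pfSense:
# "DHCPOFFER from X", "DHCPACK from X", "bound to X -- renewal in N seconds."
# The syslog prefix (timestamp, host, dhclient[pid]) is ignored.
SERVER_RE = re.compile(r"DHCP(OFFER|ACK) from (\d{1,3}(?:\.\d{1,3}){3})")
BOUND_RE = re.compile(r"bound to (\d{1,3}(?:\.\d{1,3}){3})")

# RFC 1918 ranges, the "private networks" the thread is concerned with.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, not a real capture: a renewal answered by a
# 192.168.x.x server with a private lease, then a fresh DISCOVER answered by
# the ISP's 10.x server with a routable lease (203.0.113.7 is documentation space).
SAMPLE_LOG = [
    "Jan 10 03:14:05 pfSense dhclient[4321]: DHCPREQUEST on em0 to 255.255.255.255 port 67",
    "Jan 10 03:14:05 pfSense dhclient[4321]: DHCPACK from 192.168.1.1",
    "Jan 10 03:14:05 pfSense dhclient[4321]: bound to 192.168.1.100 -- renewal in 1800 seconds.",
    "Jan 10 03:15:40 pfSense dhclient[4321]: DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 3",
    "Jan 10 03:15:40 pfSense dhclient[4321]: DHCPOFFER from 10.20.0.1",
    "Jan 10 03:15:40 pfSense dhclient[4321]: DHCPREQUEST on em0 to 255.255.255.255 port 67",
    "Jan 10 03:15:40 pfSense dhclient[4321]: DHCPACK from 10.20.0.1",
    "Jan 10 03:15:40 pfSense dhclient[4321]: bound to 203.0.113.7 -- renewal in 43200 seconds.",
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Triage:
    servers: dict = field(default_factory=dict)         # server IP -> OFFER/ACK count
    private_leases: list = field(default_factory=list)  # WAN leases inside RFC 1918
    findings: list = field(default_factory=list)        # plain-language notes for the ISP


def triage(lines) -> Triage:
    """Summarise dhclient log lines into a Triage report."""
    report = Triage()
    for line in lines:
        m = SERVER_RE.search(line)
        if m:
            server = m.group(2)
            report.servers[server] = report.servers.get(server, 0) + 1
            continue
        m = BOUND_RE.search(line)
        if m and is_rfc1918(m.group(1)):
            report.private_leases.append(m.group(1))

    # A private lease on the WAN is the actual outage: it cannot route anywhere.
    for addr in report.private_leases:
        report.findings.append(
            f"WAN bound to private address {addr}; no Internet connectivity until re-leased")
    # Two different servers answering is the rogue-server / backwards-router hypothesis.
    if len(report.servers) > 1:
        report.findings.append(
            "More than one DHCP server answered on the WAN: "
            + ", ".join(f"{s} ({n} replies)" for s, n in sorted(report.servers.items())))
    # Informational only: a private server address by itself is common at ISPs.
    for server in report.servers:
        if is_rfc1918(server):
            report.findings.append(f"Server {server} has a private source address (not unusual by itself)")
    return report


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG).findings:
        print("-", note)
```

Feed it the dhclient lines from the pfSense system log (or a syslog export) instead of SAMPLE_LOG; the findings distinguish the lease that actually broke connectivity from the merely unusual private server address, which is the distinction the thread draws.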

              Thanks for the added info.  Your theory of a backwards router is exactly what I was hypothesizing, but I wanted to have all of my ducks in a row and well documented before contacting them.  I don't want to lose credibility with them - they say that they only support people running Windows or Macs, you have to have a spare Windows PC to get service.  What a crock, but I won't go there.  Thank you very much.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.