Can DHCP responses/offers be blocked by a rule?



  • I am trying to sort out a situation that is confusing for me.  I will ask my direct question first, then explain the larger picture.  Any extra comments or insights are very appreciated!

    Direct Question: 
    If I have a rule (Either the "Block Private Networks" check box on the WAN or an explicit rule I add) that blocks 10.x.x.x sources on the WAN, and my ISP's DHCP server is a 10.x.x.x address, will my DHCP client work? 
    Does the DHCP client pick up traffic "before" it hits the firewall rules, or (also of general interest) is EVERYTHING "inside" of the firewall rules? 
    If this rule would prevent a DHCP allocation from occurring, would PFSense continue with the last known good IP address on the WAN?

    I think the answer to these will at least cut the confusion in half!

    Thank you!

    Situation:
    I have been using PFSense for many years with no problem.  Incredible, invaluable (Used Linux based firewalls previously). 
    My ISP is Time Warner (Roadrunner) in Rochester, NY.

    Recently I have had "discontinuities" in my internet service.  It would just stop working for a minute or two, then resume.  Looking at the logs, I saw that when my lease is up, often my DHCP renewal request is answered by a 192.168.x.x-like address, and I would accept something like 192.168.1.100 for my address.  It would not work; PFSense would immediately (don't know how it knew!) broadcast to get another address, I would then get my previous/old one back from a 10.x.x.x server, and my network would work fine until the lease is up again.

    I made a rule that blocks all incoming traffic from private networks.  My network still works, but I don't see any DHCP responses.  I believe I saw countless and continuous requests for an IP (But the log file cleared on a reboot so it is gone).



  • All traffic gets filtered by firewall rules. The DHCP response is allowed in by the state from the DHCP request, it cannot be filtered by source IP. Block private networks is for traffic sourced externally, not replies to what's been permitted outbound.

    What you describe sounds like what happens with some cable modems when you lose connectivity to the ISP, they'll assign a private IP from their own DHCP server.



  • Thank you.  So:
    (1) I should filter the private addresses, it will not block responses to my DHCP requests. 
    (2) It will let in these inappropriate responses, since they are in response to my request, and I cannot do anything about that.
    (3) Perhaps my cable is getting flakey.



  • Correct on all counts.

    One other thing that may be worth considering, if your ISP's network is less than ideal, it may be possible you were getting a lease from a rogue DHCP server on your ISP's network. Usually that would be from a customer, for instance someone plugging their router in backwards (sounds crazy, but I've actually seen it happen on multiple occasions on less than ideal small ISP networks). If your ISP is doing things right, a customer port will never be able to respond to DHCP requests.

    It's also possible it was a broken DHCP server owned and authorized by the ISP. Private source IPs on ISP DHCP servers aren't uncommon, even with very large ISPs. Possibly an "oops" on their part.

    So yeah, if it continues, contact your ISP and tell them exactly what you described in your first post here.
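As an added example (not code from the thread or from pfSense), the script below does the kind of log triage the poster was after before calling the ISP: it reads dhclient-style WAN DHCP client log lines, counts which servers answered, and flags offers from a server other than the one you expect plus any lease that lands in RFC 1918 space. The log format ("DHCPOFFER from X", "bound to Y -- renewal in N seconds") and the sample lines are constructed for the example, and the expected server address is an assumed parameter you would set to your ISP's known DHCP server.

```python
"""Triage WAN DHCP client log lines for rogue or private-space offers.

Added example; not pfSense code. Log line format is assumed to be
dhclient-style; SAMPLE_LOG below is constructed, not a real capture.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# RFC 1918 space only: a WAN lease inside these ranges is the symptom
# described in the thread (ending up on 192.168.1.100 instead of a public IP).
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

OFFER_RE = re.compile(r"DHCPOFFER from (?P<server>\d+\.\d+\.\d+\.\d+)")
BOUND_RE = re.compile(r"bound to (?P<addr>\d+\.\d+\.\d+\.\d+)")


@dataclass
class Finding:
    line: str
    reason: str


def in_rfc1918(addr: str) -> bool:
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def offers_by_server(lines):
    """Count DHCPOFFERs per server IP; handy evidence when talking to the ISP."""
    counts = Counter()
    for line in lines:
        m = OFFER_RE.search(line)
        if m:
            counts[m.group("server")] += 1
    return dict(counts)


def triage(lines, expected_server=None):
    """Return findings for offers from an unexpected server and for WAN leases
    that land in RFC 1918 space. expected_server (assumed parameter) is the
    ISP DHCP server you know to be legitimate; it may itself be a 10.x
    address, which is why offers are judged by identity, not by privacy."""
    findings = []
    for line in lines:
        m = OFFER_RE.search(line)
        if m:
            server = m.group("server")
            if expected_server is not None and server != expected_server:
                findings.append(Finding(line, f"offer from unexpected server {server}"))
            continue
        m = BOUND_RE.search(line)
        if m and in_rfc1918(m.group("addr")):
            findings.append(Finding(line, f"WAN bound to RFC 1918 address {m.group('addr')}"))
    return findings


# Constructed sample: a bad private lease, then a recovery to the real server.
SAMPLE_LOG = [
    "DHCPREQUEST on em0 to 255.255.255.255 port 67",
    "DHCPOFFER from 192.168.1.1",
    "DHCPACK from 192.168.1.1",
    "bound to 192.168.1.100 -- renewal in 300 seconds.",
    "DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 3",
    "DHCPOFFER from 10.20.30.40",
    "DHCPACK from 10.20.30.40",
    "bound to 198.51.100.23 -- renewal in 43200 seconds.",
]

if __name__ == "__main__":
    print(offers_by_server(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG, expected_server="10.20.30.40"):
        print(f.reason, "<-", f.line)
```

Run it against a saved copy of the DHCP client log (the poster noted the log is lost on reboot, so export it first); the server counts and the flagged lines are the "ducks in a row" to hand the ISP, and a server that is neither the expected one nor in their address plan points at the backwards-router scenario above.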



  • Thanks for the added info.  Your theory of a backwards router is exactly what I was hypothesizing, but I wanted to have all of my ducks in a row and well documented before contacting them.  I don't want to lose credibility with them - they say that they only support people running Windows or Macs; you have to have a spare Windows PC to get service.  What a crock, but I won't go there.  Thank you very much.

