Hundreds of DHCP Requests?



  • I'm using the newest pfSense release as I just installed it a couple days ago. I'm using a static IP/DNS for my WAN interface. I also disabled DNS forwarder because the DNS server internally is our Windows Server (Windows SBS 2011). For some reason I'm not able to access sites that are up such as yahoo.com.

    In Status: System logs: Firewall I have constant entries that look like this:

    Interface > WAN Source > 10.14.0.1:67 Destination > 255.255.255.255:68 Protocol: UDP

    I get one about every 10 seconds. Could this be causing the issues I'm having accessing websites? Any help is greatly appreciated.



  • Where have you set up your internal DNS within pfSense?

    What is 10.14.0.1, your configured static IP on WAN?

    Maybe more info on your setup is needed; just a simple ASCII diagram can do.



  • I rebooted pfSense and all website requests work now. My internal DNS is set up on all the clients. They all point to the server. I have the WAN DNS IPs (primary and secondary) set up in System > General Setup. However, I'm still getting all the 10.14.0.1 requests.

    I don't know what 10.14.0.1 is. My static IP on WAN begins with 68, and all internal clients are 10.0.0.X. My setup is real simple:

    ISP Modem > PFSense Firewall > Switch

    I often get more than one every 10 seconds. For example, if I look at the log right now I get more than 1 a second.



  • Maybe it's the modem?



  • That's what I was thinking. Couldn't this be slowing everything down because of the frequency?



  • I'm now seeing this:
    Interface: WAN
    Source: 10.14.0.1
    Destination: 224.0.0.1
    Protocol: IGMP

    They show up about once a minute.



  • @chris32lr:

    I'm now seeing this:
    Interface: WAN
    Source: 10.14.0.1
    Destination: 224.0.0.1
    Protocol: IGMP

    They show up about once a minute.

    I get that too, it's my modem, but I don't get the DHCP stuff :) I would log in to the modem and see what's going on in there if you still get the DHCP requests.



  • I can't login to the modem because it's the ISP's



  • Anyone else have any idea what could be going on? Also, do I have DNS set up correctly since our DNS server is our Windows server? I have the check box unchecked that "allow DNS server list to be overridden by DHCP/PPP on WAN" and I have DNS Forwarder disabled.



  • What sort of Internet link do you have? xDSL? Cable?

    My understanding is that cable is a broadcast medium meaning you could be seeing traffic from your neighbours.

    You could reduce the overhead of logging those DHCP requests by adding a specific firewall rule to ignore DHCP requests on WAN.

    @chris32lr:

    Also, do I have DNS set up correctly since our DNS server is our Windows server? I have the check box unchecked that "allow DNS server list to be overridden by DHCP/PPP on WAN" and I have DNS Forwarder disabled.

    That looks right. Have you checked on a DHCP client?


  • Rebel Alliance Global Moderator

    Well, normally you would not see those packets in the firewall log because they would be allowed by the built-in rules when set for DHCP on WAN..  I would assume.

    allow our DHCP client out to the WAN

    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

    Not installing DHCP server firewall rules for WAN which is configured for DHCP.

    But since you're static these rules might be created?  You can look in /tmp/rules.debug for all the rules being used.

    Either should not be logged, I wouldn't think, because there is going to be a lot of DHCP noise on a public internet connection quite often..  I, for example, see quite a bit of it just doing a capture - but none of it shows up in the log

    14:26:26.293869 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
    14:26:26.316969 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
    14:26:38.867621 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
    14:26:42.708549 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
    14:26:47.730643 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300

    That's 5 in 21 seconds, or roughly 1 every 4 seconds, which is double what you say you're seeing ;)

    Now I would assume 96.120.27.233 is my ISP DHCP server - but it's quite possible for your ISP to be using a private IP for their DHCP server as well.  Now since you're static it's hard to see where you get your lease from.  But if you can use DHCP you could then look in your leases file.  You should be able to find it in /var/db; you should see dhclient.leases.em1 with em1 being whatever your WAN interface is.

    Now in my lease I show
    option dhcp-server-identifier 69.252.202.7;

    And when I look at some of those packets I capture I can see that yes, in fact, that is my ISP DHCP server relay at 96.120 - see attached.  And it's ACKs to fellow ISP users on my same network..  So seeing DHCP packets on your WAN interface is quite normal.

    The odd part is why are they being logged in your firewall rules?  Are you blocking private?  This could be logging them since it's coming from a private IP.  Take a look at some of the packets to satisfy your curiosity as to what they are exactly..  Once you realize it's just common internet noise, prob redo your firewall rules not to log such noise.  Same sort of thing would go for the IGMP packets you're seeing..  You're going to see quite a bit of that noise on the internet.. Normally shouldn't be logging it.

    Or as mentioned it could be coming from your modem; again it would just be noise that you shouldn't be logging.. As stated, take a look to see what it is via your fav analyzer; Wireshark is FREE and works great for this sort of thing.
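An added example, not code from this thread or from pfSense, that turns the moderator's advice into a small triage script: it parses tcpdump lines like those in the capture above, labels the two kinds of WAN noise the thread discusses (DHCP server broadcasts from port 67 to 255.255.255.255:68, and IGMP to a multicast group), flags which sources are RFC1918 addresses (the ones a "block private networks" rule would match and log), and computes the mean gap between packets, which is the "5 in 21 seconds" arithmetic. The sample capture is constructed: the moderator's five DHCP lines plus two lines added for the thread's 10.14.0.1 source.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in tcpdump's default output format: the five DHCP lines from the
# moderator's capture plus two constructed lines from the thread's 10.14.0.1 source.
SAMPLE = """\
14:26:26.293869 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:26.316969 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:30.100000 IP 10.14.0.1.67 > 255.255.255.255.68: UDP, length 300
14:26:38.867621 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:41.000000 IP 10.14.0.1 > 224.0.0.1: igmp query v2
14:26:42.708549 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:47.730643 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
"""

# timestamp, src addr, optional src port, dst addr, optional dst port, protocol word
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?"
                  r" > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: ([A-Za-z]+)")

def classify(src, sport, dst, dport, proto):
    """Label the two kinds of WAN noise discussed in the thread; None for anything else."""
    if proto == "UDP" and sport == 67 and dport == 68 and dst == "255.255.255.255":
        return "dhcp-server-broadcast"  # ISP DHCP server/relay answering other subscribers
    if proto == "igmp" and ipaddress.ip_address(dst).is_multicast:
        return "igmp-query"             # periodic multicast membership queries
    return None

def summarize(capture):
    """Per noise class: packet count, how many came from RFC1918 sources (what a
    'block private networks' rule would match), and mean gap in seconds between packets."""
    seen = defaultdict(lambda: {"count": 0, "private_src": 0, "times": []})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines that are not IPv4 packets are ignored
        ts, src, sport, dst, dport, proto = m.groups()
        kind = classify(src, int(sport or 0), dst, int(dport or 0), proto)
        if kind is None:
            continue
        entry = seen[kind]
        entry["count"] += 1
        entry["private_src"] += int(ipaddress.ip_address(src).is_private)
        entry["times"].append(datetime.strptime(ts, "%H:%M:%S.%f"))
    result = {}
    for kind, e in seen.items():
        span = (e["times"][-1] - e["times"][0]).total_seconds()
        gap = span / (e["count"] - 1) if e["count"] > 1 else None
        result[kind] = {"count": e["count"], "private_src": e["private_src"], "mean_gap_s": gap}
    return result

if __name__ == "__main__":
    for kind, stats in summarize(SAMPLE).items():
        print(kind, stats)
```

Feed it the output of a real capture on the WAN interface to see how much of the logged traffic is this ordinary noise before deciding which rule to stop logging.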




  • Thanks for the replies. It's a cable modem.

    The only thing that is logging right now is the default block bogon networks. I don't have block private networks on. I don't have anything else logged. I don't want to turn DHCP on in WAN because we have a website hosted internally and need the IP to be static. As long as everything works ok, I'm fine with it, it's just alarming how frequent it is which also varies, sometimes I get two or three a second.

    Good call on wireshark, I'll give that a shot. Thanks!


  • Rebel Alliance Global Moderator

    And how many users do you think are on the same segment as you?  I am on cable and the broadcast domain is a /21, that's what, 2046 possible boxes asking for IPs, renewing IPs - and I wouldn't put it past them to be broadcasting to more than the /21

    And what is the lease time?  Then people rebooting, connecting different devices, how many have an actual PC connected - now you could be seeing applications ask for DHCP info, WPAD, etc.

    It's noise!  Look at it with Wireshark to satisfy you and then just put in a rule to not log it.



  • That's perfectly normal for any cable ISP.

