Firewall rule blocking DHCP? DHCP too slow early in the morning.



  • PFSense 2.0.1.

    PFSense box is both my network DHCP and gateway.
    A few weeks ago I changed my LAN filter rules to block every outgoing packet, and before this block-all rule there are some rules allowing legitimate traffic. There was no rule allowing UDP ports 57 and 58. So basically I was blocking everything from the LAN to the outside, allowing only legitimate remote services to be accessed.

    My problem: I don't know if this is related, but some of my users started complaining that early in the morning it takes about 5 to 10 minutes to get an IP address. Some even reboot the machine 2 or 3 times. As any regular user, they don't know exactly when this started, whether it was before the new LAN filter rules or after.

    Today I added UDP (and TCP, just to be sure) ports 57 and 58 to the list of allowed services. I think since the DHCP operates on the IP address of the gateway, and it is the interface assigned to the LAN in PFSense, when DHCP negotiation starts, clients send UDP packets to the LAN interface (in this case packets do not go outside the network, which is the case of other services, such as www or msnp), and maybe these rules were blocking such requests.

    I read some documentation on the Internet; surprisingly, the Microsoft site was really useful: http://technet.microsoft.com/en-us/library/cc958935.aspx . I noticed that, during the DHCP negotiation process, in the early stages, traffic in the layers beneath TCP/IP happens, so in these stages IP filter rules would not have an effect, I think, but in the "Initialization State" some UDP traffic already happens, as the document states.

    Additional information: we have a PFSense box in the university datacenter, serving 4 different buildings, all in the same LAN (a /23 network); some of the buildings are as far as 15 km apart, all connected with optical fibre and gigabit switches. Between some of these switches there are other networks, but we use VLANs. We have about 200 workstations, so maybe the network size is a factor here, but no recent modifications were made, I mean, no new traffic is happening. Since I inserted those "block all going outside" rules, average downloads decreased about 10 times, and uploads about 30 times (yeah, 30 times). All to try to stop P2P.



  • The initial DHCP request has a destination IP address of 255.255.255.255 and a source IP address of 0.0.0.0. Do your rules allow that traffic?



  • I added this rule, thanks for your help, I'll check tomorrow if users are having problems.



  • DHCP is on ports 67 and 68.
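The two answers above (initial DHCP request from 0.0.0.0 to 255.255.255.255; DHCP on UDP 67/68) can be checked against a rule order like the one in the question with a small first-match simulation. This is an added example, not code from the thread or from pfSense: it models pfSense's ordered LAN rules with an explicit block-all at the end, and compares the original rule list (ports 57/58, no DHCP rule), a tempting but insufficient fix (a port-67 rule whose source is the LAN subnet, which never matches a 0.0.0.0 source), and a rule list that admits both the initial broadcast and later unicast renewals. The /23 subnet, the DHCP server address, and the client addresses are constructed placeholders.

```python
"""First-match firewall rule simulation for the DHCP question above.

Constructed example: the addresses, ports and rule lists are assumptions
chosen to mirror the thread, not a dump of the poster's pfSense rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAN_NET = "10.10.0.0/23"      # constructed stand-in for the /23 LAN in the question
DHCP_SERVER = "10.10.0.1"     # constructed: LAN interface address, which is also the DHCP server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"             # "udp", "tcp" or "any"
    src: str = "any"               # CIDR or "any"
    dst: str = "any"               # CIDR or "any"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Return the action of the first matching rule (rules are evaluated top-down,
    as the LAN rule list in the question is). Assumption: no match means block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed traffic samples.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)   # client has no address yet
RENEW = Packet("udp", "10.10.1.25", 68, DHCP_SERVER, 67)          # renewal from a leased address
WEB = Packet("tcp", "10.10.1.25", 51000, "203.0.113.10", 443)     # ordinary allowed traffic

BLOCK_ALL = Rule("block")
WEB_RULES = [Rule("pass", "tcp", src=LAN_NET, dport=80),
             Rule("pass", "tcp", src=LAN_NET, dport=443)]

# 1. Rule list as described in the question: ports 57/58 opened, then block everything.
ORIGINAL = WEB_RULES + [Rule("pass", "udp", src=LAN_NET, dport=57),
                        Rule("pass", "udp", src=LAN_NET, dport=58),
                        BLOCK_ALL]

# 2. Port 67 opened, but only from the LAN subnet: a 0.0.0.0 source never matches.
LAN_SOURCE_ONLY = WEB_RULES + [Rule("pass", "udp", src=LAN_NET, dport=67), BLOCK_ALL]

# 3. Both the initial broadcast and later unicast renewals admitted, above the block-all.
DHCP_RULES = [Rule("pass", "udp", src="0.0.0.0/32", dst="255.255.255.255/32", dport=67),
              Rule("pass", "udp", src=LAN_NET, dst=DHCP_SERVER + "/32", dport=67)]
FIXED = WEB_RULES + DHCP_RULES + [BLOCK_ALL]

# 4. Same DHCP rules, but placed below the block-all: they are never reached.
MISORDERED = WEB_RULES + [BLOCK_ALL] + DHCP_RULES


def dhcp_verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given rule list."""
    return {"discover": evaluate(rules, DISCOVER),
            "renew": evaluate(rules, RENEW),
            "web": evaluate(rules, WEB)}


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("lan-source-only", LAN_SOURCE_ONLY),
                        ("fixed", FIXED), ("misordered", MISORDERED)]:
        print(f"{name:16s} {dhcp_verdicts(rules)}")
```

The second rule list is the one to watch for: a port-67 rule that takes the LAN subnet as its source looks correct in the rule editor, yet the very first DHCP packet a fresh client sends carries 0.0.0.0 as its source and is still dropped, which would match the "slow in the morning" symptom while renewals from already-addressed clients keep working.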

