DHCP on second LAN not seeing requests



  • 2 WAN - 2 LAN setup.
    1st LAN is on a domain with no DHCP services running on pfsense
    2nd LAN is for unsecured public access to the internet and I'm trying to get DHCP running on it.
    2nd LAN routes fine and any statically assigned machine can get internet access just fine.
    DHCP server logs show no error, but they also show no attempts to hand out an address.
    Do I need to define any firewall rules for DHCP?
    With no errors in the log what steps can I take to troubleshoot this?

    DHCP settings are pretty plain-jane.  Mask is valid, Range is within available, no additional pools everything else to default.  I am not Denying unknown clients or using static ARP entries.

    I could put another machine or appliance on the 2nd LAN for DHCP, but I don't have one at the moment and I'd rather not have another device if possible.



  • The default LAN interface has some implied defaults, additional interfaces do not.
    You will need to add rules to your 2nd LAN to allow DNS, DHCP, and access out, and block any access back to your primary LAN (unless you want to allow that)

    • Block Proto IPv4 TCP/UDP SRC: 2ndLAN subnet DST: LAN subnet

    • Allow Proto IPv4 UDP SRC: 2ndLAN subnet DST: 2ndLAN address, ports 67,68 - allow DHCP

    • Allow Proto IPv4 TCP/UDP SRC: 2ndLAN subnet DST: 2ndLAN address, ports 53 - allow DNS if running DNS forwarder locally

    • Allow Proto IPv4 ICMP echoreq SRC: 2ndLAN subnet DST: 2ndLAN address - allow ping



  • @awebster:

    The default LAN interface has some implied defaults, additional interfaces do not.
    You will need to add rules to your 2nd LAN to allow DNS, DHCP, and access out, and block any access back to your primary LAN (unless you want to allow that)

    • Block Proto IPv4 TCP/UDP SRC: 2ndLAN subnet DST: LAN subnet

    • Allow Proto IPv4 UDP SRC: 2ndLAN subnet DST: 2ndLAN address, ports 67,68 - allow DHCP

    • Allow Proto IPv4 TCP/UDP SRC: 2ndLAN subnet DST: 2ndLAN address, ports 53 - allow DNS if running DNS forwarder locally

    • Allow Proto IPv4 ICMP echoreq SRC: 2ndLAN subnet DST: 2ndLAN address - allow ping

    First rule was already in place.  I added the DHCP and ping rules, still no change.
    The DHCPD logs still show no attempts

    Sep 24 11:26:53 dhcpd: Internet Systems Consortium DHCP Server 4.2.6
    Sep 24 11:26:53 dhcpd: Copyright 2004-2014 Internet Systems Consortium.
    Sep 24 11:26:53 dhcpd: All rights reserved.
    Sep 24 11:26:53 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
    Sep 24 11:26:53 dhcpd: Wrote 0 leases to leases file.
    Sep 24 11:26:53 dhcpd: Listening on BPF/em1/00:26:55:e8:cc:f8/x.x.81.0/24
    Sep 24 11:26:53 dhcpd: Sending on BPF/em1/00:26:55:e8:cc:f8/x.x.81.0/24
    Sep 24 11:26:53 dhcpd: Sending on Socket/fallback/fallback-net



  • OK, I'm an idiot, but you got me looking in the right direction.
    I had my switch configured to block rogue DHCP servers and forgot.  Explains all the issues I was having on earlier attempts with a separate router.



  • Ah yes, that protection on switches has fooled even seasoned network veterans!

    For completeness' sake, the 2nd rule should be:
    Allow Proto IPv4 UDP SRC: 2ndLAN subnet DST: ANY (or an alias of 2ndLAN subnet and 255.255.255.255), ports 67,68 - allow DHCP
    Since the initial request is a discover packet sent to 255.255.255.255.

    Set logging on for the dhcp rule, look for hits in the firewall log

    You can also try tcpdump if you don't mind getting your hands dirty.
    Enable ssh, and connect to pfSense
    Note down the interface that corresponds to 2nd LAN (looks like em1)
    Drop to the shell and run:
    tcpdump -i em1 -s 0 -n -v udp port 67 or udp port 68
    You should see DHCP packets from the client.
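
Added illustration for the rule discussion in the two replies above (not code from the thread, from ISC dhcpd or from pfSense): it builds the DHCPDISCOVER a lease-less client actually emits, parses it back, and runs it through a generic first-match rule model shaped like the rules quoted in the thread. Two things the packet shows: the destination is 255.255.255.255, as the last reply says, and the IP source is 0.0.0.0 (RFC 2131: ciaddr is zero, the client has no address yet), so a rule whose source is "2ndLAN subnet" would not match it either, while a unicast renewal from a client that already holds a lease does match the interface-address rule. The addressing (192.0.2.0/24 for the second LAN, 192.0.2.1 for the pfSense address, the client MAC and transaction ID) is constructed. Note that pfSense generates its own hidden pass rules for a DHCP server enabled on an interface, so a user rule is normally belt-and-braces; if a tcpdump such as the one above shows no DISCOVERs at all, the packets are being dropped before the firewall, as turned out to be the case here.

```python
"""Added example (not code from the thread or from pfSense): build and parse a
DHCPDISCOVER, then check which rule shapes from the thread would pass it.
Addresses, MAC and transaction ID are constructed."""
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST = ipaddress.ip_address("255.255.255.255")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")

# Assumed addressing for the second LAN; the thread only shows "x.x.81.0/24".
LAN2_NET = ipaddress.ip_network("192.0.2.0/24")      # "2ndLAN subnet"
LAN2_ADDR = ipaddress.ip_address("192.0.2.1")        # "2ndLAN address" (pfSense itself)


def build_dhcp_discover(client_mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER payload per RFC 2131 / RFC 2132."""
    if len(client_mac) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,      # xid, secs, flags: broadcast bit set
        b"\0" * 4,           # ciaddr: the client has no address yet
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"),       # chaddr
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    options = b"\x35\x01\x01" + b"\xff"   # option 53 = 1 (DISCOVER), then END
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the header fields and TLV options relevant to the discussion."""
    f = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:
        if payload[i] == 0:            # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "xid": f[4], "flags": f[6],
        "ciaddr": str(ipaddress.ip_address(f[7])),
        "chaddr": f[11][:f[2]].hex(":"),
        "message_type": opts.get(53, b"\0")[0],
    }


# IP/UDP envelope around a DISCOVER from a lease-less client, and around a
# unicast renewal from a client that already holds 192.0.2.50.
DISCOVER = {"proto": "udp", "src": UNSPECIFIED, "sport": 68, "dst": BROADCAST, "dport": 67}
RENEWAL = {"proto": "udp", "src": ipaddress.ip_address("192.0.2.50"), "sport": 68,
           "dst": LAN2_ADDR, "dport": 67}

# Rule shapes from the thread, plus a "source any" variant. "any" matches
# everything; otherwise a list of networks/addresses (an alias, in pfSense terms).
RULE_AS_POSTED = {"action": "pass", "proto": "udp", "src": [LAN2_NET],
                  "dst": [LAN2_ADDR], "dports": {67, 68}}
RULE_DST_ANY = {"action": "pass", "proto": "udp", "src": [LAN2_NET],
                "dst": "any", "dports": {67, 68}}
RULE_SRC_ANY_DST_ALIAS = {"action": "pass", "proto": "udp", "src": "any",
                          "dst": [LAN2_NET, BROADCAST], "dports": {67, 68}}


def addr_matches(spec, addr) -> bool:
    if spec == "any":
        return True
    return any(addr == s if isinstance(s, ipaddress.IPv4Address) else addr in s for s in spec)


def first_match(rules, pkt) -> str:
    """pfSense user rules are first-match ('quick'); with no matching pass rule
    an added interface drops the packet."""
    for r in rules:
        if (r["proto"] == pkt["proto"] and addr_matches(r["src"], pkt["src"])
                and addr_matches(r["dst"], pkt["dst"]) and pkt["dport"] in r["dports"]):
            return r["action"]
    return "block"


if __name__ == "__main__":
    pkt = parse_dhcp(build_dhcp_discover(bytes.fromhex("0011223344aa"), 0x1234))
    print(pkt)   # ciaddr 0.0.0.0, flags 0x8000, message_type 1
    for name, rule in [("as posted", RULE_AS_POSTED), ("dst any", RULE_DST_ANY),
                       ("src any, dst alias", RULE_SRC_ANY_DST_ALIAS)]:
        print(f"{name:20s} DISCOVER -> {first_match([rule], DISCOVER)}  "
              f"RENEWAL -> {first_match([rule], RENEWAL)}")
```

The rule model is deliberately simpler than pf (no state, no interface direction, no reply-to), which is enough to show the point: only a rule whose source covers 0.0.0.0 and whose destination covers 255.255.255.255 can pass the initial DISCOVER, while the interface-address rule only ever sees renewals from clients that already have a lease.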