DHCP requests across firewall
-
look at the table of what is in bogon - why would any of those networks be on your local network? To be honest I don't really see much point in blocking them on the wan either ;) Default rule is block on wan. So blocking bogon would just be for ports that you have opened. And bogon are not even routeable on the internet, etc.
They seem to cause way more problems then they are worth in blocking any sort of risk. that 0.0.0.0/8 for example your seeing. And there are some other networks in the ipv6 bogon that really legit for link local addressing.
As to your version of pfsense - its good idea to stay current. They add nice stuff in every update, for example the listings of the rule that blocked in the logs ;) 2.2 has full resolver vs just forwarder for dns, etc.
As to dhcp load - I highly doubt that is a problem for pfsense.. But sure dhcp is better to run off your windows AD then pfsense.
While generally speaking yes if not a valid address shouldn't be allowed - but without real easy way to edit the list you can run into stuff that may or may not be "valid" And the way they have it added to the rules there is really no way to put stuff in front of it, etc.
If you were really worried about blocking bogons, I would prob just grab the list and put in a alias and use that in a normal rule vs how they have bogon implemented in pfsense.
-
I tried 2.2 when that came out, but I was getting weird errors, so I just decided to wait a little while.
As for dhcp load, yeah that was the wrong word XD More.. Functionality? I just want to be authoritative over my domain (DNS, DHCP, etc.). Plus, windows AD is incredibly fun and interesting! Haha, I'm well aware of pfSense's power, it truly is a masterpiece!
-
I agree if your running an AD then dns and dhcp should be by your AD not your router ;)
As to it being fun, that would be a matter of opinion. While it has always been interesting, not sure I would use the word fun to describe MS products ;) I have been admin of windows networks since before there was "domains" back when it was only 3.11 for "workgroups" and then went to NT 3.51 as server from OS2, etc.
As to your issues with 2.2 - where you blocking bogon on your lan interfaces? ;)
You really should move away from 2.1 and go to 2.2, unless you were in some critical production setup there is no reason not to be current.
-
Ha ha. In reality, most likely. But my problem was hardware, I believe. I'm going to try again and go into more depth soon. As for my current setup, when I try to switch between WAPs on each subnet, it only gives me a lease from the first subnet I joined and I also am unable to access the web. Is this a windows thing?
-
What do you mean it gives you IP from the first subnet? Why would you have Wireless on both segments? Wireless should be its own segment.
-
Wireless device A connects to WAP on NetA and gets an IP from NetA scope. Wireless device A then switches to WAP on NetB but doesn't get a new IP from the NetB scope, it keeps the old NetA address.
One on each subnet so I can administer them differently (Content filtering and whatnot)
Its own segment? Is this good practice or absolutely necessary for this to work?
Also: I tried enabling Name Protection on the entire IPv4 region of the DHCP server, doesn't seem to have worked.
-
So you just move to new wireless network, is this a different ssid? Did you release the IP to get a new one?
I have never in all my years of working with IT and networking ever seen anyone put bridged wireless on 2 different segments like your doing.. Its completely pointless!!
Your wireless should be on its own segment plain and simple, or bridged to 1 of them.. It sure and the hell does not need to be on both. Name protection?? Why do you think you need that??
-
This is by no means a wireless bridge, unless I'm completely misunderstanding what a bridge is. These are two completely separate WAPs, on completely seperate subnets, with completely different SSIDs, with different purposes. And no, I didn't release it. The wireless device (IE: a cell phone) doesn't have release functionality and is not joined to the domain either.
Name Protection -> So when I switch WAPs (and therefore switch subnets) the DHCP server gets rid of the duplicate entry so there aren't two devices with the same name (even though it is the same device).
-
It is bridged to you wired network is it not! Wireless bridge.. AP, etc..
There is NO point in having wireless on both of your wired segments.. Put them on 1 of them, or put them on its own which is more secure and then allows you to leverage firewall between your wireless and wired network
Your not understanding what Name protection is ;) Its designed to remove non ad members that might register a name. Not remove entry of box A ipaddress1 and replace it with ipaddress2
-
I'll just renable the pfSense dhcp server on Net B and leave the windows dhcp for Net A, which is how it was prior to the relay and switching between WAPs worked just fine.
-
What you should be doing like any normal network would be to put your wifi on its own segment or just have it on 1 of your segments.
-
I'd love to, but if all my wireless is on one network/segment, then I can't have custom content filtering per WAP. for example: One access point will have filters that block adult content, whereas the other will not for those spicey/naughty situations.
-
"then I can't have custom content filtering per WAP"
AcessPoints don't do content filtering.. if they are doing any sort of content filtering then you must be using them in NAT mode as a wifi router
What are these devices that your calling WAP that do content filtering? Why would you not do the content filtering at pfsense and you can setup rules based upon IP or authentication. So adults can auth no matter what machine they are on surf porn, while kids no matter what machine they are could only got Nickelodeon and the Disney page..
-
Of course the WAPs don't do content filtering, and even if they did, then what subnet it's on wouldn't make a difference anyways.
I meant, I have content filters ON PFSENSE attached to one subnet and not the other. Therefore, all of one subnet has content filtering, and subsequently the WAP connected to that subnet, and the other subnet does not.
But I'm just going to guess you'll suggest a better method where they can be on the same subnet, that I'm most likely not aware of.
-
Yes as I already stated you can do content filtering based upon source IP or based upon auth.
if you isolated your wifi to its own segment then you can firewall devices on your wifi network from accessing stuff on your wired lan.. How you have it anyone on your wifi network can do anything they want to your wired devices.
-
If the WAPs are on the same subnet, and the subnet is getting IPs from it's respective scope on the DHCP server, how can I filter by IP? Won't it be assigned randomly?
-
Normally yes, which is why you would setup a reservation or static.. This is easy done in both windows dhcp and pfsense dhcp.
You setup a reservation so that client with specific mac address always gets IP a.b.c.d, if you don't have that mac address you don't get that IP.
-
What about a client that frequently switches between wired and wireless, for example: A laptop. How would you get around the issue, which is identical to the one in having now with the wireless device?
-
So you have reservation for their wired and their wireles mac – that was hard ;)
Wireless address 192.168.2.42, wired address 192.168.1.42
-
You aren't seeing my problem, the clients aren't getting a different IP when they switch between them. They keep the up of the first one the joined and thus can't join the other.
