DHCP between interfaces with Windows DHCP server



  • I want to setup a second LAN interface on my pfSense to allow internet access, but isolate it from the rest of my network – except I want to serve DHCP and DNS from a Windows server on the main LAN.

    I have some VLANs setup in this way, but they are not isolated and have firewall rules to allow all traffic.

    I am running a DHCP relay on my pfSense and it works fine for those VLANs with the allow all firewall rules.

    But on this interface that I want to be more restrictive clients aren't getting DHCP leases. If I static my computer in the proper subnet everything else works fine, including DNS.

    The firewall rules on this restricted interface:

    | Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
    |---|---|---|---|---|---|---|---|
    | IPv4 UDP | * | * | * | 67 - 68 | * | none | Allow -> DHCP |
    | IPv4 * | * | * | This Firewall | * | * | none | Block -> pfSense |
    | IPv4 TCP/UDP | * | * | server | 53 (DNS) | * | none | Allow -> DNS Server |
    | IPv4 * | * | * | * | * | WANGW | none | Allow -> Internet |

    I thought the first firewall rule would allow DHCP, does it not? Or do I need some other rules on the LAN interface with the DHCP server?

    The main LAN interface with the DHCP server on it has this firewall rule that I think should allow all traffic:

    IPv4 * LAN net * * * * none   Default allow LAN to any rule

    I have not ruled out a problem with the DHCP server, but since DNS works and the other LAN segments work I am looking at the firewall rules first.


  • LAYER 8 Global Moderator

    If you want to serve up DHCP off a different network, then you need to set up DHCP relay on this interface.  You don't need any special rules for that.  pfSense does it in the background when you set up relay.

    It would be much easier to read if you posted up a screen shot of your rules vs your attempt at ascii art.

    See the example of my DMZ segment rules attached.

    So I let clients in the DMZ segment ping pfSense, IPv4 or IPv6.
    I allow clients in the DMZ to use the pfSense interface in the DMZ segment for DNS.
    I don't allow anything in the DMZ to talk to any other interface on pfSense, either IPv4 or IPv6.
    I then allow anything in the DMZ segment to go anywhere they want other than any other segments in my network, both IPv4 and IPv6. Those aliases contain my IPv4 and IPv6 local networks, like lan, ps3, wlan, etc.




  • I do have the DHCP relay enabled for this interface and it is working for the other VLANs it is enabled for, so I assume there are no problems with the DHCP relay (though I am not 100% sure of that yet)

    I believe everything is working except DHCP. As I mentioned I can static my computer and get internet access, DNS works via the Windows DNS server, and I cannot connect to the pfSense management ports or devices on other interfaces.

    ![Screen Shot 2015-10-01 at 8.32.47 PM.png.png](/public/imported_attachments/1/Screen Shot 2015-10-01 at 8.32.47 PM.png.png)


  • Banned

    Look at the firewall logs. The DHCP(v4) relay creates no firewall rules whatsoever, need to do those manually. https://redmine.pfsense.org/issues/4558


  • LAYER 8 Global Moderator

    What??  Really… Last time I played with relays it auto-created them, I am pretty sure..  That would have been before 2.2 for sure though.

    I would validate that your DHCP server is seeing the relay of the DHCP discover, etc., and sending back an offer -- a simple sniff will tell you that.
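The sniff suggested above is easier to read if the capture is reduced to the facts that matter for a relay: for each transaction id, did a client DISCOVER/REQUEST appear, was it stamped with a relay address (giaddr) by pfSense, and did an OFFER/ACK come back. The following decoder is an added example and is not code from the thread or from pfSense; it parses the fixed BOOTP header and the DHCP message-type option (53) from raw UDP payloads and groups them by transaction. The addresses in the embedded sample exchange (relay interface 10.10.20.1, offered lease 10.10.20.50) and the second, unanswered transaction are constructed to mirror the symptom in the thread.

```python
"""Minimal BOOTP/DHCP (RFC 2131) decoder for summarising a relay exchange.

Added example, not from the pfSense thread or project. Feed it the UDP
payloads of port 67/68 packets captured on the restricted interface and
it reports, per transaction id, whether the relay stamped giaddr and
whether the server ever replied.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpMsg:
    op: int          # 1 = BOOTREQUEST (client side), 2 = BOOTREPLY (server side)
    xid: int         # transaction id, shared by all packets of one exchange
    giaddr: str      # relay agent address; 0.0.0.0 unless a relay forwarded it
    yiaddr: str      # address offered to the client (replies only)
    msg_type: str    # decoded option 53


def parse_dhcp(payload: bytes) -> DhcpMsg:
    """Decode the BOOTP fixed header and option 53 from a raw DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    _ciaddr, yiaddr, _siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    msg_type = None
    i = 240
    while i < len(payload):                      # walk TLV options until END (255)
        code = payload[i]
        if code == 0:                            # PAD option has no length byte
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length >= 1:
            msg_type = MSG_TYPES.get(value[0], f"type{value[0]}")
        i += 2 + length
    return DhcpMsg(op, xid, str(IPv4Address(giaddr)), str(IPv4Address(yiaddr)),
                   msg_type or "UNKNOWN")


def build_dhcp(op: int, xid: int, msg_type_code: int, giaddr: str = "0.0.0.0",
               yiaddr: str = "0.0.0.0", mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a minimal DHCP payload; used only to build the sample capture below."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)       # broadcast flag set
    header += (IPv4Address("0.0.0.0").packed + IPv4Address(yiaddr).packed
               + IPv4Address("0.0.0.0").packed + IPv4Address(giaddr).packed)
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128       # chaddr, sname, file
    options = b"\x35\x01" + bytes([msg_type_code]) + b"\xff"              # option 53 + END
    return header + MAGIC + options


@dataclass
class Txn:
    client_msgs: list = field(default_factory=list)
    server_msgs: list = field(default_factory=list)
    relayed: bool = False            # True once a client message carries a non-zero giaddr


def check_relay_exchange(payloads) -> dict:
    """Group decoded packets by xid so unanswered transactions stand out."""
    txns: dict[int, Txn] = {}
    for p in payloads:
        m = parse_dhcp(p)
        t = txns.setdefault(m.xid, Txn())
        if m.op == 1:
            t.client_msgs.append(m.msg_type)
            if m.giaddr != "0.0.0.0":
                t.relayed = True
        else:
            t.server_msgs.append(m.msg_type)
    return txns


def unanswered(txns: dict) -> list:
    """Transaction ids where the client sent something but no reply was ever seen."""
    return sorted(x for x, t in txns.items() if t.client_msgs and not t.server_msgs)


# Constructed sample capture (assumed addresses): one healthy relayed exchange,
# one DISCOVER that nothing answers, which is what a blocked relay looks like.
SAMPLE_EXCHANGE = [
    build_dhcp(1, 0x1234, 1),                                       # client DISCOVER, giaddr 0
    build_dhcp(1, 0x1234, 1, giaddr="10.10.20.1"),                  # same DISCOVER after relay stamped it
    build_dhcp(2, 0x1234, 2, giaddr="10.10.20.1", yiaddr="10.10.20.50"),  # server OFFER back via relay
    build_dhcp(1, 0x5678, 1),                                       # second client, never answered
]

if __name__ == "__main__":
    summary = check_relay_exchange(SAMPLE_EXCHANGE)
    for xid, t in summary.items():
        print(f"xid 0x{xid:08x}: client={t.client_msgs} relayed={t.relayed} server={t.server_msgs}")
    print("unanswered:", [f"0x{x:08x}" for x in unanswered(summary)])
```

To use it on a real capture, extract the UDP payloads of the port 67/68 packets from the pcap (any pcap reader will do) and pass them to `check_relay_exchange`. A DISCOVER that appears without giaddr and is never followed by a copy carrying the relay's interface address means the relay never forwarded it; a relayed DISCOVER with no OFFER in the same xid points at the server or at the return path into the relay.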

