Hello,
I have switched from the MikroTik DHCP server to the OPNsense built-in DHCP server. I selected the deny unknown clients option in the general configuration. I also checked the Enable Static ARP entries option, and for each static entry I checked the ARP Table Static Entry option.
After these settings were applied, the firewall does not even respond to ping requests from clients not in the list. I have devices with statically set IPs, such as NAS and switches, and there are also allow ICMP request rules from the whole LAN subnet before all other rules in the firewall rules. There are also pass-through rules in the firewall rules for statically entered IP addresses, for example the NAS devices. However, unless explicitly typed into the DHCP static list, they are still blocked.
According to me, this is not proper behaviour; it is a hidden feature or a bug. DHCP entries somehow become firewall rules and, even more, overrule the firewall rules. For example, for test purposes, I manually assigned an IP address to my daily used laptop, which has a valid pass-through address in the firewall rules but is not listed in the DHCP static entries, and I cannot even ping the firewall and cannot access the firewall.
This strange behaviour in effect overrules the anti-lockout rules; I cannot access anything on the firewall until I enter a valid address listed in the DHCP.
This must not be the static lease behaviour of DHCP, or the effect of the setting must be explicitly shown in the firewall rules, according to me.
I appreciate any insight.
Thank you.
My configuration is as follows
-----------------------------------------
OPNsense 19.7.7-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019
Quote from: benibilme on December 19, 2019, 02:51:57 PM
Hello,
I have switched from the MikroTik DHCP server to the OPNsense built-in DHCP server. I selected the deny unknown clients option in the general configuration. I also checked the Enable Static ARP entries option, and for each static entry I checked the ARP Table Static Entry option.
....
As you can read in the context help for this option, devices not in the static DHCP list will not be able to communicate with the firewall, so: everything working as expected ;-)
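
Added example, not part of either post and not OPNsense code: a pre-flight check that lists which manually addressed devices would lose contact with the firewall once Enable Static ARP entries is on, by looking for a matching permanent ARP entry per device. It assumes FreeBSD `arp -an` output format; the interface name `igb1`, the addresses, MACs and the inventory are constructed sample data.

```python
import re

# Constructed sample of FreeBSD `arp -an` output on the LAN interface (not from the post).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0d:b9:aa:bb:01 on igb1 permanent [ethernet]
? (192.168.1.10) at 00:11:32:aa:bb:10 on igb1 permanent [ethernet]
? (192.168.1.20) at 3c:52:82:aa:bb:20 on igb1 expires in 1102 seconds [ethernet]
? (192.168.1.30) at (incomplete) on igb1 expired [ethernet]
"""

# Constructed inventory of devices with manually assigned addresses: (name, ip, mac).
INVENTORY = [
    ("nas", "192.168.1.10", "00:11:32:AA:BB:10"),
    ("switch", "192.168.1.20", "3c:52:82:aa:bb:20"),
    ("laptop", "192.168.1.30", "a4:5e:60:aa:bb:30"),
    ("printer", "192.168.1.40", "00:1b:a9:aa:bb:40"),
]

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) "
    r"on (?P<ifname>\S+) (?P<rest>.*)$"
)

def parse_arp(output):
    """Return {ip: (mac or None, is_permanent)} from `arp -an` text."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"] == "(incomplete)" else m["mac"].lower()
        table[m["ip"]] = (mac, "permanent" in m["rest"].split())
    return table

def unreachable_hosts(arp_output, inventory):
    """List (name, reason) for hosts lacking a matching permanent ARP entry."""
    table = parse_arp(arp_output)
    findings = []
    for name, ip, mac in inventory:
        entry_mac, permanent = table.get(ip, (None, False))
        if not permanent:
            findings.append((name, "no permanent ARP entry"))
        elif entry_mac != mac.lower():
            findings.append((name, "permanent entry has a different MAC"))
    return findings

if __name__ == "__main__":
    for name, reason in unreachable_hosts(SAMPLE_ARP, INVENTORY):
        print(f"{name}: {reason}")
```

Every device it reports needs a static DHCP mapping with ARP Table Static Entry checked before the option is enabled, whatever the firewall rules allow.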