OPNsense Forum

English Forums => General Discussion => Topic started by: Vuurmuur on February 16, 2021, 11:31:44 am

Title: [SOLVED] WAN DHCP got bogon address assigned
Post by: Vuurmuur on February 16, 2021, 11:31:44 am
A few hours ago my WAN access dropped.
When I investigated I stumbled upon my WAN interface having an assigned DHCP IP address: 192.168.100.13/24

I am not entirely sure but I expect that the DHCP server (or a relay) would need to be in the 192.168.0.0/16 range.
In which case, I would have expected the auto generated firewall rules to block the negotiation because the bogon is blocked before the DHCP negotiation is allowed. (unless the IPv4 DHCP server negotiated with the dhcpv6 port? ???)

It is not an issue anymore as my ISP has fixed the issue on their end. But I'm left with some questions.
If someone could help me clarify the questions I have, that would be much appreciated.


Title: Re: WAN DHCP got bogon address assigned
Post by: miroco on February 16, 2021, 02:17:35 pm
Are "Block private networks" and "Block bogon networks" checked on the WAN interface?


miroco
Title: Re: WAN DHCP got bogon address assigned
Post by: Vuurmuur on February 16, 2021, 02:28:41 pm
Yes, the firewall rules that are visible in the screenshots are from the 'Automatically generated' section.
Enabling that option automatically generates the corresponding firewall rule.
Title: Re: WAN DHCP got bogon address assigned
Post by: priller on February 16, 2021, 02:41:12 pm

192.168.100.1 is a common cable modem management address.  If the DOCSIS side of the cable modem goes out, the modem will assign your WAN an address in the 192.168.100.x range, typically with a 30 second lease.  This is done so you will still have IP connectivity to the modem management interface.

So, just be sure you really want to block this expected behavior.
Title: Re: WAN DHCP got bogon address assigned
Post by: Vuurmuur on February 16, 2021, 03:26:00 pm
Quote
192.168.100.1 is a common cable modem management address.  If the DOCSIS side of the cable modem goes out, the modem will assign your WAN an address in the 192.168.100.x range, typically with a 30 second lease.  This is done so you will still have IP connectivity to the modem management interface.

So, just be sure you really want to block this expected behavior.


Ah that explains a lot. My knowledge on DOCSIS is limited but the behavior you mentioned should indeed stay as it is now, thanks for clearing that up.

However, I'm still trying to understand how the DHCP lease could have been provided from a bogon ipv4 range while the firewall rules block those ranges before it arrives at the 'allow DHCP client on WAN' rule.

Furthermore I'm interested if this can cause unintended routing or collisions if both the WAN and a LAN interface are assigned to a 192.168.0.0/16 range.
Title: Re: WAN DHCP got bogon address assigned
Post by: priller on February 16, 2021, 03:56:10 pm
The bogon rules are IP Layer 3 access lists.   DHCP occurs before the bogon rules come into play (regardless of how the ordering of the rules appears).  So, they will not prevent you from getting a 192.168.100.x address.

Even with bogon rules enabled, you would still be able to connect to 192.168.100.1 from the LAN, because that would be an established connection and the return traffic would pass.

Yes, there could be unintended routing issues if you have full 192.168.0.0/16 address range within your LAN.  Then it would be a local route and not pass to the WAN.
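An added example, not from this thread or from OPNsense itself, of the two checks a firewall operator would want after reading the above: flag a WAN lease that landed in RFC 1918 space or in the 192.168.100.0/24 modem fallback range, and report overlap with LAN subnets, then show which directly connected interface a destination would be routed out of. The WAN lease is the one from the thread; the LAN subnets are constructed sample values.

```python
import ipaddress

# Constructed sample data (not the poster's configuration): the WAN lease seen
# in the thread, plus two hypothetical LAN subnets to compare it against.
WAN_LEASE = "192.168.100.13/24"
LAN_SUBNETS = ["192.168.1.0/24", "10.10.0.0/16"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Common DOCSIS modem management subnet handed out while the cable side is down.
MODEM_FALLBACK = ipaddress.ip_network("192.168.100.0/24")


def classify_wan_lease(wan_cidr, lan_cidrs):
    """Return findings for a WAN DHCP lease.

    'private'        : address is inside RFC 1918 space
    'modem_fallback' : address is inside the 192.168.100.0/24 modem range
    'overlap:<net>'  : the WAN subnet overlaps a LAN subnet (routing ambiguity)
    """
    wan = ipaddress.ip_interface(wan_cidr)
    findings = []
    if any(wan.ip in net for net in RFC1918):
        findings.append("private")
    if wan.ip in MODEM_FALLBACK:
        findings.append("modem_fallback")
    for lan in lan_cidrs:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if wan.network.overlaps(lan_net):
            findings.append(f"overlap:{lan_net}")
    return findings


def egress_interface(dst, wan_cidr, lan_cidrs):
    """Longest-prefix match over the directly connected networks.

    Returns 'wan', 'lanN' or 'default': the interface a packet to `dst`
    leaves on, e.g. whether the modem UI is reached via the WAN lease.
    """
    dst_ip = ipaddress.ip_address(dst)
    connected = [("wan", ipaddress.ip_interface(wan_cidr).network)]
    connected += [(f"lan{i}", ipaddress.ip_network(c, strict=False))
                  for i, c in enumerate(lan_cidrs)]
    best = None
    for name, net in connected:
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else "default"


if __name__ == "__main__":
    print(classify_wan_lease(WAN_LEASE, LAN_SUBNETS))
    print(egress_interface("192.168.100.1", WAN_LEASE, LAN_SUBNETS))
```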
Title: Re: WAN DHCP got bogon address assigned
Post by: Vuurmuur on February 17, 2021, 03:09:34 pm
Ah, of course, DHCP is a layer 2 responsibility.

Quote
Yes, there could be unintended routing issues if you have full 192.168.0.0/16 address range within your LAN.  Then it would be a local route and not pass to the WAN.

Great, as long as there can't be an unintentional leak that's perfectly fine.

Thanks for elaborating, I understand what's going on now.
Have a great day!  :)