OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: FarmServer on November 12, 2017, 10:53:14 pm

Title: DHCP issue with firewall: IP on port 67 getting blocked from 68
Post by: FarmServer on November 12, 2017, 10:53:14 pm
I have numerous firewall entries from an IP address trying to call the 255.255.255.255.68 address internally.

Packet capture log set to full (not any different in detail from other settings):
13:33:32.895203 IP 10.102.0.1.67 > 255.255.255.255.68: UDP, length 250

When I look at the firewall log the explanation for the blocking is
@61 block drop in log quick on bce0 on inet from 10.0.0.0/8 to any label "Block private networks from WAN"

These incidents happen every minute or so. There doesn't seem to be any issue. 67 and 68 are related to DHCP and that seems to be working properly. I have three LANs that have their own DNS servers, and they are being assigned IP addresses and DNS addresses correctly.

Any thoughts? I thought packet capture might give me more detail on the source of this IP, but it didn't return much detail.
Title: Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
Post by: bartjsmit on November 13, 2017, 08:21:54 am
You can save the packet capture to a file and open this in Wireshark. This will give you the MAC address of the device that is generating the DHCP traffic.

Bart...
Title: Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
Post by: FarmServer on November 14, 2017, 03:51:52 am
Thanks, I thought it was odd the level of detail wasn't changing.
Title: Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
Post by: FarmServer on November 15, 2017, 02:17:49 am
So Wireshark showed me the MAC address of the device, and it appears to be a Cisco device coming from my ISP, since the first two IPv4 values match those of my assigned WAN IP.

The firewall is seeing a 10.102.0.1 address from the Cisco MAC but this is not what matches the Cisco MAC and IP address shown in the ARP table.

But why then is the firewall blocking it as a private network? Why would it be showing up with a different IP but the same MAC?

Further down the Wireshark log under Bootp it shows:
Client IP address: 0.0.0.0 (to which I think this just means any IP, could be wrong)
Your (client) IP address: 10.102.155.99 (It's not)
Next server IP address: 0.0.0.0 (any again?)
Relay agent IP address: 10.102.0.1 <--- The offending IP, but nothing I have configured uses an IP like this

For what it's worth, the only interface receiving an IP from my ISP is the WAN IP. The other LANs are their own DHCP servers.
Title: Re: DHCP issue with firewall: IP on port 67 getting blocked from 68
Post by: BertM on November 15, 2017, 06:42:46 am
FarmServer,

What you see (UDP packets towards 255.255.255.255:68) is a DHCP discover from a device that does not yet have an IP address (hence the 0.0.0.0 source address) and is trying to find a DHCP server to request an address.
For some reason, this DHCP discover is relayed (from your ISP network?) to your OPNsense box.

Kind regards,
Bert
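The fields the thread reads off Wireshark (client, "your", next-server and relay-agent IP) are the ciaddr, yiaddr, siaddr and giaddr words of the fixed BOOTP header, and the relay agent IP is what a relay writes into giaddr (and it bumps the hops counter) before forwarding. The decoder below, an added example that is not code from the thread or from OPNsense, unpacks that header and the DHCP message-type option from a raw UDP payload, then checks the outer source address against the RFC 1918 ranges that a "Block private networks" rule covers, which is why the 10.0.0.0/8 entry in the quoted log line matches. The sample packet is constructed to carry the four addresses quoted in the thread; its op code, message type, transaction ID and MAC address are assumptions, since the posts do not show them.

```python
"""Decode BOOTP/DHCP header fields and explain a private-network block.

Added example, not code from the OPNsense thread or project.
"""
import ipaddress
import struct

# Fixed BOOTP header from RFC 2131 section 2 (236 bytes): op, htype, hlen,
# hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
OPS = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# RFC 1918 ranges; the thread's log line shows the 10.0.0.0/8 entry firing.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_options(data: bytes) -> dict:
    """Decode the DHCP options TLV list into {code: raw value bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                      # pad option is a single byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> dict:
    """Return the fields Wireshark lists under 'Bootp' plus the message type."""
    cookie_end = BOOTP_HEADER.size + len(MAGIC_COOKIE)
    if len(payload) < cookie_end:
        raise ValueError("payload too short for a DHCP message")
    (op, _htype, hlen, hops, xid, _secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = BOOTP_HEADER.unpack_from(payload)
    if payload[BOOTP_HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(payload[cookie_end:])
    msg_type = opts[53][0] if 53 in opts else None
    return {
        "op": OPS.get(op, "unknown(%d)" % op),
        "hops": hops,                                   # +1 per relay agent
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),   # client IP address
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),   # your (client) IP
        "siaddr": str(ipaddress.IPv4Address(siaddr)),   # next server IP
        "giaddr": str(ipaddress.IPv4Address(giaddr)),   # relay agent IP
        "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
        "msg_type": MSG_TYPES.get(msg_type, msg_type),
    }


def is_dhcp(payload: bytes) -> bool:
    """True when the payload decodes as a DHCP message, False otherwise."""
    try:
        parse_dhcp(payload)
        return True
    except ValueError:
        return False


def private_net_match(ip: str):
    """Return the RFC 1918 network an address falls in, or None."""
    addr = ipaddress.IPv4Address(ip)
    return next((str(n) for n in PRIVATE_NETS if addr in n), None)


def build_dhcp(op, msg_type, xid, ciaddr, yiaddr, siaddr, giaddr, mac, hops=0):
    """Assemble a minimal DHCP message; used only to construct sample input."""
    packed = [ipaddress.IPv4Address(a).packed
              for a in (ciaddr, yiaddr, siaddr, giaddr)]
    header = BOOTP_HEADER.pack(op, 1, 6, hops, xid, 0, 0x8000, *packed,
                               mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


# Constructed sample with the four addresses quoted in the thread. The op,
# message type, xid and MAC are assumptions; the posts do not show them.
SAMPLE = build_dhcp(op=2, msg_type=2, xid=0x3903F326, ciaddr="0.0.0.0",
                    yiaddr="10.102.155.99", siaddr="0.0.0.0",
                    giaddr="10.102.0.1", mac=bytes.fromhex("001122334455"),
                    hops=1)

if __name__ == "__main__":
    fields = parse_dhcp(SAMPLE)
    for k, v in fields.items():
        print("%-10s %s" % (k, v))
    # The outer IP source in the capture was 10.102.0.1 (the relay's giaddr).
    print("source 10.102.0.1 matches", private_net_match("10.102.0.1"))
```

To run this against the real traffic, feed `parse_dhcp` the UDP payload of the captured frame (tcpdump's `-w` file opened with any pcap reader, or the bytes Wireshark exports from the Bootp layer); a giaddr that is not 0.0.0.0 with hops greater than zero is the signature of a relayed message, and the outer source address equal to giaddr is why the private-network rule on the WAN sees it.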