Filter DHCP Requests on Bridge

Started by skydiablo, October 27, 2023, 11:28:24 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 27, 2023, 11:28:24 AM
Hi,
I want to ensure that the DHCP traffic from clients 1 and 2 doesn't get forwarded to clients 3 and 4. I've created a rule on the bridge to block everything with a destination port of 67, but this rule is being ignored, and it's not exactly what I want. Ideally, I would like to apply this only to packets coming in on interface 1. Does anyone have an idea on how I could achieve this?

Code Select

             +-----------------------+
             |Third-Party DHCP Server|
             +-------------+---------+
+--------+                 |
|Client 1+--------------+  |
+--------+              |  |
                      +-+--+-+
                      |Switch|
                      +-+--+-+
+--------+              |  |
|Client 2+--------------+  |
+--------+                 |
                           |
                           |
     +---------------------+---------+
     |OpnSense             |         |
     |          +-------+--+--+---+  |
     |          |       |Intf1|   |  |
     |          |       +-----+   |  |
     |          |                 |  |
     |          |Bridge 1   +-----+  |
     |          |           |Intf2+--+----+
     |          +-----------+-----+  |    |
     |                               |    |
     +-------------------------------+    |
                                          |
                                          |
              +--------+                  |
              |Client 3+------+        +--+---+
              +--------+      +--------+Switch|
                                       +--+---+
                                          |
              +--------+                  |
              |Client 4+------------------+
              +--------+
October 27, 2023, 11:48:38 AM #1 Last Edit: October 27, 2023, 11:51:04 AM by Monviech
When the DHCP Server is started on the firewall, there are automatic rules generated to allow DHCP traffic. They match with "quick" before your block rules, so the DHCP traffic is still allowed.

You can see the rules when you expand "Automatically generated rules" in an Firewall: Rules: INTERFACE". "allow access to DHCP server"

Maybe you should use DHCP Snooping on your Switch to ensure that DHCP Traffic is blocked on the port connected to the opnsense.
Hardware:
DEC740
October 27, 2023, 11:59:30 AM #2
thx, but i can not see any auto-generated rules on my bridge? and also not on intf1 ...
October 27, 2023, 12:09:43 PM #3
Since DHCP is a broadcast, I'm not sure if the bridge will filter it out with firewall rules.
Hardware:
DEC740
October 27, 2023, 01:17:39 PM #4
so opnsense can not handle broadcast traffic? what about L2 traffic? i also want to limit some ARP traffic. befor switchging to opnsense, i have already done this with linux (ubuntu). here are some of my rules to handle all this stuff:

Code Select

# isolate bridge - preventing to breakout from the bridge
ip link set dev br100 type bridge vlan_filtering 1

# supress trash traffic
bridge link set dev vxlan100.2 mcast_flood off
ebtables -A FORWARD -i cw100 -o vxlan100.2 -d ff:ff:ff:ff:ff:ff -j DROP

#isolate remote-gateways tunnels
bridge link set dev vxlan100.2 isolated on


can i do this also with opnsense (with or without GUI?)
October 27, 2023, 03:06:35 PM #5
I am really unsure here, but from my understanding there's the following:

- OPNsense uses FreeBSD13 and the Packet Filter "PF" as main firewall solution. PF filters packets on layer 3 and 4.
- OPNsense also uses IPFW for dummynet, the IPFW Firewall functionality isn't loaded in the kernel though. IPFW could also filter layer 2 in addition to 3 and 4.

Since DHCP uses a layer 2 broadcast in it's "DHCP Discover", the PF firewall can't block it because it can't filter layer 2.

Maybe the DHCP Request or Acknowledge can be filtered since they're usually on layer 3. For that, the filtering tunables have to be set onto the bridge.

https://man.freebsd.org/cgi/man.cgi?query=if_bridge&apropos=0&sektion=4&manpath=FreeBSD+13.2-RELEASE+and+Ports&arch=default&format=html

In this man page you can see, that you have to set certain tunables to filter layer 3 on the bridge, and that layer 2 filtering is only possible with ipfw.

Hope that helps you to decide if the OPNsense is the right choice for that spot in the network.
Hardware:
DEC740
October 27, 2023, 03:48:43 PM #6
What concern are you attempting to address by blocking DHCP traffic?  Perhaps a bridge is not the right solution for what you're attempting to do.

If you don't use a bridge then you can separate each group into their own subnet and they won't see any traffic that you don't expressly allow.
October 27, 2023, 04:09:40 PM #7
When you build a bridge with two ports you are essentially creating a 2 port switch inside OPNsense and you cannot filter anything going on between these two ports. Just like an unmanaged switch cannot do that.
This is the point.

You can theoretically revert the two tunables from the LAN Bridge documentation, removing packet filtering from the bridge interface and putting it back on the individual ports. Of course this will break all sorts of things and you will have to manually create all rules necessary for bridged operation.


These two topologies are equivalent:

Code Select
  OPNsense                                               OPNsense                                           
┌─────────────────────────────────────────┐            ┌─────────────────────────────────────────┐           
│                                         │            │                                         │           
│  Bridge                                 │            │                                         │           
│ ┌────────────────────────────┐          │            │                                         │           
│ │ ┌──────┐ ┌──────┐ ┌──────┐ │ ┌──────┐ │            │ ┌──────┐   ┌──────┐  ┌──────┐  ┌──────┐ │           
│ │ │ Port │ │ Port │ │ Port │ │ │ Port │ │            │ │ Port │   │ Port │  │ Port │  │ Port │ │           
│ │ └──────┘ └──────┘ └──────┘ │ └──────┘ │            │ └───┬──┘   └──────┘  └──────┘  └──────┘ │           
│ └────────────────────────────┘          │            │     │                                   │           
└─────────────────────────────────────────┘            └─────┼───────────────────────────────────┘           
                                                             │                                               
                                                             │                                               
                                                             │                                               
                                                       ┌─────┼──────────────────────────────────────────────┐
                                                       │ ┌───┴──┐ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐       │
                                                       │ │ Port │ │ Port │ │ Port │ │ Port │ │ Port │       │
                                                       │ └──────┘ └──────┘ └──────┘ └──────┘ └──────┘       │
                                                       └────────────────────────────────────────────────────┘
                                                         Switch                                             
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 29, 2023, 03:22:44 PM #8
Quote from: Patrick M. Hausen on October 27, 2023, 04:09:40 PM
Code Select
  OPNsense                                               OPNsense                                           
┌─────────────────────────────────────────┐            ┌─────────────────────────────────────────┐           
│                                         │            │                                         │           
│  Bridge                                 │            │                                         │           
│ ┌────────────────────────────┐          │            │                                         │           
│ │ ┌──────┐ ┌──────┐ ┌──────┐ │ ┌──────┐ │            │ ┌──────┐   ┌──────┐  ┌──────┐  ┌──────┐ │           
│ │ │ Port │ │ Port │ │ Port │ │ │ Port │ │            │ │ Port │   │ Port │  │ Port │  │ Port │ │           
│ │ └──────┘ └──────┘ └──────┘ │ └──────┘ │            │ └───┬──┘   └──────┘  └──────┘  └──────┘ │           
│ └────────────────────────────┘          │            │     │                                   │           
└─────────────────────────────────────────┘            └─────┼───────────────────────────────────┘           
                                                             │                                               
                                                             │                                               
                                                             │                                               
                                                       ┌─────┼──────────────────────────────────────────────┐
                                                       │ ┌───┴──┐ ┌──────┐ ┌──────┐ ┌──────┐ ┌──────┐       │
                                                       │ │ Port │ │ Port │ │ Port │ │ Port │ │ Port │       │
                                                       │ └──────┘ └──────┘ └──────┘ └──────┘ └──────┘       │
                                                       └────────────────────────────────────────────────────┘
                                                         Switch                                             

How long did that take you or do you have some sort of magic ASCII diagram maker?
October 29, 2023, 06:07:12 PM #9 Last Edit: October 29, 2023, 06:09:53 PM by Patrick M. Hausen
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 30, 2023, 09:21:22 AM #10
Quote from: CJ on October 27, 2023, 03:48:43 PM
What concern are you attempting to address by blocking DHCP traffic?  Perhaps a bridge is not the right solution for what you're attempting to do.

If you don't use a bridge then you can separate each group into their own subnet and they won't see any traffic that you don't expressly allow.

In the end, I am operating a Wi-Fi network with a central Network Access Control (NAC). As a result, I need to utilize a Layer 2 network to transmit client MAC addresses. I am contemplating the creation of a new dedicated Linux-based gateway to manage these tasks. Initially, I will attempt to address certain issues by forcibly converting some broadcasts into unicast traffic directly to my NAC. However, I currently lack a concrete plan for handling ARP-related matters.
October 30, 2023, 10:19:49 AM #11
The Wi-Fi access point should provide client isolation, shouldn't it?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 30, 2023, 11:15:01 AM #12
Certainly, the Wi-Fi network is provided externally and is not under the control of OPNsense. I have multiple remote locations connected via VXLAN and terminated on a bridge (I can control traffic between these locations through private ports). However, within this bridge, there is an additional port connected to an external NAC system and another remote location with numerous Wi-Fi devices. My predicament arises from the fact that this traffic is inundating my VXLAN external locations. So, as we discuss these issues, I've come to realize that I am inadvertently overwhelming the other external Wi-Fi network with my VXLAN traffic (facepalm). The only proper solution to this problem is to connect the external Wi-Fi network to my bridge as a private port and then redirect all the traffic to the external NAC through the only non-private bridge port.

thx, to be my rubberduck ;)
October 30, 2023, 11:16:59 AM #13
Glad to be of service. Quack.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages1
User actions