v21.7.4: DHCPv4 DHCPDISCOVER blocked when bogon blocking is active

Started by bitti, October 28, 2021, 08:49:03 AM

Do you have "block bogons" active on your internal interface?

I discovered in the night after upgrading to 21.7.4 that a standard DHCP DISCOVER from 0.0.0.0 -> 255.255.255.255 was blocked due to bogons.

And yes, in the automatic generated rules bogon blocking is before DHCP rules.
Therefore a standard DHCP DISCOVER will be blocked as 0.0.0.0 can be a bogon address.

Has anyone else already seen that behavior?

For the moment I have unchecked bogon blocking on the internal interface in order to have a working DHCP server on OPNsense.

BR
Andy

I see it constantly, unless you turn off the bogon blocking.

The problem is the DHCP client rule on the WAN is written without the quick option so it is last match and anything can block it.

From rules.debug:
pass in on igb0 proto udp from {any} port {67} to {any} port {68} label "9cd55d1fd04481b742b3d9cb50614a68" # allow DHCP client on 0WAN
pass out on igb0 proto udp from {any} port {68} to {any} port {67} label "e25389aa146fb6435700a66cc3e3a96d" # allow DHCP client on 0WAN

Also, this rule is AFTER the Block Bogons rule. It should be one of the first rules. Note that the IPv6 DHCP rule is before the block bogons, so it isn't consistent.


In my old pfSense rules, I can see the DHCP rules near the top, right after the anti-lockout rules, and they use quick.
# webConfigurator lockout
block in  quick proto tcp from <sshguard> to (self) port 443 tracker 1000000351 label "GUI Lockout"
block in  quick from <virusprot> to any tracker 1000000400 label "virusprot overload table"
# allow our DHCP client out to the WAN
pass in  quick on $WAN proto udp from any port = 67 to any port = 68 tracker 1000000561 label "allow dhcp client out WAN"
pass out  quick on $WAN proto udp from any port = 68 to any port = 67 tracker 1000000562 label "allow dhcp client out WAN"

I don't know why they do it this way, but I am constantly getting bitten by this when trying to block malware lists etc. into the WAN.

What I have done is not use the block bogons, since it is broken. IPv6 is even worse.

Instead, I download the bogon lists from:
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Then I add the following exclusions:
IPv4 exclusions based on what has bitten me so far:
!192.168.0.0/16
!10.0.0.0/8
!224.0.0.0/4
!255.255.255.255/32

IPv6 exclusions:
!fe80::/10
!ff00::/8

Using this I make my own block bogon rules that don't actually break stuff.

Should probably add 0.0.0.0/32 to my list.

The fix would be to move the DHCP auto rules to before the Bogons and Private Address rules. For WAN it should also be a quick rule.
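The two mechanisms discussed in this thread can be checked before they reach a firewall. The Python below is an added example, not code from the thread or from OPNsense: it carves the poster's exclusions out of a bogon list (the list itself is a short constructed sample, not the Team Cymru download) and then models pf's evaluation order (last matching rule wins unless a matching rule is `quick`) to show why a non-quick DHCP pass rule placed after a quick bogon block never sees a DHCPDISCOVER from 0.0.0.0. The rule names, the `<bogons>` table name and the assumption that the bogon block is a quick rule are the example's own.

```python
"""Added example: bogon-table exclusions plus a model of pf rule ordering.
Not from the forum thread or from OPNsense; sample data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in fullbogons style (the real download is far longer).
SAMPLE_BOGONS = """
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
"""

# The exclusions from the post, plus the 0.0.0.0/32 the poster suggests adding.
EXCLUSIONS = ["192.168.0.0/16", "10.0.0.0/8", "224.0.0.0/4",
              "255.255.255.255/32", "0.0.0.0/32"]


def build_bogon_table(bogon_text, exclusions):
    """Return the bogon networks with every exclusion carved out.

    An entry that fully sits inside an exclusion is dropped; one that merely
    contains an exclusion is split with address_exclude() so only the excluded
    part disappears. That is what a 'bogons minus exclusions' table must hold.
    """
    excl = [ipaddress.ip_network(e) for e in exclusions]
    table = []
    for line in bogon_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pending = [ipaddress.ip_network(line)]
        for ex in excl:
            nxt = []
            for net in pending:
                if ex.version != net.version or not net.overlaps(ex):
                    nxt.append(net)          # untouched by this exclusion
                elif net.subnet_of(ex):
                    continue                 # entirely excluded
                else:
                    nxt.extend(net.address_exclude(ex))  # punch a hole
            pending = nxt
        table.extend(pending)
    return sorted(table, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def table_covers(table, address):
    """True if the address falls inside any network of the table."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in table)


@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool
    src: str               # "any", a CIDR, or a table name such as "<bogons>"
    dport: Optional[int]   # destination port, None = any
    label: str


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def matches(rule, pkt, tables):
    if rule.src != "any":
        nets = tables.get(rule.src) or [ipaddress.ip_network(rule.src)]
        if not any(ipaddress.ip_address(pkt.src) in n for n in nets):
            return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt, tables):
    """pf semantics: the last matching rule wins, except that a matching
    quick rule ends evaluation at once. Returns (action, label)."""
    verdict = ("block", "default deny")
    for r in rules:
        if matches(r, pkt, tables):
            verdict = (r.action, r.label)
            if r.quick:
                break
    return verdict


# A DHCPDISCOVER as the thread describes it: 0.0.0.0:68 -> 255.255.255.255:67.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", 68, 67)
# Auto-rule order from the thread: quick bogon block first, non-quick DHCP after.
AUTO_ORDER = [Rule("block", True, "<bogons>", None, "block bogon networks"),
              Rule("pass", False, "any", 67, "allow DHCP server")]
# Suggested order: DHCP as a quick pass rule ahead of the bogon block.
FIXED_ORDER = [Rule("pass", True, "any", 67, "allow DHCP server"),
               Rule("block", True, "<bogons>", None, "block bogon networks")]

RAW_TABLE = build_bogon_table(SAMPLE_BOGONS, [])
FILTERED_TABLE = build_bogon_table(SAMPLE_BOGONS, EXCLUSIONS)

if __name__ == "__main__":
    print("auto order, raw bogons:     ", evaluate(AUTO_ORDER, DISCOVER, {"<bogons>": RAW_TABLE}))
    print("fixed order, raw bogons:    ", evaluate(FIXED_ORDER, DISCOVER, {"<bogons>": RAW_TABLE}))
    print("auto order, filtered bogons:", evaluate(AUTO_ORDER, DISCOVER, {"<bogons>": FILTERED_TABLE}))
```

Either change alone rescues the DISCOVER: putting a quick DHCP pass rule ahead of the bogon block, or removing 0.0.0.0/32 and 255.255.255.255/32 from the table so the broadcast exchange is never a bogon match. `table_covers` is the check to run on a freshly built table before loading it, so a list update cannot quietly break DHCP again.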

The bogon blocking rules are not intended for use on local/private interfaces such as LAN. They are intended for use on your WAN interface to block address space that should never be seen/routed on the Internet from entering your local/private networks.

--Bill