
Topic: cannot override "default" rule set? blocking UDP broadcasts between interfaces


Offline akula169

I noticed this when I started having trouble getting my wireless clients to assign themselves DHCP addresses.  I have a wireless access point on its own interface that is bridged with LAN.  I have a rule for the AP's interface (rl2) to allow everything to everywhere.  For some reason, some default rule is blocking the UDP broadcasts for BOOTP/DHCP.

Code:
277301 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]


I can't seem to find a way to disable the blocking.  Is this a bug or a newly implemented "feature" in 1.2.1?
« Last Edit: October 30, 2008, 10:04:15 am by akula169 »

Offline dvserg

Re: cannot override "default" rule set? it is blocking UDP broadcasts
« Reply #1 on: October 30, 2008, 12:03:26 am »
Maybe look at this?
Interfaces: WAN
Block private networks
Block bogon networks

Offline akula169

Re: cannot override "default" rule set? it is blocking UDP broadcasts
« Reply #2 on: October 30, 2008, 12:16:54 am »
Yup. Disabled both of those and no difference.

Offline wallabybob

Re: cannot override "default" rule set? it is blocking UDP broadcasts
« Reply #3 on: October 30, 2008, 06:36:15 am »
Under services -> DHCP Server do you have DHCP enabled on the LAN interface?

I have a configuration which sounds similar to yours: LAN, WLAN, DMZ, LAN and WLAN bridged. I have DHCP working on both LAN and WLAN.

I used 1.2.1 from its early days. I think it was sometime in August I upgraded to a pretty new build and then DHCP on the WLAN was broken (newly blocked by the firewall). I worked around it by adding a couple of firewall rules on the WLAN interface. I posted a note trying to provoke someone into explaining the rationale for the new DHCP behaviour but nobody took the bait.

It's now a few weeks since I upgraded; maybe it's about time to do it again and see if I still need those rules I had to add in August. They were (both pass rules):

Proto   Source   Port     Destination        Port     Gateway
UDP     *        bootpc   255.255.255.255    bootps   *
UDP     *        bootpc   LAN address        bootps   *

where bootpc is an alias for 68 and bootps is an alias for 67.
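A small log check, added here as an example and not from the thread or from pfSense, that parses pflog lines in the format quoted in the first post and counts blocked DHCP client broadcasts per interface and blocking rule number, so you can confirm which bridged interface still lacks the bootpc-to-bootps pass rule above. The sample log lines are constructed (the first three copy the first post; the fourth is an unrelated pass entry so the filter has something to skip), and the field layout of the regex assumes the tcpdump-style pflog text shown there.

```python
import re
from collections import Counter

# Constructed sample in the pflog text format quoted in the first post
# (the fourth line is an added, unrelated pass entry so the filter has something to skip).
SAMPLE_LOG = """\
277301 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000512 rule 12/0(match): pass in on rl1: 192.168.1.20.51234 > 192.168.1.1.53: UDP, length 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)
BOOTPS, BOOTPC = 67, 68  # DHCP server / client ports, the bootps/bootpc aliases in the thread

def parse_line(line):
    """Split one pflog line into its fields; returns None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def is_dhcp_client_broadcast(rec):
    """A client asking for a lease: bootpc -> bootps to the limited broadcast address."""
    return (rec["sport"] == BOOTPC and rec["dport"] == BOOTPS
            and rec["dst"] == "255.255.255.255")

def blocked_dhcp_by_interface(log_text):
    """Count blocked DHCP client broadcasts, keyed by (interface, blocking rule number)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and is_dhcp_client_broadcast(rec):
            counts[(rec["iface"], rec["rule"])] += 1
    return counts

if __name__ == "__main__":
    for (iface, rule), n in sorted(blocked_dhcp_by_interface(SAMPLE_LOG).items()):
        print(f"{iface}: {n} DHCP request(s) dropped by rule {rule}; "
              f"this interface needs a pass rule UDP any:bootpc -> 255.255.255.255:bootps")
```

Feed it the output of tcpdump reading the pflog interface (or the firewall log export) to see which interfaces are still dropping lease requests after the rules are added.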

Offline akula169

Thanks - that did it.  Although it did involve a good bit of fiddling - didn't really "take" until I brought the AP_Bridge interface down and back up.

I also had to add a rule for some other magic that OSX seems to like.  'domain' is an alias for port 5353

Proto   Source   Port     Destination     Port     Gateway
IGMP    *        *        224.0.0.251     *        *
UDP     *        domain   224.0.0.251     domain   *

Thanks for the heads-up.  I was tearing my hair out yesterday. 

I wonder why they decided to add such blocking to the default rules?

Offline peter.riche

Re: cannot override "default" rule set? it is blocking UDP broadcasts
« Reply #5 on: December 20, 2008, 01:03:20 pm »
Proto   Source   Port   Destination        Port   Gateway
UDP     *        68     255.255.255.255    67     *
UDP     *        68     LAN address        67     *

Confirmed! Thanks a lot for avoiding one more week of madness!!

1.2-RELEASE works like a charm, but 1.2.1-RC2 and RC4 do have this bug... which was really cracking my head.

Thanks again.

Offline sullrich

This is a "feature".   I'll let CMB explain since he is the one that made the change.

Offline cmb

It's not a bug, we just don't automatically allow DHCP traffic over bridges anymore. You have to add rules to pass that traffic just as you do with any other kind of traffic. Auto added rules are bad.  And this auto added rule wasn't even intended to allow DHCP traffic over bridges, that was just a consequence. Allowing that traffic was a bug, this is a bug *fix* that you now have to add that rule.