Retired > 1.2.1-RC Snapshot Feedback and Problems-RETIRED

cannot override "default" rule set? blocking UDP broadcasts between interfaces


akula169:
I noticed this when I started having trouble getting my wireless clients to assign themselves DHCP addresses.  I have a wireless access point on its own interface that is bridged with LAN.  I have a rule for the AP's interface (rl2) to allow everything to everywhere.  For some reason, some default rule is blocking the UDP broadcasts for BOOTP/DHCP.


--- Code: ---
1. 277301 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
--- End code ---


I can't seem to find a way to disable the blocking.  Is this a bug or a newly implemented "feature" in 1.2.1?

dvserg:
Maybe look at this?
Interfaces: WAN
Block private networks
Block bogon networks

akula169:
Yup. Disabled both of those and no difference.

wallabybob:
Under services -> DHCP Server do you have DHCP enabled on the LAN interface?

I have a configuration which sounds similar to yours: LAN, WLAN, DMZ, LAN and WLAN bridged. I have DHCP working on both LAN and WLAN.

I used 1.2.1 from its early days. I think it was sometime in August I upgraded to a pretty new build and then DHCP on the WLAN was broken (newly blocked by the firewall). I worked around it by adding a couple of firewall rules on the WLAN interface. I posted a note trying to provoke someone into explaining the rationale for the new DHCP behaviour but nobody took the bait.

It's now a few weeks since I upgraded, maybe it's about time to do it again and see if I still need those rules I had to add in August. They were (both pass rules):

UDP    *    bootpc    255.255.255.255    bootps    *
UDP    *    bootpc    LAN address        bootps    *

where bootpc is an alias for 68 and bootps is an alias for 67.
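An added example (not from the thread or from pfSense) that parses pflog lines in the tcpdump style quoted in the first post and checks which blocked flows the two pass rules above would cover; the sample log, the LAN address 192.168.1.1 and the rule tuple layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the tcpdump-style pflog lines quoted in the thread.
SAMPLE_LOG = """\
000289 rule 587/0(match): block in on bridge0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
000310 rule 12/0(match): pass in on rl2: 192.168.1.10.68 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
000415 rule 587/0(match): block in on rl2: 192.168.1.10.5353 > 224.0.0.251.5353: UDP, length 120
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>[^,]+)"
)
BOOTPS, BOOTPC, LAN_ADDRESS = 67, 68, "192.168.1.1"   # port aliases from the thread; LAN address is assumed

# The two workaround pass rules as (proto, src, sport, dst, dport); "*" matches anything.
WORKAROUND_RULES = [
    ("UDP", "*", BOOTPC, "255.255.255.255", BOOTPS),
    ("UDP", "*", BOOTPC, LAN_ADDRESS, BOOTPS),
]

def parse_line(line):
    m = LINE_RE.search(line)                      # None for lines that are not rule matches
    if not m:
        return None
    rec = {k: (int(v) if k in ("rule", "sport", "dport") else v) for k, v in m.groupdict().items()}
    # tcpdump labels the DHCP payload BOOTP/DHCP; on the wire it is still UDP
    rec["proto"] = "UDP" if rec["proto"].startswith("BOOTP") else rec["proto"]
    return rec

def rule_matches(rule, rec):
    proto, src, sport, dst, dport = rule
    fields = ((proto, rec["proto"]), (src, rec["src"]), (sport, rec["sport"]), (dst, rec["dst"]), (dport, rec["dport"]))
    return all(want in ("*", got) for want, got in fields)

def blocked_dhcp_by_interface(log_text):
    """Count dropped DHCP client requests per (interface, blocking rule number)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["action"] == "block" and (rec["sport"], rec["dport"]) == (BOOTPC, BOOTPS):
            counts[(rec["ifname"], rec["rule"])] += 1
    return counts

def uncovered_blocks(log_text, rules):
    """Blocked flows that none of the pass rules would match, i.e. what still needs a rule."""
    return [(rec["ifname"], rec["src"], rec["dst"], rec["dport"])
            for rec in filter(None, map(parse_line, log_text.splitlines()))
            if rec["action"] == "block" and not any(rule_matches(r, rec) for r in rules)]
```

Running `uncovered_blocks(SAMPLE_LOG, WORKAROUND_RULES)` leaves only the mDNS datagram to 224.0.0.251:5353, which is the extra traffic the later post had to add rules for.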

akula169:
Thanks, that did it. Although it did involve a good bit of fiddling; it didn't really "take" until I brought the AP_Bridge interface down and back up.

I also had to add a rule for some other magic that OSX seems to like. 'domain' is an alias for port 5353.


IGMP    *    *         224.0.0.251    *         *
UDP     *    domain    224.0.0.251    domain    *

Thanks for the heads-up. I was tearing my hair out yesterday.

I wonder why they decided to add such blocking to the default rules?
