Retired > 1.2.1-RC Snapshot Feedback and Problems-RETIRED

cannot override "default" rule set? blocking UDP broadcasts between interfaces


I noticed this when I started having trouble getting my wireless clients to assign themselves DHCP addresses.  I have a wireless access point on its own interface that is bridged with LAN.  I have a rule for the AP's interface (rl2) to allow everything to everywhere.  For some reason, some default rule is blocking the UDP broadcasts for BOOTP/DHCP.

--- Code: ---
277301 rule 587/0(match): block in on rl2: > BOOTP/DHCP, Request [|bootp]
000289 rule 587/0(match): block in on bridge0: > BOOTP/DHCP, Request [|bootp]
000242 rule 587/0(match): block in on rl2: > BOOTP/DHCP, Request [|bootp]
--- End code ---

I can't seem to find a way to disable the blocking.  Is this a bug or a newly implemented "feature" in 1.2.1?

Maybe look at this?
Interfaces: WAN
Block private networks
Block bogon networks

Yup. Disabled both of those and no difference.

Under services -> DHCP Server do you have DHCP enabled on the LAN interface?

I have a configuration which sounds similar to yours: LAN, WLAN, DMZ, LAN and WLAN bridged. I have DHCP working on both LAN and WLAN.

I used 1.2.1 from its early days. I think it was sometime in August I upgraded to a pretty new build and then DHCP on the WLAN was broken (newly blocked by the firewall). I worked around it by adding a couple of firewall rules on the WLAN interface. I posted a note trying to provoke someone into explaining the rationale for the new DHCP behaviour but nobody took the bait.

It's now a few weeks since I upgraded, maybe it's about time to do it again and see if I still need those rules I had to add in August. They were (both pass rules):

UDP      *      bootpc      bootps      *            
UDP     *    bootpc    LAN address    bootps    *

where bootpc is an alias for 68 and bootps is an alias for 67.
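The two halves of this thread, the pflog lines in the first post showing rule 587 dropping BOOTP/DHCP on rl2 and bridge0, and the two pass rules above, can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses pflog lines in the form quoted above (tcpdump on pflog0 style), counts blocked DHCP packets per interface and rule number, and checks whether a rule list contains a UDP bootpc (68) to bootps (67) pass rule for a given interface. The sample log lines are constructed (one carries the src/dst addresses the forum copy stripped out), and the rule dicts assume the rules were added on the OP's interface rl2 with a "*" destination on the first rule, which the thread does not state explicitly.

```python
"""Spot DHCP requests dropped by pf and check a rule set for the fix (added example)."""
import re
from collections import Counter

# Port aliases as used in the thread's rules
PORT_ALIASES = {"bootpc": 68, "bootps": 67}

# pflog line as printed by tcpdump on pflog0. The "src.port > dst.port:" part is
# optional because the thread's copy had it stripped.
PFLOG_RE = re.compile(
    r"^\S+\s+rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+):\s*"
    r"(?:(?P<src>[\d.]+)\.(?P<sport>\d+)\s+)?>\s*"
    r"(?:(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*)?"
    r"(?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return a dict describing one pflog line, or None if the line is not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = int(d["rule"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    ports = (d["sport"], d["dport"])
    # DHCP is recognised by the decoded protocol name or by the 68/67 port pair
    d["is_dhcp"] = d["rest"].startswith("BOOTP/DHCP") or ports in {(68, 67), (67, 68)}
    return d


def blocked_dhcp(lines):
    """Count blocked DHCP packets per (interface, rule number)."""
    counts = Counter()
    for line in lines:
        p = parse_pflog_line(line)
        if p and p["action"] == "block" and p["is_dhcp"]:
            counts[(p["iface"], p["rule"])] += 1
    return counts


def _port_matches(spec, port):
    """'*' matches anything; otherwise resolve an alias name or a numeric port."""
    if spec == "*":
        return True
    return (PORT_ALIASES[spec] if spec in PORT_ALIASES else int(spec)) == port


def has_dhcp_pass_rule(rules, iface):
    """True if some pass rule on iface lets UDP bootpc (68) -> bootps (67) through.

    Each rule is a dict with the columns of the thread's rule listing plus the
    interface it is attached to: iface, action, proto, src, sport, dst, dport.
    """
    for r in rules:
        if (r["iface"] == iface and r["action"] == "pass"
                and r["proto"].lower() == "udp"
                and _port_matches(r["sport"], 68)
                and _port_matches(r["dport"], 67)):
            return True
    return False


# Constructed sample log in the form quoted in the thread; the fourth line keeps
# the addresses, the fifth is an unrelated DNS packet, the last is noise.
SAMPLE_LOG = [
    "277301 rule 587/0(match): block in on rl2: > BOOTP/DHCP, Request [|bootp]",
    "000289 rule 587/0(match): block in on bridge0: > BOOTP/DHCP, Request [|bootp]",
    "000242 rule 587/0(match): block in on rl2: > BOOTP/DHCP, Request [|bootp]",
    "000101 rule 587/0(match): block in on rl2: 0.0.0.0.68 > 255.255.255.255.67: "
    "BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300",
    "000050 rule 12/0(match): pass in on rl2: 192.168.1.20.51234 > 192.168.1.1.53: "
    "1234+ A? example.invalid. (33)",
    "not a pflog line",
]

# The two pass rules from the thread. Interface rl2 and the "*" destination on the
# first rule are assumptions; the thread only says "on the WLAN interface".
WLAN_RULES = [
    {"iface": "rl2", "action": "pass", "proto": "UDP",
     "src": "*", "sport": "bootpc", "dst": "*", "dport": "bootps"},
    {"iface": "rl2", "action": "pass", "proto": "UDP",
     "src": "*", "sport": "bootpc", "dst": "LAN address", "dport": "bootps"},
]

if __name__ == "__main__":
    for (iface, rule), n in sorted(blocked_dhcp(SAMPLE_LOG).items()):
        print(f"{n} DHCP packet(s) blocked on {iface} by rule {rule}")
    print("rl2 has a DHCP pass rule:", has_dhcp_pass_rule(WLAN_RULES, "rl2"))
    print("bridge0 has a DHCP pass rule:", has_dhcp_pass_rule(WLAN_RULES, "bridge0"))
```

Run against the sample, the counter reports three drops on rl2 and one on bridge0, all from rule 587, and the rule check passes for rl2 but not for bridge0, which matches the thread's observation that the drop also appears on the bridge interface and that the workaround rules were only added on the WLAN side.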

Thanks - that did it.  Although it did involve a good bit of fiddling - didn't really "take" until I brought the AP_Bridge interface down and back up.

I also had to add a rule for some other magic that OSX seems to like. 'domain' is an alias for port 5353.

IGMP     *     *         *            *           
UDP      *     domain      domain    *   

Thanks for the heads-up.  I was tearing my hair out yesterday. 

I wonder why they decided to add such blocking to the default rules?
