Topic: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)

Hagabard
HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« on: January 01, 2009, 10:20:46 am »
Seen a fair amount of questions related to bridged connections and DHCP not working on IRC lately, and no good forum post explaining what is going on or how to make it work again.  (I've tried searching, if there is a good or better post, please link it up.)

Since around 1.2.1-RC1 when you bridge an interface, pfSense (correctly, but silently) blocks broadcast traffic between the interfaces.  This means if you bridge your OPT1 (WIFI in my case) to your LAN (or WAN for some people's setup) and expect your DHCP to work, it won't.  When I updated to 1.2.1-RC1 it was a surprise for me. I run a separate DHCP server on my LAN right now, but this should apply if you are using pfSense DHCP server as well.

There is probably a better rule you can use, but this is the one I have at present, and It Works For Me(tm) and it should work for OPT1->LAN as well as OPT1->WAN (although other fun applies there that is outside the scope of this post)

UDP      *      67 - 68      *      67 - 68      *             pass dhcp traffic

To fix it so your bridged connection can access your DHCP server:

Go to Firewall -> Rules
Click on the OPT1 tab (or whatever if you renamed it, WIFI in my case)
Click on the + icon to add a new rule
Change Protocol to UDP
Under source leave type set to any, click on advanced button
   From: (other) 67
   To: (other) 68
Leave destination type any
Destination port range
   From: (other) 67
   To: (other) 68
Description: pass dhcp traffic
Click Save
Click Apply Changes

DHCP should now work.  Enjoy my first post, see you on IRC.

Edit: I think I meant 1.2.1-RC1 not 1.2.1-RC2, although it could have been in between or even earlier when the change was made. I usually run snapshot builds.
« Last Edit: January 02, 2009, 05:25:31 pm by Hagabard »

napdaddy
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #1 on: January 05, 2009, 11:32:24 pm »
I have a similar setup and tried your suggestion, but I'm still having issues. Does anyone have the _definitive_ answer for getting DHCP working across bridged interfaces? Everything was working fine until I upgraded to 1.2.1.

cmb (Chris Buechler, Administrator)
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #2 on: January 05, 2009, 11:46:20 pm »
What he wrote is 100% correct. You have to add rules to allow the DHCP traffic.

kpa
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #3 on: January 06, 2009, 01:02:25 am »
I have a similar setup with an OPT interface bridged to LAN and I have DHCP working on the OPT net using a similar but more restricted rule:

UDP    *    bootpc    *    bootps    *

where bootpc is port alias 68 and bootps is port alias 67.

If you can't get DHCP working with the rule posted by Hagabard the problem has to be somewhere else than the firewall rules.



wallabybob
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #4 on: January 06, 2009, 05:03:14 am »
> What he wrote is 100% correct. You have to add rules to allow the DHCP traffic.

Why was this changed from 1.2?

espacious
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #5 on: January 06, 2009, 05:26:06 pm »
I have 1.2-RELEASE, but also on my release I have this rule to allow traffic from OPT1 to LAN (they are bridged), so I think that should work on 1.2.1-RC1. Or not?
I don't get what was changed, if something was...?

*    OPT1 net    *    *    *    *         Default OPT1 -> any
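
Added example (not part of any post in this thread, and not pfSense code): a small Python model of first-match rule evaluation on the OPT1 tab, checking the rules posted above against DHCP packets addressed as RFC 2131 describes. The 192.168.1.0/24 subnet, the sample packets, the function names and the description given to kpa's rule are constructed for illustration.

```python
import ipaddress

# Constructed assumption: OPT1 is bridged to a LAN that uses this subnet.
OPT1_NET = ipaddress.ip_network("192.168.1.0/24")

def in_range(spec, port):
    """spec is None for '*' or an inclusive (low, high) port range."""
    return spec is None or spec[0] <= port <= spec[1]

def first_match(rules, pkt):
    """Description of the first pass rule matching pkt, or None (default deny)."""
    for r in rules:
        if (r["proto"] in (None, pkt["proto"])
                and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
                and in_range(r["sport"], pkt["sport"])
                and in_range(r["dport"], pkt["dport"])):
            return r["descr"]
    return None

# Rules as posted in the thread; destination address is '*' in all of them,
# so the model does not test it. kpa's rule had no description (label constructed).
HAGABARD = {"proto": "udp", "src": None, "sport": (67, 68), "dport": (67, 68),
            "descr": "pass dhcp traffic"}
KPA = {"proto": "udp", "src": None, "sport": (68, 68), "dport": (67, 67),
       "descr": "bootpc -> bootps"}
DEFAULT_OPT1 = {"proto": None, "src": OPT1_NET, "sport": None, "dport": None,
                "descr": "Default OPT1 -> any"}

# Constructed packets arriving on OPT1, addressed as RFC 2131 describes.
PACKETS = {
    # New client: no address yet, so the source is 0.0.0.0.
    "discover": {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dport": 67},
    # Client renewing a lease it already holds (unicast from its own address).
    "renew": {"proto": "udp", "src": "192.168.1.50", "sport": 68, "dport": 67},
    # Reply from a DHCP server sitting on the OPT1 side of the bridge.
    "offer": {"proto": "udp", "src": "192.168.1.200", "sport": 67, "dport": 68},
}

def verdicts(rules):
    """Map each sample packet to the rule that passes it (None = blocked)."""
    return {name: first_match(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("default only", [DEFAULT_OPT1]), ("kpa only", [KPA]),
                         ("Hagabard only", [HAGABARD])):
        print(label, verdicts(rules))
```

With only the "OPT1 net" rule, the DISCOVER from 0.0.0.0 is blocked while a renewal from an already-leased address passes. kpa's rule passes client requests but not server replies entering on OPT1, which Hagabard's wider 67 - 68 range also admits.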

cmb (Chris Buechler, Administrator)
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #6 on: January 07, 2009, 12:09:39 am »
> > What he wrote is 100% correct. You have to add rules to allow the DHCP traffic.
> Why was this changed from 1.2?

Because it was a bug, the system should never allow any traffic that isn't explicitly allowed by your firewall rules.

theta
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #7 on: February 05, 2009, 10:53:21 pm »
It doesn't work for my wireless.

My wireless is bridged to LAN (my LAN is O.K. to connect to the internet), and I then followed your instructions to add and apply the rule in the firewall, but my wireless still cannot connect to the internet.

I use pfSense V1.2.2

Can someone advise more troubleshooting steps? ;D

cmb (Chris Buechler, Administrator)
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #8 on: February 09, 2009, 07:15:37 pm »
> It doesn't work for my wireless.
>
> My wireless is bridged to LAN (my LAN is O.K. to connect to the internet), and I then followed your instructions to add and apply the rule in the firewall, but my wireless still cannot connect to the internet.
>
> I use pfSense V1.2.2
>
> Can someone advise more troubleshooting steps? ;D

Check your firewall logs for blocked traffic, and if you're seeing any related to your DHCP requests, allow that traffic. If you aren't seeing blocks there, the problem resides somewhere else.

theta
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #9 on: February 12, 2009, 03:48:05 am »
Can I simply put 3 "any" in the rule, and then save and apply it?  Any risk?

loddington
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #10 on: March 05, 2009, 05:33:28 pm »
I had an Any to Any rule on my OPT1 interface and it still didn't work for my bridged interface (OPT1 and LAN).

To get it to work I followed Hagabard's instructions of allowing UDP port 67-68 BUT it needs to be the first rule in the list on the OPT1 interface.

UDP      *      67 - 68      *      67 - 68      *             pass dhcp traffic

Hope this helps others.

Duncan

Vorkbaard
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #11 on: May 22, 2009, 08:31:35 am »
Seems to be working without any firewall additions in 1.2.3, can anyone confirm that?

thenewguy1979
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #12 on: July 20, 2009, 01:26:56 pm »
It's working if your OPT1 rule is like this

* * * * * *

because you're passing everything including DHCP traffic.

I don't know why pfSense doesn't allow DHCP traffic on a bridged connection automatically. It's just DHCP traffic anyway. I understand the reason why by default OPT1 traffic is blocked, but DHCP should be auto since it's bridged, right, just like for LAN.

GruensFroeschli (Global Moderator)
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #13 on: July 23, 2009, 08:15:08 am »
> I don't know why pfSense doesn't allow DHCP traffic on a bridged connection automatically. It's just DHCP traffic anyway. I understand the reason why by default OPT1 traffic is blocked, but DHCP should be auto since it's bridged, right, just like for LAN.

pfSense does just what you tell it to.
If you don't create a rule telling it to allow DHCP it won't allow it.
Why should it automatically allow something?

In fact this would be very bad.
In one of my setups I bridge my LAN(s) with the WAN(s) but I still have DHCPs on the LAN(s).
(192.168.0.0/22 subnet on WAN, 4x 192.168.0.x/24 as /22 subnets)
Since outbound traffic is allowed I see quite a number of DHCP requests on my WAN(s).
I wouldn't want my DHCPs in the other subnets to answer any of these requests....
« Last Edit: July 24, 2009, 01:45:05 am by GruensFroeschli »

wallabybob
Re: HOWTO: DHCP with bridged connections (1.2.1-RC1 and later)
« Reply #14 on: July 23, 2009, 05:22:32 pm »
> > I don't know why pfSense doesn't allow DHCP traffic on a bridged connection automatically. It's just DHCP traffic anyway. I understand the reason why by default OPT1 traffic is blocked, but DHCP should be auto since it's bridged, right, just like for LAN.
> pfSense does just what you tell it to.

I think there is an inconsistency in configuring DHCP services and this has confused a number of users:

Firewall rules seem to be required for DHCP service only on bridged interfaces.
DHCP services are enabled by a tab under Services -> DHCP Server EXCEPT if the interface is bridged in which case you need to add firewall rules.

I haven't tried this, but I wonder how one would configure DHCP service on OPT1 if OPT1 were bridged to LAN and DHCP service was to be disabled on LAN. I guess one would have to bridge LAN to OPT1 and then DHCP on OPT1 could be enabled by a tab under Services -> DHCP Server.

I can see that it's useful to be able to control DHCP on individual interfaces but enabling DHCP on interfaces involved in a bridge is quite non-intuitive. I think new users would appreciate it if there was a consistent GUI interface for enabling DHCP service: To enable DHCP service on a physical interface do so through the appropriate tab under Services -> DHCP Server regardless of whether or not the interface was bridged.