I made the block rules the same for LAN as WAN. In the logs I see some drops (not related to DHCP, but at least I see how the logs are labeled) showing up as LAN, but all of these DHCP-related drops are being labeled as "BRIDGE0" instead of what I would expect to see, WAN or LAN, or at least one of those two.
We made the block rules for both LAN and WAN because we were not really sure which direction the multicast storm was coming from. We sniffed the network for 24+ hours from 4 different points, and all the captures show the same source MAC address but coming from different IPs about every 10 minutes. We never find this MAC address in the bridging tables of our access points or backhauls to turn them off.
I am using a pfSense box as a bridge in a similar situation and it's passing DHCP thru just fine; however, it does have 3 NICs and I bridged OPT and LAN since the box was upgraded from Monowall and that was a requirement. Maybe I'm on the wrong track there, I just don't get it! I've got my stinkin' laptop running DHCP over on that side of the net and need to let it flow thru.
Thanks
Tim
----- Original Message -----
Sent: Friday, April 28, 2006 3:07 PM
Subject: Re: [pfSense Support] HELP! Beta 3 + Bridge Not allowing DHCP thru
What direction is the blocking rule matching on? In or out?
On 4/28/06, Tim Roberts <[EMAIL PROTECTED]> wrote:
I did. The first line in my post was from the system log. Here's another snip:
172.16.248.106 and 172.16.248.3 are our DHCP servers. We have permitted UDP 67 & 68 from any host to any host and even from any host to 255.255.255.255 just for giggles. Doesn't seem to matter which rules I plop in, DHCP doesn't work. Is there something I'm missing for DHCP other than UDP 67 & 68? It's WinBlowz DNS. Should I have put in a 3rd NIC and bridged from LAN to OPT? Monowall used to make you do that. Just seemed silly to have 3 NICs for a bridge when you only need 2. Is there a hitch bridging from LAN to WAN for this type of service?
Thanks
----- Original Message -----
Sent: Friday, April 28, 2006 1:14 PM
Subject: Re: [pfSense Support] HELP! Beta 3 + Bridge Not allowing DHCP thru
Look in the System logs for the items being blocked and allow them. I have a wireless WAN to OPT1 bridge and I am getting DHCP no problem on my PowerBook.
On 4/28/06, Tim Roberts <[EMAIL PROTECTED]> wrote:
We came under a multicast flood that is crippling us. I quickly tossed together a pfSense Beta 3 box with 2 NICs and set it up as a bridge. We placed it at a halfway point in our wireless backbone. We put 2 rules on each interface (we couldn't tell which interface was which under frustrating circumstances in the dark at a tower). Both rules are to drop IGMP from any to any. We also added a rule to drop any source to 224.0.0.0/4 on both the LAN and the WAN.
Our problem is that now our clients on the far side of the backbone cannot obtain addresses via DHCP. Static customers get on and flow fine. So we inserted "allow any source to any destination udp 67-68". The firewall logs show drops over and over from our DHCP server (172.16.248.3):
Here are the LAN rules:

Proto | Source         | Port | Destination     | Port | Gateway | Description
------+----------------+------+-----------------+------+---------+---------------------
UDP   | 172.16.248.3   | 67   | 255.255.255.255 | 68   | *       | Allow All Thru DHCP
*     | 172.24.128.128 | *    | 172.16.248.8    | *    | *       | Allow All Thru DHCP
UDP   | *              | *    | *               | 67   | *       | Allow All Thru DHCP
UDP   | *              | *    | *               | 68   | *       | Allow All Thru DHCP
IGMP  | *              | *    | *               | *    | *       | Drop IGMP
*     | *              | *    | 224.0.0.0/12    | *    | *       | Drop IGMP
*     | *              | *    | *               | *    | *       | Default LAN -> any
WAN rules are the same. As you can see we have tried some pretty stupid stuff troubleshooting. I realize the 1st rule is dumb, but the 3rd & 4th oughta get 'er done, shouldn't they?
Thanks in advance!
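Added example, not part of the thread: a small first-match evaluator over the LAN ruleset pasted above, fed with constructed DHCP, IGMP and multicast packets (not captures from the thread). It assumes pfSense evaluates rules top-down with first match winning (pf "quick" semantics) and an implicit block when nothing matches. It models only protocol, address and port, so it deliberately ignores interface, direction and state, which is exactly what the replies about "in or out" and drops logged on BRIDGE0 are pointing at; what it does show is that the posted rules themselves pass DHCP, and that the message says 224.0.0.0/4 while the pasted table shows 224.0.0.0/12, a prefix that misses most of the multicast range (224.0.0.0/12 ends at 224.15.255.255, so a 239.x.x.x flood falls through to the default allow). The `lan_rules` helper, sample addresses such as 172.24.128.5 and the SSDP flood packet are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # the wildcard shown in the pfSense rule table


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block" (the web UI shows this as an icon, not a column)
    proto: str    # "udp", "igmp" or "*"
    src: str      # host address, CIDR prefix or "*"
    sport: str    # port, "lo-hi" range or "*"
    dst: str
    dport: str
    desc: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]   # None for port-less protocols such as IGMP
    dst: str
    dport: Optional[int]


def addr_matches(spec: str, addr: str) -> bool:
    """'*' matches everything; otherwise CIDR containment (a bare host is /32)."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == ANY:
        return True
    if port is None:          # a port spec can never match a port-less protocol
        return False
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst)
            and port_matches(rule.dport, pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down, first match wins (assumed pf 'quick' semantics)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def verdict(rules: List[Rule], pkt: Packet) -> str:
    rule = first_match(rules, pkt)
    return rule.action if rule else "block"   # no match: implicit default deny


def lan_rules(multicast_block: str) -> List[Rule]:
    """The LAN ruleset as pasted in the post (assumed helper). The multicast prefix is a
    parameter because the message says 224.0.0.0/4 while the table shows 224.0.0.0/12."""
    allow = "Allow All Thru DHCP"
    return [
        Rule("pass",  "udp",  "172.16.248.3",   "67", "255.255.255.255", "68", allow),
        Rule("pass",  ANY,    "172.24.128.128", ANY,  "172.16.248.8",    ANY,  allow),
        Rule("pass",  "udp",  ANY, ANY, ANY,             "67", allow),
        Rule("pass",  "udp",  ANY, ANY, ANY,             "68", allow),
        Rule("block", "igmp", ANY, ANY, ANY,             ANY,  "Drop IGMP"),
        Rule("block", ANY,    ANY, ANY, multicast_block, ANY,  "Drop IGMP"),
        Rule("pass",  ANY,    ANY, ANY, ANY,             ANY,  "Default LAN -> any"),
    ]


# Constructed sample packets for illustration (not captures from the thread).
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)             # client -> broadcast
OFFER = Packet("udp", "172.16.248.3", 67, "255.255.255.255", 68)           # server -> broadcast
IGMP_REPORT = Packet("igmp", "172.24.128.5", None, "224.0.0.22", None)     # IGMPv3 report
SSDP_FLOOD = Packet("udp", "172.24.128.5", 1900, "239.255.255.250", 1900)  # typical multicast noise

if __name__ == "__main__":
    for prefix in ("224.0.0.0/12", "224.0.0.0/4"):
        rules = lan_rules(prefix)
        print(f"multicast block rule = {prefix}")
        for name, pkt in [("DISCOVER", DISCOVER), ("OFFER", OFFER),
                          ("IGMP report", IGMP_REPORT), ("SSDP flood", SSDP_FLOOD)]:
            hit = first_match(rules, pkt)
            print(f"  {name:12s} -> {verdict(rules, pkt):5s} ({hit.desc})")
```

Running it shows both DHCP packets hitting an allow rule under either prefix, the IGMP report hitting "Drop IGMP", and the 239.255.255.250 flood blocked only with /4; 255.255.255.255 falls in neither prefix, so the broadcast DHCP traffic is never caught by the multicast rule. A real pf evaluation on a bridge additionally depends on which member interface the packet enters and leaves and on whether a state already exists, so the logged BRIDGE0 drops need to be checked against that, not just against this address/port logic.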