Trouble with DHCP

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Trouble with DHCP

Post by BurningRoli » Sun Aug 09, 2015 12:14 pm

Hello
I'm using Murus Pro on my Macmini Server (10.10.4 with Server App 4.1.3) to block unwanted WAN requests forwarded from my VDSL router. That part works well.
The problem: while Murus is running, no DHCP request reaches the OS X Server anymore. After stopping Murus, DHCP requests hit the DHCP server immediately.

In my understanding, pf rules 20-23 should always enable the DHCP communication.
pf rules.png
I have no clue what's going wrong. I installed Murus from scratch (following a how-to found on this board), I tried several configurations, done with the wizard and manually, also with "all services" allowed in and out. No other firewall is/was installed and running.

Here is an excerpt from the DHCP log. Murus was stopped from 12:30 until 12:45. Netatmo (every 5 minutes) and the Apple TV send requests and get an ACK, but not while Murus is running. Same behavior with clients like MacBook, iPhone, iPad .......

Aug 9 12:24:17 server.burningnet.ch bootpd[39269]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:25:30 server.burningnet.ch bootpd[39269]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:25:30 server.burningnet.ch bootpd[39269]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:26:43 server.burningnet.ch bootpd[39269]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:26:43 server.burningnet.ch bootpd[39269]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:27:55 server.burningnet.ch bootpd[39269]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:27:55 server.burningnet.ch bootpd[39269]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:28:51 server.burningnet.ch bootpd[39269]: DHCP DISCOVER [en0]: 1,70:ee:50:2:31:a
Aug 9 12:28:51 server.burningnet.ch bootpd[39269]: OFFER sent NetAtmo 192.168.5.41 pktsize 300
Aug 9 12:28:51 server.burningnet.ch bootpd[39269]: DHCP REQUEST [en0]: 1,70:ee:50:2:31:a
Aug 9 12:28:51 server.burningnet.ch bootpd[39269]: ACK sent NetAtmo 192.168.5.41 pktsize 300
Aug 9 12:29:00 server.burningnet.ch bootpd[39269]: DHCP RELEASE [en0]: 1,70:ee:50:2:31:a
Aug 9 12:29:08 server.burningnet.ch bootpd[39269]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:29:08 server.burningnet.ch bootpd[39269]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
--- missing 15 minutes here ---
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: server name server.burningnet.ch
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: interface en0: ip 192.168.5.10 mask 255.255.255.0
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: DHCP DISCOVER [en0]: 1,70:ee:50:2:31:a
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: OFFER sent NetAtmo 192.168.5.41 pktsize 300
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: DHCP REQUEST [en0]: 1,70:ee:50:2:31:a
Aug 9 12:45:08 server.burningnet.ch bootpd[59769]: ACK sent NetAtmo 192.168.5.41 pktsize 300
Aug 9 12:45:10 server.burningnet.ch bootpd[59769]: DHCP DISCOVER [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:45:10 server.burningnet.ch bootpd[59769]: OFFER sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:45:11 server.burningnet.ch bootpd[59769]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:45:11 server.burningnet.ch bootpd[59769]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:46:25 server.burningnet.ch bootpd[59769]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:46:25 server.burningnet.ch bootpd[59769]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306
Aug 9 12:47:46 server.burningnet.ch bootpd[59769]: DHCP REQUEST [en0]: 1,b8:78:2e:37:b5:6f <AppleTVhnzimmer>
Aug 9 12:47:46 server.burningnet.ch bootpd[59769]: ACK sent WohnzimAppleTV 192.168.5.38 pktsize 306

Here is the system log at 12:43; other communication is working.

Aug 9 12:43:46 server.burningnet.ch pf[518]: 00:00:01.420713 rule 37.murus.inbound.133/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from b8:78:2e:37:b5:6f, length 300
Aug 9 12:43:48 server.burningnet.ch pf[518]: 00:00:01.274359 rule 37.murus.inbound.133/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:ee:50:02:31:0a, length 308
Aug 9 12:43:51 server.burningnet.ch pf[518]: 00:00:03.217815 rule 37.murus.inbound.133/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from b8:78:2e:37:b5:6f, length 300
Aug 9 12:43:52 server.burningnet.ch pf[518]: 00:00:01.191056 rule 37.murus.inbound.4/0(match): pass in on en0: 192.168.5.131.56143 > 192.168.5.255.8612: UDP, length 16
Aug 9 12:43:59 server.burningnet.ch pf[518]: 00:00:06.991687 rule 37.murus.inbound.133/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from b8:78:2e:37:b5:6f, length 300
Aug 9 12:43:59 server.burningnet.ch pf[518]: 00:00:00.106371 rule 37.murus.inbound.4/0(match): pass in on en0: 192.168.5.131.54102 > 192.168.5.255.8612: UDP, length 16
Aug 9 12:44:01 server.burningnet.ch pf[518]: 00:00:02.315899 rule 37.murus.inbound.148/0(match): pass in on en0: 192.168.5.9.32927 > 192.168.5.10.53: 1026+ A? 23378c0c675b4fc7840ea889ac020dfb.digitalstrom.net. (67)

Does anyone have any advice?
Thanks, Roland

Davide
Posts: 13
Joined: Tue Dec 30, 2014 7:34 pm

Re: Trouble with DHCP

Post by Davide » Mon Aug 10, 2015 9:47 am

Hi

I think the problem is the block on multicast.

In Preferences -> General, is "Pass All Multicast" checked?

Davide

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Re: Trouble with DHCP

Post by BurningRoli » Mon Aug 10, 2015 3:12 pm

Hi Davide,
yes, it is checked. All should be default.

Roland
Conf-General.png
Conf-Advanced.png

Davide
Posts: 13
Joined: Tue Dec 30, 2014 7:34 pm

Re: Trouble with DHCP

Post by Davide » Tue Aug 11, 2015 8:51 am

Hi

Try removing the option "Static Filtering" from All Services.

If this does not work, you should start from a new configuration and, step by step, observe what happens with your DHCP.

Davide

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Re: Trouble with DHCP

Post by BurningRoli » Tue Aug 11, 2015 7:22 pm

Hi Davide,
Well, I think I found the problem.

1. I started with an empty ruleset and standard and advanced settings, and added "all services" for everyone for both in and out
-> DHCP passing

Aug 11 18:26:37 server.burningnet.ch pf[518]: 00:00:00.315578 rule 37.murus.inbound.2/0(match): pass in on en0: 192.168.5.41.68 > 192.168.5.10.67: BOOTP/DHCP, Request from 70:ee:50:02:31:0a, length 308

2. Changed "all services" inbound only for group 192.168-net
-> DHCP blocked; the requests get blocked because the allowed group 192.168-net does not match the source 0.0.0.0

Aug 11 18:42:49 server.burningnet.ch pf[518]: 00:00:01.266511 rule 37.murus.inbound.2/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:ee:50:02:31:0a, length 308

At this point I was wondering why the default rule is not working; then I found the problem: the default rule of Murus is faulty.

Take a look at the log: DHCP requests are coming in from port 68 to port 67.
The from/to ports are inverted. The Murus rule should be swapped (pass in <-> pass out); then the ports are correct.
pf rules.tiff
I added a custom rule to check my theory.
rule in works.tiff
The result: it works!

Aug 11 19:05:37 server.burningnet.ch pf[518]: 00:00:00.260297 rule 40.murus.custom.1/0(match): pass in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:ee:50:02:31:0a, length 308

Is my conclusion right?

Roland
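The log analysis in Roland's post above, as an added Python example that is not part of the thread: it parses pflog match lines in the format quoted here (the sample lines are constructed to match that shape, with a shortened hostname), lists the DHCP client requests pf blocked, and shows why a rule whose source is limited to the 192.168.0.0/16 group can never match a DISCOVER sent from 0.0.0.0 but does match a renewing client such as 192.168.5.41.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the pflog output quoted in this thread
# (same fields, shortened hostname); not a capture from the poster's server.
SAMPLE_PFLOG = """\
Aug 9 12:43:46 srv pf[518]: 00:00:01.420713 rule 37.murus.inbound.133/0(match): block in on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from b8:78:2e:37:b5:6f, length 300
Aug 9 12:43:52 srv pf[518]: 00:00:01.191056 rule 37.murus.inbound.4/0(match): pass in on en0: 192.168.5.131.56143 > 192.168.5.255.8612: UDP, length 16
Aug 11 18:26:37 srv pf[518]: 00:00:00.315578 rule 37.murus.inbound.2/0(match): pass in on en0: 192.168.5.41.68 > 192.168.5.10.67: BOOTP/DHCP, Request from 70:ee:50:02:31:0a, length 308
"""

# One pflog match line: rule id, verdict, direction, interface, src/dst as addr.port, protocol.
PFLOG_RE = re.compile(
    r"rule (?P<rule>[^\s(]+)\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<proto>[^,]+)"
)

def parse_pflog(text):
    """Return one dict per line that looks like a pf match event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def is_dhcp_client_request(ev):
    """A client talking to a DHCP server: UDP 68 -> 67 (the DISCOVER/REQUEST lines in the thread)."""
    return ev["proto"] == "BOOTP/DHCP" and ev["sport"] == 68 and ev["dport"] == 67

def blocked_dhcp_requests(events):
    """Inbound DHCP client requests that pf dropped, as (rule id, source address) pairs."""
    return [(ev["rule"], ev["src"]) for ev in events
            if is_dhcp_client_request(ev) and ev["action"] == "block" and ev["dir"] == "in"]

def source_rule_matches(ev, allowed_src_net):
    """Would a rule limited to allowed_src_net match this event's source address?
    A DISCOVER from an unconfigured client comes from 0.0.0.0, which is never inside
    192.168.0.0/16, so such a rule cannot pass it; a renewing client at 192.168.5.41 is inside."""
    return ipaddress.ip_address(ev["src"]) in ipaddress.ip_network(allowed_src_net)

if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_PFLOG)
    print("blocked DHCP requests:", blocked_dhcp_requests(evs))
    for ev in evs:
        if is_dhcp_client_request(ev):
            print(ev["src"], "matches 192.168.0.0/16:", source_rule_matches(ev, "192.168.0.0/16"))
```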

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Re: Trouble with DHCP

Post by BurningRoli » Tue Sep 01, 2015 7:54 pm

No feedback? :?

hany
Posts: 484
Joined: Wed Dec 10, 2014 5:20 pm

Re: Trouble with DHCP

Post by hany » Wed Sep 02, 2015 12:40 pm

Sorry for the late answer :)

The two default Murus PF rules regarding DHCP are not inverted. They are correct. Their purpose is to allow DHCP client connections.
What you need is to allow inbound DHCP server connections. You can create a specific Murus service for port 67 or use a custom rule like you already did.
Ports 67 and 68 are also included in BASIC SERVICES service.
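What hany describes, written out as a plain pf.conf fragment (an added illustration, not Murus' own generated rule set; the interface name en0 comes from the thread's log). The inbound rule has to use "from any", because a DISCOVER or REQUEST from a client without a lease is sourced from 0.0.0.0, which no LAN-subnet group can match.

```pf
# DHCP server on the LAN side: accept client requests (UDP 68 -> 67) from any source,
# including the 0.0.0.0 -> 255.255.255.255 broadcast seen in the thread's log.
lan_if = "en0"
pass in quick on $lan_if inet proto udp from any port 68 to any port 67
# Replies from the server (UDP 67 -> 68), unicast or broadcast to a client that has no address yet.
pass out quick on $lan_if inet proto udp from any port 67 to any port 68
```

Rules of this shape are what a Murus service for port 67 or the custom rule from the earlier post produce; "quick" is used here only so the example does not depend on what later rules say.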

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Re: Trouble with DHCP

Post by BurningRoli » Sat Sep 05, 2015 2:09 pm

Thanks hany,
you are right; from the client's point of view it is correct. Keep in mind that there are several server solutions, e.g. Apple's server.app or your own MURUS SERVICES.
My wish: you should find a solution for all other DHCP server users to get an easy configuration. I spent hours finding the problem.
Best regards
