Configure DHCP to listen on LAN not on WAN

Hello,
I have an EdgeRouter X with OpenWrt 18.06.5.
The WAN port is connected with a static IP to the ISP gateway in the DMZ, and the LAN ports to my LAN stuff.
In /etc/config/dhcp I've added list interface 'lan', with the result that DNS port 53 isn't listening on the WAN IP anymore, but DHCP is still listening on WAN too:
udp 0 0 0.0.0.0:67 0.0.0.0:* 1282/dnsmasq
udp 0 0 :::547 :::* 2165/odhcpd
Maybe the firewall blocks connections from the internet to ports 67 and 547, but I feel more comfortable if these services listen only on LAN and not on WAN.
How can I configure DHCP to listen only on LAN too, as I did for DNS?
Is there any security issue leaving DHCP listening on 0.0.0.0:67 and :::547?
Thank you.

By default the firewall will block everything on wan except pings and replies to dhcp discoveries. If you have not specifically allowed dhcp or dns, then it is blocked.
Post here the whole configuration to check if you missed anything:
uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].interface='lan'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

So I should not worry about attack from internet to port udp 67 and udp6 547?
Thank you.

No, it is fine as it is.

If you're running a static IP on WAN you can take the DHCP reply rules out of /etc/config/firewall. Though I don't think that packets sent there will do anything, especially without a DHCP client running.
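A defender-side check of the kind of dump posted above, as an added example that is not from the thread or from OpenWrt itself: it reads a `uci show dhcp` dump from stdin and flags a dnsmasq instance with no interface restriction, and any pool bound to wan that is not ignored or that asks odhcpd to serve DHCPv6 or router advertisements there. The function name and the two sample dumps are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit a `uci show dhcp` dump and report
# anything that would leave a DHCP/DNS server active on the wan side.
# On a live router:  uci show dhcp | sh audit_dhcp.sh   (script name assumed)

# audit_dhcp_dump: reads the dump on stdin, prints findings,
# returns 0 when clean and 1 when something needs attention.
audit_dhcp_dump() {
    dump=$(cat)
    rc=0
    # 1. dnsmasq must be limited to listed interfaces: without 'list interface'
    #    plus nonwildcard='1' its DNS socket also answers on the wan address.
    if ! printf '%s\n' "$dump" | grep -q "^dhcp\.@dnsmasq\[0\]\.interface="; then
        echo "WARN: dnsmasq has no 'list interface' restriction"; rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -q "^dhcp\.@dnsmasq\[0\]\.nonwildcard='1'"; then
        echo "WARN: dnsmasq nonwildcard is not '1'"; rc=1
    fi
    # 2. every dhcp pool bound to 'wan' must be ignored by dnsmasq and must not
    #    ask odhcpd to serve DHCPv6 or router advertisements there.
    for sec in $(printf '%s\n' "$dump" | sed -n "s/^dhcp\.\([^.]*\)\.interface='wan'$/\1/p"); do
        if ! printf '%s\n' "$dump" | grep -q "^dhcp\.$sec\.ignore='1'"; then
            echo "WARN: pool '$sec' on wan lacks ignore='1'"; rc=1
        fi
        for key in dhcpv6 ra; do
            if printf '%s\n' "$dump" | grep -q "^dhcp\.$sec\.$key='server'"; then
                echo "WARN: pool '$sec' on wan has $key='server'"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample dumps (trimmed to the keys the audit looks at).
GOOD_DUMP="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].interface='lan'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'"
BAD_DUMP="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.dhcpv6='server'"
printf '%s\n' "$GOOD_DUMP" | audit_dhcp_dump && echo "good dump: clean"
printf '%s\n' "$BAD_DUMP" | audit_dhcp_dump || echo "bad dump: problems found"
```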