Firewall rules for WAN input - Ports 68/UDP and 546/UDP needed?

Hi everyone,

I'm reviewing my firewall configuration on OpenWrt (using fw4) and had a question regarding the necessary rules for the WAN interface, specifically for DHCP client operation.

I know that:

  • UDP port 68 is used by the DHCPv4 client
  • UDP port 546 is used by the DHCPv6 client

and the default configuration has firewall rules that allow input on these ports on the WAN interface.

I've noticed that fw4 also includes rules that accept traffic matching established and related connections. Given this, is there any good reason not to disable the default firewall rules for UDP ports 68 and 546, given that it seems like the aforementioned connection tracking handles DHCP requests fine?

It depends on whether the same DHCP server responds to a renewal request, or whether a broadcast is sent instead. The comments in the config refer to this old issue:

5 Likes

The DHCP request is sent to 255... while the response comes from the DHCP server's IP, which in the firewall's understanding are two independent connections.

2 Likes
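Added example, not from this thread or from OpenWrt/fw4: a small Python model of the conntrack reverse-tuple check behind the established,related accept rule, run over a constructed DHCPv4 discover/offer, a unicast renewal and a DHCPv6 solicit/advertise. Addresses are constructed documentation-range values; the model only compares 5-tuples and ignores conntrack helpers and timeouts.

```python
"""Toy model of what a stateful WAN input chain sees for DHCP traffic.

A reply is only ESTABLISHED if it matches the reverse 5-tuple of a flow
that conntrack has already recorded; otherwise it is a NEW connection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple5":
        # The tuple conntrack expects the reply packet to carry.
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


def state_of(pkt: Tuple5, tracked: set[Tuple5]) -> str:
    """'established' if pkt is the reverse of a tracked flow, else 'new'."""
    return "established" if pkt in {t.reverse() for t in tracked} else "new"


def wan_input_verdict(pkt: Tuple5, tracked: set[Tuple5],
                      allow_udp_ports: frozenset[int] = frozenset()) -> str:
    """Default-drop WAN input: accept established flows or explicitly opened UDP ports."""
    if state_of(pkt, tracked) == "established":
        return "accept"
    if pkt.proto == "udp" and pkt.dport in allow_udp_ports:
        return "accept"
    return "drop"


# Constructed sample exchange (198.51.100.0/24 is a documentation range).
# Initial lease: request to broadcast, reply sourced from the server's unicast IP.
DHCPV4_DISCOVER = Tuple5("udp", "0.0.0.0", 68, "255.255.255.255", 67)
DHCPV4_OFFER = Tuple5("udp", "198.51.100.1", 67, "255.255.255.255", 68)
# Renewal: client unicasts to the known server, which answers from the same IP.
DHCPV4_RENEW = Tuple5("udp", "198.51.100.23", 68, "198.51.100.1", 67)
DHCPV4_ACK = Tuple5("udp", "198.51.100.1", 67, "198.51.100.23", 68)
# DHCPv6: solicit to the All_DHCP_Relay_Agents_and_Servers multicast group,
# advertise comes back from the server's link-local address.
DHCPV6_SOLICIT = Tuple5("udp", "fe80::1", 546, "ff02::1:2", 547)
DHCPV6_ADVERTISE = Tuple5("udp", "fe80::ffff", 547, "fe80::1", 546)

if __name__ == "__main__":
    for name, pkt, flows in [("offer", DHCPV4_OFFER, {DHCPV4_DISCOVER}),
                             ("ack", DHCPV4_ACK, {DHCPV4_RENEW}),
                             ("advertise", DHCPV6_ADVERTISE, {DHCPV6_SOLICIT})]:
        print(name, state_of(pkt, flows), wan_input_verdict(pkt, flows),
              wan_input_verdict(pkt, flows, frozenset({68, 546})))
```

The unicast renewal is the one case conntrack alone covers; the broadcast and multicast replies are dropped unless ports 68 and 546 are opened explicitly.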
