[Solved] Allow-DHCP rules not working

Hi,

I am trying to set up rules that allow DHCP, DNS and ICMP against the OpenWrt gateway IPs of some VLANs. I have defined zones for each VLAN and I have set the policies for these zones to Input => reject, Output => accept and Forward => reject, since I want to block all traffic for these zones that I don't explicitly allow in the Traffic rules.

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

So in order to enable the basic router stuff on these interfaces, I created a firewall rule to allow DNS, DHCP and ICMP:

config rule
        option src 'iot'
        option target 'ACCEPT'
        list dest_ip '10.30.0.1'
        option dest_port '53 67-68'
        option name 'Allow-rule'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

But for some reason the rule never works. No client gets assigned an IP when connecting. Only when I set Input => allow for the whole zone does the rule work. Can someone tell me what goes wrong here?

Without having seen your settings, just a quick try.
Remove:

list dest_ip '10.30.0.1'

Reboot afterwards.

Also not 100% sure if this is allowed (multiple ports in this way):

option dest_port '53 67-68'

Hi,

I removed the destination IP like you suggested and it started working. An IP was handed out immediately to my client. That made me look with tcpdump at what is going on. I saw the DHCP request via 255.255.255.255 and I added this IP as destination instead. This also seems to work. This is kinda weird; I never saw that I had to allow this IP to allow DHCP.

You should not need any IP address, as this is an INPUT rule meant for the router itself.

This is all you need

config rule
	option name 'allow-iot-dns'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'allow-iot-dhcp'
	list proto 'udp'
	option src 'iot'
	option dest_port '67'
	option target 'ACCEPT'

P.S. The DHCPDISCOVER message is sent to the broadcast address (255.255.255.255), as the DHCP client does not know where the DHCP server is located.

The problem is that I have several gateway IPs, like 10.10.0.1, 10.20.0.1, 10.30.0.1, ... and I don't want these IPs to be reachable from the other networks, but only the single gateway IP belonging to that network.

Sure but you have only one DHCP server per subnet :slight_smile:

Thanks for your reply. Adding a source zone for the rule does not work for me, I guess because the client has no IP yet and is therefore not assigned to a zone yet.

Edit: Ok, it works with the iot zone specifically, but not with a zone grouping all lans together to a single zone.

No, I think that cannot work.
DHCP is done on its own subnet, specified by the source zone.


Ok then I think I've figured it out. Thanks to both of you!

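For the record, a firewall config that follows from this thread, as an added example rather than config posted by anyone above: the DHCP rule carries no dest_ip, because DHCPDISCOVER goes to 255.255.255.255 and would never match the gateway address, while DNS and ICMP are pinned to the iot gateway (10.30.0.1, taken from the first post) so the other gateway IPs stay unreachable from this zone. The rule names and the icmp_type restriction are assumptions.

```uci
# /etc/config/firewall (fragment; example added to this thread, not from the original posts)

config zone
        option name 'iot'
        # drop everything that is not explicitly allowed by a rule below
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

# DHCP: DHCPDISCOVER/DHCPREQUEST are sent to 255.255.255.255, so a dest_ip
# of the gateway would only match unicast renewals. The source zone is
# enough: a client without an address is still attached to the iot interface.
config rule
        option name 'Allow-iot-DHCP'
        option src 'iot'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

# DNS: the client has an address by now, so the rule can be pinned to this
# VLAN's gateway; 10.10.0.1, 10.20.0.1 and the others stay rejected.
config rule
        option name 'Allow-iot-DNS'
        option src 'iot'
        list proto 'tcp'
        list proto 'udp'
        list dest_ip '10.30.0.1'
        option dest_port '53'
        option target 'ACCEPT'

# ICMP echo to the zone's own gateway only. icmp_type is an assumption beyond
# the thread, which allowed all ICMP.
config rule
        option name 'Allow-iot-Ping'
        option src 'iot'
        list proto 'icmp'
        list icmp_type 'echo-request'
        list dest_ip '10.30.0.1'
        option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, a `tcpdump -ni br-iot port 67 or port 68` on the router shows the DISCOVER arriving at 255.255.255.255 and the OFFER leaving, which is the quickest check that the DHCP rule matches without a dest_ip.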

I was wondering why it was not 255.255.255.0, but I thought you two might be talking about something eccentric.

Glad you solved it :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: