
Firewall Selectively dropping DHCP on a single vlan interface with rule_id=0

Hi,

I implemented a new network and set DHCP up on it.  I have a wired device that gets DHCP all of the time and a wireless device that is rejected by rule_id 0 every time.

2018-04-13 05:08:45 Firewall messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port4.255" out_interface="" src_mac="98:22:ef:dc:c6:9f" src_ip="0.0.0.0" src_country="" dst_ip="255.255.255.255" dst_country="" protocol="UDP" src_port="68" dst_port="67" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature"

I do not even have a firewall rule_id 0 that is visible from the GUI, but from what I gather - it is built in somewhere.

Does someone know why this happens?  Successful device first, failure second.  (capture from Sophos)

Success:

tcpdump: 05:04:08.541151 Port4.255, IN: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:88:6b:8f:45:98, length 300, xid 0xd74be678, secs 6, Flags [none]
      Client-Ethernet-Address 70:88:6b:8f:45:98
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Requested-IP Option 50, length 4: 192.168.255.101
        Parameter-Request Option 55, length 18:
          Subnet-Mask, BR, Time-Zone, Classless-Static-Route
          Domain-Name, Domain-Name-Server, Hostname, YD
          YS, NTP, MTU, Option 119
          Default-Gateway, Classless-Static-Route, Classless-Static-Route-Microsoft, Static-Route
          Option 252, NTP
        Client-ID Option 61, length 23: hardware-type 255, 6b:8f:45:98:00:04:ff:93:53:e8:0f:ea:43:93:bb:0f:d7:94:41:60:9a:c5
05:04:08.541380 Port4.255, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.255.1.67 > 192.168.255.101.68: BOOTP/DHCP, Reply, length 300, xid 0xd74be678, secs 6, Flags [none]
      Your-IP 192.168.255.101
      Client-Ethernet-Address 70:88:6b:8f:45:98
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 192.168.255.1
        Lease-Time Option 51, length 4: 85839
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Domain-Name Option 15, length 12: "homeunix.com"
        Domain-Name-Server Option 6, length 4: 192.168.255.1
        Default-Gateway Option 3, length 4: 192.168.255.1
05:04:14.490943 Port4.255, IN: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:88:6b:8f:45:98, length 300, xid 0x29324d7d, Flags [none]
      Client-Ethernet-Address 70:88:6b:8f:45:98
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Requested-IP Option 50, length 4: 192.168.255.101
        Parameter-Request Option 55, length 18:
          Subnet-Mask, BR, Time-Zone, Classless-Static-Route
          Domain-Name, Domain-Name-Server, Hostname, YD
          YS, NTP, MTU, Option 119
          Default-Gateway, Classless-Static-Route, Classless-Static-Route-Microsoft, Static-Route
          Option 252, NTP
        Client-ID Option 61, length 23: hardware-type 255, 6b:8f:45:98:00:04:ff:93:53:e8:0f:ea:43:93:bb:0f:d7:94:41:60:9a:c5
05:04:14.491088 Port4.255, OUT: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.255.1.67 > 192.168.255.101.68: BOOTP/DHCP, Reply, length 300, xid 0x29324d7d, Flags [none]
      Your-IP 192.168.255.101
      Client-Ethernet-Address 70:88:6b:8f:45:98
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 192.168.255.1
        Lease-Time Option 51, length 4: 85833
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Domain-Name Option 15, length 12: "homeunix.com"
        Domain-Name-Server Option 6, length 4: 192.168.255.1
        Default-Gateway Option 3, length 4: 192.168.255.1


Failure:

tcpdump: 05:08:18.991129 Port4.255, IN: IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 98:22:ef:dc:c6:9f, length 300, xid 0x5a01a844, Flags [none]
      Client-Ethernet-Address 98:22:ef:dc:c6:9f
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Discover
        Parameter-Request Option 55, length 18:
          Subnet-Mask, BR, Time-Zone, Classless-Static-Route
          Domain-Name, Domain-Name-Server, Hostname, YD
          YS, NTP, MTU, Option 119
          Default-Gateway, Classless-Static-Route, Classless-Static-Route-Microsoft, Static-Route
          Option 252, NTP
        Client-ID Option 61, length 23: hardware-type 255, ef:dc:c6:9f:00:04:ff:93:53:e8:0f:ea:43:93:bb:0f:d7:94:41:60:9a:c5

Thanks for any insight!

-Greg



  • Hi,

    Thanks for the dump!

    Do you use static DHCP mapping on XG?

    Is 98:22:ef:dc:c6:9f used in the DHCP mapping?

    Cheers

  • This subnet has no static mappings, but another subnet has a static mapping for both devices included here.

    I think this may be an issue with the cheap ass Zyxel switch I bought.

    My setup is ISP router with all packets forwarded to Sophos on a direct connection (DMZ which moves the WAN IP to the DMZ host).  Somehow, the DHCP request is also hitting the Sophos WAN port - which I assume is why it is dropping it.  I do not see how since the WAN port on Sophos is not connected to the switch at all.

    I am out for the weekend, but will be looking at this again Sunday night and trying other things to narrow it down.  I do this type of stuff for a living, so will let you know how I solve it.

    Thanks,

    Greg

  • Just getting to revisit this -

    So like I figured, the Zyxel switch (very cheap PoE+ switch for powering cameras and my APs) is sending out the port 67/68 traffic on both the vlan it came in on as well as the pvid.

    Zyxel is going to make a new firmware (someday), but is there some way I can disable rule 0?  I really do not like firewalls that do things behind my back anyhow, but if I can disable it temporarily (or just the duplicate packet rule it is hitting), that is good for me.

    Thanks,

    Greg
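Added example, not code from the thread or from Sophos: a small Python helper that pulls rule-0 DHCP denials out of Sophos XG key="value" log lines and, from tcpdump -v output in the same layout as the captures above, flags any DHCP xid whose request arrived on more than one interface, which is the duplicate-broadcast symptom traced to the switch here. The sample lines are constructed, and "Port4" as the PVID-side interface name is an assumption.

```python
import re
# Constructed sample input (not the thread's own capture): one Sophos XG
# "Appliance Access" denial as rule 0 logs it, and tcpdump -v output in which
# the same DHCP xid arrives on two interfaces ("Port4" as the PVID side is assumed).
FIREWALL_LOG = [
    'log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" '
    'status="Deny" fw_rule_id="0" in_interface="Port4.255" src_mac="98:22:ef:dc:c6:9f" '
    'src_ip="0.0.0.0" dst_ip="255.255.255.255" protocol="UDP" src_port="68" dst_port="67"',
]
TCPDUMP = """\
05:08:18.991129 Port4.255, IN: IP (proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 98:22:ef:dc:c6:9f, length 300, xid 0x5a01a844, Flags [none]
05:08:18.991201 Port4, IN: IP (proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 98:22:ef:dc:c6:9f, length 300, xid 0x5a01a844, Flags [none]
05:04:08.541151 Port4.255, IN: IP (proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 70:88:6b:8f:45:98, length 300, xid 0xd74be678, secs 6, Flags [none]
""".splitlines()

KV_RE = re.compile(r'(\w+)="([^"]*)"')
HDR_RE = re.compile(r'^\S+ (\S+), (IN|OUT): ')
DHCP_RE = re.compile(r'BOOTP/DHCP, Request from ([0-9a-f:]{17}), .*xid (0x[0-9a-f]+)')

def parse_kv(line):
    """Turn a Sophos key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def rule0_dhcp_denials(lines):
    """(src_mac, in_interface) for each DHCP client packet dropped by built-in rule 0."""
    return [(r["src_mac"], r["in_interface"]) for r in map(parse_kv, lines)
            if r.get("fw_rule_id") == "0" and r.get("status") == "Deny"
            and r.get("protocol") == "UDP" and r.get("dst_port") == "67"]

def parse_tcpdump(lines):
    """(interface, client_mac, xid) for each inbound DHCP request in tcpdump -v output."""
    out, iface = [], None
    for line in lines:
        m = HDR_RE.match(line)
        if m:                                   # unindented header: time, interface, direction
            iface = m.group(1) if m.group(2) == "IN" else None
        elif iface and (m := DHCP_RE.search(line)):   # indented BOOTP/DHCP summary line
            out.append((iface, m.group(1), m.group(2)))
    return out

def xids_on_multiple_interfaces(records):
    """xid -> interfaces, keeping only xids whose request arrived on more than one."""
    seen = {}
    for iface, _mac, xid in records:
        seen.setdefault(xid, set()).add(iface)
    return {xid: ifs for xid, ifs in seen.items() if len(ifs) > 1}
```

A xid that shows up inbound on two interfaces within the same second is the same client broadcast being delivered twice, so the firewall's per-interface handling rather than the client is the first place to look.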