
Description of the issue: I've created a rule inside pFsense to block any traffic directed at RFC1918 originating from my OPT1 network, and it works fine. Now when I open a terminal on an OPT1 network PC I cannot ping any IP on my OPT1 network, including DNS and DHCP. I tested that using the ping program from the command line like so:

ping 192.168.57.1

To let the PC connect to the internet after such manipulations, I've had to manually set the gateway, the DNS server, and the IP of the client PC, and again it works, but this time it's a surprise for me, for in my understanding the client on the OPT1 network should not be able to talk to the gateway on its local net because of the blocking rule. So could anyone please explain to me how this works? Also, if anyone could point me to an article on how networks without DHCP work, that would be appreciated.

To make things clearer, I'll attach the screenshots of the client configuration in this case, and of pFsense rule in question.

pFsense configuration: [screenshot of the pFsense rule]

Client configuration: [screenshot of the client's static IP settings]

  • You write "how networks without DHCP work would be appreciated." I haven't used pfsense, but if you want to see a network without DHCP: take a simple setup with no firewall, just some computers connected to a NAT router with a modem in there. Connect to the NAT router and turn DHCP off. Then go to one of the computers you have and manually tell it what the local IP address of the NAT router is and what that computer's IP is, and set the subnet mask. And then you've done the job of DHCP manually yourself.
    – barlop
    Commented Nov 28, 2023 at 16:17
  • "I cannot ping any IP on my OPT1 network" – are you sure? I don't think you'd have any problem reaching any host (in the same broadcast domain) with an IP in 192.168.57.0/24 except (maybe) 192.168.57.1 (unless the pfsense uses more than that for itself). (Unless your pfSense filters at switch level.)
    – Tom Yan
    Commented Nov 28, 2023 at 16:50
  • I'm surprised that it'd actually break DHCP. Sounds like the rule is even applied to outbound traffic from the router itself.
    – Tom Yan
    Commented Nov 28, 2023 at 17:07
  • You're right, when I added another PC on the network in question, I am able to ping it. I guess that means when I contact the gateway the firewall steps in, because when you ping an IP on the net other than the gateway the traffic actually doesn't need to go through the firewall or any routing for that matter. Commented Nov 28, 2023 at 17:25

1 Answer

To let the PC connect to the internet after such manipulations, I've had to manually set the gateway, the DNS server, and IP of the client PC, and again it works, but this time it's a surprise for me, for in my understanding the client on the OPT1 network should not be able to talk to the gateway on its local net because of the blocking rule.

The client does not talk to the gateway in the first place. When you're contacting remote systems, the gateway's IP address shows up absolutely nowhere in the IP packets. (They have 'source' and 'destination' fields, where the source is your PC and the destination is, well, the destination.)

Instead, the only purpose of the gateway IP address is so that the OS could resolve it to a layer-2 or MAC address (and then send Ethernet frames towards that MAC). The router uses the MAC header to recognize that the packet is directed towards it, then uses the IP header to recognize that it needs to forward the packet.

This brings us to another related point: the fact that the PC needs to direct packets towards the gateway by its MAC address implies that it can also direct packets towards any other MAC address. That is, packets between hosts in the same subnet will actually bypass the gateway and you cannot really control them using the gateway's firewall at all.

Also if anyone could please point me to an article of how networks without DHCP work would be appreciated.

It's unlikely that there would be such an article, because there's nothing special about the way networks work without DHCP. (It's quite the opposite.)

DHCP is not what makes networks "work" in general; all that it does is provide the initial configuration (IP address, DNS servers, gateway address). Once that information is obtained, the network doesn't use DHCP for anything else.

So if the network doesn't have DHCP to provide that information, then you provide it manually (like you did in your example), but the way the network functions doesn't change at all.
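The following is an added model of the mechanism the answer describes; it is constructed for this page and is not code from the question, the answer, or pfSense. It assumes a PC at 192.168.57.10 with a /24 mask and 192.168.57.1 as its static gateway, a second PC at 192.168.57.20, documentation-range MAC addresses, and a firewall rule modelled as "source in 192.168.57.0/24 and destination in any RFC1918 range, evaluated when a frame enters the router" (the exact rule on the page is only shown in a screenshot). The on-link check decides whether the next hop is the destination itself or the gateway; ARP turns that next-hop IP into a MAC; the gateway IP never appears in the IP header of a transit packet, and same-subnet frames never reach the router at all.

```python
"""Model: static gateway vs. an 'OPT1 -> RFC1918' block rule.

Hypothetical example constructed for illustration (not pfSense code).
Shows three outcomes from the same PC:
  8.8.8.8        -> framed to the gateway MAC, forwarded (dst is not RFC1918)
  192.168.57.1   -> framed to the gateway MAC, blocked by the rule (router's own IP)
  192.168.57.20  -> framed to the peer's MAC, never seen by the router
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ARP cache of the PC. In reality these entries are learned by
# ARP-ing the next-hop IP (the gateway IP for off-link destinations, the
# destination IP itself for on-link ones). MACs are from the documentation range.
ARP_CACHE = {
    "192.168.57.1": "00:00:5e:00:53:01",   # assumed: pfSense OPT1 interface
    "192.168.57.20": "00:00:5e:00:53:20",  # assumed: another PC on OPT1
}


@dataclass(frozen=True)
class Frame:
    """Ethernet header (src/dst MAC) wrapping an IP header (src/dst IP)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class Host:
    def __init__(self, ip: str, prefixlen: int, gateway: str, mac: str):
        self.ip = ip_address(ip)
        self.net = ip_network(f"{ip}/{prefixlen}", strict=False)
        self.gateway = ip_address(gateway)
        self.mac = mac

    def next_hop(self, dst: str):
        """On-link check: same subnet -> deliver directly, else send via gateway."""
        dst_ip = ip_address(dst)
        return dst_ip if dst_ip in self.net else self.gateway

    def build_frame(self, dst: str) -> Frame:
        """The gateway IP only selects the destination MAC; the IP header keeps
        the real source and destination. A missing ARP entry raises KeyError,
        which is the 'no ARP reply' case."""
        nh = self.next_hop(dst)
        return Frame(self.mac, ARP_CACHE[str(nh)], str(self.ip), dst)


class Router:
    def __init__(self, mac: str, own_ips, opt1_net: str = "192.168.57.0/24"):
        self.mac = mac
        self.own_ips = {ip_address(i) for i in own_ips}
        self.opt1_net = ip_network(opt1_net)

    def receives(self, frame: Frame) -> bool:
        """A switch delivers a unicast frame only to the MAC it is addressed to,
        so the router sees nothing that was framed to another host's MAC."""
        return frame.dst_mac == self.mac

    def filter(self, frame: Frame) -> str:
        """Modelled rule: block src in OPT1 net -> dst in any RFC1918 range,
        evaluated on entry, so packets to the router's own OPT1 IP match too."""
        src, dst = ip_address(frame.src_ip), ip_address(frame.dst_ip)
        if src in self.opt1_net and any(dst in n for n in RFC1918):
            return "blocked"
        return "to-self" if dst in self.own_ips else "forwarded"


def trace(pc: Host, router: Router, dst: str) -> str:
    """Follow one packet from the PC and report what happens to it."""
    frame = pc.build_frame(dst)
    if not router.receives(frame):
        return "bypassed-router"
    return router.filter(frame)


def demo() -> dict:
    pc = Host("192.168.57.10", 24, "192.168.57.1", "00:00:5e:00:53:10")
    fw = Router("00:00:5e:00:53:01", ["192.168.57.1"])
    return {dst: trace(pc, fw, dst) for dst in ("8.8.8.8", "192.168.57.1", "192.168.57.20")}


if __name__ == "__main__":
    pc = Host("192.168.57.10", 24, "192.168.57.1", "00:00:5e:00:53:10")
    print("frame to 8.8.8.8:", pc.build_frame("8.8.8.8"))
    for dst, outcome in demo().items():
        print(f"{dst:15} -> {outcome}")
```

Printing the frame for 8.8.8.8 shows dst_mac set to the gateway's MAC while src_ip/dst_ip are the PC and 8.8.8.8; 192.168.57.1 is nowhere in the IP header, which is why the block rule does not affect internet traffic but does match a ping to the router's own OPT1 address.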

  • I like this answer, but I need some more clarification. First of all, I wonder how the PC would get the MAC address of a certain IP, even if it's assigned one. Now I know that clients on the same network can find each other and know each other's MAC addresses, but how would the PC link a MAC from the local LAN that it has found out itself to the IP of the gateway that was set statically? Another thing I wanted to know is why the router that sits at the gateway address would even accept those requests in question, given that the rules prohibit packets with the source field set to the same network? Commented Nov 28, 2023 at 16:39
  • Why would it need to link MAC addresses like that? Commented Nov 28, 2023 at 18:42
  • After your reply I realized what my mistake was. I thought something along the lines that the gateway would need to be addressed by IP, but it really isn't. Clients can access their peers by MAC address within the LAN, which in this case is a router, which will forward such a packet somewhere else and not drop it, because the origin and destination are not mentioning the router itself. Commented Nov 28, 2023 at 20:55
  • To answer your question: I thought that the PC client wouldn't know what MAC address to call to get to the gateway if it didn't know the IP address of it, because all we gave the PC is the IP. Commented Nov 28, 2023 at 21:00
  • But you did tell it the IP address of the gateway. Your screenshot has "IPv4 gateway: 192.168.57.1", so the PC can just translate it via ARP as usual. (And when contacting other hosts in the same subnet, it'll directly translate the target host's IP to a MAC.) Commented Nov 28, 2023 at 21:02
