I have a pfSense instance (Netgate SG-series), with setup:
- 802.1Q enabled
- LAN ports 1 (LANP) and 2 (LANB) with VLAN assignments
- Interfaces assigned and enabled

LANP:
- (1, 5t) tag configuration
- Static IP configuration
- DHCP server bound to this interface
- Block BOOTP 67-68 from any source to the secondary LANB server's static IP
- Allow BOOTP 67-68 and tag bootp_lanp
- Allow all traffic from LANP subnet to any destination
- Connected to a single-host network with a node running a DHCP client

LANB:
- (2, 5t) tag configuration
- DHCP client IP configuration
- Connected to a single-host network with a static-IP node running a DHCP server
- Block any traffic tagged bootp_lanp

LANP and LANB are bridged. The bridge interface is assigned but has no firewall rules, and the tunables are their defaults (as in, pfil is on for the members and off for the bridge).

This is supposed to act as an L2 firewall so that the node on LANP receives DHCP service from the pfSense instance and not the secondary server connected to LANB, but that doesn't happen.

If LANB is disconnected, the LANP DHCP service functions successfully, but if LANB is connected, the secondary DHCP server always wins. The BOOTP block rule even registers state activity on LANP, but nothing is actually blocked, because the node on LANP still receives DHCP service from the secondary LANB server.

Nothing I have tried is able to block this traffic. How do I block this traffic and force precedence of the pfSense DHCP server instance?
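A useful first step when debugging a setup like the one described in this post is to confirm, from a packet capture on the LANP member interface, which server's OFFER/ACK the client is actually accepting. The script below is an added example for this thread, not code from the original post or from pfSense: it parses raw DHCP (BOOTP) UDP payloads, reads the Server Identifier option (54), and flags any server reply that did not come from the address you expect to win. The sample packets are constructed inline, and the "authorized" address 192.168.10.1 and the secondary server address 192.168.10.2 are assumptions, not values from the post.

```python
"""Parse DHCP (BOOTP) messages and flag OFFER/ACK/NAK replies whose Server
Identifier (option 54) is not the server that should be answering.

Added example; not pfSense code. All packets below are constructed, and the
authorized/secondary server addresses are assumptions for illustration.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 magic cookie, sits at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header plus the TLV option area of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = IPv4Address(payload[16:20])         # address being offered to the client
    chaddr = payload[28:28 + hlen]               # client hardware address
    opts, i = {}, 240
    while i < len(payload):                      # walk options until END (255)
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    server_id = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr.hex(":"),
            "type": msg_type, "server_id": server_id}


def classify(payload: bytes, authorized: set) -> Optional[str]:
    """'authorized' or 'rogue' for server replies; None for client-originated messages."""
    msg = parse_dhcp(payload)
    if msg["type"] not in ("OFFER", "ACK", "NAK"):
        return None
    return "authorized" if msg["server_id"] in authorized else "rogue"


def rogue_replies(payloads, authorized: set):
    """(xid, server_id) for every server reply that did not come from an authorized server."""
    out = []
    for p in payloads:
        if classify(p, authorized) == "rogue":
            m = parse_dhcp(p)
            out.append((m["xid"], str(m["server_id"])))
    return out


def build_reply(msg_type: int, xid: int, yiaddr: str, server_id: str, mac: bytes) -> bytes:
    """Construct a minimal BOOTREPLY (used here only to fabricate sample capture data)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)        # op=2, htype=Ethernet, hlen=6
    hdr += bytes(4)                                             # ciaddr
    hdr += IPv4Address(yiaddr).packed                           # yiaddr
    hdr += IPv4Address(server_id).packed                        # siaddr
    hdr += bytes(4)                                             # giaddr
    hdr += mac.ljust(16, b"\0") + bytes(64) + bytes(128)        # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    opts += IPv4Address(server_id).packed + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


# Assumed addresses: pfSense on LANP is 192.168.10.1, the secondary server is 192.168.10.2.
AUTHORIZED = {IPv4Address("192.168.10.1")}
CLIENT_MAC = bytes.fromhex("001122334455")
# Constructed "capture": both servers OFFER to the same transaction, the secondary ACKs.
SAMPLE_PAYLOADS = [
    build_reply(2, 0x1234, "192.168.10.50", "192.168.10.1", CLIENT_MAC),
    build_reply(2, 0x1234, "192.168.10.200", "192.168.10.2", CLIENT_MAC),
    build_reply(5, 0x1234, "192.168.10.200", "192.168.10.2", CLIENT_MAC),
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        m = parse_dhcp(p)
        print(f"xid={m['xid']:#x} {m['type']:<5} from {m['server_id']} -> {classify(p, AUTHORIZED)}")
    print("rogue replies:", rogue_replies(SAMPLE_PAYLOADS, AUTHORIZED))
```

In practice the payloads would come from a capture of UDP ports 67-68 on the LANP member interface (the UDP payload of each frame, fed to parse_dhcp). An ACK whose Server Identifier is the secondary server's address is direct evidence that the client committed to that server's lease, which separates "the block rule never matched" from "the rule matched but the client had already accepted an OFFER".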