DSM DHCP server

My DS718+ is acting as a DHCP server. All is working fine, but I would like to see if I can fine-tune the firewall rules and tighten up security.

Currently the fw rule is set up to allow DHCP ports, but from ANY/ALL IP addresses. If I were to limit the IP to my local subnet (192.168.1.0), the clients don’t renew their IP address when their IP lease expires. This is due to the clients’ 192.168.1.x IP address expiring and then I’d imagine it gets one of those 169.x.x.x IP addresses or something similar.

To resolve this, can I limit the IP subnets down to a specific list? Or is it OK to leave the fw rule as any IP address?
 

Have a look at the Operation section. The UDP packets exchanged between client and server mostly adopt non-subnet IP addresses.

I would look at your perimeter firewall to secure access as the DHCP service makes no distinction between LAN devices. If you’re wanting to tighten up on devices connecting to the physical LAN then you can look to a switch that supports 802.1X and build support for switch port authentication. At home I wouldn’t do it and WiFi is making it less likely for business client devices, leaving exposed infrastructure interfaces (for access points, printers) that could benefit from 802.1X.
 
My DS718 is acting as the local LAN DHCP server. In the DSM firewall I have to set the UDP DHCP Server firewall rule to source IP ALL. I had changed this rule's source IP to my local subnet 192.168.1.0, however my local devices don't renew their DHCP IP lease. As soon as I set the rule back to source IP ALL, they renew. I assume this is because when a DHCP IP address on a device expires, it turns into the 169.x.x.x address.

Should I just allow DHCP rule to my local subnet and 255.255.255.255 subnet for this rule? "The DHCP client broadcasts a DHCPDISCOVER message on the network subnet using the destination address 255.255.255.255"

I'm trying to prevent having a DHCP rule with source IP 'ALL'. I want to scale ALL to be more specific.
 
To be honest, I've not tried applying stricter firewall rules for my DHCP server, which is on my router. There's no harm in trying to limit the access using the info in that Wiki page since you can rollback to an All rule if it doesn't work.

From what I see though, DHCP client requests are within the LAN and only traverse the LAN edge if you run a DHCP relay (often via your infrastructure routers/switches to a centralised IPAM, IP address mgmt, solution). Other than via DHCP relay the perimeter firewall should be blocking all but the necessary inbound connections to the LAN devices and so you should not be getting any DHCP requests at the server from anywhere but the LAN devices.
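
Added example, not part of the thread: per RFC 2131 a client with no usable lease sends DHCPDISCOVER and the following DHCPREQUEST from source 0.0.0.0 to 255.255.255.255, and only lease renewals are unicast from its assigned address. This Python sketch parses constructed packets and tests candidate source lists, assuming the firewall matches on the IP-header source address; 192.168.1.2 and 192.168.1.50 are made-up addresses, and whether DSM accepts 0.0.0.0 as a source entry is not confirmed here.

```python
import ipaddress
import struct

def build(src, dst, msg_type, ciaddr="0.0.0.0"):
    """Constructed IPv4/UDP/BOOTP client packet (checksums left at zero)."""
    ip4 = lambda a: ipaddress.IPv4Address(a).packed
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s192s", 1, 1, 6, 0, 0x1234, 0, 0,
                        ip4(ciaddr), bytes(4), bytes(4), bytes(4),
                        bytes.fromhex("020000000001"), b"")
    bootp += bytes([99, 130, 83, 99, 53, 1, msg_type, 255])  # cookie, option 53, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip4(src), ip4(dst)) + udp

def parse(pkt):
    """Return (source IP, UDP destination port, DHCP message type)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    opts, i, mtype = pkt[ihl + 8 + 240:], 0, None  # skip UDP, BOOTP header, cookie
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        if opts[i] == 53:  # DHCP message type
            mtype = opts[i + 2]
        i += 2 + opts[i + 1]
    return src, dport, mtype

def passes(pkt, sources):
    """Source-address rule for UDP 67, as assumed for the NAS firewall."""
    src, dport, _ = parse(pkt)
    return dport == 67 and any(src in ipaddress.ip_network(n) for n in sources)

# Constructed traffic: type 1 = DHCPDISCOVER, type 3 = DHCPREQUEST.
PACKETS = {
    "DISCOVER, no lease": build("0.0.0.0", "255.255.255.255", 1),
    "REQUEST, accepting offer": build("0.0.0.0", "255.255.255.255", 3),
    "REQUEST, unicast renewal": build("192.168.1.50", "192.168.1.2", 3, "192.168.1.50"),
}

def evaluate(sources):
    """Map each sample packet to whether the source list lets it through."""
    return {name: passes(pkt, sources) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for extra in ([], ["255.255.255.255/32"], ["169.254.0.0/16"], ["0.0.0.0/32"]):
        print(["192.168.1.0/24"] + extra, evaluate(["192.168.1.0/24"] + extra))
```

Only the list that includes 0.0.0.0/32 passes all three packets: 255.255.255.255 is the destination of the broadcasts, not their source, and 169.254.0.0/16 never appears as a DHCP source in this exchange.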
 
