Author Topic: DHCP (again)  (Read 3175 times)
baptistul
« Reply #30 on: August 11, 2009, 01:59:00 PM »

Hi DonZ. I'd read your posts and I understood nothing; let me explain: at first your posts look like somebody's cry for help, but later your posts look as if you are a Comodo expert, but you are not. Some time ago I posted something, and you told me to do something which was clearly wrong. Don't be sorry with me, but I advise you to be more careful. Have a good time.
Logged
Dch48
« Reply #31 on: August 11, 2009, 07:11:21 PM »

I remember having problems with my router when I first started using it. It did not work correctly with the default MAC address of 192.168.1.1. After reading some help files and troubleshooting posts, I changed it to 192.168.2.1 and it has worked correctly ever since.
Logged

HP dv5215us Laptop
Turion64 ML-34 1.8ghz single core, 2g RAM, 10 meg cable connection
XP Professional SP3, IE8 & Outlook Express
CIS 3.13 full (Firewall:Safe - D+:Clean PC - AV:Stateful)
MBAM & SAS On Demand
DonZ
« Reply #32 on: August 11, 2009, 07:40:11 PM »

So far DHCP is initializing OK with IP 192.168.1.1.

I did have to change the DHCP rules to "out UDP source any port 68 dest. 255.255.255.255 port 67" and create a separate inbound rule "in UDP source any port 68 dest. 255.255.255.255 port 67." When I created that inbound rule, I saw the DHCP Offer entry in my Comodo log appear with the source IP showing 192.168.1.1.

I also kept the in/out rule to my router gateway IP rule but haven't seen any log activity for that lately.
Logged
DonZ
« Reply #33 on: August 13, 2009, 06:02:44 PM »

I guess I should have checked the forum for old DHCP postings. Here is a doozy of one, 13 pages long:
http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/problems_with_acquiring_or_renewing_the_ip_address-t6758.0.html

Looks like Comodo has had issues with DHCP for some time. What I gleaned from the above link posting is that you have to allow DHCP access to the router plus to the 255.255.255.255 broadcast address. Also, in past versions of Comodo, some of the miscellaneous attack detection settings have been shown to cause problems with DHCP on some routers. All I am glad about is that I have finally got DHCP working for my PC, since without it, access to my router by the ISP was not working correctly. My router system logs are now uncluttered and free of error messages.
« Last Edit: August 13, 2009, 06:04:26 PM by DonZ » Logged
DonZ
« Reply #34 on: August 16, 2009, 02:30:55 PM »

I spent the last few days researching the Comodo threads on this forum on the subject of routers. There appear to be two camps. The first says access to the router should never be allowed, or allowed only under very controlled circumstances. The second camp states that access to the router should be allowed and also defined in your trusted Comodo network.

I did some further experimenting and, based on those results and prior ones, I say if you use DHCP, you have to allow access to your router. Now a couple of important points. The first is you have to be able to trust your router. Minimally it must support NAT and it has to be set on in the router. If the router has a stateful inspection option, that should be turned on. Lastly, if it has a firewall, set it on also and preferably to stealth mode. If all three router options are on, nothing bad inbound will get past the router. If you cannot trust your router since none of these features are present, then you're better off not using DHCP and instead assigning a static IP address to your PC network card.

As far as Comodo and DHCP goes, I set my trusted network to 192.168.1.0 - 192-168.1.255. This includes all the DHCP IP addresses the router can assign, 1 - 253. It also includes the gateway address of the router, 254, and finally the broadcast address of the router, 255. I then eliminated all the special global and application rules I previously set up for DHCP since they were no longer needed.

One puzzling issue that remains is every time I connect to the Net via IE, the first thing that appears in the Comodo log is a DHCP entry with a source IP of 192.168.1.1 port 68 dest 255.255.255.255 port 67. I can't tell if this is inbound or outbound since Comodo logs do not show direction. This type of DHCP activity is usually a DHCP offer or acknowledgement, which would indicate it's inbound activity.
Logged
Dch48
« Reply #35 on: August 16, 2009, 07:33:58 PM »

I never made any rules and everything works fine. I just let it set up my network at installation and that was it. I never had to change any router settings or make any kind of rules for traffic from or to it. The only thing that happens with me is that when I awake the machine from standby, sometimes it takes up to 60 seconds before I can connect to any web site or to my email. That is a minor annoyance but something that never happened when I was still using Norton Internet Security 2009.
Logged

Quill
« Reply #36 on: August 17, 2009, 09:12:44 AM »

Quote
One puzzling issue that remains is every time I connect to the Net via IE, the first thing that appears in the Comodo log is a DHCP entry with a source IP of 192.168.1.1 port 68 dest 255.255.255.255 port 67. I can't tell if this is inbound or outbound since Comodo logs do not show direction. This type of DHCP activity is usually a DHCP offer or acknowledgement, which would indicate it's inbound activity.

Source = Where it's coming from
Destination = Where it's going to

DHCP clients originate an initial DHCP request from 0.0.0.0 port 68 to 255.255.255.255 port 67.

DHCP servers respond by sending an offer from (whatever its IP address is) port 67 to 255.255.255.255 port 68.

A renewal request would be:

(Whatever the IP address of the client is) port 68 to (whatever the address of the DHCP server is) port 67.

There are situations where this behaviour would deviate, such as when the original DHCP server cannot be found or when DHCP lease of the client expires.
« Last Edit: August 17, 2009, 09:15:05 AM by Quill » Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

DonZ
« Reply #37 on: August 17, 2009, 04:12:19 PM »

Dch48 - If I don't create special DHCP rules, the PC assigns an APIPA address in the 169.254.x.x range. After a period of time a private 192.268.x.x address is assigned to my network card. As you stated, this causes a delay, and in my case it's more than 60 secs.; more like 3 - 4 mins. The main problem is when this occurs, it screws up my DHCP server on the Netopia router for some reason. The DHCP server also controls assignment of the DNS server on the router.

Quill - The server port on my Netopia router is port 67. All incoming from DHCP has always been from port 68 to port 67 on my PC. I have previously verified this when I was running other firewalls including XP's. I assume the router is sending from its client port and receiving to its server port. Below is an excerpt from my router log:

8/10/09 06:23:18 PM L3      DHCP: Initializing Service
8/10/09 06:23:18 PM L3      DHCP: Setup Server On UDP Port 67
8/10/09 06:23:18 PM L3      DHCP: Setup Client On UDP Port 68
8/10/09 06:23:18 PM L3      DNS: initializing service
8/10/09 06:23:18 PM L4      DNS: nameserver address is 0.0.0.0
8/10/09 06:23:18 PM L3      SNMP: initializing service over UDP
8/10/09 06:23:18 PM L3      DIA: Diagnostics service initializing
8/10/09 06:23:18 PM L3      FW: initializing service
8/10/09 06:23:18 PM L3      SSL: Initializing Service
8/10/09 06:23:18 PM L3      SSL: Installed Verisign, Equifax & Thawte Root CA certificates
8/10/09 06:23:18 PM L3      SSL: Initialization Success
Logged
Quill
« Reply #38 on: August 17, 2009, 11:03:13 PM »

Your router is both a DHCP client and a DHCP server. Your LAN clients get their addresses using port 68 as the source and port 67 as the destination. In just the same way, your router has to obtain an external IP address for communication on the WAN.
Logged

DonZ
« Reply #39 on: August 18, 2009, 08:41:06 AM »

When I get home from work today, I will post a section from my old WIN XP SP3 firewall log that clearly shows inbound port 68 being blocked from 192.168.x.x to port 67 dest. 255.255.255.255. These trans. can only be DHCP offer, renewal, or ack.

I have yet to see anything in my Comodo firewall log for inbound activity other than ICMP or the DHCP activity from port 68 to port 67 dest. 255.255.255.255  for which I coded specific allow rules.

As far as I am concerned DHCP outbound from a client is from port 68 (bootpc) to DHCP server (router or stand alone box) port 67 (bootps).  The source address is either 0.0.0.0 or 192.168.x.x DHCP assigned IP address and the dest. address is 255.255.255.255 broadcast address or the router gateway/DHCP server IP address.

DHCP inbound is from a router gateway/DHCP Server port 68 (bootpc) to client port 67 (bootps). The source address is either 0.0.0.0 or 192.168.x.x DHCP assigned IP address and the dest. address is 255.255.255.255 broadcast address or the router gateway/DHCP server IP address.

I have observed the router address being used in place of the broadcast address when my PC resumes from stand-by and TCP/IP wakes up and reinitializes.

As noted above, DHCP does not conform to stateful addressing concepts.

ref.: http://support.microsoft.com/?kbid=169289&sd=RMVP
Logged
Quill
« Reply #40 on: August 18, 2009, 09:15:32 AM »

Quote
When I get home from work today, I will post a section from my old WIN XP SP3 firewall log that clearly shows inbound port 68 being blocked from 192.168.x.x to port 67 dest. 255.255.255.255. These trans. can only be DHCP offer, renewal, or ack.

More likely extraneous traffic. If you're on a cable network you will see other people's requests unless you block it.

From the DHCP RFC:

Quote
DHCP uses UDP as its transport protocol.  DHCP messages from a client
   to a server are sent to the 'DHCP server' port (67), and DHCP
   messages from a server to a client are sent to the 'DHCP client' port
   (68). A server with multiple network address (e.g., a multi-homed
   host) MAY use any of its network addresses in outgoing DHCP messages.

http://www.faqs.org/rfcs/rfc2131.html

http://technet.microsoft.com/en-us/library/cc749902.aspx

BOOTP (Bootstrap Protocol) is a protocol that lets a network user be automatically configured (receive an IP address) and have an operating system booted (initiated) without user involvement.

BOOTPC = Client
BOOTPS = Server
Logged

DonZ
« Reply #41 on: August 18, 2009, 04:15:02 PM »

For starters, I use DSL and my ISP is AT&T aka Bellsouth.net.

I have also seen those same articles and, depending on your network configuration, they are somewhat correct when referring to a separate DHCP server box on your internal network. However, when you are connecting to a router on your LAN that creates a virtual DHCP server internally, the rules change. It might also have something to do with the two network interfaces that exist on a router; one for the LAN side and one for the WAN side. Every article I have seen for other software firewalls interfacing with a router states rules for DHCP outbound from port 68 to port 67 and for inbound port 68 to 67.

Below are the last entries from my WIN XP Pro SP3 firewall log prior to my conversion to Comodo's 3.9 firewall. My network card IP address at that time was 192.168.1.97:

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-05-30 13:45:59 DROP UDP 192.168.1.97 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2009-05-30 13:46:02 DROP UDP 192.168.1.97 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2009-05-30 14:35:28 DROP TCP 91.199.212.149 192.168.1.97 443 1357 40 FA 2175705189 3605759766 7504 - - - RECEIVE
2009-05-30 14:35:29 DROP TCP 91.199.212.149 192.168.1.97 443 1359 40 FA 2168744904 4235835981 7504 - - - RECEIVE
2009-05-30 14:35:43 DROP TCP 91.199.212.149 192.168.1.97 443 1365 40 FA 2201221352 3707414692 6432 - - - RECEIVE
2009-05-30 14:36:12 DROP TCP 91.199.212.149 192.168.1.97 443 1369 40 FA 2223985115 2625777508 6672 - - - RECEIVE
2009-05-30 14:36:41 DROP TCP 91.199.212.149 192.168.1.97 443 1372 40 FA 2262665390 2523772532 6456 - - - RECEIVE
2009-05-30 14:39:53 DROP TCP 91.199.212.149 192.168.1.97 443 1379 40 FA 2450552395 1317354079 6432 - - - RECEIVE
2009-05-30 14:40:24 DROP TCP 91.199.212.149 192.168.1.97 443 1383 40 FA 2489259353 3949317636 6432 - - - RECEIVE
2009-05-30 14:40:50 DROP TCP 91.199.212.149 192.168.1.97 443 1387 40 FA 2521763466 2304694916 7672 - - - RECEIVE
2009-05-30 14:50:06 DROP TCP 85.255.19.28 192.168.1.97 443 1498 48 SA 879239458 84969609 4224 - - - RECEIVE
2009-05-30 14:50:30 DROP TCP 85.255.19.28 192.168.1.97 443 1498 48 SA 879239458 84969609 4224 - - - RECEIVE
2009-05-30 15:01:34 DROP UDP 192.168.1.97 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2009-05-30 15:01:37 DROP UDP 192.168.1.97 255.255.255.255 68 67 328 - - - - - - - RECEIVE

   
Logged
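
The port convention in the RFC 2131 passage quoted in Reply #40, applied to the Windows Firewall log format posted in Reply #41. This is an added example, not part of any post in the thread: the function names are hypothetical, rows 1-2 of the sample are copied from the posted log, and rows 3-4 are constructed using the 192.168.1.254 gateway address mentioned earlier in the thread.

```python
import ipaddress

BOOTPS, BOOTPC = 67, 68  # RFC 2131: DHCP server port, DHCP client port
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Rows 1-2 are copied from the log posted in the thread; rows 3-4 are constructed.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-05-30 13:45:59 DROP UDP 192.168.1.97 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2009-05-30 14:35:28 DROP TCP 91.199.212.149 192.168.1.97 443 1357 40 FA 2175705189 3605759766 7504 - - - RECEIVE
2009-05-30 15:10:00 ALLOW UDP 192.168.1.254 255.255.255.255 67 68 328 - - - - - - - RECEIVE
2009-05-30 15:20:00 ALLOW UDP 192.168.1.97 192.168.1.254 68 67 328 - - - - - - - SEND
"""

def parse_fwlog(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def classify_dhcp(row, local_ip):
    """Label a UDP 67/68 row by RFC 2131 direction; None for any other traffic."""
    sport, dport = row["src-port"], row["dst-port"]
    if row["protocol"] != "UDP" or not (sport.isdigit() and dport.isdigit()):
        return None
    ports = (int(sport), int(dport))
    if ports == (BOOTPC, BOOTPS):
        direction = "client->server"
    elif ports == (BOOTPS, BOOTPC):
        direction = "server->client"
    elif BOOTPS in ports or BOOTPC in ports:
        direction = "nonstandard port pair"
    else:
        return None
    return {
        "time": row["time"], "action": row["action"], "path": row["path"],
        "direction": direction,
        "broadcast": ipaddress.ip_address(row["dst-ip"]) == BROADCAST,
        "src_is_local": ipaddress.ip_address(row["src-ip"]) == ipaddress.ip_address(local_ip),
    }

def dhcp_events(text, local_ip):
    rows = (classify_dhcp(r, local_ip) for r in parse_fwlog(text))
    return [r for r in rows if r is not None]

if __name__ == "__main__":
    for event in dhcp_events(SAMPLE_LOG, "192.168.1.97"):
        print(event)
```

The `src_is_local` field records whether a row's source address equals the address of the machine that wrote the log, which the log's `path` column alone does not show.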
DonZ
« Reply #42 on: August 25, 2009, 04:04:19 PM »

Hopefully, this is my last post to this thread since I finally got DHCP to work right! Trumpets, flourishes, and all that crap!

First thing I additionally did was apply the Microsoft hotfix, KB953761, that I mentioned in a previous post in this thread. This hotfix only applies to XP SP3  - to correct the DHCP server offer option 43 problem.

Next, I activated uPnP on my router. I was hesitant to do that given uPnP's hacking record, but I also know enough about networking to know many routers require it for full functionality.

I then rebuilt TCP/IP and did some additional fooling around with network settings. In the process of fooling around, I finally got uPnP configured properly on my PC, as evidenced by a Comodo alert informing me it was learning on 239.255.*.*. I also observed additional uPnP crap in my Comodo logs. I did not observe any bad guy port 5000 or 1900 UDP uPnP inbound traffic in the logs. I take that with a grain of salt since I am convinced that Comodo's inbound logging capability leaves a lot to be desired.

Finally, I stripped out any special DHCP firewall rules I previously created, leaving only the trusted network rules Saul suggested in a prior post in this thread. As far as my Trusted Network goes, it's my LAN including my router gateway and the .255 broadcast IP, the APIPA IP range, and finally the 239.255.*.* uPnP IP range.
« Last Edit: August 26, 2009, 09:43:52 AM by DonZ » Logged
DonZ
« Reply #43 on: September 21, 2009, 05:45:52 PM »

As I somewhat expected, I finally resolved my DHCP problems and Comodo had nothing to do with the problem. After doing a lot of research and examining my .inf file for my installed nForce4 ethernet driver, I came to the conclusion that something was hosed in that driver. This driver was from the latest nForce4 15.23 release from the nVidia web site. I uninstalled it and reinstalled the ethernet driver from the nForce4 package from my motherboard manufacturer's (MSI) web site. Lo and behold, all the DHCP issues disappeared.

Moral of this long story is new is not necessarily better. This is especially true of ethernet drivers since motherboard manufacturers do a lot of custom stuff to onboard NIC chips. Mine happens to be a Marvell Yukon chip.
Logged