Help with DHCP blocking upstream

NethServer Version: 7.6.1810
Module: dnsmasq & Firewall

High Level:
My DHCP requests keep being answered by the Comcast Business Wireless Router that is upstream from my Nethserver. I have tried dropping DHCP from Green Zone to Red Zone, but I must be missing something in the Firewall rules as all nodes on the Intranet are getting their IPs from the Comcast Router and not the NethServer, and routing their internet traffic through the Comcast Router, not the NethServer. (External IP is recognized as Comcast Router’s not NethServers.

I have a Comcast Business Cable Modem with 13 usable static IPs. The WiFi and DHCP is enabled on the Comcast Router to serve as the guest network ( with minimal to no access to our Intranet ( which is behind the NethServer. I use the MAC Addresses and Ip reservations to provide “Static DHCP” IP Addresses. All of my hosts are getting their IPs from the Comcast router rather than the Neth server.

The NethServer has 1 embedded NIC which is connected to the Comcast router and set as the Red Zone, and a 4 Card NIC which has the first 3 interfaces Bridged and serve as the green zone. (I plan to setup the 4th port as a separate network for our Lab later)

Here is my Network Overview:

Here are my current Firewall Rules.

Here is my Network Config:

Any suggestions on how to adjust or add to the Firewall Rules so that anything in the Green Zone only sends DHCP to the NethServer and DHCP stays within the Green Zone would be appreciated.

I’m quite confused…
My setup has a similar structure to yours

Ok, i do not use bridge for Green.
But i don’t also need DHCP from the ISP router, therefore DHCP has no reason to listen on Red interface.

That’s default setting for NethServer with 2 network zones, if i add a Blue zone i would have a different configuration.

So… Why your DHCP server is listening on red?
Are you using it for Halo Guest Network?

1 Like

Thanks for replying. The bridge is there just so all 3 NIC interfaces (which each go to a switch) Work with the NethServer having 1 Internal Address.

The network (aka Halo) is served by the Comcast router for the guest network.

I actually did some more testing and restarted dnsmasq and neth server completely and made no difference.

I then took the Comcast router offline temporarily and tried renewing DHCP and failed still to get an address from the NethServer. So I am thinking my rules (just added the top 2 before posting) might be blocking the NethServer from giving an IP. About to remove all dhcp rules and try again to make sure I get at least some IPs from Neth. Prior to adding the rules the intranet nodes were getting a mix from the Neth and Comcast DHCP ranges.

In my opinion there’s something to be fixed in connection between comcast router and LAN/Green. Seems that the networks are mixed without any kind of separation… Maybe an extra cable not needed, maybe a misconfigured switch or vlan. Also verify bridge connections, they can bring data just like a switch, mixing connections between red zone and the green zone.
As far as i know, what you are describing is not supposed to happen, without any kind of further configuration on Netherver.

1 Like