DHCP lease time and firewall?

homerouter · July 16, 2022, 8:19am

I have some units there are set as DHCP.
After they show up in MT “DHCP leases” i change them to static. Then i edit the entry to have an ip out of the DHCP range, all is ok, they get the IP assigned.
Now in the firewall i have NO “confirm rules” for the Input chain UDP port 67, and i see a lot traffic asking for UDP port 67 (all units have got there ip, as i understand it happened before the firewall).
After i made a Accept rules for the input UDP to port 67, the client ask in time interval with the leases time.

Question is:
All run nice without the accept rules in the input chain to port 67, but all client ask a lot some with 1-2 second interval?
Will it be best to made the accept rules in the input chain to port 67? (after i done it, client only ask every 3-10 minutes, not the lease time?).
What is best lease time for the ip i made static, for now it is 10 minutes?

pe1chl · July 16, 2022, 8:41am

The DHCP server does not respect the firewall. It does not matter what you set for handling of UDP port 67/68 packets, the DHCP server will always work.
So I would suggest that unless you have a “default drop” rule with logging (and you do not want it to log DHCP traffic) to not bother about a special rule for DHCP.

Most clients will ask for a DHCP release at half the interval set for the DHCP server. So when you set it to like 1d (1 day) it will renew every 12 hours.
When a client is asking every 1-2 seconds that likely means it does not understand the answer. That sometimes happens, lots of DHCP software is very broken.