Configure DHCP Snooping


As far as I understand ipfire currently does not support the dhcp snooping setting?

Is it possible to implement this somehow?

Looking up DHCP Snooping

it says that it is applied to switches.

I haven’t found anything related to setting up dhcp snooping on a firewall.


yes, it is used on switches, but Linux has a bridge… and maybe The correct way to do this is to use ebtable’s filter chain, both forward and output usually, with a ruleset matching UDP ports 67:68?

If it is impossible to fully implement it, is it possible to make notifications in the event log?

1 Like

DHCP Snooping at an switch makes sense… There are many ports and can filter and defense my DHCP.
By arp inspection at IPFire would make sense, to log or report, or cut the internet connection for that computer by Guardian.
Same matter as reported by an user with localdomain home “ipfire.home”.


I totally agree with you, but where I use ipfire, these are small companies that, unfortunately, have unmanaged switches… That’s why I had this idea.

I just want to know the possibility and rationality of implementing this functionality in ipfire… After all, a modern firewall protects not only the local network from threats from the Internet, but also allows you to track threats in the local network.

ebtables is an addon in IPFire so you can install it and define the rules that you require.

What those rules should be, I have no idea about. Reading about dhcp snooping what you need to create are rules thatr will identify your trusted dhcp servers that you want to be used for your network and to block any other dhcp servers on your network that are considered untrusted.

Until you mentioned it, I had not even heard about ebtables.

1 Like

but also allows you to track threats in the local network.

This is a job of switch, where the communication flow ex. between two ports.
You need managed switches with DHCP Snooping support… some “lite” switches at market do not support this. Else you need an L2plus or L3 switch.


@bonnietwin Thanks! I think the addon may be suitable… It will be necessary to further study this issue… It would be great if it was described in the wiki or implemented in a ipfire…

@trash-trash yes, this is the switch’s job, and, for example, mikrotik knows how to do it, and devices that don’t know how to do it, at least they only make mentions in the event log.

2 posts were split to a new topic: Initial wiki page for etables

Even if you implement DHCP snooping in IPFire, how do you demand all traffic through IPFire? In a switched network two devices can communicate directly, without the gateway ( with snooping ).

1 Like

@bbitsch Maybe…

Interesting implementation:

1 Like

I got this piece of hardware… And it has under the hood:
Intel(R) Atom™ CPU C2558 @ 2.41GHz (4 cores, 4 threads)

And it also has a built-in managed switch (which is displayed in the system as a eth6). All client devices will be connected to this switch and it makes sense to configure DHCP Snooping on it. And in general, the idea of combining a Firewall and a built-in switch is a great idea for a small office.