locked
Windows 7 firewall add exception for inbound DHCP on public and private networks RRS feed

  • Question

  • Hi

    we have put in place corporate wifi and we have been experiencing a problem where the laptop would not obtain a DHCP address when trying to connect to corporate wi-fi

    The problems appears to be windows firewall blocking the inbound DHCP request as the defined network at that point is either public or private. If we then also plugged the network cable in the network would change to domain and would then change the firewall policy from standard to domain and in doing so allow the DHCP to work and the client would get an IP.

    we have a centralized DHCP server and we use relay agents on the routers at sites to help issue the DHCP addresses

    has anyone come across this before and if so what Inbound exception did you put in. I was planning on using GPO to push the exception out and set this on the standard firewall policy.

    This is what i was thinking of adding into the standard firewall policy.

    67:UDP:10.226.192.1,10.226.194.1,10.226.196.1,10.226.197.1,10.226.198.1,10.226.199.1,10.226.200.1,10.226.201.1,10.226.202.1,10.226.203.1,10.226.204.1,10.226.205.1,10.226.206.1,10.226.207.1,10.226.208.1,10.226.209.1,10.226.210.1,10.226.212.1,10.226.214.1,10.226.215.1,10.226.216.1,10.226.218.1,10.226.220.1,10.226.28.202,10.226.40.202:enabled:Inbound DHCP
    
    
    68:UDP:10.226.192.1,10.226.194.1,10.226.196.1,10.226.197.1,10.226.198.1,10.226.199.1,10.226.200.1,10.226.201.1,10.226.202.1,10.226.203.1,10.226.204.1,10.226.205.1,10.226.206.1,10.226.207.1,10.226.208.1,10.226.209.1,10.226.210.1,10.226.212.1,10.226.214.1,10.226.215.1,10.226.216.1,10.226.218.1,10.226.220.1,10.226.28.202,10.226.40.202:enabled:Inbound DHCP

    Tuesday, May 24, 2016 3:04 PM

All replies

  • Windows firewall does not block DCHP requests. Use Wireshark to find out what is going wrong:

    https://www.wireshark.org/


    Best regards, George

    Wednesday, May 25, 2016 3:36 PM
  • as you suggested I installed wireshark on the DHCP server and the client and enable the firewall logs and i can see inbound drops on the firewall log.

    I can see the discover and the offer but do not see any request from the client. I then disabled the firewall service and restarted the client and the client connects with no problem at all.

    I would have included the logs but i don't have the laptop any more and the problem only occurs now and again.

    will try and get another laptop with the problem and this time post logs

    thanks

    Jason

    Wednesday, May 25, 2016 3:44 PM
  • Then something is wrong with that computer. Can you try with another (preferably Win7)?

    No need to post long logs.


    Best regards, George


    Wednesday, May 25, 2016 5:39 PM
  • This has happened on multiple machines. The workaround at the moment is to plug into wired and and connect to the corporate wi-fi and this works

    Thursday, May 26, 2016 8:14 AM
  • Hi,

    We haven’t heard from you in a couple of days, have you solved the problem? We are looking forward to your good news.

    Best Regards,
    Tao


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, June 1, 2016 7:59 AM
  • Hi

    so I have managed to get another machine which is experiencing the issue and have the firewall.log and wireshark pcap.

    you can notice from firewall log that packets are getting dropped:

    2016-06-16 16:32:11 DROP UDP 10.226.216.1 10.226.216.105 67 68 347 - - - - - - - RECEIVE

    I also have a wireshark capture which shows the offer from the DHCP server but not sure how I can upload that

    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    
                                                                                                                                                                                                                    2016-06-16 16:32:07 DROP 89 10.226.216.1 224.0.0.5 - - 64 - - - - - - - RECEIVE
    2016-06-16 16:32:08 ALLOW UDP 169.254.222.136 169.254.255.255 137 137 0 - - - - - - - SEND
    2016-06-16 16:32:08 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:09 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:09 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:10 DROP 2 10.226.216.66 224.0.0.22 - - 40 - - - - - - - RECEIVE
    2016-06-16 16:32:10 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND
    2016-06-16 16:32:10 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:10 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:11 ALLOW UDP fe80::3dfd:44e7:3dc4:de88 ff02::1:3 58628 5355 0 - - - - - - - SEND
    2016-06-16 16:32:11 ALLOW UDP 169.254.222.136 224.0.0.252 63386 5355 0 - - - - - - - SEND
    2016-06-16 16:32:11 DROP UDP 169.254.222.136 224.0.0.252 63386 5355 52 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 169.254.222.136 224.0.0.252 63386 5355 52 - - - - - - - RECEIVE
    2016-06-16 16:32:11 ALLOW UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND
    2016-06-16 16:32:11 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 10.226.216.1 10.226.216.105 67 68 347 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 169.254.222.136 224.0.0.252 63386 5355 52 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 169.254.222.136 224.0.0.252 63386 5355 52 - - - - - - - RECEIVE
    2016-06-16 16:32:11 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:11 ALLOW 2 169.254.222.136 224.0.0.22 - - 0 - - - - - - - SEND
    2016-06-16 16:32:11 DROP 2 169.254.222.136 224.0.0.22 - - 48 - - - - - - - RECEIVE
    2016-06-16 16:32:11 ALLOW ICMP :: ff02::1:ffc4:de88 - - 0 - - - - 135 0 - SEND
    2016-06-16 16:32:11 ALLOW ICMP fe80::3dfd:44e7:3dc4:de88 ff02::2 - - 0 - - - - 133 0 - SEND
    2016-06-16 16:32:11 ALLOW ICMP fe80::3dfd:44e7:3dc4:de88 ff02::16 - - 0 - - - - 143 0 - SEND
    2016-06-16 16:32:11 ALLOW UDP 127.0.0.1 239.255.255.250 57278 1900 0 - - - - - - - SEND
    2016-06-16 16:32:11 ALLOW UDP fe80::3dfd:44e7:3dc4:de88 ff02::1:2 546 547 0 - - - - - - - SEND
    2016-06-16 16:32:11 DROP 2 169.254.222.136 224.0.0.22 - - 48 - - - - - - - RECEIVE
    2016-06-16 16:32:12 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:12 ALLOW ICMP fe80::3dfd:44e7:3dc4:de88 ff02::1 - - 0 - - - - 136 0 - SEND
    2016-06-16 16:32:12 DROP 2 10.226.216.66 224.0.0.22 - - 40 - - - - - - - RECEIVE
    2016-06-16 16:32:12 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:13 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:14 ALLOW UDP fe80::3dfd:44e7:3dc4:de88 ff02::1:3 53537 5355 0 - - - - - - - SEND
    2016-06-16 16:32:14 ALLOW UDP 169.254.222.136 224.0.0.252 64471 5355 0 - - - - - - - SEND
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 224.0.0.252 64471 5355 56 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 224.0.0.252 64471 5355 56 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 224.0.0.252 64471 5355 56 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 224.0.0.252 64471 5355 56 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:14 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:15 ALLOW UDP fe80::3dfd:44e7:3dc4:de88 ff02::1:3 59585 5355 0 - - - - - - - SEND
    2016-06-16 16:32:15 ALLOW UDP 169.254.222.136 224.0.0.252 50457 5355 0 - - - - - - - SEND
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 224.0.0.252 50457 5355 53 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 224.0.0.252 50457 5355 53 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 224.0.0.252 50457 5355 53 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 224.0.0.252 50457 5355 53 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:15 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:16 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - RECEIVE
    2016-06-16 16:32:16 DROP UDP 10.226.216.1 10.226.216.105 67 68 347 - - - - - - - RECEIVE
    2016-06-16 16:32:16 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:16 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:17 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:17 DROP 89 10.226.216.1 224.0.0.5 - - 64 - - - - - - - RECEIVE
    2016-06-16 16:32:18 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:19 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    2016-06-16 16:32:19 DROP UDP 169.254.222.136 169.254.255.255 137 137 78 - - - - - - - RECEIVE
    

    Monday, June 20, 2016 9:56 AM
  • Yes! Your computer didn't get an IP address from the DHCP server. The proof is the address 169.254.222.136 which is an 'automatic address'. It's a reserved scope just as the private scopes 192.168.0.0 etc.

    You need to troubleshoot the DCHP / firewall issue on the DHCP machine.

    To manually test from the affected machine, open a CMD window and run:

    ipconfig /renew

    If successful you should get an IP address from within the DCHP scope.


    Best regards, George

    Monday, June 20, 2016 11:09 AM
  • Hi

    did a renew and i don't get an IP address from the DHCP server the the firewall log is below and I can see what looks likes offers from 10.226.216.1 which is the DHCP relay agent. These are getting dropped

    2016-06-20 12:31:51 DROP UDP 10.226.216.1 10.226.216.109 67 68 347 - - - - - - - RECEIVE

    2016-06-20 12:31:52 DROP UDP 10.226.216.126 224.0.0.251 5353 5353 121 - - - - - - - RECEIVE

    2016-06-20 12:31:54 DROP UDP 10.226.216.1 10.226.216.109 67 68 347 - - - - - - - RECEIVE

    2016-06-20 12:31:56 DROP 89 10.226.216.1 224.0.0.5 - - 64 - - - - - - - RECEIVE

    when I look on the server I can see the offer. I can also see that offer arriving at the client.

    because  the machine cannot get an IP it defaults to using the automatic address.

    just to clarify the 10.226.x.x network you are seeing is our work network.

    hope this helps

    thanks

    Monday, June 20, 2016 11:42 AM
  • Can you manually change the wireless network type to Domain? Here's how:

    https://support.microsoft.com/en-us/kb/2578723


    Best regards, George

    Monday, June 20, 2016 11:47 AM