DCHP not sending router/gateway to endpoint after fresh install

Derelict

@wildfrog What is listed as the Gateway in the LAN DHCP Server configuration?

If you really, really want to diagnose the problem do a packet capture on LAN for UDP port 67, 10000 packets and disconnect/reconnect the ethernet on that Mac. Particularly interested in the DHCPOFFER from the server.

Else it simply has to be something on that mac.

wildfrog

@derelict I think a packet capture is the next step.

I'm inclined to discount the issue being with the Mac because it functions properly with the Meraki MX84 it's currently connected to. It functions properly connected to a pfSense box with a v2.5 install. And while my test with v2.5.2 was a while ago, I seem to remember connecting a PC to it and also encountering similar problems. I'll also see if I can find a Windows box to test with.

It's only when the device has a fresh install of v2.5.2 and later does it encounter this problem.

I've also encountered this with more than one Protectli each of a different model.

Derelict

@wildfrog I cannot even speculate how many times I have installed/upgraded/changed pfSense with a DHCP server, testing with macs, windows, linux, phones, pretty much everything, on practically countless different devices and VMs and never seen that. Not once. And that's not counting the production sites that have never seen it either.

I would also investigate if there is anything such as DHCP snooping somewhere interfering.

The one thing you mention that I have never used is protectli hardware but that being the causation factor would surprise me almost as much as it being the ISC DHCP server in pfSense.

wildfrog

@derelict Right. I've definitely not done as many installs as you, but I'd never seen this before until I did a fresh install of 2.5.2, and later 2.6.

I think the oddest thing is that I don't get this behavior when installing a fresh v2.5. Just anything more recent. So it makes me wonder if something changed in this regard from 2.5 to the 2.5.1/2.5.2 build.

All that said, in a perfect world I'd be setting up a 2100 instead of building a Protectli box. But my clients are too big for a 1100 - but too small to justify a 4100. Supply chain is a thing.

jimp

There are a couple scenarios that can result in no gateway from DHCP.

• If the firewall running pfSense software has no gateways it won't add a gateway in DHCP. For example, if you set a static IP address on WAN but did not add/select a gateway on the WAN interface then it does not add a gateway in DHCP automatically. You can still put one in manually, but you should fix the gateway settings (Add one under System > Routing and select it under Interfaces > WAN)

• If the firewall only gets an IPv6 address+gateway and not IPv4 then it won't give an IPv4 gateway in DHCP automatically

• If someone puts the literal string none in the gateway field of the DHCP server settings on the interface it will be left out, but that would have to be done explicitly, it doesn't happen automatically.

There is also the potential that it's a client problem but that seems less likely than one of the above.

If you run a packet capture of the DHCP request and response on the LAN you can look at it in Wireshark and see if the firewall is sending the gateway to the client(s).

wildfrog

@jimp I'm not quite sure how any of those 3 scenarios apply since this is the behavior on the very first connection - before running the setup wizard or performing any configuration of any sort and with no WAN connected.

Do you suppose that with no WAN connected, it would trigger scenario #1? And if so, it would seem that this behavior changed from v2.5.1 and later since v2.5 works as expected.

hispeed

@jimp

I have the same problem with a fresh installation of pfsense 2.6.

So I need to fill out this:

If I don't and there a gateway the client recieves no gateway, traffic flows then only to the pfsense which is available under: 192.168.100.1 .

On Pfsense 2.4.5 which is running at the moment in productive at home I don't have to do that.

So I will try to capture that with wireshark.

hispeed

@hispeed

Ok I captured it on the client side one time with the gateway set and one time without.

When I don't set the gateway on the interface:

When I set the gateway:

So option 3 is not recieved at the client side and I assume that pfsense is not sending it, but why I don't know.

Derelict

@hispeed said in DCHP not sending router/gateway to endpoint after fresh install:

When I don't set the gateway on the interface:

What exactly does that mean?

It looks like you are showing us DHCPACKs. I'm looking for the server-to-client communications not client-to-server.

I see you obfuscated a MAC address. Not sure why you are hiding that. MAC addresses are local to the broadcast domain and might prove useful in diagnosing problems down near layer 2 like DHCP.

Can you capture the entire DHCP process and post the actual PCAP?

hispeed

@derelict

Yes I captured it but I send it to you via private message because it contains the domains. This capture is from the pfsense interface without the gateway filled out.

Derelict

@hispeed What does "Without the gateway filled out" mean? There is not a gateway set on the interface configuration itself?

A gateway should only be set on "WAN" or "Outside" interfaces. Are you saying the capture is on the "LAN" or "Inside" interface?

wildfrog

@derelict In line with my response to @jimp a couple days ago. . .are you saying that if the WAN gets no gateway information - either from DHCP or configured manually - that pfSense will not pass along internal gateway/router information to endpoints on the LAN (as pictured in the image in my OP)?

hispeed

@derelict

"Without the gateway filled out" -> This means I did not add 192.168.100.1 into the Gateway field in the DHCP Server on the LAN interface (other options). This means this field was empty.

Interface Lan it was always like this ( I never changed it for any test):

The capture was made on the pfsense with interfance "LAN". I disconected the VM and reconected it.

Info: IPv6 was deactivated I just activated for tests with IPv6.

hispeed

@wildfrog

I don't know if I recieve from this provider a gateway on the WAN interface. This is possible because my provider is special (Swisscom - Switzerland).
I also have to set DHCP Option 60 with VLAN 10 to recieve an IP address.

Derelict

@hispeed Personally, I would leave IPv6 alone until you get IPv4 working but that might just be me.

Derelict

@hispeed You don't have an IPv4 gateway there.

hispeed

@derelict

IPv4 is working fine when i add the pfsense gateway in the dhcp server on every interface.

Derelict

@hispeed I would specifically set a gateway to be sent by the DHCP server on the 192.168.100.1 interface (set 192.168.100.1 there) and see if that corrects the inside DHCP. Then I would work on why you are not getting a gateway from the upstream DHCP server at the ISP.

Derelict

@hispeed Did you mess about with anything here on the ISP interface?

hispeed

@derelict

Yes we have to use "Configuration Override" and add there:

interface "{interface}" {
send dhcp-class-identifier "100008,0001,,pfsense";
}

The whole set up took me around 100h with testing and setting up, so its made with love and they do everything you will never use a pfsense or any other router which is not from them.
Nobody knows why and it would be better for Switzerland if you teach Swisscom how they need to set up the network. Make and keep it simple. This is also the reason why will go offline in the future and nobody can fix it :D.

A friend will ask a friend tomorrow from the networking core team maybe I get an answer.