Netgate Discussion Forum

2 bridged networks / DHCP problem

DHCP and DNS
  • H
    hchady
    last edited by Apr 25, 2007, 9:53 PM

    Hi,

    I am using pfSense to authenticate users on a wireless campus network (network 1) with DHCP / static map / deny unknown clients enabled (network used by staff only).

    On the campus there is another wireless network (network 2) that also uses a captive portal for authentication, with a separate RADIUS server. It also has its own independent DHCP server. (This network is an open network with some restrictions and everybody can use it: students, staff, etc.)

    On network 1, I have installed a transparent wireless bridge to bridge these 2 networks.

    When a registered client connects to network 1, it gets its lease from pfSense DHCP server 1... OK
    When an unknown client connects to network 1, it never gets a lease from the DHCP of network 2. If I disable pfSense DHCP, unknown clients can get their leases from DHCP 2.
    In the system log I see a DHCPREQUEST message: wrong network

    Normally I should not have this problem with 2 DHCP servers.
    So does anybody have an idea?

    N.B. I tried this setup 1 month ago and it was working correctly, and unknown clients got their leases from DHCP 2.

    Thanks
    • G
      gbenoit
      last edited by Apr 26, 2007, 3:49 PM

      Do you see DHCPDISCOVER requests on both DHCP servers?

      On my side, this is how it seems to work:

      1 - laptop makes a DHCPDISCOVER request
      2 - both DHCP servers send a DHCPOFFER
      3 - laptop makes a DHCPREQUEST with the first offered IP it received (let's say DHCP 1)
      4a - DHCP 1 confirms with a DHCPACK
      4b - DHCP 2 logs "unknown lease"

      So the laptop is connected through DHCP 1.

      Note: DHCP 2 says "unknown lease" and not "wrong network" because both are sharing the same IP network (but distributing only half of the network range).

      On which DHCP server do you see the "wrong network" message?
      • H
        hchady
        last edited by Apr 26, 2007, 4:15 PM

        On DHCP 1 (134.214.0.0/22) pfSense records these logs:

        Apr 26 18:10:23 dhcpd: DHCPDISCOVER from 00:90:96:20:98:2d via rl0: network 134.214.0/22: no free leases
        Apr 26 18:10:23 dhcpd: DHCPREQUEST for 134.214.232.32 (134.214.100.6) from 00:90:96:20:98:2d via rl0: wrong network.
        Apr 26 18:10:23 dhcpd: DHCPNAK on 134.214.232.32 to 00:90:96:20:98:2d via rl0
        Apr 26 18:10:24 dhcpd: DHCPDISCOVER from 00:90:96:20:98:2d via rl0: network 134.214.0/22: no free leases
        Apr 26 18:10:24 dhcpd: DHCPREQUEST for 134.214.232.32 (134.214.100.6) from 00:90:96:20:98:2d via rl0: wrong network.
        Apr 26 18:10:24 dhcpd: DHCPNAK on 134.214.232.32 to 00:90:96:20:98:2d via rl0

        I don't have access to the logs of DHCP 2 (134.214.100.6), but it seems that it offers the IP 134.214.232.32 to the client.
        If I restart or stop the pfSense DHCP, the client gets the IP 134.214.232.32 directly.

        Note that DHCP 1 cannot offer a lease to an unknown client because the deny unknown option is checked.

        So any idea?
        • G
          gbenoit
          last edited by Apr 26, 2007, 5:06 PM

          OK, maybe the DHCPNAK cancels the DHCPACK from the other DHCP server.

          As you're using public IPs, it may be difficult, but you could try extending the subnet of DHCP 1 (let's say from /22 to /16) to include the network of the second DHCP server in the same network as the first (same network, but still different ranges), in order to see whether getting only the "unknown lease" log instead of the DHCPNAK message solves the issue…

          Because a DHCPNAK is sent to the client, but "unknown lease" is only a log entry, and no message is sent back to the client.

          DHCPNAK is used to say to a laptop coming from another wifi network: "hey, your DHCP renew is not valid on this wifi LAN! You're no longer on your home wifi network"

          1 Reply Last reply Reply Quote 0
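An added example, not part of either post: a log check for the situation shown in hchady's dhcpd output and explained in gbenoit's reply, where the local dhcpd NAKs a client that is requesting a lease offered by a second DHCP server on the same bridged segment. The function name and the two trailing sample lines are constructed; the patterns assume the dhcpd log format quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# First six lines are the dhcpd log quoted in the thread; the last two
# (a normal in-subnet request and its ACK) are constructed for contrast.
SAMPLE_LOG = """\
Apr 26 18:10:23 dhcpd: DHCPDISCOVER from 00:90:96:20:98:2d via rl0: network 134.214.0/22: no free leases
Apr 26 18:10:23 dhcpd: DHCPREQUEST for 134.214.232.32 (134.214.100.6) from 00:90:96:20:98:2d via rl0: wrong network.
Apr 26 18:10:23 dhcpd: DHCPNAK on 134.214.232.32 to 00:90:96:20:98:2d via rl0
Apr 26 18:10:24 dhcpd: DHCPDISCOVER from 00:90:96:20:98:2d via rl0: network 134.214.0/22: no free leases
Apr 26 18:10:24 dhcpd: DHCPREQUEST for 134.214.232.32 (134.214.100.6) from 00:90:96:20:98:2d via rl0: wrong network.
Apr 26 18:10:24 dhcpd: DHCPNAK on 134.214.232.32 to 00:90:96:20:98:2d via rl0
Apr 26 18:11:02 dhcpd: DHCPREQUEST for 134.214.1.20 from 00:11:22:33:44:55 via rl0
Apr 26 18:11:02 dhcpd: DHCPACK on 134.214.1.20 to 00:11:22:33:44:55 via rl0
"""

# Assumed format: "DHCPREQUEST for <ip> (<server id>) from <mac> via <if>: <reason>"
REQUEST = re.compile(
    r"DHCPREQUEST for (?P<ip>[\d.]+)(?: \((?P<server>[\d.]+)\))? "
    r"from (?P<mac>[0-9A-Fa-f:]{17}) via [^\s:]+(?::\s*(?P<reason>.*))?$"
)
NAK = re.compile(r"DHCPNAK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]{17}) via \S+")


def find_nak_conflicts(log_text, local_subnet):
    """Return {(mac, requested_ip, other_server): nak_count} for clients that
    requested an address outside local_subnet and were NAKed by this dhcpd."""
    net = ipaddress.ip_network(local_subnet)
    pending = {}  # (mac, ip) -> server identifier seen in the REQUEST
    conflicts = defaultdict(int)
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            foreign = ipaddress.ip_address(m["ip"]) not in net
            if foreign and "wrong network" in (m["reason"] or ""):
                pending[(m["mac"], m["ip"])] = m["server"] or "unknown"
            continue
        m = NAK.search(line)
        if m and (m["mac"], m["ip"]) in pending:
            server = pending.pop((m["mac"], m["ip"]))
            conflicts[(m["mac"], m["ip"], server)] += 1
    return dict(conflicts)


if __name__ == "__main__":
    for (mac, ip, srv), n in find_nak_conflicts(SAMPLE_LOG, "134.214.0.0/22").items():
        print(f"{mac} requested {ip} (server {srv}), NAKed {n}x by local dhcpd")
```

The server address reported for each conflict is the quickest way to identify the second DHCP server answering on the segment.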
          • H
            hchady
            last edited by Apr 26, 2007, 5:10 PM

            I think that it is something related to the dhcp-authoritative option, which is maybe not enabled on DHCP 2 (Windows 2K3 server).
            • G
              gbenoit
              last edited by Apr 26, 2007, 5:30 PM

              And I still think it might be a DHCPNAK issue :D
              • H
                hchady
                last edited by Apr 26, 2007, 5:54 PM

                hmmm !! ok

                • H
                  hchady
                  last edited by May 2, 2007, 11:16 AM

                  Is there a solution for this?
                  • J
                    jeroen234
                    last edited by May 3, 2007, 7:17 AM

                    Using only 1 DHCP server.
                    • G
                      gbenoit
                      last edited by May 3, 2007, 8:49 AM

                      Map the wireless LANs onto different VLANs, or try to share the same network, with DHCP distributing on 2 different ranges.
                      • H
                        hchady
                        last edited by May 3, 2007, 11:40 AM

                        The problem is that I have 2 different servers for authentication, and a captive portal on each network,
                        so is there a way to let the user choose between the servers, or the domain?

                        i.e. is there a way to have local authentication and RADIUS or NT domain (or LDAP) authentication on the same captive portal page?
                        That way each user can choose his domain.
                        • H
                          hoba
                          last edited by May 3, 2007, 1:27 PM

                          No. Maybe you can try to simplify your setup a bit. It seems to be rather complex.