DHCP problem
-
I see the same thing - my ISP insists on having 300s leases which means that the lease must be renewed already after 150s.
When I sniff the DHCP packages I notice that the "SENDING DIRECT" does not originate from port 68 like the normal broadcast. However my ISP's DHCP server does answer the DIRECT renewal but the FW does not seem to pick it up and it falls back to broadcast after 7 attempts of direct. When it broadcasts I sometimes lose 3s of communication :-( and now the problem starts as my wife gets 3s dropouts on the sip phone :-).
How can I verify if the FW picks up the direct reply? I see in the log
dhclient[41748]: DHCPREQUEST on vr0 to 255.255.255.255 port 67
May 20 23:39:39 dhclient[41748]: DHCPACK from 79.142.231.1
May 20 23:39:39 dhclient[41748]: bound to 79.142.231.106 – renewal in 150 seconds.
May 20 23:42:09 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:09 dhclient[41748]: SENDING DIRECT
May 20 23:42:17 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:17 dhclient[41748]: SENDING DIRECT
May 20 23:42:28 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:28 dhclient[41748]: SENDING DIRECT
May 20 23:42:35 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:35 dhclient[41748]: SENDING DIRECT
May 20 23:42:57 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:57 dhclient[41748]: SENDING DIRECT
May 20 23:43:20 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:43:20 dhclient[41748]: SENDING DIRECT
May 20 23:43:56 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:43:56 dhclient[41748]: SENDING DIRECT
May 20 23:44:40 dhclient[41748]: DHCPDISCOVER on vr0 to 255.255.255.255 port 67 interval 8
May 20 23:44:40 dhclient[41748]: DHCPOFFER from 79.142.231.1
May 20 23:44:42 dhclient[41748]: DHCPREQUEST on vr0 to 255.255.255.255 port 67
May 20 23:44:42 dhclient[41748]: DHCPACK from 79.142.231.1
May 20 23:44:42 dhclient[41748]: bound to 79.142.231.106 – renewal in 150 seconds.
May 20 23:44:47 check_reload_status: rc.newwanip starting
May 20 23:44:49 php: : Informational: rc.newwanip is starting .
May 20 23:44:49 php: : rc.newwanip working with (IP address: 79.142.231.106) (interface: wan) (interface real: vr0).
May 20 23:47:12 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:47:12 dhclient[41748]: SENDING DIRECT
May 20 23:47:19 dhclient[41748]: DHCPREQUEST on vr0
Is there anything wrong with my rules? Do I explicitly need to allow the incoming reply?
Thanks
Claus
-
Is there anything wrong with my rules? Do I explicitly need to allow the incoming reply?
If you see the DHCP reply in your sniffer I suggest you run a packet trace on your WAN interface to verify it's being correctly received. Then see if the DHCP reply matches any of the firewall rules on your WAN. If so, you will need to add a rule to allow those replies. You could also look in the firewall log (Status -> System Logs, click on Firewall tab) to see if the firewall is dropping them with logging, but this is not conclusive because the firewall might be dropping them without logging.
-
What would the above log look like if ok ?
Something like
DHCPREQUEST on vr0 to 255.255.255.255 port 67
DHCPACK from 79.142.231.1
bound to 79.142.231.106 -- renewal in 150 seconds.
DHCPREQUEST on vr0 to 79.142.231.1 port 67
SENDING DIRECT
bound to 79.142.231.106 -- renewal in 150 seconds.
repeat above 3 every 150s
???
-
Sorry, I don't have a record of dhclient extending a lease in my system logs, but I would guess it would look something like what you provided. (My WAN link has its IP address provided by DHCP.)
-
Reading initial post I guess it should look like
Jan 31 00:07:32 dhclient[48305]: DHCPREQUEST on dc0 to 10.0.0.254 port 67
Jan 31 00:07:32 dhclient[48305]: SENDING DIRECT
Jan 31 00:07:32 dhclient[48305]: DHCPACK from 75.20.148.1
Jan 31 00:07:32 dhclient[48305]: bound to 75.20.151.141 -- renewal in 300 seconds.
and I do not get the ACK meaning that my FW does not recognize the ACK even though I can see it on the wire.
Any Ideas ?
-
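Added example, not part of the original thread: a small Python check that walks dhclient syslog lines like the ones quoted above and reports unicast renewals that never got a DHCPACK before the client went back to broadcast. The sample log is constructed from lines in this thread (the final ACKed unicast renewal is constructed to show the healthy case), and the function name is hypothetical.

```python
import re

BROADCAST = "255.255.255.255"
# Constructed sample modelled on the dhclient lines quoted in this thread.
SAMPLE_LOG = """\
May 20 23:39:39 dhclient[41748]: DHCPREQUEST on vr0 to 255.255.255.255 port 67
May 20 23:39:39 dhclient[41748]: DHCPACK from 79.142.231.1
May 20 23:42:09 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:09 dhclient[41748]: SENDING DIRECT
May 20 23:42:17 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:17 dhclient[41748]: SENDING DIRECT
May 20 23:42:28 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:42:28 dhclient[41748]: SENDING DIRECT
May 20 23:44:40 dhclient[41748]: DHCPDISCOVER on vr0 to 255.255.255.255 port 67 interval 8
May 20 23:44:40 dhclient[41748]: DHCPOFFER from 79.142.231.1
May 20 23:44:42 dhclient[41748]: DHCPREQUEST on vr0 to 255.255.255.255 port 67
May 20 23:44:42 dhclient[41748]: DHCPACK from 79.142.231.1
May 20 23:44:42 dhclient[41748]: bound to 79.142.231.106 -- renewal in 150 seconds.
May 20 23:47:12 dhclient[41748]: DHCPREQUEST on vr0 to 79.142.231.1 port 67
May 20 23:47:12 dhclient[41748]: DHCPACK from 79.142.231.1
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) dhclient\[\d+\]: "
    r"(?P<msg>DHCP(?:REQUEST|DISCOVER) on \S+ to (?P<dst>[\d.]+) port 67|DHCPACK from \S+)"
)

def find_failed_renewals(log_text):
    """Return (ok, failures): unicast renewals that were ACKed, and those that
    got no DHCPACK before dhclient went back to broadcast."""
    ok, failures = 0, []
    pending = None  # unicast renewal in progress
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # SENDING DIRECT, DHCPOFFER, bound, rc.newwanip: no state change
        if m["msg"].startswith("DHCPACK"):
            ok += 1 if pending else 0
            pending = None
        elif m["dst"] == BROADCAST:
            if pending:  # renewal gave up and fell back to broadcast
                failures.append({**pending, "fallback": m["ts"]})
            pending = None
        else:  # DHCPREQUEST sent to the server's unicast address
            pending = pending or {"server": m["dst"], "first": m["ts"], "attempts": 0}
            pending["attempts"] += 1
    return ok, failures

if __name__ == "__main__":
    print(find_failed_renewals(SAMPLE_LOG))
```

Unicast requests are recognised by their destination address rather than by the "SENDING DIRECT" line, so the check works on logs from clients that do not print that line; it assumes the lines are in chronological order.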
-
Certainly not :-)
But I did look into the logs and see that the FW does not recognize the direct dhcp ack.
I also checked the fw log and I see no drops (all my rules are logging including the default drop).
And I tried to allow anything from my DHCP server on the WAN interface. But I still see the issue.
I tried to configure a CISCO 806 with ip address dhcp and it works like a charm. So problem must be that pfSense does not recognize the ack on the direct renew…
Is that a pfSense issue or an issue in the underlying FreeBSD?
Thanks
Claus
-
Looks like this is the same issue
http://forum.pfsense.org/index.php?topic=19149.0;wap2
-
GOT IT:
There is an error in the FreeBSD implementation of dhclient. If I substitute the 70 dhclient with the 80 ditto the protocol runs smoothly
arc01fw03:/var# ./dhclient -d sis3
DHCPREQUEST on sis3 to 255.255.255.255 port 67
DHCPACK from 79.142.231.1
bound to 79.142.231.106 – renewal in 150 seconds.
DHCPREQUEST on sis3 to 79.142.231.1 port 67
DHCPACK from 79.142.231.1
bound to 79.142.231.106 -- renewal in 150 seconds.
-
I don't understand what you mean by the 70 dhclient. Would you please explain?
-
I mean the /sbin/dhclient executable which runs the dhcp client logic.
If I replace this executable (which is based on FreeBSD 7.0 for pfSense 1.2.2) with the FreeBSD 8.0 executable it works as my previous post indicates. As of now the 8.0 dhclient has renewed successfully without broadcast for 8h :-)
So now I just need to find out how to replace dhclient in /sbin which is R/O on my CFCARD. Right now I killed the /sbin/dhclient and run the 8.0 version out of /var on the pfSense command line.
Thanks
-
Understood, thanks.
Have you tried pfSense 1.2.3, which is rather more up to date than pfSense 1.2.2?
-
Actually I'm awaiting 2.0 but maybe this was a wrong strategy.
Also found http://www.pubbs.net/200902/freebsd/23740-dhclient-cant-renew-lease.html which suggests replacing the 7.0 dhclient with the 7.1 counterpart.
Is 1.2.3 FreeBSD 7.1 based ?
-
pfSense 1.2.3 is based on FreeBSD 7.2
-
I just installed 1.2.3 Nano 2G image on my CFCard and except for problems assigning interfaces to WAN and LAN and LAN IP address using the console (it ignored my input :-/) I managed to restore my configuration by assigning IP 192.168.1.2 to my own machine.
Now everything - including dhcp - seems to be fine :-)
Thanks for the input !!
Claus
-
UPDATE:
Upgrading to 1.2.3 was not enough to remove the failures renewing directly.
However substituting the /sbin/dhclient with the dhclient from FreeBSD 8.0 did the trick.
Thanks
Claus
-
Anyone have a copy of dhclient from 8.0 that they'd be willing to send me?
Thanks in advance, and much kudos to cb831!
edit: I got impatient so I downloaded the 220MB iso to extract the 77K file ;)
It appears to be working, I'm now getting:
Aug 16 17:30:35 dhclient[63382]: bound to 99.99.207.xxx – renewal in 300 seconds.
Aug 16 17:30:35 dhclient[63382]: DHCPACK from 99.99.206.xxx
Aug 16 17:30:35 dhclient[63382]: DHCPREQUEST on vlan0 to 10.0.0.1 port 67
Instead of:
Aug 16 17:11:03 dhclient[18353]: bound to 99.99.207.xxx – renewal in 300 seconds.
Aug 16 17:11:03 dhclient[18353]: DHCPACK from 99.99.206.xxx
Aug 16 17:11:03 dhclient[18353]: SENDING DIRECT
Aug 16 17:11:03 dhclient[18353]: DHCPREQUEST on vlan0 to 10.0.0.1 port 67
Hopefully it won't be dropping now.