DHCP not working / self-assigned IP address
-
In the web GUI: Status -> System logs, click on the DHCP tab, should show entries like: DHCPREQUEST … from <mac address="" of="" your="" laptop's="" nic=""> via <pfsense lan="" interface="" name="">followed by a DHCPOFFER.</pfsense></mac>
no, nothing showed up in the log. there were entries in it but, since the time has not been synced, i wasn't sure when they occurred. so, i cleared the log and tried replugging in my laptop to the LAN port on the first pfsense box. after my laptop obtained the 'self-assigned address', i manually assigned it a 172 IP, and refreshed the DHCP log in pfsense. there were no events logged.
On your laptop, if your give the shell command tcpdump -i eth0 you should see the DHCP requests and responses.
here is the output of that command. i started the command, then plugged in the cable, then killed the command shortly after obtaining the self-assigned address.
-
Do you have DHCP server enabled on the pfSense LAN interface? Does the pfSense LAN interface have a static IP address?
The tcpdump output you posted shows a number of DHCP requests with no response (e.g. 20:15:27.264460 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 08:00:46:e4:a9:3e (oui Unknown), length 300)
It also shows a number of ARP requests for 172.17.67.3 with no response. This suggests that 172.17.67.3 is not connected to your laptop. Is 172.17.67.3 the IP address of the pfSense LAN interface? If not, what has IP address 172.17.67.3 and why is your laptop trying to talk with it?
You seem to have tried a number of different configurations and its now not clear to me what is what. I suggest you work with:
pfSense LAN IP: 192.168.1.x/24 with DHCP server enabled and a DHCP address range from 192.168.1.x/24
pfSense LAN NIC connected to switch connected to laptop. (Its not certain that straight through cables will work without the switch so use a switch to reduce the unknowns.)
Restart pfSense. On pfSense console start a trace: tcpdump -i re0 -port 67 (where you will have to replace re0 by the system name of your LAN interface, it will be something like re0 or vr0 or vr1 or …)
THEN restart laptop. If laptop doesn't get IP address from pfSense take a look at the pfSense console. You should see a DHCP request like the one above and a response. If you don't see that then check the pfSense interface is UP and RUNNING and check you have the switch plugged into the correct port on the pfSense box. -
172.17.67.3 is the address for the second pfsense box, the backup. it is connected to the first pfsense box, 172.17.67.2, via OPT1 interface.
i guess i'll verify the DHCP server is enabled and try your other suggestions when i go back to the datacenter :\ i had the LAN interface on both pfsense boxes plugged into the switch, which is where all of the computers are plugged into but, when i ran that tcpdump command, it was picking up traffic from the other computers so, i just plugged my laptop directly into the LAN interface on the first pfsense box.
-
172.17.67.3 is the address for the second pfsense box, the backup. it is connected to the first pfsense box, 172.17.67.2, via OPT1 interface.
Then I suspect that you plugged the laptop into the OPT1 interface (which would explain why there was no response to the ARP who-has 172.17.67.3 from 172.167.67.2 and no DHCP response). Note that the default firewall rules block access from OPT1 - hence your laptop wouldn't be able to access the internet if it was plugged into OPT1 (unless you deliberately created firewall rules to allow that).
Since you don't seem to be able to use the second pfSense box at present, why not remove it so you have a basic configuration which should be easier to get working. Then when you get a bit more experience and confidence and the additional equipment you can go on to bigger things.
-
If you have DHCP failover configured (check the failover peer IP address) and DHCP can't reach its failover peer, it does not hand out addresses. It may be that you are hitting this.
-
172.17.67.3 is the address for the second pfsense box, the backup. it is connected to the first pfsense box, 172.17.67.2, via OPT1 interface.
Then I suspect that you plugged the laptop into the OPT1 interface
i definately plugged into the LAN interface.
Since you don't seem to be able to use the second pfSense box at present, why not remove it so you have a basic configuration which should be easier to get working. Then when you get a bit more experience and confidence and the additional equipment you can go on to bigger things.
That's true, but the pfsense boxes came configured like this from Netgate. i guess i can look into resetting them back to defaults or something, but i'm sure that'll just open up another can of worms for me ;)
I will check on the other things tonight, if possible, at the datacenter.
-
That's true, but the pfsense boxes came configured like this from Netgate. i guess i can look into resetting them back to defaults or something, but i'm sure that'll just open up another can of worms for me ;)
I will check on the other things tonight, if possible, at the datacenter.
…and I'm the one who made their embedded images they put on those devices ;)
If you have a switch on LAN and both units are plugged into LAN, it should start to work. Otherwise, disable DHCP failover.
-
If you have a switch on LAN and both units are plugged into LAN, it should start to work. Otherwise, disable DHCP failover.
yes, that's what i did to begin with.
the two units are connected to each other via the OPT1 interfaces, the two LAN interfaces are plugged into the same switch, and my laptop and the other computers are plugged into the switch as well. our single uplink is plugged into the WAN interface on the first (master) pfsense box. i can access the webgui of the master pfsense by using 172.17.67.2 and i can access the webgui of the backup by using 172.17.67.3, and when i use 172.17.67.1 it goes to the master. i'm pretty sure the failover IP in the DHCP settings was set to 172.17.67.3, maybe it should be 172.17.67.1?
-
No, the failover IP in DHCP should point to the real LAN IP of the other box. So on the main unit, it points to the LAN IP of the backup, and vice versa.
If you go to Status > DHCP Leases, what does the failover status at the top show?
-
i made sure that the DHCP server settings matched on each unit, save for the "failover IP", which was set to 172.17.67.3 on the master (172.17.67.2) and 172.17.67.2 on the backup (172.17.67.3). in the DHCP leases, this is what i saw:
Diagnostics: DHCP leases Failover Group My State Since Peer State Since "dhcp0" recover 2000/09/19 16:19:48 unknown-state 2000/09/19 16:19:48DHCP still wasn't working. when i removed the failover IP settings from both units, DHCP started working, but both units were separately handing out leases…..
-
Hmm, that definitely is the problem then.
But with the failover IPs set appropriately and both units seeing each other on LAN IPs, it should have been working. Can you ping the LAN IP of each box from the other?
Did the CARP IP on LAN show up as MASTER/BACKUP properly?
-
Did the CARP IP on LAN show up as MASTER/BACKUP properly?
What do you mean by this, where do i check it?
I will try using the "ping host" option from the console for you when i get back to the datacenter…
-
Status > CARP.
-
i was able to ping the backup from the master, and vice-versa.
CARP status on 172.17.67.2:
Carp Interface Virtual IP Status carp0 172.17.67.1 MASTER pfSync nodes: 1a0b57df 2203c3b2 2e13f44eCARP status on 172.17.67.3:
Carp Interface Virtual IP Status carp0 172.17.67.1 BACKUP pfSync nodes: 3196ee34 ce7021a3 -
What do your LAN rules look like on both boxes?
Anything in the DHCP tab of the system logs on either side?
-
What do your LAN rules look like on both boxes?
according to my config files:
<rule><type>pass</type> <descr>Default LAN -> any</descr> <interface>lan</interface> <source> <network>lan</network> <destination><any></any></destination></rule>after looking through the config files, i noticed this:
<interfaces>[...] <opt1><descr>Sync</descr> <if>vr2</if> <bridge><enable><ipaddr>192.168.2.2</ipaddr> <subnet>24</subnet> <gateway><spoofmac></spoofmac></gateway></enable></bridge></opt1></interfaces>likewise, the backup has 192.168.2.3 in it. should those be addresses in my 172.17.67.0/24 subnet? should they be unique, like 172.17.67.4 and .5, or should they match the LAN IP address of each unit?
-
LAN rule should be fine then…
As for the other part, that's the sync interface, which needs its own subnet.
The DHCP traffic doesn't use the sync interface, it stays completely on LAN.
-
I restored the configurations you sent me onto a pair of VMs and my DHCP worked OK. I pulled an IP, and the status was normal. So it's not making a whole lot of sense why it isn't working for you as-is. I still have a couple more things to test though.
What kind of a switch do you have on LAN? Was anything else plugged into it besides the netgate boxes and your laptop?
-
What kind of a switch do you have on LAN? Was anything else plugged into it besides the netgate boxes and your laptop?
The switch is a Cisco SGE2000. Two other servers and their LOM interfaces are plugged into the switch…. so, 7 ports are being used on the switch if you count my laptop.
-
I just made a VM CARP pair with NanoBSD images and restored your configuration there and it also worked. (My previous test was with full install VMs)
Is there something on the switch that might be impairing DHCP? Can you try a cheap "dumb" switch (non-managed) temporarily to see if it behaves differently? The servers aren't trying to also be DHCP servers, are they?
In every case I tried, I was able to pull an IP, and when I checked the DHCP leases, the failover status on both was "normal".
