Hundreds of DHCP Requests?
-
That's what I was thinking. Couldn't this be slowing everything down because of the frequency?
-
I'm now seeing this:
Interface: WAN
Source: 10.14.0.1
Destination: 224.0.0.1
Protocol: IGMP
They show up about once a minute.
-
I'm now seeing this:
Interface: WAN
Source: 10.14.0.1
Destination: 224.0.0.1
Protocol: IGMP
They show up about once a minute.
I get that too, it's my modem, but I don't get the dhcp stuff :) I would log in to the modem and see what's going on in there if you still get the dhcp requests.
-
I can't log in to the modem because it's the ISP's.
-
Anyone else have any idea what could be going on? Also, do I have DNS set up correctly since our DNS server is our Windows server? I have the check box unchecked that "allow DNS server list to be overridden by DHCP/PPP on WAN" and I have DNS Forwarders disabled.
-
What sort of Internet link do you have? xDSL? Cable?
My understanding is that cable is a broadcast medium meaning you could be seeing traffic from your neighbours.
You could reduce the overhead of logging those DHCP requests by adding a specific firewall rule to ignore DHCP requests on WAN.
Also, do I have DNS set up correctly since our DNS server is our Windows server? I have the check box unchecked that "allow DNS server list to be overridden by DHCP/PPP on WAN" and I have DNS Forwarders disabled.
That looks right. Have you checked on a DHCP client?
-
Well normally you would not see those packets in the firewall log because they would be allowed by the built in rules when set for dhcp on wan.. I would assume.
allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
Not installing DHCP server firewall rules for WAN which is configured for DHCP.
But since you're static these rules might be created? You can look in /tmp/rules.debug for all the rules being used.
Either should not be logged I wouldn't think because there is going to be a lot of dhcp noise on a public internet connection quite often.. I for example see quite a bit of it just doing a capture - but none of it shows up in log
14:26:26.293869 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:26.316969 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:38.867621 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:42.708549 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:47.730643 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
That's 5 in 21 seconds or roughly 1 every 4 seconds which is double what you say you're seeing ;)
Now I would assume 96.120.27.233 is my isp dhcp server - but it's quite possible for your isp to be using a private IP for their dhcp server as well. Now since you're static it's hard to see where you get your lease from. But if you can use dhcp you could then look in your leases file. You should be able to find it in /var/db you should see dhclient.leases.em1 with em1 being whatever your wan interface is.
Now in my lease I show
option dhcp-server-identifier 69.252.202.7;
And when I look at some of those packets I capture I can see that yes in fact that is my isp dhcp server relay at 96.120 - see attached. And it's acks to fellow isp users on my same network.. So seeing dhcp packets on your wan interface is quite normal.
The odd part is why are they being logged in your firewall rules? Are you blocking private, this could be logging them since it's coming from a private IP. Take a look at some of the packets to satisfy your curiosity to what they are exactly.. Once you realize it's just common internet noise prob redo your firewall rules not to log such noise. Same sort of thing would go for your IGMP packets you're seeing.. You're going to see quite a bit of that noise on the internet.. Normally shouldn't be logging it.
Or as mentioned it could be coming from your modem, again it would just be noise that you shouldn't be logging.. As stated take a look to see what it is via your fav analyzer, wireshark is FREE and works great for this sort of thing.
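One way to put numbers on a capture like the one quoted in the post above, as an added example that is not part of the original post: the script parses tcpdump text lines in the format shown, keeps only DHCP traffic (UDP 67/68), and reports packet count, time span and rate per source. The function names and the report layout are assumptions made for this example, and it assumes the capture does not cross midnight.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five capture lines quoted in the post above (tcpdump text output on WAN).
SAMPLE = """\
14:26:26.293869 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:26.316969 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
14:26:38.867621 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:42.708549 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 304
14:26:47.730643 IP 96.120.27.233.67 > 255.255.255.255.68: UDP, length 300
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length \d+"
)

def classify(sport, dport):
    """Return the DHCP direction for a UDP port pair, or None if not DHCP."""
    if (sport, dport) == (67, 68):
        return "server-to-client"   # replies from a DHCP server or relay
    if (sport, dport) == (68, 67):
        return "client-to-server"   # requests from DHCP clients
    return None

def summarize(text):
    """Group DHCP packets by (src, dst, direction) and compute their rate."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        kind = classify(int(m["sport"]), int(m["dport"])) if m else None
        if kind is None:
            continue                # not a parseable DHCP line
        stamp = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        groups[(m["src"], m["dst"], kind)].append(stamp)
    report = {}
    for key, stamps in groups.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        report[key] = {
            "packets": len(stamps),
            "span_s": round(span, 3),
            "broadcast": key[1] == "255.255.255.255",
            "per_min": round(len(stamps) / span * 60, 1) if span else None,
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```

A single source sending broadcast server-to-client replies at a steady rate is the pattern the post describes as an ISP relay answering other subscribers on the same segment.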
-
Thanks for the replies. It's a cable modem.
The only thing that is logging right now is the default block bogon networks. I don't have block private networks on. I don't have anything else logged. I don't want to turn DHCP on in WAN because we have a website hosted internally and need the IP to be static. As long as everything works ok, I'm fine with it, it's just alarming how frequent it is which also varies, sometimes I get two or three a second.
Good call on wireshark, I'll give that a shot. Thanks!
-
And how many users do you think are on the same segment as you? I am on cable and the broadcast domain is a /21, that's what 2046 possible boxes asking for IPs, renewing IPs - and I wouldn't put it past them to be broadcasting to more than the /21
And what is the lease time? Then people rebooting, connecting different devices, how many have actual pc connected - now you could be seeing applications ask for dhcp info, wpad, etc.
It's noise! Look at it with wireshark to satisfy you and then just put in a rule to not log it.
-
That's perfectly normal for any cable ISP.