DHCP from wrong interface
-
I have a setup with 2 LAN-type interfaces, LAN and OPT1. Each is connected to a separate bank of switches. The LAN side DHCP server is set up to provide addresses in the 192.168.187.0/24 subnet and the OPT1 interface has a DHCP server that distributes addresses in the 192.168.189.0/24 subnet. There is no physical interconnection between the networks (one is for PCs and the other is for IP phones). This has worked without issue for 6 or more months; however, recently a couple of users have had problems and I found this was because they had an IP address in the 189 subnet rather than the 187 subnet. I thought that someone had made some type of interconnect but cannot find anything. I see the following in the log:
Aug 20 15:38:19 dhcpd DHCPDISCOVER from 3c:97:0e:bb:27:8e via igb1
Aug 20 15:38:19 dhcpd DHCPDISCOVER from 3c:97:0e:bb:27:8e via igb3
Aug 20 15:38:20 dhcpd DHCPOFFER on 192.168.187.12 to 3c:97:0e:bb:27:8e (xxxx) via igb1
Aug 20 15:38:20 dhcpd DHCPOFFER on 192.168.189.101 to 3c:97:0e:bb:27:8e (xxxx) via igb3
Aug 20 15:38:20 dhcpd DHCPREQUEST for 192.168.187.12 (192.168.187.254) from 3c:97:0e:bb:27:8e (xxxxx) via igb3: wrong network.
Aug 20 15:38:20 dhcpd DHCPNAK on 192.168.187.12 to 3c:97:0e:bb:27:8e via igb3
Aug 20 15:38:20 dhcpd DHCPREQUEST for 192.168.187.12 (192.168.187.254) from 3c:97:0e:bb:27:8e (xxxxx) via igb1
Aug 20 15:38:20 dhcpd DHCPACK on 192.168.187.12 to 3c:97:0e:bb:27:8e (xxxxx) via igb1
Aug 20 15:38:20 dhcpd DHCPDISCOVER from 3c:97:0e:bb:27:8e (xxxxx) via igb3
Aug 20 15:38:20 dhcpd DHCPOFFER on 192.168.189.101 to 3c:97:0e:bb:27:8e (xxxx) via igb3
reply with unaltered, existing lease for 192.168.189.24
It looks as if the DHCP servers are both offering addresses on the LAN side of the network. Both DHCP servers are set up with the defaults and with a /24 subnet. Any thoughts on what can be causing this behavior?
-
@kitdavis said in DHCP from wrong interface:
Aug 20 15:38:19 dhcpd DHCPDISCOVER from 3c:97:0e:bb:27:8e via igb1
Aug 20 15:38:19 dhcpd DHCPDISCOVER from 3c:97:0e:bb:27:8e via igb3
Clearly that is WRONG... you are seeing discover on both interfaces. This points to a cross connection between your physical networks.
-
That is what I thought and was afraid of... I went through all of the switches and connections in the rack and there is no cross connect. I wanted to verify that there was no problem in pfsense that would create this behavior. Obviously some user somewhere in the building has come up with an "innovative" approach to plugging in a device. This means I now need to go office to office looking for the culprit...
-
Definitely sounds like a cross-connect between switches, probably at a user's desk location.
Also, I read that one of those networks/interfaces was exclusively for IP-based phones. If you're in luck, those phones probably have the same starting MAC address (e.g., first 6 characters) if they are from the same manufacturer. If so, you can try using the MAC address restrictions in the DHCP server settings to only issue IPs to phones. IIRC, the setting is called "MAC address control" under /services_dhcp.php.
-
@kitdavis said in DHCP from wrong interface:
That is what I thought and was afraid of... I went through all of the switches and connections in the rack and there is no cross connect. I wanted to verify that there was no problem in pfsense that would create this behavior. Obviously some user somewhere in the building has come up with an "innovative" approach to plugging in a device. This means I now need to go office to office looking for the culprit...
What switches & VOIP phones do you use?
-
What switches do you have? Can you not track down which interface a MAC is connected to? If the switches are smart/managed you should be able to use, say, the above example MAC and track down where your cross connection is happening.
-
@kitdavis said in DHCP from wrong interface:
3c:97:0e
3c:97:0e = Wistron InfoComm(Kunshan)Co.,Ltd.
https://www.wireshark.org/tools/oui-lookup.html
Not that it helps; looks like Wistron are an OEM.
-
@kitdavis said in DHCP from wrong interface:
3c:97:0e:bb:27:8e
I wonder if you'll see anything in the DHCP packet if you do a packet capture and view it in wireshark.
tcpdump -i igb1 -w capture.pcap ether host 3c:97:0e:bb:27:8e and port 67
tcpdump -i igb1 -vvv ether host 3c:97:0e:bb:27:8e and port 67
-
Yeah in that case if you have decent switches you can do something like:
show mac-address VLAN XXX
or
show mac-address | inc 3c:97:0e
and see what ports the switch thinks that MAC address is on and maybe find it. Might need to run it on multiple switches. Or something of that nature.
-
Thanks for all of the suggestions - I looked at the mac addresses attached to all of the switches yesterday and didn't find the culprit. It is intermittent -- it happened to two users late last week and then again yesterday. (and I am pretty sure it happened twice before that - but wasn't recognized for the problem it is) I suspect it is some portable device that someone brings to the office and plugs in for a period of time. As long as nothing requests a new address things keep working. Hopefully the next time it happens I'll be in the area and can do some packet captures for some additional information.