Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    HELP! Seemingly bizarre dhclient behavior on WAN

    2.4 Development Snapshots
    9
    29
    4662
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Phil.Scarr last edited by

      The event I reported previously where the dhclient seemed to lose its mind happened again so I went and snatched the dhclient logs.  What's really strange is that there appears to be a DHCP offer on the WAN side for a 192.168.100.1 DHCP server.  There is no such server that I'm aware of, unless that's my cable modem…

      So you can see the reboot last night in blue, then the binding to the correct DHCP server from Charter but this this morning, this very strange interraction with a DHCP server on 192.168.100.1 in red.

      Jan 15 19:54:23 dhclient REBOOT
      Jan 15 19:54:24 dhclient 8638 bound to 96.42.26.125 – renewal in 9974 seconds.
      Jan 15 22:40:36 dhclient Creating resolv.conf
      Jan 15 22:40:36 dhclient RENEW
      Jan 16 02:40:36 dhclient Creating resolv.conf
      Jan 16 02:40:36 dhclient RENEW
      Jan 16 06:40:36 dhclient Creating resolv.conf
      Jan 16 06:40:36 dhclient RENEW
      Jan 16 07:24:28 dhclient 9468 exiting.
      Jan 16 07:24:28 dhclient 9468 connection closed
      Jan 16 07:24:50 dhclient PREINIT
      Jan 16 07:24:51 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:24:52 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:24:54 dhclient 91520 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 1
      Jan 16 07:24:54 dhclient 91520 DHCPNAK from 192.168.100.1  <–---  WTF is this???
      Jan 16 07:24:54 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:24:55 dhclient 91520 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 2
      Jan 16 07:24:56 dhclient 91520 DHCPOFFER already seen.
      Jan 16 07:24:56 dhclient 91520 DHCPOFFER from 192.168.100.1
      Jan 16 07:24:56 dhclient ARPSEND
      Jan 16 07:24:56 dhclient 91520 DHCPOFFER from 192.168.100.1
      Jan 16 07:24:58 dhclient 91520 bound to 192.168.100.10 – renewal in 30 seconds.
      Jan 16 07:24:58 dhclient Creating resolv.conf
      Jan 16 07:24:58 dhclient /sbin/route add default 192.168.100.1
      Jan 16 07:24:58 dhclient Adding new routes to interface: cpsw0
      Jan 16 07:24:58 dhclient New Routers (cpsw0): 192.168.100.1
      Jan 16 07:24:58 dhclient New Broadcast Address (cpsw0): 192.168.100.255
      Jan 16 07:24:58 dhclient New Subnet Mask (cpsw0): 255.255.255.0
      Jan 16 07:24:58 dhclient New IP Address (cpsw0): 192.168.100.10  <–--- And now this is the WAN IP
      Jan 16 07:24:58 dhclient ifconfig cpsw0 inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255
      Jan 16 07:24:58 dhclient Starting add_new_address()
      Jan 16 07:24:58 dhclient BOUND
      Jan 16 07:24:58 dhclient 91520 DHCPACK from 192.168.100.1
      Jan 16 07:24:58 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:24:58 dhclient ARPCHECK
      Jan 16 07:25:28 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:30 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:32 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:35 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:41 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:49 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
      Jan 16 07:25:55 dhclient 92599 exiting.
      Jan 16 07:25:55 dhclient 92599 connection closed
      Jan 16 07:25:57 dhclient 28540 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:25:57 dhclient PREINIT
      Jan 16 07:25:59 dhclient ARPSEND
      Jan 16 07:25:59 dhclient 28540 DHCPOFFER from 96.42.26.1 <–--- This is the right DHCP server
      Jan 16 07:25:59 dhclient 28540 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 1
      Jan 16 07:25:59 dhclient PREINIT
      Jan 16 07:25:59 dhclient Deleting old routes
      Jan 16 07:25:59 dhclient EXPIRE
      Jan 16 07:26:01 dhclient BOUND
      Jan 16 07:26:01 dhclient 28540 DHCPACK from 96.42.26.1
      Jan 16 07:26:01 dhclient 28540 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
      Jan 16 07:26:01 dhclient ARPCHECK
      Jan 16 07:26:02 dhclient ifconfig cpsw0 inet 96.42.26.125 netmask 255.255.254.0 broadcast 255.255.255.255
      Jan 16 07:26:02 dhclient Starting add_new_address()
      Jan 16 07:26:02 dhclient Deleting old routes
      Jan 16 07:26:03 dhclient New Broadcast Address (cpsw0): 255.255.255.255
      Jan 16 07:26:03 dhclient New Subnet Mask (cpsw0): 255.255.254.0
      Jan 16 07:26:03 dhclient New IP Address (cpsw0): 96.42.26.125  <–--- And this is the right address
      Jan 16 07:26:04 dhclient Creating resolv.conf
      Jan 16 07:26:04 dhclient /sbin/route add default 96.42.26.1
      Jan 16 07:26:04 dhclient Adding new routes to interface: cpsw0
      Jan 16 07:26:04 dhclient New Routers (cpsw0): 96.42.26.1
      Jan 16 07:26:05 dhclient 28540 bound to 96.42.26.125 – renewal in 13037 seconds

      Can someone help me understand WTF is going on here?  Is my cable modem offering up an address it shouldn't?  Where is that 192.168.100.1 server coming from?  Any help debugging this would be greatly appreciated.  When it happens, the internet connection drops until it recovers.  Where should I look next?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis last edited by

        In the interface settings, try "Reject leases from" to reject any leases offered from that address. Some upstream devices can do that sort of thing.


        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • P
          Phil.Scarr last edited by

          @phil.davis:

          In the interface settings, try "Reject leases from" to reject any leases offered from that address. Some upstream devices can do that sort of thing.

          Awesome, thanks.  I'll let you know if that works out but it looks to solve exactly what I'm seeing.

          "To make the DHCP client reject leases from an undesirable DHCP server, place the IP address of the DHCP server here. This is useful for rejecting leases from cable modems that offer private IP addresses when they lose upstream sync."

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned last edited by

            Pretty normal mostly with cable modems. Yeah, best to reject those leases.

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Yep, it's common cable modem behavior. My modem, an older Motorola Surfboard, does this with that exact address. It's the reason I added that GUI field years ago.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • P
                Phil.Scarr last edited by

                @jimp:

                Yep, it's common cable modem behavior. My modem, an older Motorola Surfboard, does this with that exact address. It's the reason I added that GUI field years ago.

                So it just did it again and the recovery time was much quicker, about 30 seconds instead of 2 minutes.  But I still want to know what's going on.  I guess I should call Charter and get them to test my line again.  My CM shouldn't be losing sync like this, a couple of times a day.

                1 Reply Last reply Reply Quote 0
                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  Usually it's indicative of an upstream issue. Mine only does that when the upstream sync is lost.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • luckman212
                    luckman212 LAYER 8 last edited by

                    Wish there was a way to blanket reject any lease coming from an rfc1918 address but I checked the source code for dhclient and it looks like it only accepts individual IPs right now.

                    1 Reply Last reply Reply Quote 0
                    • P
                      Phil.Scarr last edited by

                      @luckman212:

                      Wish there was a way to blanket reject any lease coming from an rfc1918 address but I checked the source code for dhclient and it looks like it only accepts individual IPs right now.

                      Will it take multiple IPs?  So if for some strange reason there are 3 DHCP servers reachable but only 1 is real, can I put in a comma-separated list?

                      1 Reply Last reply Reply Quote 0
                      • luckman212
                        luckman212 LAYER 8 last edited by

                        @Phil.Scarr:

                        Will it take multiple IPs?

                        I am not sure- try it and then take a look at your /var/etc/dhclient_XXX.conf (for whichever wan) file to see if the config was written correctly.

                        1 Reply Last reply Reply Quote 0
                        • ?
                          A Former User last edited by

                          I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

                          1 Reply Last reply Reply Quote 0
                          • P
                            Phil.Scarr last edited by

                            @webtyro:

                            I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

                            I assume that that would be something the cable company would have to do, right?  I don't have wireless on my CM, I have an access point on my LAN.

                            1 Reply Last reply Reply Quote 0
                            • P
                              Phil.Scarr last edited by

                              @webtyro:

                              I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

                              Oh, apparently not…  http://fascinated.fm/post/2379188731/getting-a-motorola-sbg6580-into-bridge-mode-on

                              Getting a Motorola SBG6580 into “Bridge” mode on TimeWarner Wideband

                              • Unplug coax cable from Motorola

                              • Hold down the white reset button on the back panel with a pen for 30s.  This resets all settings to factory defaults. The modem will be auto-reconfigured once you plug in the coax cable.

                              • When modem is back on plug in a computer with an Ethernet cable into the modem.

                              • Connect to http://192.168.0.1 and login with “admin” / “motorola”

                              • Now you will make some changes:

                              • Wireless -> Primary Network -> Disabled

                              • Basic -> Setup -> NAPT Mode -> Disabled

                              • Basic -> DHCP -> No

                              • Advanced -> Options -> Rg Passthrough -> Enable

                              • Advanced -> Options -> Passthrough Mac Addresses -> Add WAN MAC address of your router 6. Connect port 1 on the Motorola modem to the WAN port of your router.

                              1 Reply Last reply Reply Quote 0
                              • jimp
                                jimp Rebel Alliance Developer Netgate last edited by

                                Doesn't matter. Even in bridge mode it hands that out when it loses upstream sync

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • ?
                                  A Former User last edited by

                                  @jimp:

                                  Doesn't matter. Even in bridge mode it hands that out when it loses upstream sync

                                  His log shows the DHCP attempt from the modem with the private address seems to me is possible causing the sync issue. Does it to you. I know my setup here using a bridged Actiontec is rock solid.
                                  I have to shut everything down overnight just to receive a new gateway. Sync may not be an issue with the modem out of DHCP service. What do you think. Worth a shot?

                                  1 Reply Last reply Reply Quote 0
                                  • jimp
                                    jimp Rebel Alliance Developer Netgate last edited by

                                    That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 0
                                    • ?
                                      A Former User last edited by

                                      @jimp:

                                      That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

                                      Bridge mode with a mind of its own. Pffft. Figures! Reset button be damned.

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        Phil.Scarr last edited by

                                        @jimp:

                                        That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

                                        From my limited research into this, there does seem to be a way to force the modem to stay in bridge mode all the time, whether it has sync or not…  But I haven't tried to set it up yet.

                                        http://fascinated.fm/post/2379188731/getting-a-motorola-sbg6580-into-bridge-mode-on

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          athurdent last edited by

                                          Nowadays cable providers tend to force the modem configuration on the device. It's most likely that all your local config modifications disappear at some point, at least after a reboot.
                                          Back in the days you could simply upload a different config file and the device would do 100 MBit insted of the 10 you payed for. The providers did not like this as much as the customers did, so… :)
                                          Just be glad that you still have a modem with bridge mode. Most of the providers here in Germany disable bridge mode completely.

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            A Former User last edited by

                                            @athurdent
                                            Where I am the ISP has a newer modem with bridge mode available but the older one I have they tried to hide the setting with CSS trickery. Reboots are no problem but if the ISP was still updating the firmware then you would lose your setting. Mine is just old enough they have not bothered with any firmware upgrades. Been solid for couple of years now. For this model I just use Firefox in Developer mode and change the CSS setting that hides the bridge mode checkbox, then quickly save my change.
                                            This is tricky because the browser refresh will put you back to square one so getting the CSS changed and saving my setting is under a time limit. Took a few attempts.
                                            If you are lucky maybe they are just hiding it from you. 
                                            Some models have pages with no link to hide it.;)

                                            1 Reply Last reply Reply Quote 0
                                            • H
                                              ha11oga11o last edited by

                                              Hello all,

                                              sory for bumping topic, but i really need to know is there possible to add multiple IPs to make the DHCP client reject leases from an undesirable DHCP server. Seems my isp has 5 or 6 different IPs now. Ihave nasty issues with Dynamic dns not been able to resolve public IP etc. Various problems ppls connecting to my gaming sessions. Slow response of PfSense GUI due checking hostname ip and such. Just please tell me how to add Ips.

                                              Many thnx in advance.

                                              1 Reply Last reply Reply Quote 0
                                              • jimp
                                                jimp Rebel Alliance Developer Netgate last edited by

                                                No, the client can only ignore one address.

                                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                Need help fast? Netgate Global Support!

                                                Do not Chat/PM for help!

                                                1 Reply Last reply Reply Quote 0
                                                • luckman212
                                                  luckman212 LAYER 8 last edited by

                                                  I admit my C skills are questionable, but I was looking at the source code of dhclient and it appears that a comma-delimited list of multiple ignore IPs would actually be valid here.

                                                  see: L945 of dhclient/clparse.c

                                                  If you guys agree that would be acceptable, I can make a patch & submit a pull request.

                                                  1 Reply Last reply Reply Quote 0
                                                  • jimp
                                                    jimp Rebel Alliance Developer Netgate last edited by

                                                    Give it a try and see if it works. The man page only claims a single address:

                                                         reject ip-address;
                                                                 The reject statement causes the DHCP client to reject offers from
                                                                 servers who use the specified address as a server identifier.
                                                                 This can be used to avoid being configured by rogue or
                                                                 misconfigured DHCP servers, although it should be a last resort -
                                                                 better to track down the bad DHCP server and fix it.
                                                    

                                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                    Need help fast? Netgate Global Support!

                                                    Do not Chat/PM for help!

                                                    1 Reply Last reply Reply Quote 0
                                                    • luckman212
                                                      luckman212 LAYER 8 last edited by

                                                      I just tested it on my end.  I patched interfaces.inc and interfaces.php (quick easy patch – no input validation, yet) and then saved a config with my "real" ignore IP in the middle, surrounded by 2 bogus IPs like so:

                                                      <dhcprejectfrom>1.2.3.4,192.168.100.1,5.6.7.8</dhcprejectfrom>
                                                      

                                                      I then rebooted my modem & tail'ed the output to see if the reject was working …

                                                      DHCPDISCOVER on igb2 to 255.255.255.255 port 67 interval 32
                                                      DHCPNACK from 192.168.100.1 rejected.
                                                      
                                                      

                                                      So it looks like this does actually work (despite what the FreeBSD docs say)  ;)
                                                      Should I make a real patch? I think IIRC the old GUI code would actually accept a list but somewhere along the way it was decided that this wasn't valid and it was changed… so the code might already be there in the old commits.

                                                      1 Reply Last reply Reply Quote 0
                                                      • jimp
                                                        jimp Rebel Alliance Developer Netgate last edited by

                                                        What was allowed before and broke was a subnet (e.g. 192.168.0.0/24), and that definitely doesn't work.

                                                        If it works with a comma-separated list then sure, submit a PR (be sure to link to the thread and mention that it was tested)

                                                        You can find some validation code in the OpenVPN local/remote networks fields which already validates a list of IP addresses in this way. Though it also allows subnets, which need to be denied here, so it's not an exact copy.

                                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                        Need help fast? Netgate Global Support!

                                                        Do not Chat/PM for help!

                                                        1 Reply Last reply Reply Quote 0
                                                        • luckman212
                                                          luckman212 LAYER 8 last edited by

                                                          Ok great, I will send in a proper PR shortly.

                                                          1 Reply Last reply Reply Quote 0
                                                          • B
                                                            bogi last edited by

                                                            So I created an account so i could post to this thread.

                                                            I'm seeing this issue with Comcast in Chicago for the last couple of weeks.  I've been running the same cable modem/gateway in bridged mode with same pfsese box for almost two years now and don't remember my modem losing it upstream sync causing this before.

                                                            My question is….

                                                            When the Comcast uplink comes back online should the modem do a dhcp renew to the pfsense box?  Is that not happening or does pfsense not see the renew?

                                                            Guess I'm just wondering if it's somehing i should raise up with Comcast business support to see if they can fix it with a configration change of the modem?  Maybe a recent firmware update change the behaviour?  Or is their a cable modem you guys recommend that does not have this issue?

                                                            Thanks

                                                            1 Reply Last reply Reply Quote 0
                                                            • luckman212
                                                              luckman212 LAYER 8 last edited by

                                                              Sorry for the long delay for such a simple PR, but I got a little busy last few days :P
                                                              PR submitted: https://github.com/pfsense/pfsense/pull/3683

                                                              1 Reply Last reply Reply Quote 0
                                                              • First post
                                                                Last post