HELP! Seemingly bizarre dhclient behavior on WAN

Phil.Scarr

The event I reported previously where the dhclient seemed to lose its mind happened again so I went and snatched the dhclient logs.  What's really strange is that there appears to be a DHCP offer on the WAN side for a 192.168.100.1 DHCP server.  There is no such server that I'm aware of, unless that's my cable modem…

So you can see the reboot last night in blue, then the binding to the correct DHCP server from Charter but this this morning, this very strange interraction with a DHCP server on 192.168.100.1 in red.

Jan 15 19:54:23 dhclient REBOOT
Jan 15 19:54:24 dhclient 8638 bound to 96.42.26.125 – renewal in 9974 seconds.
Jan 15 22:40:36 dhclient Creating resolv.conf
Jan 15 22:40:36 dhclient RENEW
Jan 16 02:40:36 dhclient Creating resolv.conf
Jan 16 02:40:36 dhclient RENEW
Jan 16 06:40:36 dhclient Creating resolv.conf
Jan 16 06:40:36 dhclient RENEW
Jan 16 07:24:28 dhclient 9468 exiting.
Jan 16 07:24:28 dhclient 9468 connection closed
Jan 16 07:24:50 dhclient PREINIT
Jan 16 07:24:51 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:24:52 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:24:54 dhclient 91520 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 1
Jan 16 07:24:54 dhclient 91520 DHCPNAK from 192.168.100.1  <–---  WTF is this???
Jan 16 07:24:54 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:24:55 dhclient 91520 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 2
Jan 16 07:24:56 dhclient 91520 DHCPOFFER already seen.
Jan 16 07:24:56 dhclient 91520 DHCPOFFER from 192.168.100.1
Jan 16 07:24:56 dhclient ARPSEND
Jan 16 07:24:56 dhclient 91520 DHCPOFFER from 192.168.100.1
Jan 16 07:24:58 dhclient 91520 bound to 192.168.100.10 – renewal in 30 seconds.
Jan 16 07:24:58 dhclient Creating resolv.conf
Jan 16 07:24:58 dhclient /sbin/route add default 192.168.100.1
Jan 16 07:24:58 dhclient Adding new routes to interface: cpsw0
Jan 16 07:24:58 dhclient New Routers (cpsw0): 192.168.100.1
Jan 16 07:24:58 dhclient New Broadcast Address (cpsw0): 192.168.100.255
Jan 16 07:24:58 dhclient New Subnet Mask (cpsw0): 255.255.255.0
Jan 16 07:24:58 dhclient New IP Address (cpsw0): 192.168.100.10  <–--- And now this is the WAN IP
Jan 16 07:24:58 dhclient ifconfig cpsw0 inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255
Jan 16 07:24:58 dhclient Starting add_new_address()
Jan 16 07:24:58 dhclient BOUND
Jan 16 07:24:58 dhclient 91520 DHCPACK from 192.168.100.1
Jan 16 07:24:58 dhclient 91520 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:24:58 dhclient ARPCHECK
Jan 16 07:25:28 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:30 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:32 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:35 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:41 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:49 dhclient 1073 DHCPREQUEST on cpsw0 to 192.168.100.1 port 67
Jan 16 07:25:55 dhclient 92599 exiting.
Jan 16 07:25:55 dhclient 92599 connection closed
Jan 16 07:25:57 dhclient 28540 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:25:57 dhclient PREINIT
Jan 16 07:25:59 dhclient ARPSEND
Jan 16 07:25:59 dhclient 28540 DHCPOFFER from 96.42.26.1 <–--- This is the right DHCP server
Jan 16 07:25:59 dhclient 28540 DHCPDISCOVER on cpsw0 to 255.255.255.255 port 67 interval 1
Jan 16 07:25:59 dhclient PREINIT
Jan 16 07:25:59 dhclient Deleting old routes
Jan 16 07:25:59 dhclient EXPIRE
Jan 16 07:26:01 dhclient BOUND
Jan 16 07:26:01 dhclient 28540 DHCPACK from 96.42.26.1
Jan 16 07:26:01 dhclient 28540 DHCPREQUEST on cpsw0 to 255.255.255.255 port 67
Jan 16 07:26:01 dhclient ARPCHECK
Jan 16 07:26:02 dhclient ifconfig cpsw0 inet 96.42.26.125 netmask 255.255.254.0 broadcast 255.255.255.255
Jan 16 07:26:02 dhclient Starting add_new_address()
Jan 16 07:26:02 dhclient Deleting old routes
Jan 16 07:26:03 dhclient New Broadcast Address (cpsw0): 255.255.255.255
Jan 16 07:26:03 dhclient New Subnet Mask (cpsw0): 255.255.254.0
Jan 16 07:26:03 dhclient New IP Address (cpsw0): 96.42.26.125  <–--- And this is the right address
Jan 16 07:26:04 dhclient Creating resolv.conf
Jan 16 07:26:04 dhclient /sbin/route add default 96.42.26.1
Jan 16 07:26:04 dhclient Adding new routes to interface: cpsw0
Jan 16 07:26:04 dhclient New Routers (cpsw0): 96.42.26.1
Jan 16 07:26:05 dhclient 28540 bound to 96.42.26.125 – renewal in 13037 seconds

Can someone help me understand WTF is going on here?  Is my cable modem offering up an address it shouldn't?  Where is that 192.168.100.1 server coming from?  Any help debugging this would be greatly appreciated.  When it happens, the internet connection drops until it recovers.  Where should I look next?

Thanks!

phil.davis

In the interface settings, try "Reject leases from" to reject any leases offered from that address. Some upstream devices can do that sort of thing.

Phil.Scarr

@phil.davis:

In the interface settings, try "Reject leases from" to reject any leases offered from that address. Some upstream devices can do that sort of thing.

Awesome, thanks.  I'll let you know if that works out but it looks to solve exactly what I'm seeing.

"To make the DHCP client reject leases from an undesirable DHCP server, place the IP address of the DHCP server here. This is useful for rejecting leases from cable modems that offer private IP addresses when they lose upstream sync."

doktornotor

Pretty normal mostly with cable modems. Yeah, best to reject those leases.

jimp

Yep, it's common cable modem behavior. My modem, an older Motorola Surfboard, does this with that exact address. It's the reason I added that GUI field years ago.

Phil.Scarr

@jimp:

Yep, it's common cable modem behavior. My modem, an older Motorola Surfboard, does this with that exact address. It's the reason I added that GUI field years ago.

So it just did it again and the recovery time was much quicker, about 30 seconds instead of 2 minutes.  But I still want to know what's going on.  I guess I should call Charter and get them to test my line again.  My CM shouldn't be losing sync like this, a couple of times a day.

jimp

Usually it's indicative of an upstream issue. Mine only does that when the upstream sync is lost.

luckman212

Wish there was a way to blanket reject any lease coming from an rfc1918 address but I checked the source code for dhclient and it looks like it only accepts individual IPs right now.

Phil.Scarr

@luckman212:

Wish there was a way to blanket reject any lease coming from an rfc1918 address but I checked the source code for dhclient and it looks like it only accepts individual IPs right now.

Will it take multiple IPs?  So if for some strange reason there are 3 DHCP servers reachable but only 1 is real, can I put in a comma-separated list?

luckman212

@Phil.Scarr:

Will it take multiple IPs?

I am not sure- try it and then take a look at your /var/etc/dhclient_XXX.conf (for whichever wan) file to see if the config was written correctly.

A Former User

I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

Phil.Scarr

@webtyro:

I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

I assume that that would be something the cable company would have to do, right?  I don't have wireless on my CM, I have an access point on my LAN.

Phil.Scarr

@webtyro:

I do not know if your cable modem can be put into bridge mode but it is worth finding out. You may lose wireless but ideally you want everything behind pfsense anyway. If the modem is creating a problem just bridge right through it. Speed could see increase also.

Oh, apparently not…  http://fascinated.fm/post/2379188731/getting-a-motorola-sbg6580-into-bridge-mode-on

Getting a Motorola SBG6580 into “Bridge” mode on TimeWarner Wideband

• Unplug coax cable from Motorola

• Hold down the white reset button on the back panel with a pen for 30s.  This resets all settings to factory defaults. The modem will be auto-reconfigured once you plug in the coax cable.

• When modem is back on plug in a computer with an Ethernet cable into the modem.

• Connect to http://192.168.0.1 and login with “admin” / “motorola”

• Now you will make some changes:

• Wireless -> Primary Network -> Disabled

• Basic -> Setup -> NAPT Mode -> Disabled

• Basic -> DHCP -> No

• Advanced -> Options -> Rg Passthrough -> Enable

• Advanced -> Options -> Passthrough Mac Addresses -> Add WAN MAC address of your router 6. Connect port 1 on the Motorola modem to the WAN port of your router.

jimp

Doesn't matter. Even in bridge mode it hands that out when it loses upstream sync

A Former User

@jimp:

Doesn't matter. Even in bridge mode it hands that out when it loses upstream sync

His log shows the DHCP attempt from the modem with the private address seems to me is possible causing the sync issue. Does it to you. I know my setup here using a bridged Actiontec is rock solid.
I have to shut everything down overnight just to receive a new gateway. Sync may not be an issue with the modem out of DHCP service. What do you think. Worth a shot?

jimp

That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

A Former User

@jimp:

That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

Bridge mode with a mind of its own. Pffft. Figures! Reset button be damned.

Phil.Scarr

@jimp:

That's just how these Moto Surfboard/Arris modems work. They bridge when they have sync and when they don't have sync they hand out a private address. Presumably so you can hit the modem and troubleshoot.

From my limited research into this, there does seem to be a way to force the modem to stay in bridge mode all the time, whether it has sync or not…  But I haven't tried to set it up yet.

http://fascinated.fm/post/2379188731/getting-a-motorola-sbg6580-into-bridge-mode-on

athurdent

Nowadays cable providers tend to force the modem configuration on the device. It's most likely that all your local config modifications disappear at some point, at least after a reboot.
Back in the days you could simply upload a different config file and the device would do 100 MBit insted of the 10 you payed for. The providers did not like this as much as the customers did, so… :)
Just be glad that you still have a modem with bridge mode. Most of the providers here in Germany disable bridge mode completely.

A Former User

@athurdent
Where I am the ISP has a newer modem with bridge mode available but the older one I have they tried to hide the setting with CSS trickery. Reboots are no problem but if the ISP was still updating the firmware then you would lose your setting. Mine is just old enough they have not bothered with any firmware upgrades. Been solid for couple of years now. For this model I just use Firefox in Developer mode and change the CSS setting that hides the bridge mode checkbox, then quickly save my change.
This is tricky because the browser refresh will put you back to square one so getting the CSS changed and saving my setting is under a time limit. Took a few attempts.
If you are lucky maybe they are just hiding it from you. 
Some models have pages with no link to hide it.;)

ha11oga11o

Hello all,

sory for bumping topic, but i really need to know is there possible to add multiple IPs to make the DHCP client reject leases from an undesirable DHCP server. Seems my isp has 5 or 6 different IPs now. Ihave nasty issues with Dynamic dns not been able to resolve public IP etc. Various problems ppls connecting to my gaming sessions. Slow response of PfSense GUI due checking hostname ip and such. Just please tell me how to add Ips.

Many thnx in advance.

jimp

No, the client can only ignore one address.

luckman212

I admit my C skills are questionable, but I was looking at the source code of dhclient and it appears that a comma-delimited list of multiple ignore IPs would actually be valid here.

see: L945 of dhclient/clparse.c

If you guys agree that would be acceptable, I can make a patch & submit a pull request.

jimp

Give it a try and see if it works. The man page only claims a single address:

     reject ip-address;
             The reject statement causes the DHCP client to reject offers from
             servers who use the specified address as a server identifier.
             This can be used to avoid being configured by rogue or
             misconfigured DHCP servers, although it should be a last resort -
             better to track down the bad DHCP server and fix it.

luckman212

I just tested it on my end.  I patched interfaces.inc and interfaces.php (quick easy patch – no input validation, yet) and then saved a config with my "real" ignore IP in the middle, surrounded by 2 bogus IPs like so:

<dhcprejectfrom>1.2.3.4,192.168.100.1,5.6.7.8</dhcprejectfrom>

I then rebooted my modem & tail'ed the output to see if the reject was working …

DHCPDISCOVER on igb2 to 255.255.255.255 port 67 interval 32
DHCPNACK from 192.168.100.1 rejected.

So it looks like this does actually work (despite what the FreeBSD docs say)  ;)
Should I make a real patch? I think IIRC the old GUI code would actually accept a list but somewhere along the way it was decided that this wasn't valid and it was changed… so the code might already be there in the old commits.

jimp

What was allowed before and broke was a subnet (e.g. 192.168.0.0/24), and that definitely doesn't work.

If it works with a comma-separated list then sure, submit a PR (be sure to link to the thread and mention that it was tested)

You can find some validation code in the OpenVPN local/remote networks fields which already validates a list of IP addresses in this way. Though it also allows subnets, which need to be denied here, so it's not an exact copy.

luckman212

Ok great, I will send in a proper PR shortly.

bogi

So I created an account so i could post to this thread.

I'm seeing this issue with Comcast in Chicago for the last couple of weeks.  I've been running the same cable modem/gateway in bridged mode with same pfsese box for almost two years now and don't remember my modem losing it upstream sync causing this before.

My question is….

When the Comcast uplink comes back online should the modem do a dhcp renew to the pfsense box?  Is that not happening or does pfsense not see the renew?

Guess I'm just wondering if it's somehing i should raise up with Comcast business support to see if they can fix it with a configration change of the modem?  Maybe a recent firmware update change the behaviour?  Or is their a cable modem you guys recommend that does not have this issue?

Thanks

luckman212

Sorry for the long delay for such a simple PR, but I got a little busy last few days :P
PR submitted: https://github.com/pfsense/pfsense/pull/3683