SG-3100 fail to get WAN IP from Frontier fiber ONT

Gertjan

@mer said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Didn't the OP say that don't want to use the Arris router and they hooked a couple different things directly to the ONT (where the router normally is) and all but the SG3100 got an address?

Probably ;)
If wanted to be sure the SG-3100 was fine first.

@mer said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

SG3100 apparently worked fine connected to a cable modem

a cable modem is a technology. When I read ONT it's a mostly passif (?) box that converts "fibre to Ethernet". Entirely different tech.

The SG-3100 and SG-1100 use the identical DHCP client code. I presume the SG-1100 has also the 21.05.2.
So if one works, the other should work also. If the settings are identical, only the WAN MAC should be diffrenet. And even the MAC can be spoofed if needed.

jaredo

@mer Yes, all your comments to gertjan are correct. You are understanding me correctly.

I pulled the backup file, factory defaulted the SG-3100 to try to mimic the SG-1100. That didnt work.

When I plug in the ONT I do get the physical link light and a few blinks but then it goes solid. I should packet capture the WAN port (as you mention) to see what is really happening.

This 3100 is our office router for about a 1.5 years now. It works everyday and is working right now through the existing cable modem.

As for restarting DHCP - I rebooted ONT, router, disabled WAN port then re-enabled (multiple times, different combinations). I banged on it for 2.5 hours before starting this ticket. Did not disable / reenable DHCP service via the dashboard. Can try that but it would not be optimum after, lets say, a power outage having to do this every time.

I will packet capture next and see if there are any clues there.

Thanks for helping, I will post what I find.

jaredo

@gertjan The SG-1100 is probably not on latest firmware. That is a good point. It is sitting in stock in case we ever needed one. Maybe one or two revisions behind

I also tried spoofing the mac of the 3100 to the mac of the Arris router. Did not work.

For clarity - cable modem is what has been in the office for years, Frontier Fiber (and their ONT and Arris router) showed up on Friday as we are excited to get gig symmetrical service. Currently both active so I can go back and forth between ONT and modem.

Thank you for helping. Keep it coming.

Gertjan

@jaredo

The SG-1100 works, so "packet capture" the WAN port during DHCP negotiating.
Compare the results with the SG-3100.

mer

Didn't someone recently (within last 3 months or so) have a thread about having to tweak DHCP options before they got it to work? I don't recall the Netgate product or the WAN connection used, but I recall something about some DHCP options either added or tweaked.

jaredo

@mer I read an article about Frontier that said a hostname would be required for the ONT to give an IP. I dont know if this is true, I don't think the 1100 has anything specified in that field and who knows about the unifi.

I tried it. I put SG3100WAN as the hostname in the WAN DHCP Client Configuration section. That did not help. You can select advanced options and it gives fields for timing. I did not find anything online about what those should be so I left them at default (unchecked the advanced options checkbox).

If someone has the link to DHCP tweak thread, I will give those items a try. I will also packet capture this evening as it is a busy monday.

Gertjan

@mer said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Didn't someone recently ....

Don't know who it was, but he used the DHCP client used by OSense which permitted to used DHCP OPTIONS, needed by the ISP.

But .... if a SG-1100 works, the SG-3100 should work also. I'm pretty sure it's the same code.

Anyway : capturing would shows the details.

mer

@gertjan Agreed the code should be the same and pcap on each should make it obvious.

stephenw10

@gertjan said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

if a SG-1100 works, the SG-3100 should work also.

You would expect that. The big difference there is that the 1100 WAN is connected via the switch that will link to some things the raw NIC will not. So I would want to check the 3100 WAN interface link state directly in ifconfig.
Secondly, as implied above, this could just be a bad WAN port on the 3100 until it's proven working on something else. I would also try swapping the WAN and OPT NIC assignments and seeing if that changes anything.

The dhcp client will send the hostname configured in general setup by default. You shouldn't need any special options there. Most of the threads detailing that are for ISPs using MAC Encapsulated Routing.

Steve

jaredo

Packet capture data for Sg-3100. Here is the procedure used.

disconnect WAN cable from cable modem
start packet capture on WAN port in netgate router
plug WAN cable into ONT
end packet capture after a short time.

First few DHCP requests the 3100 asks for the last IP it had, which was a cable company IP, the ONT returns NAK each time, message is address not available (makes sense as it is not in Frontier's pool).

pcap 3100 NAK from ONT.png

3100 finally begins to send DHCP discover messages and for each one, the ONT replies with an offer with ip address within their pool. The 3100 does not accept the offer but just continues to send discover packets, each one replied to by the ONT with a valid offer.

pcap 3100 offer from ONT.png

I will post another post with SG-1100 data separate from this post for clarity.

Thank you for your help.

jaredo

Packet capture data from the SG-100 for comparison (this unit has no trouble getting an IP from the ONT). Same procedure as with the 3100.

disconnect WAN cable from cable modem
start packet capture on WAN port in netgate router
plug WAN cable into ONT
end packet capture after a short time.

Just one picture below with the following numbers explained

(1) 1100 request DHCP supplying the last known IP - the cable modem IP
(2) NAK from ONT with message 'address not available'
(3) 1100 sends DHCP discover packet (the 3100 tried requesting the same IP 4 times before moving on to discover)
(4) DHCP Offer from the ONT - displayed below for detail
(5) ACK from 1100 and were off to the races with ARPs, PINGs and NTP requests (not shown)

pcap 1100 offer from ONT.png

Thank you for your help with this and any insight you might give to resolve problem.

stephenw10

Is there anything logged in the 3100 dhcp log?

Are the replies coming into the correct MAC address?

Was the pcap filtered at all?

I note the DHCP offer to the 1100 appears to come from the relay agent IP but the offer to the 3100 from the DHCP server directly. Though I'm not sure what difference that could make.

Steve

jaredo

@stephenw10 said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Is there anything logged in the 3100 dhcp log?

Here is what I got from the log. Starts with when I disconnected the cable to the WAN port (from cable modem). You can see the 4 requests and then several discovers. Note after that it logs 'No DHCPOFFERS received'

Dec 20 16:16:34 STSpfSense dhclient[30428]: connection closed
Dec 20 16:16:34 STSpfSense dhclient[30428]: exiting.
Dec 20 16:17:09 STSpfSense dhclient[7665]: Cannot open or create pidfile: No such file or directory
Dec 20 16:17:09 STSpfSense dhclient[8333]: PREINIT
Dec 20 16:17:09 STSpfSense dhclient[7665]: DHCPREQUEST on mvneta2 to 255.255.255.255 port 67
Dec 20 16:17:11 STSpfSense dhclient[7665]: DHCPREQUEST on mvneta2 to 255.255.255.255 port 67
Dec 20 16:17:15 STSpfSense dhclient[7665]: DHCPREQUEST on mvneta2 to 255.255.255.255 port 67
Dec 20 16:17:19 STSpfSense dhclient[7665]: DHCPREQUEST on mvneta2 to 255.255.255.255 port 67
Dec 20 16:17:24 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 2
Dec 20 16:17:26 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 2
Dec 20 16:17:28 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 5
Dec 20 16:17:33 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 7
Dec 20 16:17:40 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 21
Dec 20 16:18:01 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 17
Dec 20 16:18:18 STSpfSense dhclient[7665]: DHCPDISCOVER on mvneta2 to 255.255.255.255 port 67 interval 7
Dec 20 16:18:25 STSpfSense dhclient[7665]: No DHCPOFFERS received.
Dec 20 16:18:25 STSpfSense dhclient[7665]: Trying recorded lease 67.xx.xx.xx
Dec 20 16:18:25 STSpfSense dhclient[16519]: TIMEOUT
Dec 20 16:18:25 STSpfSense dhclient[16721]: Starting add_new_address()
Dec 20 16:18:25 STSpfSense dhclient[16770]: ifconfig mvneta2 inet 67.xx.xx.xx netmask 255.255.252.0 broadcast 67.xx.xx.xx
Dec 20 16:18:25 STSpfSense dhclient[16867]: New IP Address (mvneta2): 67.xx.xx.xx
Dec 20 16:18:25 STSpfSense dhclient[17204]: New Subnet Mask (mvneta2): 255.255.252.0
Dec 20 16:18:25 STSpfSense dhclient[17367]: New Broadcast Address (mvneta2): 67.xx.xx.xx
Dec 20 16:18:25 STSpfSense dhclient[17600]: New Routers (mvneta2): 67.xx.xx.xx
Dec 20 16:18:26 STSpfSense dhclient[21176]: New Routers (mvneta2): 67.xx.xx.xx
Dec 20 16:18:27 STSpfSense dhclient[22685]: Deleting old routes
Dec 20 16:18:27 STSpfSense dhclient[7665]: No working leases in persistent database - sleeping.
Dec 20 16:18:27 STSpfSense dhclient[23293]: FAIL

@stephenw10 said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Are the replies coming into the correct MAC address?

Yes correct MAC assigned to mvneta2

@stephenw10 said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Was the pcap filtered at all?

No. I selected 'Enable promiscuous mode', left everything else at default, and set count to 0

stephenw10

Ok, to be clear, you have verified that WAN port connects as expected to some other DHCP server? On the 1100 LAN for example?

Did you try reassigning the 3100 WAN to mvneta0 (opt)?

Steve

Gertjan

@jaredo

This :

First few DHCP requests the 3100 asks for the last IP it had, which was a cable company IP, the ONT returns NAK each time, message is address not available (makes sense as it is not in Frontier's pool).

The dhclient actually receives the multiple NACKs ?
edit : me thinking : is it normal that client continues asking for a know - used before - IP ?
I mean, I've this impression that there is a one way communication ....

3100 finally begins to send DHCP discover messages and for each one, the ONT replies with an offer with ip address within their pool. The 3100 does not accept the offer but just continues to send discover packets, each one replied to by the ONT with a valid offer.

Again : (does it) look like he dhclient process never sees the DHCP answers.

But they are there, the capture is clear about it. The captures are taken from pfSense, right ?

jaredo

@stephenw10 said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Ok, to be clear, you have verified that WAN port connects as expected to some other DHCP server? On the 1100 LAN for example?
Did you try reassigning the 3100 WAN to mvneta0 (opt)?
Steve

The WAN port has been plugged into for more than a year, and remains plugged into a cable modem. This is our office and we have been running it flawlessly everyday now. Frontier fiber was installed on friday. We attempt to make frontier work but remain with cable until this is figured out. Both services (cable modem, fiber ONT) are next to each other in our server room.

I have not tried assigning mvneta0, I can try that. You say re-assign. I never assigned 2 over 0, I ran the wizard and started with that base setup more than a year ago. I believe the wizard assigned 2 to WAN.

jaredo

@gertjan said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

The dhclient actually receives the multiple NACKs ?
edit : me thinking : is it normal that client continues asking for a know - used before - IP ?
I mean, I've this impression that there is a one way communication ....

Yes, the 3100 makes 4 attempts at request for known IP and gets 4 NAKs. The 1100 we are using as the 'control' makes 1 request for known IP, gets 1 NAK and then makes DHCP request.

@gertjan said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

The captures are taken from pfSense, right ?

Yes. under Diagnostics > Packet Capture with the settings 'Enable promiscuous mode', left everything else at default, and set count to 0

stephenw10

Ah, OK. Then if the OPT port is not used I would just set that as DHCP and connect the finer to it instead. See if it pulls a lease there.

Are you running Snort or Suricata in blocking mode? Has it somehow blocked the DHCP server IP? (which should not be possible)

Steve

mer

Under Interfaces, WAN the section "DHCP Client Configuration" have you compared this section between the 3100 and 1100? Mine is blank, on mine, but if you check the "Advanced Configuration" box, you get some more items, a new section "Lease Requirements and Requests". Again on mine, it's blank, but perhaps there is a difference on your 3100 and 1100.

Gertjan

@jaredo said in SG-3100 fail to get WAN IP from Frontier fiber ONT:

Yes, the 3100 makes 4 attempts at request for known IP and gets 4 NAKs. The 1100 we are using as the 'control' makes 1 request for known IP, gets 1 NAK and then makes DHCP request.

Exactly.
The 1100 tries to validate the old know IP, get a - just one - 'NAK' and behaves accordingly : it goes for a 'discover'.
The 3100 goes for the old IP ..... a NAK comes in, but the 3100 repeats itself, as if it is ignorant of the NAK. After some time, the 3100 takes note 'of the silence' (!) and switches to 'discover' which is the normal procedure.

Just to be sure : shut down the firewall completely for a moment.
I guess it's "pfctl -d".
The info - the NAKs etc from the opposite side are coming in, as the capture shows.