DHCP Server running, but not doing anything

theuken

I've built a pfsense instance on a VM which serves the purpose to sequester 4 local /26 VLANs to be used by customers over the web.
The VM has got 5 network interfaces. 4 networks are the customer networks, while the 5th network provides the Internet access and a gateway to certain equipment to be used selectively by customers
The firewall portion is working perfectly and the networks have been verified.
Unfortunately DHCP isn't working in the customer networks.
I've assigned interfaces with DHCP ranges, enabled the DHCPD service and the log looks OK.

Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Config file: /etc/dhcpd.conf
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Database file: /var/db/dhcpd.leases
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: PID file: /var/run/dhcpd.pid
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Internet Systems Consortium DHCP Server 4.4.2-P1
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Copyright 2004-2021 Internet Systems Consortium.
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: All rights reserved.
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: For info, please visit https://www.isc.org/software/dhcp/
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Wrote 0 class decls to leases file.
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Wrote 0 leases to leases file.
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Listening on BPF/em2/00:50:56:92:fa:09/10.62.179.0/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Sending on BPF/em2/00:50:56:92:fa:09/10.62.179.0/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Listening on BPF/em1/00:50:56:92:4e:d5/10.62.179.64/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Sending on BPF/em1/00:50:56:92:4e:d5/10.62.179.64/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Listening on BPF/em0/00:50:56:92:8b:78/10.62.179.128/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Sending on BPF/em0/00:50:56:92:8b:78/10.62.179.128/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Listening on BPF/vmx1/00:50:56:92:c2:c1/10.62.179.192/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Sending on BPF/vmx1/00:50:56:92:c2:c1/10.62.179.192/26
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Sending on Socket/fallback/fallback-net
Oct 4 13:51:53 muvadm-pfsense1 dhcpd[35618]: Server starting service.

Unfortunately I can't see any DHCP-related traffic on the networks, and of course no leases.

Any ideas ?

johnpoz

@theuken said in DHCP Server running, but not doing anything:

Unfortunately I can't see any DHCP-related traffic on the networks

Well then dhcpd wouldn't do anything would it ;)

If the interface was seeing dhcp requests/discovers etc.. Then it would respond.. So sniff on one of these interfaces and have a client on that L2 network do a dhcp discover.. If pfsense doesn't see it then no dhcpd not going to do anything.

When you enable dhcpd on an interface, hidden rules are created that allow for dhcp traffic. So doesn't matter what rules, or lack of rules you might have on an interface - if dhcp is enable it would be allowed.

Maybe you have dhcp snooping misconfigured in your switching infrastructure, or something your VM host, which I assume from that vmx1 interface is esxi?

Gertjan

@theuken

Before you actually open your pfSense device and locate the correct interface plug, I'll explain the "snif" word :

Goto Diagnostics > Packet Capture (that's where the sniffing is done)

According to Google DHCP port numbers :

DHCP uses UDP port 67 on the server side and UDP port 68 on the client side. DHCP also has two versions: DHCPv4 and DHCPv6 to support IPv4 and IPv6, respectively. These two versions, much like the two versions of IP, are very different and are therefore considered separate protocols and use separate ports.

Knowing all this : let's enter the details :

Select the interface - for me it was igc1
You can select "UDP" as DHCP uses only UDP.
Use "67 68" as the ports to scan.

Hit the green start button.

Now, connect a device (that uses DHCP !) to the interface.

I did just that : I saw popping up :

The first line came from my device, it was the DHCP DISCOVER.
The second line was the pfSense, the DHCP server, sending it a proposal : "192.168.2.6".

The answer, as already given above : if nothing shows up, then the traffic never reached pfSense (the interface).

You probably have to look one level higher : the VM ....

theuken

In fact I've done this check in a different way:

I've moved a VM into this VLAN, verified the network interface and then enabled DHCP on the respective interface while running Wireshark
All related to DHCP I see are DHCP Discover broadcast messages - but no reply from the DHCP server.
The network is ok. I can ping the default gateway etc,

johnpoz

@theuken said in DHCP Server running, but not doing anything:

interface while running Wireshark

Wireshark on the client is pretty useless in such a situation - client could be sending it all day long, doesn't mean pfsense ever saw it.

You need to do a packet capture on pfsense under the diag menu as @Gertjan shows in his post, feel free to run wireshark on the client at the same time to validate the client actually sent it.. But if pfsense interface where dhcpd is listening never sees a discover, then its never going to send an offer..

By the way you don't need both ports.. 67 or 68 is going to be involved in any dhcp - so you just need 1 of those ports.