Packet to bogus giaddr
-
Hi All,
I am on pfSense CE 2.7.2, and recently I have been noticing a problem with DHCP messages that route through pfSense.
I have somewhat of a strange setup, but this is to get around some feature limitations that I have on other routers in my network. Essentially, I have an instance of VyOS running behind my edge pfSense firewall instance. The VyOS instance has an IP address in each of the VLANs in my network that are not routed on pfSense itself but on a Nokia service router (7210). Due to some limitations with IPv4 and IPv6, I could not set up DHCP relay on that platform, so VyOS is doing the DHCP relay.
So the packet flow will look as such:
end device DHCP broadcast --> VyOS relays packet to DHCP server --> DHCP server replies to the gateway address (giaddr) --> packet routed to pfSense --> pfSense has a route to the destination giaddr (the destination IP address of the DHCP reply)
This has been working for a long time, but it seems to have changed, possibly in 2.7.2? What I noticed was that, at random, machines on some VLANs would stop receiving an address. I found these logs in pfSense's DHCP log:
Jan 3 17:15:44 dhcrelay 30171 Packet to bogus giaddr 192.168.11.2.
192.168.11.2 is not an IP on pfSense, but I do have a route to this network via FRR and an eBGP peer. So instead of routing it, as the traffic should be allowed by the rules, it appears pfSense is intercepting it. I fully understand that this, again, is weirder as the traffic is asymmetric through pfSense, but this behavior was never noticed before.
What I have noticed as well is that I have the DHCP relay function running for some networks which I route directly on pfSense. If I shut that service down, it does not log anymore, but the packets are still silently dropped.
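For readers trying to make sense of the "Packet to bogus giaddr" line: it is the message ISC dhcrelay logs when it sees a BOOTREPLY whose giaddr is not an address of one of the interfaces the relay itself is listening on. The script below is an added example, not dhcrelay's code and not something from the post above; it models that decision for a relay that owns two addresses and is shown a server reply addressed to a different relay's giaddr, plus the BOOTREQUEST side (giaddr stamping and the hop limit). Every packet and address in it is constructed for the demonstration, and MAX_HOPS is an assumption about the default hop limit.

```python
"""Model of the giaddr check behind dhcrelay's "Packet to bogus giaddr" log line.

Added example: this is not dhcrelay's code. It models the relay logic ISC
dhcrelay applies to BOOTP/DHCP packets it sees:
  * BOOTREPLY: forward to the client only if giaddr is one of the relay's own
    addresses, otherwise log "Packet to bogus giaddr <ip>." and drop;
  * BOOTREQUEST: drop if the hop limit is reached, otherwise set giaddr to
    the ingress interface address if unset, bump hops, send to the servers.
Only the "Packet to bogus giaddr" text is reproduced verbatim; the other log
strings are this example's own wording. All packets and addresses below are
constructed for the demonstration.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the fixed header
MAX_HOPS = 4                       # assumption: dhcrelay's default hop-count limit


def build_bootp(op, xid, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0,
                chaddr=b"\x02\x00\x00\x00\x00\x01"):
    """Build a minimal BOOTP/DHCP packet: fixed header, cookie, 'end' option."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, hops, xid, 0, 0,
        b"\0" * 4,                               # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,    # yiaddr
        b"\0" * 4,                               # siaddr
        ipaddress.IPv4Address(giaddr).packed,    # giaddr
        chaddr, b"\0" * 64, b"\0" * 128,         # chaddr (null padded), sname, file
    )
    return header + DHCP_MAGIC + b"\xff"


def parse_bootp(data):
    """Extract the fixed-header fields the relay decision depends on."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a BOOTP/DHCP packet")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", data[:8])
    return {
        "op": op, "hlen": hlen, "hops": hops, "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(data[16:20])),
        "giaddr": str(ipaddress.IPv4Address(data[24:28])),
    }


def relay_decision(data, local_addrs, ingress_addr):
    """Return (action, payload, log_line) for a packet the relay received.

    local_addrs  : addresses of the interfaces this relay listens on
    ingress_addr : address of the interface the packet arrived on
    action       : "forward_to_client", "forward_to_server" or "drop"
    payload      : giaddr the reply goes to, or the rewritten request bytes
    log_line     : text in the style dhcrelay logs, or None
    """
    pkt = parse_bootp(data)

    if pkt["op"] == BOOTREPLY:
        if pkt["hlen"] > 16:
            return ("drop", None, "Discarding packet with invalid hlen.")
        # The relay only answers for giaddr values it owns. A reply whose
        # giaddr belongs to another relay (a downstream box, for instance)
        # that merely transits this host fails the check and is logged as bogus.
        if pkt["giaddr"] != "0.0.0.0" and pkt["giaddr"] in local_addrs:
            return ("forward_to_client", pkt["giaddr"], None)
        return ("drop", None, f"Packet to bogus giaddr {pkt['giaddr']}.")

    if pkt["op"] == BOOTREQUEST:
        if pkt["hops"] >= MAX_HOPS:
            return ("drop", None, "Discarding packet: hop count exceeded.")
        # Keep an existing giaddr (set by an earlier relay); otherwise stamp
        # our ingress address so the server knows which relay to answer.
        giaddr = pkt["giaddr"] if pkt["giaddr"] != "0.0.0.0" else ingress_addr
        rewritten = (data[:3] + bytes([pkt["hops"] + 1]) + data[4:24]
                     + ipaddress.IPv4Address(giaddr).packed + data[28:])
        return ("forward_to_server", rewritten, None)

    return ("drop", None, f"Unknown BOOTP op {pkt['op']}.")


if __name__ == "__main__":
    # Constructed scenario: a relay that owns 192.168.1.1 and 192.168.2.1 sees a
    # server reply addressed to another relay's giaddr, 192.168.11.2.
    relay_addrs = {"192.168.1.1", "192.168.2.1"}
    transit_reply = build_bootp(BOOTREPLY, 0x1234, yiaddr="192.168.11.50",
                                giaddr="192.168.11.2")
    print(relay_decision(transit_reply, relay_addrs, "192.168.1.1"))
    own_reply = build_bootp(BOOTREPLY, 0x1234, yiaddr="192.168.2.50",
                            giaddr="192.168.2.1")
    print(relay_decision(own_reply, relay_addrs, "192.168.1.1")[0])
```

The practical takeaway from the model: a relay treats every BOOTREPLY it receives on a listening interface as its own to dispatch, and decides purely on giaddr versus its own addresses, so a reply meant for a downstream relay that the host only sees in transit will always trip this message on the transit host.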