DHCP not working / self-assigned IP address
-
Not really that difficult, just time consuming really, and requires a box with a CF reader.
I've got copies of the Netgate images here somewhere, I'll see if I can image them to a VM and try that instead.
-
Good news, and bad news.
Good news is I finally reproduced it and have a fix. The bad news is that it is specific to your configuration :-)
When you are using routers in a CARP pair, you can't use Proxy ARP VIPs. These were syncing into the backup config as empty <vip> tags, which was tricking the DHCP server there into thinking it should be primary.
So DHCP didn't work because they both thought they were primary.
The fix could either be to switch to 'other' type VIPs, and define them on both master and backup, or switch them to CARP if you can. Proxy ARP can't work on both routers in a failover configuration.
The other fix, if you really need proxy ARP on the main unit, is to patch services.inc to handle the empty tags better. I have a patch if you need it.
-
Thank you for discovering this. Seems like a bug to me. Is this only for the Netgate installation, or does it happen with a standard installation also?
I don't know if I can use the type "Other" VIP. I have these public IP addresses which will be tied to various hostnames. The public IP address will need to be mapped to various internal IP addresses, depending on which service is accessed. Will "Other" VIPs function this way?
-
It happened with the normal images as well once I looked deeper. I don't know why it was OK when I first restored your configuration, but it's possible that dhcpd hadn't reloaded after the empty tags synced over.
If your other IPs are in the same subnet as WAN, use CARP. If you have another subnet of IPs and those IPs are routed to your WAN IP, an 'other' type will work.
Using proxy arp IPs with CARP isn't considered a valid configuration, which is why nobody else seems to have hit this.
-
OK, I will try changing them all to CARP VIPs tonight, if possible, and let you know how it fares.
-
I changed them all to CARP VIPs but still no luck. I put each address into its own VHID group number, but I used the same password for all of them; the password doesn't seem to matter anyway. On 'Status -> DHCP leases' the state is still "recover". I notice that if I go to 'Status -> CARP', the status for all of the public VIPs is "MASTER" on both the master and backup firewalls. I'm sorry, I obviously don't know what I'm doing ;) but I'll learn in time. I'll send ya my current configs. Is there any way I can make the firewall config accessible from outside the datacenter? Then I don't have to keep making trips back and forth each time....
-
I restored the new configuration files you sent, and all of the CARP IPs show up properly; master on master, and backup on backup. The DHCP daemon came up properly this time too, in a normal state on both sides.
However, I did notice that the WAN IP is set to the same IP address on both of them (x.x.x.16) when it should be different on each box (if you want to use .16 as the shared IP, it must also be a CARP IP), and also the subnet mask of all those CARP IPs should be /28, not /32.
-
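The three configuration problems raised in the replies above (empty <vip> entries synced from a proxy ARP VIP, CARP VIPs given a /32 instead of the WAN's /28, and the same WAN address on both units) can all be caught by linting the synced config before dhcpd reads it. The following is an added example and not pfSense's own code or its services.inc patch: the XML layout, field names, the `advskew < 20` threshold for "primary", and the sample configs are all constructed assumptions modelled loosely on pfSense's config.xml, and the "naive" role function is only an illustrative model of how an empty entry can be misread as "I am primary".

```python
"""Added example, not pfSense's own code: lint a CARP pair's synced config."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the backup unit after a config sync from the master.
# The master's proxy ARP VIP arrived as an empty <vip/> element, and the
# CARP VIPs were entered as /32 although the WAN is a /28.
BACKUP_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.16</ipaddr><subnet>28</subnet></wan>
  </interfaces>
  <virtualip>
    <vip/>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advskew>100</advskew>
         <subnet>203.0.113.17</subnet><subnet_bits>32</subnet_bits></vip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>2</vhid><advskew>100</advskew>
         <subnet>203.0.113.18</subnet><subnet_bits>32</subnet_bits></vip>
  </virtualip>
</pfsense>"""
MASTER_WAN_ADDR = "203.0.113.16"   # constructed: the master's configured WAN address

# Constructed sample: the master unit, still carrying a proxy ARP VIP.
MASTER_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.16</ipaddr><subnet>28</subnet></wan>
  </interfaces>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface>
         <subnet>203.0.113.19</subnet><subnet_bits>32</subnet_bits></vip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advskew>0</advskew>
         <subnet>203.0.113.17</subnet><subnet_bits>28</subnet_bits></vip>
  </virtualip>
</pfsense>"""
BACKUP_WAN_ADDR = "203.0.113.20"   # constructed: what the backup's own WAN should be


def parse_vips(xml_text):
    """Return each <vip> as a dict of its child tags; an empty <vip/> yields {}."""
    root = ET.fromstring(xml_text)
    return [{c.tag: (c.text or "").strip() for c in vip}
            for vip in root.findall("./virtualip/vip")]


def dhcp_failover_role_naive(vips, iface):
    """Illustrative model of the fragile logic: every <vip> entry is trusted to
    be complete, so an empty one reads as advskew 0 and the backup concludes
    it is the primary.  (An assumption about the bug, not pfSense's code.)"""
    skews = [int(v.get("advskew") or 0) for v in vips
             if v.get("interface", iface) == iface]
    return "primary" if skews and min(skews) < 20 else "secondary"


def dhcp_failover_role(vips, iface, primary_max_skew=20):
    """Derive the dhcpd failover role from real CARP VIPs on `iface` only;
    entries missing mode, interface or advskew are ignored."""
    skews = [int(v["advskew"]) for v in vips
             if v.get("mode") == "carp" and v.get("interface") == iface
             and v.get("advskew", "").isdigit()]
    if not skews:
        return None            # no CARP VIP on this interface: nothing to fail over
    return "primary" if min(skews) < primary_max_skew else "secondary"


def lint_config(xml_text, peer_wan_addr):
    """Return findings for the CARP-pair mistakes discussed in the thread."""
    root = ET.fromstring(xml_text)
    wan = root.find("./interfaces/wan")
    wan_net = ipaddress.ip_network(
        f"{wan.findtext('ipaddr')}/{wan.findtext('subnet')}", strict=False)
    findings = []
    if wan.findtext("ipaddr") == peer_wan_addr:
        findings.append("WAN address is identical on both units; "
                        "a shared address must be a CARP VIP instead")
    for i, vip in enumerate(parse_vips(xml_text)):
        if not vip.get("mode"):
            findings.append(f"vip[{i}]: empty <vip/> synced from peer; "
                            "skip it rather than treating it as a VIP")
            continue
        if vip["mode"] == "proxyarp":
            findings.append(f"vip[{i}]: proxy ARP VIP in a CARP pair; use carp "
                            "(same subnet as WAN) or other (routed subnet)")
        elif vip["mode"] == "carp":
            addr = ipaddress.ip_address(vip["subnet"])
            bits = int(vip["subnet_bits"])
            if addr in wan_net and bits != wan_net.prefixlen:
                findings.append(f"vip[{i}]: CARP VIP {addr}/{bits} should carry "
                                f"the WAN mask /{wan_net.prefixlen}")
    return findings


if __name__ == "__main__":
    for label, cfg, peer in (("backup", BACKUP_CONFIG, MASTER_WAN_ADDR),
                             ("master", MASTER_CONFIG, BACKUP_WAN_ADDR)):
        vips = parse_vips(cfg)
        print(label, "naive role:", dhcp_failover_role_naive(vips, "wan"),
              "| robust role:", dhcp_failover_role(vips, "wan"))
        for f in lint_config(cfg, peer):
            print("  ", f)
```

On the constructed backup config the naive role comes out "primary" (both units then believe they are primary, which is the symptom in the thread), while the robust function ignores the empty entry and returns "secondary"; the linter also flags the /32 masks and the duplicated WAN address.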
I don't get why the config works for you but not for me. I even tried rebooting the two boxes and still everything shows up as MASTER. Maybe I'll ask the datacenter support staff to look at it.
-
When you tried that unmanaged switch, did you try it on the WAN, the LAN, or both? CARP relies on broadcasts (as does DHCP) so if their switches are blocking anything like that it can be an issue.
If your WANs are on your ISP's switch/network and not in its own VLAN, it's also possible your VHIDs might be conflicting or they may be blocking some broadcast traffic there.
As for accessing the router remotely, it should be as easy as (a) switching the webgui to use HTTPS under system > general (for security reasons), and (b) adding a firewall rule on WAN that allows TCP traffic in to the destination of "WAN Address" on port 443 (pick https from the list or type in 443). Then you should be able to access the WebGUI from anywhere.
Moving it to another port (and using that port in the rule) would be even better, something like 4433, 44433, etc. A VPN would be ideal but is much harder to setup.
-
Thanks for the info. I'll talk to the ISP about it. I am planning on setting up a VPN in the future.
-
My ISP asked me to reiterate that I am only using one uplink, i.e. only the WAN port on the master is plugged in. Is that having an adverse effect on the setup?
Secondly, they told me they use HSRP to provide redundant gateways and want to know: is it possible to allow traffic to pass between both WAN ports (possibly using the sync port) without being molested?
thanks
-
That would be why they both show as master on WAN then, both units would need to be plugged in on WAN and LAN for all of that to work properly.
The traffic for WANs has to happen on the WAN link; they both need to be plugged in, and it can't go over another interface. It's handled via broadcasts.
HSRP is another type of redundant protocol like CARP/VRRP, so you may still need to make sure your VHIDs don't collide with the IDs they are using.
-
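The reply above explains why both units showed MASTER on WAN (neither could hear the other's advertisements) and why a VHID shared with someone else's redundancy group is a problem. The following added example, which is not part of the original thread and not pfSense or FreeBSD code, is a small model of the CARP master election: each node advertises every advbase second while MASTER and, while BACKUP, takes over if it hears no better master for 3 × (advbase + advskew/256) seconds; a better advertisement (lower advskew, ties broken on name here where real CARP uses the IP address) preempts a weaker master. The node names, VHIDs and skews are constructed.

```python
"""Added example: a tick-based model of the CARP master/backup election."""
import math

ADVBASE = 1.0          # seconds between a master's advertisements (CARP default)
TICKS_PER_SEC = 10     # simulation resolution: one tick = 0.1 s


class Node:
    def __init__(self, name, vhid, advskew):
        self.name, self.vhid, self.advskew = name, vhid, advskew
        self.state = "BACKUP"
        self.last_heard = 0    # tick at which a better master was last heard
        self.next_adv = 0      # tick at which to send the next advertisement

    def timeout_ticks(self):
        # CARP master-down timeout: 3 * (advbase + advskew/256) seconds
        return math.ceil(3 * (ADVBASE + self.advskew / 256) * TICKS_PER_SEC)

    def outranks(self, skew, sender):
        # Lower advskew wins; equal skews tie-break on name (real CARP uses the IP).
        return (self.advskew, self.name) < (skew, sender)


def simulate(nodes, seconds, link_up=True):
    """Run the election for `seconds` and return each node's final state.
    With link_up=False no advertisement is delivered, which models a WAN
    port that is not plugged in or a switch that drops the multicast."""
    for n in nodes:
        n.state, n.last_heard, n.next_adv = "BACKUP", 0, 0
    for tick in range(seconds * TICKS_PER_SEC):
        # 1. Masters advertise once per advbase.
        adverts = []
        for n in nodes:
            if n.state == "MASTER" and tick >= n.next_adv:
                adverts.append((n.vhid, n.advskew, n.name))
                n.next_adv = tick + int(ADVBASE * TICKS_PER_SEC)
        # 2. Deliver advertisements to every other node on the same VHID.
        if link_up:
            for n in nodes:
                for vhid, skew, sender in adverts:
                    if sender == n.name or vhid != n.vhid:
                        continue
                    if n.outranks(skew, sender):
                        n.state, n.next_adv = "MASTER", tick   # preempt a weaker master
                    else:
                        n.state, n.last_heard = "BACKUP", tick  # a better master is alive
        # 3. A backup that heard no better master for its timeout takes over.
        for n in nodes:
            if n.state == "BACKUP" and tick - n.last_heard >= n.timeout_ticks():
                n.state, n.next_adv = "MASTER", tick
    return {n.name: n.state for n in nodes}


def healthy_pair():
    return [Node("fw1", 1, 0), Node("fw2", 1, 100)]


if __name__ == "__main__":
    print("both WAN ports plugged in:", simulate(healthy_pair(), 10))
    print("backup WAN unplugged:     ", simulate(healthy_pair(), 10, link_up=False))
    # A foreign device on the same VHID with a better skew wins the election,
    # and our pair ends up as backups for an address it is supposed to own.
    clash = [Node("isp", 1, 0), Node("fw1", 1, 50), Node("fw2", 1, 100)]
    print("VHID shared with ISP gear: ", simulate(clash, 10))
```

With the link up the lower-skew unit becomes MASTER and the other stays BACKUP; with the link down both time out and both claim MASTER, which is what the thread saw while only one WAN cable was connected. The third case is why the VHID advice matters: a stranger on the same VHID with a better advertisement takes the address away from both units.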
OK, everything seems to be up and running. I appreciate all the help that was provided. The ISP figured out how to get my two uplinks working by creating a VLAN or something. Granted, the uplinks are not too redundant (just plugged into separate blades on the switch), but the setup is finally working!!