Problem with DHCP from WAN interface
This may be posted in the wrong section, but since my installation is on VMware, I post it here, in case this may turn out to be the problem. OK, first some basic info about my installation:
VMware-host: HP Proliant DL585 G2
Core-switch: D-Link DGS 1210-16 (VLANs enabled: WAN_100, LAN_500, LAN_800, DMZ_200, iSCSI_400, MGMT_300)
The VMware-host and the switch itself reside in the VLAN 300 area, AKA Management.
On the VMware-host, vswitch0 is defined with one single NIC (I know this is not optimal, but I couldn't get around to dragging 4 LAN cables through the entire house and out into the server room in the garage; one cable was enough! :-) ). All VLANs are defined as port groups, named the same as the VLAN config on the switch.
Btw, I'm running ESXi 5.0 U1.
pfSense 2.01 is installed on a local VM and given 4 NICs: WAN, LAN, LAN, DMZ
LAN1 is defined as 10.0.1.1/24 with DHCP enabled
LAN2 is defined as 184.108.40.206/24 with DHCP enabled
DMZ is defined as 192.168.254.1/24 with no DHCP
WAN is defined as DHCP
My ISP modem is bridged (Zyxel P2812) and connected to PORT1 (untagged member of WAN_100. Port 16 is tagged member)
My LAPTOP is connected to PORT3 (untagged member LAN_500, PORT 16 is tagged member)
My PC is connected to PORT 10 (untagged member LAN_800, PORT 16 tagged member)
My Management-pc is connected to port 15 (untagged member MGMT_300, PORT 16 tagged member)
vSwitch0 is connected to vmnic0 which in turn is cabled to port 16
OK, my results:
LAPTOP gets DHCP from pfSense, and can communicate with the pfSense webadmin
PC gets DHCP from pfSense on the other VLAN
Management-pc can administer both switch and VMware-host, but of course not the pfSense itself, nor see the laptop or PC...
So it seems everything is working, except the KEY factor of having pfSense at all..... I have no internet..... because the WAN interface is stuck at 0.0.0.0
So what to do? If I understand this correctly, pfSense will send a DHCP request, which eventually will hit the WAN_100 portgroup on vswitch0, get tagged with VLAN 100, and be sent out on vmnic0, which in turn is connected to port 16, tagged member of the WAN_100 VLAN on the switch. Untagged member here is Port 1, so the request will exit here untagged and hit the Zyxel.... The response will in turn go back to the core-switch, get tagged with VLAN 100 and be routed back to VMware and the portgroup.... At least it works this way for all the other VLANs.... so why is DHCP for WAN not working?? There's nothing blocking DHCP requests in my setup, as DHCP works from both VLAN 500 and VLAN 800....
Seems to me the problem is either pfsense, or the Zyxel not receiving the packet, or responding correctly??
probably a PVID wrong or some other detail
No, I have double-checked the VLAN config xxx number of times, and I am 100% sure that that portion of the setup is working. All other VLANs are working, and are set up exactly the same way, so it sure would be strange if that was the problem. The ISP's modem-box is connected to PORT 1 on the switch, and port 1 is untagged member of VLAN 100, and port 16 is tagged member. The PVID of PORT 1 is 100..... DHCP from the other VLANs to the pfSense works great. It's just pfSense's DHCP request to the ISP that never gets through.... Looks like I have to pull out my Wireshark and dig deeper.... :-)
Just to verify the VLAN setup, I've now successfully set up the pfSense behind an old D-Link router using static IP..... Double routing is not optimal, but just in order to test the traffic flow it works. The D-Link receives DHCP from my ISP, and the pfSense is connected to this over the WAN interface with a static IP. Traffic flows and the internet is reached.... So this at least verifies that the VLAN and network is NOT the issue here.
The pfSense is nevertheless not able to request DHCP directly from the ISP modem, nor directly from the D-Link.... so the problem is isolated to DHCP and just for the WAN interface (static IP works)..... Clients connected to pfSense, however, can request DHCP from the LAN interfaces just fine, so DHCP seems to work fine over the VLANs and through VMware's vSwitch..... So why not for the WAN? Is TTL or anything handled differently with pfSense DHCP requests to WAN? I just can't seem to find the reason for this not to WORK, and it's pretty frustrating....
Anyone having solved issues with WAN and DHCP, feel free to post your comments ;-)
I have now just run a couple of new tests on this system, and tcpdump shows that the WAN interface is sending DHCP requests on the em0 interface with the virtual MAC of my WAN interface card. Using Wireshark I have confirmed that the requests are visible as traffic on PORT 16 (my trunk port on the core switch, tagged with VLAN 100, indicating that the requests are actually leaving the ESXi server and reaching the internal physical network, with correct source MAC and destination FF:FF:FF:FF:FF:FF), and they are also showing in the captures from PORT 1, in untagged form (the port connected to my router). On PORT 1 I can also see DHCPOFFER packets being broadcast from my router to FF:FF:FF:FF:FF:FF, but not directly to the MAC of my pfSense WAN (em0 interface).
The DHCPOFFER packets I can not recall seeing on the PORT 16 TRUNK, and they never reach ESXi. This might be a coincidence, but I don't think so. Seems requests are sent all the way to port 1, but offers are not sent back; they stay on PORT 1..... Thus, when using static IP the connection works, so there are no issues with the VLAN setup, so I'm a bit confused as to why the offers are not transferred over the VLAN to ESXi....
OK, I feel I'm a little closer to success now, because I was just able to pull a DHCP lease from my internal D-Link (it seems my switch had some default security settings that blocked the DHCP offers (broadcasts) from the D-Link; turned that off, and voila), but this still gives me the same connection as running with static IP behind it, which means double NAT and double routers. But now I KNOW DHCP works from pfSense via my switch and VLAN setup, and that's a step forward.
When trying to connect pfSense directly to my bridged modem (directly to my ISP, which is my main goal), Wireshark shows DHCP packets arriving, but there is no response. Since my modem is bridged, it is not dealing with DHCP, meaning that my DHCP requests from pfSense are sent all the way to my ISP's internal network and their DHCP service. I don't know how many hops there are in between, but I'm a bit concerned that the short TTL=16 on pfSense's DHCP requests is getting them killed along the way.....
Is there some way to increase the TTL of the DHCP requests from the pfSense WAN interface to something more resilient? Maybe TTL=64 or TTL=128? That at least will eliminate this as being the error....
Feel the solution is right around the corner now..... almost there :-)
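The capture-based reasoning in the posts above (DHCP requests visible on the vSwitch port group, on the trunk and on the access port; offers visible only on the access port) can be turned into a small checker. The following is an added example, not code from this thread or from pfSense, ESXi or D-Link: it parses 802.1Q/IPv4/UDP/DHCP frames, reports per capture point the VLAN tag, IP TTL and DHCP message type, and lists the capture points where a DISCOVER was seen but no OFFER ever came back. The frames, MAC addresses, the 192.0.2.1 server address and the capture-point names are constructed placeholders; in practice the lists would be filled from frames exported by tcpdump or Wireshark at each port.

```python
import struct

# Standard EtherTypes, DHCP magic cookie and option-53 message types (RFC 2132)
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_frame(src_mac, dst_mac, vlan, ttl, src_ip, dst_ip,
                     sport, dport, op, msg_type, chaddr):
    """Construct a minimal Ethernet/IPv4/UDP/DHCP frame, 802.1Q tagged when vlan is set.
    Only the fields the checker reads are meaningful; the IP checksum is left at zero."""
    dhcp = (bytes([op, 1, 6, 0])              # op, htype=Ethernet, hlen=6, hops
            + b"\x00" * 4                     # xid
            + b"\x00" * 4                     # secs, flags
            + b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr
            + chaddr + b"\x00" * 10           # chaddr padded to 16 bytes
            + b"\x00" * 192                   # sname (64) + file (128)
            + DHCP_MAGIC
            + bytes([53, 1, msg_type, 255]))  # option 53 + end option
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0,
                     ttl, 17, 0, src_ip, dst_ip) + udp
    if vlan is None:
        eth = dst_mac + src_mac + struct.pack("!H", ETH_P_IP)
    else:  # TCI carries only the VID here (priority 0)
        eth = dst_mac + src_mac + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP)
    return eth + ip


def parse_frame(frame):
    """Return vlan/ttl/MACs/message type for a DHCP frame, or None for anything else."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or frame[offset + 9] != 17:  # IPv4 carrying UDP only
        return None
    ttl = frame[offset + 8]
    udp = offset + (frame[offset] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} & {67, 68}:
        return None
    dhcp = udp + 8
    if frame[dhcp + 236:dhcp + 240] != DHCP_MAGIC:
        return None
    msg, i = None, dhcp + 240
    while i < len(frame) and frame[i] != 255:  # walk TLV options until END
        if frame[i] == 0:                      # PAD option has no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == 53:
            msg = MSG_TYPES.get(frame[i + 2], "UNKNOWN")
        i += 2 + length
    return {"vlan": vlan, "ttl": ttl, "src_mac": src_mac.hex(":"),
            "dst_mac": dst_mac.hex(":"), "msg": msg}


def summarize(captures):
    """captures: {capture_point: [frame, ...]} -> per point the VLANs, TTLs and DHCP
    message types observed; non-DHCP frames are skipped."""
    out = {}
    for point, frames in captures.items():
        seen = {"msgs": set(), "vlans": set(), "ttls": set()}
        for p in filter(None, map(parse_frame, frames)):
            seen["msgs"].add(p["msg"])
            seen["vlans"].add(p["vlan"])
            seen["ttls"].add(p["ttl"])
        out[point] = seen
    return out


def broken_return_path(captures):
    """Capture points that saw the client's DISCOVER but never an OFFER. The OFFER was
    dropped between the last point where it is present and the first point listed here."""
    return [pt for pt, s in summarize(captures).items()
            if "DISCOVER" in s["msgs"] and "OFFER" not in s["msgs"]]


def sample_captures():
    """Constructed scenario modelled on the thread: DISCOVER (TTL 16, VLAN 100) seen at
    every point, OFFER only on the untagged access port. Not captured from a real network."""
    pfsense_wan = bytes.fromhex("005056000001")   # hypothetical VM MAC
    router = bytes.fromhex("001122334455")        # hypothetical router/DHCP server MAC
    bcast, any_ip, bcast_ip = b"\xff" * 6, bytes(4), b"\xff" * 4

    def discover(vlan):
        return build_dhcp_frame(pfsense_wan, bcast, vlan, 16, any_ip, bcast_ip,
                                68, 67, 1, 1, pfsense_wan)

    def offer(vlan):
        return build_dhcp_frame(router, bcast, vlan, 64, bytes([192, 0, 2, 1]), bcast_ip,
                                67, 68, 2, 2, pfsense_wan)

    return {"vswitch_wan_pg": [discover(100)],
            "port16_trunk": [discover(100)],
            "port1_untagged": [discover(None), offer(None)]}


if __name__ == "__main__":
    caps = sample_captures()
    for point, s in summarize(caps).items():
        print(f"{point:15} vlans={s['vlans']} ttls={s['ttls']} msgs={sorted(s['msgs'])}")
    print("OFFER never seen at:", broken_return_path(caps))
```

With the constructed captures the checker reports the OFFER as missing on both the trunk and the vSwitch port group, which narrows the drop to the switch's handling of the broadcast offer between the access port and the tagged trunk (the behaviour the switch's default security setting produced in the thread). The TTL column makes the TTL=16 question checkable at each hop as well.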
I've got a similar problem, but it is intermittent (i.e. sometimes pfSense will acquire an address via DHCP, and sometimes it won't). Let me know if you find out how to change the TTL; maybe ask your ISP (it might be controlled at their end). Please do let us know if it solves the issue.
The TTL is not controlled at my ISP's end. I know this because I Wireshark the packets at several locations in my own network. The DHCP requests are generated at the WAN interface on pfSense, and straight out when sniffed on the vSwitch portgroup, the packets have a TTL value of 16; then at the TRUNK port going from ESXi to the physical core switch, the packets are identical, still with a TTL value of 16; then on the other end of the switch, leaving untagged on the same port which is directly connected to my ISP, the packets are still TTL=16..... Then of course I can't sniff them any further, but since the packets are generated by my pfSense and sniffed internally at my equipment BEFORE reaching the bridged modem, I see no way that the ISP can interfere??? But since I get no response, and the D-Link and a tested Windows PC get an IP without problems, I have to believe that the packets actually never reach the DHCP server, and that the TTL might be the cause....
I do not know what happens on my ISP's network, and maybe I can ask them for a support case where they trace my packets based on MAC to see where they go and what happens, but according to my ISP I'm running a pretty NON-standard home network which is a BIT more technical than their target audience, and they are pretty non-technical support persons, only educated in what to ask, and then blame it all on the customer if all else fails.... so talking to them is like talking to a brick wall for several minutes, only to be responded to with "øh", "eh" and other strange sounds before they either ask me to please run a supported config (meaning to use their crappy Zyxel modem) or they send me on a round-robin chase from support person to support person, and they're all alike. :-( But I might get lucky and get a decent support guy on the other end, so I might give it a try....
I'm having nearly the same problem, although I'm not allocating VLANs yet. If I use my Linksys router between the pfSense VM and cable modem and set an IP statically it works; using DHCP and/or removing the Linksys router kills any chance of getting a DHCP IP from my ISP.
Check out the other thread on this. I have uploaded a modified dhclient that has TTL set to 128 vs 16. Still not understanding why it would be set so low? Why not just use the OS default setting for TTL? For FreeBSD that would be 64.