Netgate Discussion Forum

    Change TTL-value of DHCP Requests

    DHCP and DNS
    25 Posts 4 Posters 19.1k Views

      johnpoz LAYER 8 Global Moderator

      Glad it fixed your issue; it was fun for me to get a FreeBSD up and running that I can compile stuff on in the future ;)

      You know, the security issue -- hmm, I wonder?? Guess we could up the TTL and see what the minimum is that works; if it's like 64 then most likely a security thing.

      I would love to know how many hops it's away ;) It just blows my mind that you could be 16 hops away, that's just nuts!! And seems like piss-poor network design to me as well. But without an understanding of their network - maybe it's 17 hops and that is the best way to set up what they want? But seems unlikely..

      Just finally glad we got you working.. Now should report this to FreeBSD and actually get it fixed; I wonder if others out there just don't get an IP and give up?? I was pretty impressed that you noticed the TTL being low; I am curious if I would have spotted that if I was having a similar issue. I now for sure will if I ever see such a problem in the future!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

        an10bill

        I don't know if it's a security issue or not - because my ISP hasn't responded to my support ticket yet (if they ever will), but I'm also thinking it would be a pretty piss-poor network design if the DHCP could actually be more than 16 hops away... But then again I have been working with computers and networks for so long a time that nothing actually surprises me anymore. Since your modified dhclient solved the problem, it seems likely that the TTL has been the issue (unless the ISP has quietly been doing some stuff regarding my support ticket - but I don't think so) and the most likely scenario would then be some sort of firewall blocking odd requests (and since the majority of systems send out requests with 64/128 TTL, anything else is considered abnormal and killed)....

        If I ever find the answer, if they respond, and I can say for sure that it was the hops or a security issue - I'll update this thread so that we can find peace of mind on this issue :-P

        In regard to reporting this: since a vast majority of people are just plugging their pfSense behind ISP routers (unbridged) or have an ISP with less rigid/picky security systems, nor are running advanced setups including both VLANs and virtualization, the TTL of 16 has been sufficient through earlier releases and no need for change has been noticed nor reported. But, as you say, for all of those who have been trying to get a DHCP lease through a bridged modem, directly from their ISP, and NOT succeeded, and then gave up after trying "everything" - this actually might be the overlooked solution.

        I can see no required reason for the dhclient to use TTL 16 when the default for all other traffic is either 64 or 128 - so this for sure is one thing that could/should make it into a new release of pfSense - or they could at least make it something you can change easily with an option setting in the GUI, or a config file :-)

        I for sure am happy that I can now focus 100% on config and further setup, instead of wiresharking and troubleshooting network/VLAN traffic. It has been fun in some odd way, and I've probably once again learned something.... at least that even the smallest and most unlikely things might be the big difference ;-)

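The TTL reasoning in the post above (a DHCPDISCOVER leaving the client with TTL 16 is discarded by the 16th router it has to cross, and a strict upstream filter may treat any TTL other than the usual 64/128 as abnormal) as an added example; this is not code from the thread, pfSense or FreeBSD. It builds a constructed IPv4/UDP DHCPDISCOVER with a chosen TTL, parses the TTL, relay hop count and DHCP message type back out of the raw datagram the way you would while wiresharking, and classifies the packet against a given number of routers. The transaction id, MAC and IP id are made-up sample values.

```python
import struct
from typing import Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
USUAL_TTLS = (64, 128)          # what most client stacks send, per the thread


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(ttl: int, xid: int = 0x3903F326,
                        mac: bytes = b"\x00\x0c\x29\xaa\xbb\xcc") -> bytes:
    """Constructed IPv4/UDP datagram carrying a minimal DHCPDISCOVER.

    Shape of a real client request before it has an address: 0.0.0.0 -> 255.255.255.255,
    UDP 68 -> 67. Only the IP TTL varies: 16 is what the thread found FreeBSD's dhclient
    using, 64/128 is what most other stacks use. xid and mac are made-up sample values.
    """
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
                        bytes(4), bytes(4), bytes(4), bytes(4),          # ciaddr, yiaddr, siaddr, giaddr
                        mac.ljust(16, b"\x00"), bytes(64), bytes(128))   # chaddr, sname, file
    options = DHCP_MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"   # option 53 = DISCOVER, then END
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     ttl, 17, 0, bytes(4), b"\xff" * 4)   # proto 17 = UDP, checksum filled below
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def inspect_dhcp(packet: bytes) -> Optional[dict]:
    """Pull TTL, relay hop count and DHCP message type out of a raw IPv4 datagram.

    Returns None for anything that is not IPv4/UDP to a DHCP port with a valid cookie.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 17 or len(packet) < ihl + 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if dport not in (67, 68):
        return None
    payload = packet[ihl + 8:ihl + ulen]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return None
    msg_type = None
    i = 240
    while i < len(payload):                 # walk the TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                       # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = DHCP_MESSAGE_TYPES.get(payload[i + 2], "type %d" % payload[i + 2])
        i += 2 + length
    return {"ttl": ttl, "relay_hops": payload[3], "src_port": sport, "dst_port": dport,
            "message_type": msg_type}


def assess_dhcp_ttl(packet: bytes, routers_to_cross: int) -> str:
    """Defender's check for the failure mode in the thread.

    'expires-in-transit': the TTL hits 0 before the packet clears routers_to_cross routers.
    'unusual-ttl': it would arrive, but the value is not one a strict filter expects.
    'ok': nothing about the TTL explains a missing lease.
    """
    info = inspect_dhcp(packet)
    if info is None:
        return "not-dhcp"
    if info["ttl"] <= routers_to_cross:      # each router decrements; 0 after decrement = drop
        return "expires-in-transit"
    if info["ttl"] not in USUAL_TTLS:
        return "unusual-ttl"
    return "ok"


if __name__ == "__main__":
    for ttl in (16, 64):
        pkt = build_dhcp_discover(ttl)
        print(ttl, inspect_dhcp(pkt)["message_type"], assess_dhcp_ttl(pkt, 16))
```

inspect_dhcp() accepts any IPv4 datagram bytes, so it can be pointed at packets pulled out of a capture as easily as at the constructed one. One caveat when reading the result: a DHCP relay agent re-originates the request toward the server as a new unicast packet with its own stack's TTL, so the client's TTL only governs the path up to the first relay or filter in front of it.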
          johnpoz LAYER 8 Global Moderator

          Yeah, I can see no reason for the 16 either; other OSes are not using such a low TTL for DHCP. I would be curious what NetBSD or OpenBSD are using.

          Maybe one of the developers for pfSense can help us with the official way of submitting the bug/issue and getting it fixed in FreeBSD. What I can tell you is I updated my pfSense yesterday and it's back to the original dhclient - so if you update, you're going to have to replace your dhclient again.

          If for some reason they want to leave the default at 16, then it should be fixed so that the option of changing it works.

            an10bill

            @johnpoz:

            What I can tell you is I updated my pfSense yesterday and it's back to the original dhclient - so if you update, you're going to have to replace your dhclient again.

            Np, one thing I've definitely learned over the years is the value of backup. Your modified dhclient is of course backed up, and duplicated both on my NAS and somewhere in the cloud (Livedrive), just in case I have to do a reinstall/update of pfSense some time in the future... ;-)

            Now, I'm off to battle the next phase in my setup - getting OpenVPN to work with Active Directory and DuoSecurity Radius Proxy (2 factor auth). Hopefully that will go smoother than getting DHCP to work ;-)

              johnpoz LAYER 8 Global Moderator

              I have submitted this as a bug to FreeBSD, just waiting on confirmation that it was taken; will post the link to the report as soon as I get it, here in this thread.

              OK, the problem has been posted - you can follow it here:
              http://www.freebsd.org/cgi/query-pr.cgi?pr=170279

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.