DHCP lease duplicate errors.
-
Hello everyone! I'm a newbie. My first post here so please bear with me.
I noticed recently that my box has some lag and is sluggish in serving my network. Going to the system logs, I found errors like this:
dhcpd: uid lease 172.16.30.208 for client bc:72:b1:45:8e:0c is duplicate on 172.16.24.0/21
I have many similar ones right now.
Searching the DHCP leases under Status, I found out that the client has two IP addresses:
172.16.29.255 bc:72:b1:45:8e:0c android-fa17a2c4de428778 2013/07/26 19:39:56 2013/07/27 19:39:56 online active
172.16.30.208 bc:72:b1:45:8e:0c 2013/07/26 19:36:21 2013/07/26 19:39:56 online expired
It looks like PF's DHCP server has not released/deleted the expired IP, but has issued a new IP and created a conflict on its own.
What I tried: stopped the DHCP service, cleared dhcpd.leases in the DB, and restarted the DHCP service again. It went well for 5 hrs, then the errors began to appear again. Is there another workaround for this? Is there a way to automatically delete all expired leases? Or perhaps point me to the right thread that answers this?
Many thanks in advance.
I'm using PF with Lusca and Captive Portal for the neighborhood,
running version 2.0.3-RELEASE (i386),
4 GB of RAM,
CPU E5800 @ 3.20GHz with
two hard drives, one for PF and the other for cache.
-
Update: after observing for several hours, I noticed that a single Android phone got 3 IP addresses.
Error log:
Jul 26 22:42:35 dhcpd: uid lease 172.16.31.125 for client 38:16:d1:d1:57:4e is duplicate on 172.16.24.0/21
DHCP leases log:
172.16.30.227 38:16:d1:d1:57:4e GT-S5260 2013/07/26 22:42:35 2013/07/27 22:42:35 offline active
172.16.31.125 38:16:d1:d1:57:4e 2013/07/26 22:42:35 2013/07/26 22:42:35 online expired
172.16.27.33 38:16:d1:d1:57:4e 2013/07/26 22:42:35 2013/07/26 22:42:35 online expired
System log (DHCP):
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.30.227 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.30.227 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: uid lease 172.16.31.125 for client 38:16:d1:d1:57:4e is duplicate on 172.16.24.0/21
Jul 26 22:42:35 dhcpd: DHCPNAK on 192.168.2.102 to 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 192.168.2.102 (192.168.2.3) from 38:16:d1:d1:57:4e via em0: wrong network.
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.31.125 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.31.125 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.27.33 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.27.33 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: uid lease 172.16.31.125 for client 38:16:d1:d1:57:4e is duplicate on 172.16.24.0/21
What's causing this and how do I prevent it?
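The dhcpd log above shows one MAC being ACKed three different addresses in the same second, with two "uid lease ... is duplicate" warnings in between. As I read ISC dhcpd, that warning is logged when the server already holds an active lease matched by the client's identifier (uid) but is about to hand the same client a different lease found by hardware address. The script below is an added example, not code from the thread or from pfSense: it parses dhcpd syslog lines of the kind posted above, groups them by MAC, and flags any client that was ACKed more than one address within a short window. The year (syslog lines carry none), the 5-minute window, and the final well-behaved client line are assumptions of my own.

```python
"""Group ISC dhcpd syslog lines by client MAC and flag clients that were
ACKed more than one address within a short window.

Added example, not code from the thread or from pfSense/ISC dhcpd.
Assumptions: syslog lines carry no year, so ASSUMED_YEAR is used; the
5-minute window and the regexes are my own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2013  # syslog timestamps have no year field

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dhcpd: (.*)$")
ACK_RE = re.compile(r"^DHCPACK on (\S+) to " + MAC)
NAK_RE = re.compile(r"^DHCPNAK on (\S+) to " + MAC)
REQ_RE = re.compile(r"^DHCPREQUEST for (\S+) \((\S+)\) from " + MAC
                    + r"(?: \([^)]*\))? via \S+(: wrong network\.)?$")
DUP_RE = re.compile(r"^uid lease (\S+) for client " + MAC
                    + r" is duplicate on (\S+)$")

# The first ten lines are the ones posted in the thread (same MAC, same
# second, newest first as pfSense shows them). The last line is a
# constructed, well-behaved client added for contrast.
SAMPLE_LOG = """\
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.30.227 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.30.227 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: uid lease 172.16.31.125 for client 38:16:d1:d1:57:4e is duplicate on 172.16.24.0/21
Jul 26 22:42:35 dhcpd: DHCPNAK on 192.168.2.102 to 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 192.168.2.102 (192.168.2.3) from 38:16:d1:d1:57:4e via em0: wrong network.
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.31.125 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.31.125 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: DHCPACK on 172.16.27.33 to 38:16:d1:d1:57:4e (GT-S5260) via em0
Jul 26 22:42:35 dhcpd: DHCPREQUEST for 172.16.27.33 (172.16.24.1) from 38:16:d1:d1:57:4e via em0
Jul 26 22:42:35 dhcpd: uid lease 172.16.31.125 for client 38:16:d1:d1:57:4e is duplicate on 172.16.24.0/21
Jul 26 22:45:10 dhcpd: DHCPACK on 172.16.28.5 to 00:11:22:33:44:55 (laptop) via em0
"""


def parse_ts(stamp):
    """Turn 'Jul 26 22:42:35' into a datetime using the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(stamp.split())}",
                             "%Y %b %d %H:%M:%S")


def new_client():
    return {"acks": defaultdict(list), "naks": 0,
            "wrong_network": 0, "uid_duplicate": 0}


def summarize(log_text):
    """Per-MAC summary: addresses ACKed (with timestamps), number of NAKs,
    number of 'wrong network' REQUESTs, and number of uid-duplicate warnings."""
    clients = defaultdict(new_client)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if (a := ACK_RE.match(msg)):
            clients[a.group(2)]["acks"][a.group(1)].append(ts)
        elif (n := NAK_RE.match(msg)):
            clients[n.group(2)]["naks"] += 1
        elif (r := REQ_RE.match(msg)):
            if r.group(4):  # client asked for an address from another network
                clients[r.group(3)]["wrong_network"] += 1
        elif (d := DUP_RE.match(msg)):
            clients[d.group(2)]["uid_duplicate"] += 1
    return clients


def flag_multi_lease(clients, window=timedelta(minutes=5)):
    """MACs ACKed two or more distinct addresses within `window`, mapped to
    the sorted list of those addresses."""
    flagged = {}
    for mac, info in clients.items():
        if len(info["acks"]) < 2:
            continue
        stamps = [t for times in info["acks"].values() for t in times]
        if max(stamps) - min(stamps) <= window:
            flagged[mac] = sorted(info["acks"])
    return flagged


if __name__ == "__main__":
    clients = summarize(SAMPLE_LOG)
    for mac, ips in flag_multi_lease(clients).items():
        info = clients[mac]
        print(f"{mac}: {len(ips)} addresses {ips}, "
              f"{info['uid_duplicate']} uid-duplicate warnings, "
              f"{info['naks']} NAKs, {info['wrong_network']} wrong-network requests")
```

Feed it the DHCP log from the box (on pfSense 2.0.x the dhcpd log is a circular log read with `clog`); a MAC that keeps appearing with the same hostname and several addresses is the one to capture on the wire, since the client identifier it sends is what dhcpd keys the second lease on.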
Anyone?
-
I also have something like that:
Jul 27 13:37:38 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:37:02 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:36:48 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:36:09 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:35:58 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:35:31 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:35:27 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:35:20 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:26:39 kernel: arp: 192.168.1.134 moved from e0:b9:a5:68:5b:32 to a8:92:2c:d2:ac:cd on em1
Jul 27 13:26:11 kernel: arp: 192.168.1.6 moved from d4:87:d8:9e:d7:a3 to 00:e0:b1:07:ac:da on em1 :(
-
No problem with various Android devices… You did not post any information about your DHCP server configuration. Make sure the pool is large enough to accommodate the number of devices and the lease time short enough.
-
Thanks for your reply.
Here is the configuration of the DHCP:
Subnet 172.16.24.0
Subnet mask 255.255.248.0
Range 172.16.26.1 to 172.16.31.254
Default lease time 86400
Maximum lease time 2592000
The rest are on default settings.
I adjusted the default lease time since the default value is too short and can cause a lot of errors, because the DHCP server doesn't free up the expired IP addresses, as I have observed.
What do you recommend? What else should I try or adjust?
-
Too short??? Geez, drop the insane lease time a whole lot. Absolutely zero need to provide 30 day leases to mobile phones!!!
-
The errors reported above were on the default lease time settings.
The reason why I adjusted the lease times recently is that I have a lot of duplicate lease errors. As I stated earlier, the DHCP server doesn't release or delete the expired IP address while at the same time issuing another new IP to the same MAC. This results in duplicate lease errors. As you can see in the error logs above, a single Droid phone got 3 IP addresses.
For several months the default lease time is what I used: default lease time = 3600, maximum = 18000, and it resulted in many duplicate lease errors. But by adjusting the length of time, I got fewer duplicate errors. I know this is just a temporary solution until I can find a way for PF's DHCP server to automatically delete or release expired IPs.
For now I'm manually deleting duplicate expired leases. :-[
-
You clearly are doing something special there. I'd suggest to disable the captive thing and see how it goes.
-
Thanks for the suggestion.
However, disabling the captive portal now is not an option, since I have several clients that need authenticating on this network.
What do you mean that I'm doing something special?
I'm running PF with Captive Portal and Squid (that's just ordinary). Can you point out your hypothesis as to what I'm doing wrong here, if that's what you meant?
If this info is relevant, I'm using these adapters:
Intel PRO 1000MT Dual Port server adapter
-
You don't have a machine that is inadvertently connected to the network via a wired interface and wifi at the same time, do you?
742b:22:38:a1 74DE2B Liteon Technology Corporation (probably wireless N knowing Liteon)
90:4c:e5:89:ed:25 904CE5 Hon Hai Precision Ind. Co.,Ltd. (Probably wired maybe on a foxconn board)
Got something like that in your network?
-
You don't have a machine that is inadvertently connected to the network via a wired interface and wifi at the same time, do you?
742b:22:38:a1 74DE2B Liteon Technology Corporation (probably wireless N knowing Liteon)
90:4c:e5:89:ed:25 904CE5 Hon Hai Precision Ind. Co.,Ltd. (Probably wired maybe on a foxconn board)
Got something like that in your network?
Yes, I do have 15 PCs and access points wired to the LAN (no wireless at the same time, though). All of them are entered in the Passthru MAC list of the captive portal, all recently on static IP configuration with a subnet of /24, and all are entered also in the DHCP static mappings on the DHCP server. Is there anything wrong in this setup?
More info:
PF Gateway 172.16.24.1
Enabled DHCP server on LAN interface
Subnet 172.16.24.0
Subnet mask 255.255.248.0
Available range 172.16.24.1 - 172.16.31.254
Range 172.16.26.1 - 172.16.31.254 (for dynamic clients on hotspot/wifi)
Static clients 172.16.24.1 /24
All duplicate lease errors happen on the dynamic wifi clients.
-
All duplicate lease errors happen on the dynamic wifi clients.
Hence why I told you to disable the captive thing. Seriously, I don't get why this thing is so popular. It's heavily broken, and especially with smartphones. Nothing works till you open a browser. Internet != web. Need authentication? Fine, use RADIUS or some other standard thing.
-
I understand why people would want something like captiveportal. If they run a hotel or some public hotspot within easy access of a bunch of wifi hitch-hikers. But if I ran it, it would have to be a matter of need like that. Not a situation where I know the same 20 or 30 people / machines using it.
It would need to be a very chaotic coming and going of people and seldom the same guy twice scenario to make me want it.
"Range 172.16.26.1 - 172.16.31.254 (for dynamic clients on hotspot/wifi)"
Do you really have that many wireless clients? Why not a simple /24?
You seem to have allocated a pretty enormous space for all of this.
And with this subnet - 172.16.24.0
and this mask 255.255.248.0
Might complicate things a bit.
Can't this be done simpler?
3 ports: 1 for WAN, 1 for LAN, 1 for OPT1 wireless (with LAN and OPT1 on separate subnets, each getting a simple /24).
Then use captive portal on LAN and OPT1. (If you absolutely must have it.)
I might even add another OPT2 so that I have a "LAN" interface unmolested by captive portal for myself. Call it an isolated admin subnet.
I'm simple minded. I like simple networks with clear, simple divisions, to the extent that it's not too expensive or hardware intensive.
-
All duplicate lease errors happen on the dynamic wifi clients.
Hence why I told you to disable the captive thing. Seriously, I don't get why this thing is so popular. It's heavily broken, and especially with smartphones. Nothing works till you open a browser. Internet != web. Need authentication? Fine, use RADIUS or some other standard thing.
Thanks for the suggestion.
I did consider the RADIUS server at one time, but I decided on Captive Portal because of its simplicity in connecting clients. No need to encode client accounts on the RADIUS server, and handling vouchers was viewed as a more simplified approach for customers that are transient, and they can be easily sold off the shelf.
The access points are located at the park with several colleges nearby, another at the terminal, and I have 2 others in a busy neighborhood.
However, I may view the RADIUS server as a good option if it can generate codes as well, without a need to track every transient client's details.
-
@ kejianshi,
Thank you for your kind reply.
The access points are indeed located in quite busy locations, and therefore will require a large range of IP addresses.
I also adore the elegance of simplicity.
Since I'm using 2 dual-port Intel server NICs, I segregated the LAN clients and the wifi users before. The setup you described was quite identical to my setup before.
However, since my wifi controller is on the LAN side of PF and I wish to manage the access points and other LAN devices, I decided to integrate both LAN and wireless users. This enabled me to monitor my entire network from a single management PC. I'm using Ubiquiti UniFi APs and several AirMax wireless bridges. This also enables me to add APs on the same network as desired.
Just recently I decided to put all APs on static IPs, and yesterday I only had 2 lease errors. Looks like I'm doing something right here. Will update you guys if this does the trick. I still have some wireless bridges on the network to configure in static mode.
-
Ahhhhh - Yes. It's hard to control things with people coming and going. Where is this located? (just wondering)
-
After configuring all my wireless bridges to static IPs and mapping them on PF, I still have a few duplicate lease errors.
I'm pulling my hair out! >:( And I'm running out of options.
In addition, today another seemingly alarming log shows:
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 34:6b:d3:4c:d0:26 to 94:db:c9:0e:23:82 on em0
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 94:db:c9:0e:23:82 to 34:6b:d3:4c:d0:26 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 34:6b:d3:4c:d0:26 to 8c:a9:82:ac:fc:50 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 8c:a9:82:ac:fc:50 to 34:6b:d3:4c:d0:26 on em0
Is someone MAC spoofing the captive portal? Could this be the culprit of the duplicate errors? ???
-
If you are allowing access per MAC, then yes. MACs can easily be spoofed or even duplicated on many sites to get onto your network.
-
Agree. I think the captive portal associates the voucher codes with the client's MAC address. Once they're paired after authentication, that MAC address is granted a passthrough to access the internet. If someone knows a MAC that is already authenticated and clones it to his device, he may be able to have a free connection.
Is this what it looks like in the logs? Is my speculation not far-fetched? Are there any scenarios less suspicious?
-
Or the IPs are being handed out via DHCP, so each time a previously known MAC's IP is changed for some reason, you will see that also.
If you see the same MAC used simultaneously and switching back and forth a lot, it's probably been spoofed. Is this an unsecured, unencrypted wifi?
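The "arp: ... moved from ... to ..." lines posted earlier (Jul 27 on em1, Aug 2 on em0) are the raw material for telling a spoofed or duplicated MAC apart from a one-off address change. The script below is an added example, not code from the thread or from pfSense: it parses those kernel lines, reports any IP whose MAC changed at least three times within five minutes, and separately lists MACs that have taken over more than one IP. In the Aug 2 lines the same MAC, 34:6b:d3:4c:d0:26, fights over two different addresses, which the second check surfaces. The year and the thresholds are my assumptions, and a flap by itself does not distinguish a spoofed MAC from two hosts with the same static address or a laptop reaching the LAN over two interfaces; it only tells you which addresses to look at.

```python
"""Detect ARP flapping in FreeBSD/pfSense kernel log lines of the form
'arp: <ip> moved from <mac> to <mac> on <iface>'.

Added example, not code from the thread or from pfSense. The sample lines
are the ones posted in the thread; the year, the 5-minute window and the
three-move threshold are my own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2013  # kernel syslog lines carry no year
ARP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) kernel: arp: (\S+) "
                    r"moved from (\S+) to (\S+) on (\S+)")

# Lines as posted in the thread (em1 on Jul 27, em0 on Aug 2). Note the
# first MAC is logged in an abbreviated form, so MACs are matched as \S+.
SAMPLE_LOG = """\
Jul 27 13:37:38 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:37:02 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:36:48 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:36:09 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:35:58 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:35:31 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:35:27 kernel: arp: 192.168.1.236 moved from 742b:22:38:a1 to 90:4c:e5:89:ed:25 on em1
Jul 27 13:35:20 kernel: arp: 192.168.1.236 moved from 90:4c:e5:89:ed:25 to 742b:22:38:a1 on em1
Jul 27 13:26:39 kernel: arp: 192.168.1.134 moved from e0:b9:a5:68:5b:32 to a8:92:2c:d2:ac:cd on em1
Jul 27 13:26:11 kernel: arp: 192.168.1.6 moved from d4:87:d8:9e:d7:a3 to 00:e0:b1:07:ac:da on em1
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 34:6b:d3:4c:d0:26 to 94:db:c9:0e:23:82 on em0
Aug 2 17:24:26 kernel: arp: 172.16.26.20 moved from 94:db:c9:0e:23:82 to 34:6b:d3:4c:d0:26 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 34:6b:d3:4c:d0:26 to 8c:a9:82:ac:fc:50 on em0
Aug 2 16:00:43 kernel: arp: 172.16.31.14 moved from 8c:a9:82:ac:fc:50 to 34:6b:d3:4c:d0:26 on em0
"""


def parse_moves(text):
    """Return (ts, ip, old_mac, new_mac, iface) tuples in chronological order."""
    events = []
    for raw in text.splitlines():
        m = ARP_RE.match(raw)
        if not m:
            continue
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    events.sort()
    return events


def find_flapping(events, window=timedelta(minutes=5), min_moves=3):
    """IPs whose MAC changed at least `min_moves` times inside any `window`,
    mapped to the set of MACs involved and the densest move count seen."""
    by_ip = defaultdict(list)
    for ts, ip, old, new, _iface in events:
        by_ip[ip].append((ts, old, new))
    flapping = {}
    for ip, moves in by_ip.items():
        best, start = 0, 0
        for end in range(len(moves)):  # sliding window over sorted moves
            while moves[end][0] - moves[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_moves:
            macs = {old for _, old, _ in moves} | {new for _, _, new in moves}
            flapping[ip] = {"macs": macs, "moves_in_window": best}
    return flapping


def macs_on_multiple_ips(events):
    """MAC -> set of IPs it has taken over; one MAC on several IPs is a
    second signal worth checking alongside a flapping IP."""
    claimed = defaultdict(set)
    for _ts, ip, _old, new, _iface in events:
        claimed[new].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    events = parse_moves(SAMPLE_LOG)
    for ip, info in find_flapping(events).items():
        print(f"{ip}: {info['moves_in_window']} moves, MACs {sorted(info['macs'])}")
    for mac, ips in macs_on_multiple_ips(events).items():
        print(f"{mac} claimed {sorted(ips)}")
```

On the box itself the same lines come out of the system log; once an address is flagged, a packet capture filtered on `arp` for that address shows whether two stations are answering at once or one station is switching interfaces.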