Messages

1

24.1 Legacy Series / Re: KEA dhcpv4 arp scan?

« on: March 16, 2024, 10:58:31 pm »

Yep or check which ports are toggling / which clients are having downtimes and then force them to use dhcp - im not going to do static mappings because they are fluctuating sadly (some routers) and they mostly deny ping on WAN so icmp is just not going to cut it.

So im going to deny them access to the network until they switch to dhcp.
(shit load of work to sort out those static clients because >700 clients)
Thanks tho!

2

24.1 Legacy Series / Re: KEA dhcpv4 arp scan?

« on: March 16, 2024, 09:07:00 pm »

Yep, i think ive just misread it COMPLETELY ^^

3

24.1 Legacy Series / Re: KEA dhcpv4 arp scan?

« on: March 16, 2024, 08:25:45 pm »

https://kea.readthedocs.io/en/kea-2.4.0/arm/dhcp4-srv.html#duplicate-addresses-dhcpdecline-support

"Such an unwelcome event can be detected by legitimate clients (using ARP or ICMP Echo Request mechanisms) and reported to the DHCPv4 server using a DHCPDECLINE message."

+

https://kb.isc.org/docs/why-doesnt-kea-support-ping-check

"Third, the DHCP protocol itself provides another, more reliable mechanism for this: the DECLINE message. Modern DHCP clients scan their local subnet (for example, using the ARP protocol) to detect whether the suggested address is already active on another device."


Rereading that, youre absolutely right. The clients can arp scan their local subnet to reach a DHCP DECLINE. But is there no server side sanity check? Because this thing handed out the same IP 4 times already... Do i now really have to investigate which clients have a static ip and give them a static entry so that the KEA DHCP can work his way around it? 

4

24.1 Legacy Series / KEA dhcpv4 arp scan?

« on: March 16, 2024, 04:54:13 pm »

Heya!

Is the new KEA DHCPv4 ARP scanning the network to check if the ip is already in use?
If yes, is the firewall ARP table  the same as the KEA ARP table?

Because I've got some IP collisions in my network that could've been easily avoided if KEA would ARP scan the network.

I've got one client who gets constantly offered an IP that's already in use and I can see it in the ARP table of the interface. Meaning I can see the MAC, IP, leasetime etc on the KEA DHCP but if i check the AR{ table of the interface, the IP is already occupied with another MAC on the same switch but a different port

I was switching from ISC to KEA hoping that KEA would ARP scan (as stated in their documentation) and just check that some static IPs are in place and would just avoid them but apparently it doesn't.

Cheers & Thanks in advance

5

22.1 Legacy Series / Re: TCP Connections denied per deny default

« on: August 23, 2022, 02:07:33 am »

Well i solved it. Dont know why, but now it works.

System > Settings > Tunables :

net.inet.udp.checksum   UDP Checksums

net.inet.tcp.tso                   TCP Offload Engine

both set to 1.

Now it works flawlessly.

Cheers.

6

22.1 Legacy Series / [SOLVED] TCP Connections denied per deny default

« on: August 07, 2022, 10:04:37 am »

Heya,

im stumbling into a really weird one here.

Ive got some tcp connections that are going through and some that just arent. Just directly blocked by deny default via floating rules. (Can see it in the live log from the firewall) But there are ALLOW all rules for the clients to connect to the internet.

My setup:

ISP <---> OPNsense <-> Switches <-> Clients

Ive got a couple VLANS for the clients, VLANs for mgmt.
The clients are able to connect to the internet and are passed through the OPNsense firewall (so that works). They can reach most of the web, but if they try to reach certain websites, its denied by default via floating rules.

Denied instantly on Websites like Whatsapp, Facebook, Protonmail and so on.....

ISP is doin the NAT for us.

Not using DNS from OPNsense.
Not using any Webproxy or something. Its just plain routing.

Ive tried to set firewall -> settings -> advanced : firewall optimization to conservative (was normal) like suggested in another post, and it wasnt helping.

Thanks in advance!