Messages - skool

#1
Hey
My last changes fixed my issue. So disabling the « force gateway » rule and adding static routes for the L2TP endpoint and the DHCP servers through the main interface is one solution.

I don't know if it's something that can be improved or not, as it's a specific setup.
#2
Today, with my tcpdump and the firewall live view, I can see that:
- the packet is first sent to the right interface with correct data
- but it is changed by a packet filter rule

My main ISP needs DHCP packets to be sent with VLAN priority 6, and this option is set by a pf rule, but it's not the right one that matches, even though it's a quick rule.
I suppose that the rule for the L2TP link is modifying my packet; I don't know how to exclude the DHCP query from this rule...


I started a new test:
- disable force gateway in « Firewall > Settings > Advanced »
- add a static route to my L2TP endpoint to use the gateway on my main ISP (without that, it causes a loop)
- add a static route to the DHCP server to use the gateway on my main ISP

Disabling force gateway removes the rules that probably cause my issue.
#3
So, just adding a route is not enough to fix my issue.

I will run a custom tcpdump on the physical interface to see the DHCP packets.
#4
Quote from: muchacha_grande on July 10, 2023, 08:27:02 PM
Try using a floating rule setting the desired interface
I tried this one, but the automatic rules apply before the manual floating rules.

I just added a custom route to the routing table to force the right gateway to reach the next-server in my DHCP lease.
There is also a quick rule for DHCP queries (to set the VLAN priority) in the automatic rules, before the one that sets the gateway. I hope the new routing entry will make this rule match and skip the other one. (I'm not so clear...)
#5
I made a live packet capture during the renewal today, and there is something I didn't understand.

When the renewal time comes, I see:
- a packet sent to the known DHCP server in the firewall live view, but on the L2TP interface (not the right one), with the label « let out anything from firewall host itself (force gateway) »
- multiple DHCP requests to the known DHCP server seen in a packet capture, but on the VLAN interface (the right one), with no response

After a few minutes, I click the renew button on the interface overview, and I see the right packet sent in the live view.

So I suppose there is something wrong with the packet filter rules for DHCP queries, but I don't know exactly what's happening.

When I look at the automatic floating rules, the rule to force the gateway is defined there, but I don't know how to put a custom quick rule before the automatic ones.
#6
Hello,

I have a WAN connection using DHCP to my main ISP (Orange FR) through a VLAN interface, which works correctly.

Over this connection, I'm using an L2TP point-to-point connection to a non-profit ISP, and all my IPv4/IPv6 web traffic is routed through the L2TP connection.

But every 24h, when the main DHCP lease expires, I lose the main WAN link, which breaks all internet access.

I started a packet capture on all the WAN interfaces (physical, VLAN, L2TP) for all DHCP packets (UDP port 67) during the renewal, and I only see the packet on the VLAN interface, not on the main one.

I suppose that something is blocking or modifying the DHCP packets when the L2TP link is up (as it does not use the main gateway).

I started a second packet capture to the next-server seen in the /var/db/dhcp.leases file to check if I see it somewhere else (answers tomorrow).

Is there anyone with the same configuration?
Thanks
#7
Quote from: nivek1612 on April 11, 2023, 07:29:23 PM

2023-04-11T19:21:36 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-11T19:21:34 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2023-04-10T12:04:53 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-10T12:04:51 Error dhcp6c transmit failed: Can't assign requested address
2023-04-10T12:04:50 Notice dhcp6c RTSOLD script - Starting dhcp6 client


I don't have this error.
You can check /var/log/system/*.log to see if it's present in past days.
#8
Hi,

first, I also confirm that the 2 patches d08a425759190 and 3ed4f6d2 are working for me. I just had my renewal without any issue.

I reverted and applied 2e4a1ea98d74, removed the vlan-pcp option from the modifiers, set the priority to 6, and applied (which causes a dhclient restart).
After that:
- the pfctl rules are OK, the same as with the 2 old patches
- /var/etc/dhclient_wan.conf contains the vlan-pcp option
- after a restart, I correctly got my DHCP lease.

So it looks good! See you tomorrow to confirm that the new patch is correct.

Many thanks for the work!
#9
Quote from: nivek1612 on April 10, 2023, 10:12:38 PM
we sort of have that already with option modifiers

Yes, but it's not so user-friendly, and if we need to generate a pf rule, it will be easier with the same field that already exists for IPv6.
Easy to develop, easy to use, sounds good to me :)
#10
Just to say, I tested a lot of cases, and from what I've seen, the vlan-pcp option is still mandatory even if I have a firewall rule.
Maybe because the broadcast packets use a custom BPF filter that breaks the « set priority » option on a rule.

I'm waiting for tomorrow with the latest patch.
But if it works, I suppose a good thing would be to have a « VLAN priority » option on DHCPv4 like on DHCPv6, which sets « vlan-pcp » in the dhclient config file and updates the automatic rule.

Thanks all for your help on this issue, I definitely like the OPNsense team and community :)
#11
Quote from: nivek1612 on April 10, 2023, 05:47:00 PM
If you share the filters I can also do a capture
My renewal is at noon tomorrow

It seems it's not possible from the GUI,
but over SSH you can try this:

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp

replacing igb5 with your main public interface (not the VLAN interface)

Note: I just did a lot of tests, and it seems that the priority set by the PF rule is not shown in the capture... I saw a renewal using priority 0 that was correctly answered (without a rule, it breaks the connection).
#12
Something interesting.

Without the patch:

root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps keep state label "b8e1da9ac60ce8edb8e5a84bc5cec53e"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"


and with the patch:

root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"


I can see the patch correctly sets the prio to 6 on the default rule,
but it's not a quick rule; maybe another one interferes.
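pf evaluates a ruleset top to bottom and the last matching rule wins, unless a matching rule is marked quick, in which case evaluation stops there. The following is an added example (not code from the thread or from OPNsense): a small model of that ordering, run over the three pass-out rules from the "with the patch" listing above. It only tracks the fields needed to tell the three rules apart (quick, address family, protocol, ports, the `to ! (vlan0.832:network)` clause, prio and route-to); state lookups, the `from (vlan0.832)` source check and the TCP-only `flags S/SA` clause are ignored. The vlan0.832 network (83.202.24.0/24), the client address 83.202.24.50 and the DHCP server 80.10.0.1 are assumptions, since the post only shows the gateway 83.202.24.1; the "quick" variant of the bootpc rule is hypothetical and is not something OPNsense generates.

```python
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Rule lines copied from the "with the patch" listing in the post above.
PFCTL_WITH_PATCH = """\
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"
"""

# Assumption: the post only shows the gateway 83.202.24.1, so the
# vlan0.832 network is taken to be the /24 around it.
VLAN_NET = ip_network("83.202.24.0/24")

PORT_NAMES = {"bootpc": 68, "bootps": 67, "dhcpv6-client": 546, "dhcpv6-server": 547}


@dataclass
class Rule:
    text: str
    quick: bool
    af: Optional[str]        # "inet" / "inet6"; None = either family
    proto: Optional[str]     # "udp"; None = any protocol
    sport: Optional[int]
    dport: Optional[int]
    dst_not_local: bool      # the "to ! (vlan0.832:network)" clause
    prio: Optional[int]      # "set ( prio N )"
    route_to: Optional[str]  # next hop of a "route-to" rule


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_rule(line: str) -> Rule:
    """Extract only the fields this model needs from one 'pfctl -sr' line."""
    af = re.search(r"\b(inet6?)\b", line)
    proto = re.search(r"\bproto (\w+)", line)
    sport = re.search(r"from any port = ([\w-]+)", line)
    dport = re.search(r"to any port = ([\w-]+)", line)
    prio = re.search(r"set \( prio (\d+) \)", line)
    route = re.search(r"route-to \(\S+ ([\d.]+)\)", line)
    return Rule(
        text=line,
        quick=" quick " in line,
        af=af.group(1) if af else None,
        proto=proto.group(1) if proto else None,
        sport=PORT_NAMES[sport.group(1)] if sport else None,
        dport=PORT_NAMES[dport.group(1)] if dport else None,
        dst_not_local="to ! (vlan0.832:network)" in line,
        prio=int(prio.group(1)) if prio else None,
        route_to=route.group(1) if route else None,
    )


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    dst = ip_address(pkt.dst)
    family = "inet" if dst.version == 4 else "inet6"
    if rule.af and rule.af != family:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst_not_local and dst in VLAN_NET:
        return False
    return True


def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins, unless a matching rule
    is marked 'quick', in which case evaluation stops at that rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def with_quick(rules: List[Rule], index: int) -> List[Rule]:
    """Hypothetical variant (not an OPNsense rule): mark one rule 'quick'."""
    out = list(rules)
    out[index] = replace(out[index], quick=True)
    return out


# Constructed sample packets: a unicast DHCPv4 renewal from the interface
# address to an off-link DHCP server (both addresses made up), and a DHCPv6
# SOLICIT to the all-DHCP-servers multicast address.
DHCP4_RENEW = Packet("udp", "83.202.24.50", "80.10.0.1", 68, 67)
DHCP6_SOLICIT = Packet("udp", "fe80::1", "ff02::1:2", 546, 547)

if __name__ == "__main__":
    rules = parse_rules(PFCTL_WITH_PATCH)
    for name, pkt in (("DHCPv4 renew", DHCP4_RENEW), ("DHCPv6 solicit", DHCP6_SOLICIT)):
        w = winning_rule(rules, pkt)
        print(f"{name}: prio={w.prio} route_to={w.route_to} quick={w.quick}")
    w = winning_rule(with_quick(rules, 1), DHCP4_RENEW)
    print(f"DHCPv4 renew with bootpc rule made quick: prio={w.prio} route_to={w.route_to}")
```

With the listing as posted, the DHCPv6 rule is quick and wins outright, while for the unicast DHCPv4 renewal both the bootpc rule and the later route-to rule match, so the route-to rule, being last, is the one whose options apply. The model is deliberately narrow; on a live box, `pfctl -vsr` rule counters and the firewall live view are the ground truth for which rule actually matched.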
#13
Hello,

My DHCP renewal didn't work today, with the patch.
I tried to capture the packets with VLAN information but my tcpdump filter was not correct.

I will do other tests with tcpdump and try to capture my renewal tomorrow.

Edit: it seems that this tcpdump command works to capture DHCP packets with VLAN information:

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp

I need to capture on the main interface (igb5 for me), not on vlan0.832.
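The tcpdump command above (also posted in #11) writes a classic pcap file from the parent interface, where the 802.1Q tag, and so the PCP field, is still on the frame. The following is an added example (not code from the thread or from OPNsense) that reads such a file with only the standard library and prints the VLAN ID and PCP of every DHCPv4 frame, which is the check a practitioner wants after a renewal: was the request actually tagged with priority 6 on the wire? The capture is assumed to be a classic pcap (not pcapng) with an Ethernet link type, as `tcpdump -w` produces; the sample capture at the bottom is constructed in memory, with made-up MAC and IP addresses and zeroed checksums, so the script runs offline.

```python
import struct
import sys
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}

Parsed = Tuple[int, int, int, int]  # (pcp, vid, sport, dport)


def parse_vlan_udp(frame: bytes) -> Optional[Parsed]:
    """Return (pcp, vid, sport, dport) for an 802.1Q-tagged IPv4/UDP frame,
    None for anything else (untagged, non-IP, non-UDP or truncated)."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    pcp, vid = tci >> 13, tci & 0x0FFF          # PCP is the top 3 bits of the TCI
    if inner_type != ETH_P_IP:
        return None
    ip_off = 18
    if len(frame) < ip_off + 20:
        return None
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_UDP or len(frame) < ip_off + ihl + 8:
        return None
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return pcp, vid, sport, dport


def dhcp_frames(pcap: bytes) -> Iterator[Tuple[int, Parsed]]:
    """Walk a classic pcap (what 'tcpdump -w' writes) and yield the
    VLAN-tagged DHCP frames together with their capture timestamp."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("capture is not Ethernet; VLAN tags need the parent interface")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        parsed = parse_vlan_udp(frame)
        if parsed and {parsed[2], parsed[3]} & DHCP_PORTS:
            yield ts_sec, parsed


def pcp_report(pcap: bytes) -> List[Parsed]:
    return [parsed for _, parsed in dhcp_frames(pcap)]


# --- constructed sample data (no real capture ships with this example) ---

def build_frame(pcp: int, vid: int, sport: int, dport: int) -> bytes:
    """Minimal 802.1Q-tagged IPv4/UDP frame; checksums are left at zero
    because nothing here validates them. MAC and IP addresses are made up."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200000000aa") + struct.pack("!H", ETH_P_8021Q)
    tag = struct.pack("!HH", (pcp << 13) | (vid & 0x0FFF), ETH_P_IP)
    udp_payload = b"\x01\x01\x06\x00"            # first 4 bytes of a BOOTREQUEST
    udp_len = 8 + len(udp_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([83, 202, 24, 50]), bytes([80, 10, 0, 1]))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + udp_payload
    return eth + tag + ip + udp


def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1681200000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


SAMPLE_PCAP = build_pcap([
    build_frame(6, 832, 68, 67),       # DHCP request tagged with PCP 6
    build_frame(0, 832, 68, 67),       # same request tagged with PCP 0 (best effort)
    build_frame(6, 832, 40000, 53),    # unrelated DNS query, dropped by the port filter
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for ts, (pcp, vid, sport, dport) in dhcp_frames(data):
        print(f"{ts} vlan {vid} pcp {pcp} udp {sport} -> {dport}")
```

Run it as `python3 pcp_check.py test_dhcp.pcap` against the file written by the tcpdump command above; with no argument it reports on the constructed sample. A frame listed with pcp 0 where the ISP expects 6 is the condition the thread is chasing.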
#14
Quote from: franco on April 09, 2023, 08:38:17 PM
I just need confirmation for the 'adv_dhcp_send_options' used for DHCP IPv4 -- I'm assuming vlan-pcp is set there (to the same value as IPv6 priority).

Not sure I understand, but on my setup, I added `vlan-pcp 6` in the DHCPv4 `Option Modifiers` field in the GUI.

#15
Quote from: nivek1612 on April 09, 2023, 05:51:51 PM
Skool may be able to capture the packets to confirm

When capturing traffic from the GUI, there is no VLAN information. (Maybe we can add something like `-e vlan` to tcpdump.)

I missed today's renewal to test the patch; I will try it tomorrow.

About IPv6, maybe the existing rule already works : https://github.com/opnsense/core/blob/master/src/etc/inc/filter.lib.inc#L371

Edit: I disabled my rule, applied the patch, and I can see these rules in pfctl -sr:
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"

So it looks good. I will confirm tomorrow.