Messages

1

23.1 Legacy Series / Re: l2tp over dhcp didnt send renew packets correctly

« on: July 13, 2023, 12:22:09 pm »

Hey
My last changes fix my issue. So, disabling the « force gateway » rule, and adding static routes for L2TP endpoint and DHCP servers through the main interface is one solution.

Dont know if it's something it can be improved or not, as it's a specific setup.

2

23.1 Legacy Series / Re: l2tp over dhcp didnt send renew packets correctly

« on: July 12, 2023, 03:11:48 pm »

On this day, With my tcpdump and firewall view, I can see that
- packet is firstly sent to the good interface with correct datas
- but changed by packetfilter rule

My main ISP need to send DHCP packets with VLAN priority 6, and this option is set by a pf rule, but it's not the good one that matches, even if it's a quick rule.
I suppose that the rule for L2TP link is modifying my packet, I dont know how to exclude the dhcp query from this rule…


I started a new test :
- disable force gateway on « Firewall > Settings > Advanced »
- add a static route to my L2TP endpoint to use the Gateway on my main ISP (without that, it causes a loop)
- add a static route to the DHCP server to use the gateway on my main ISP

Disabling force gateway removes the rules that probably causes my issue.

3

23.1 Legacy Series / Re: l2tp over dhcp didnt send renew packets correctly

« on: July 11, 2023, 07:21:44 pm »

So, just adding a route is not enough to fix my issue.

I will run a custom tcpdump on physical interface to see dhcp packets

4

23.1 Legacy Series / Re: l2tp over dhcp didnt send renew packets correctly

« on: July 11, 2023, 09:36:12 am »

Try using a floating rule setting the desired interface

I tried this one, but the automatic rules applies before the manual floating rules.

I just added a custom route on the routing table to force the good gateway to join the next-server on my dhcp lease.
There is also a quick rule for dhcp queries (to set vlan priority) on the automatic rules, before the one that set the gateway. I hope the new routing entry will made this rule to match and skip the other one. (I'm not so clear…)

5

23.1 Legacy Series / Re: l2tp over dhcp didnt send renew packets correctly

« on: July 10, 2023, 06:04:22 pm »

I made a live packet capture during the renew today, and there is something I didnt understand.

When the renew time occurs, I see :
- a packet sent to the known dhcp server on the firewall live view but on the l2tp interface (not the good one) with label « let out anything from firewall host itself (force gateway) »
- multiple dhcp requests seen on a packet capture to the known dhcp server, but on the vlan interface (the good one) but no response

After few minutes, I click on the renew button on the interface overview, and I see on live view the good packet sent.

So I suppose there is something wrong with packetfilter rules for DHCP queries, but I dont know exactly what's happening.

When I see the automatic floating rules, the rule to force the gateway is defined here, but I dont know how to set a custom quick rule before the automatic ones.

6

23.1 Legacy Series / l2tp over dhcp didnt send renew packets correctly

« on: July 09, 2023, 10:04:13 pm »

Hello,

I've a WAN connection using DHCP to my main ISP (Orange FR) through a VLAN interface, that works correctly.

Over this connection, I'm using a L2TP point-to-point connection to a non-profit ISP, and all my IPv4/IPv6 web trafic is routed into the L2TP connection.

But every 24h, when the main DHCP lease expires, I lost the main WAN link, that breaks the whole internet access.

I started a packet capture on all the wan interfaces (physical, vlan, l2tp) for all dhcp packets (udp port 67) during the renew, and I see only the packet on the vlan interface, not on the main one

I suppose that something is blocking or modifying the DHCP packets when the L2TP link is up (as it not uses the main gateway).

I started a second packet capture to the next-server seen on /var/db/dhcp.leases file to check if I see somewhere else (answers will be tomorrow)

Is there someone having the same configuration ?
Thanks

7

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 11, 2023, 07:33:01 pm »

Code: [Select]

2023-04-11T19:21:36 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-11T19:21:34 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2023-04-10T12:04:53 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-10T12:04:51 Error dhcp6c transmit failed: Can't assign requested address
2023-04-10T12:04:50 Notice dhcp6c RTSOLD script - Starting dhcp6 client


I dont have this error
you can see on /var/log/system/*.log if it's present in the past days

8

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 11, 2023, 07:12:17 pm »

Hi,

first, I also confirm that the 2 patchs d08a425759190 and 3ed4f6d2 are working for me. I just had my renew without any issue.

I reverted and applied 2e4a1ea98d74, removed the vlan-pcp option from the modifiers, defined the priority to 6, and applied (that causes a dhclient restart)
after that :
- pfctl rules are ok, the same that with the 2 old patches
- /var/etc/dhclient_wan.conf contains the vlan-pcp option
- after a restart, I correctly got my dhcp lease.

so, it looks good ! see you tomorrow to confirm that the new patch is correct.

many thanks for the job !

9

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 10, 2023, 10:49:55 pm »

we sort of have that already with option modifers

yes, but it's not so user friendly, and if we need to generate a pf rule, it will be easier with the same field that already exists for ipv6
easy to develop, easy to use, sounds good to me

10

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 10, 2023, 10:08:48 pm »

just to say, I tested lot of cases, and as I seen, the vlan-pcap option is still mandatory even if I have a firewall rule.
maybe because the broadcasted packages uses a custom bpf filter that breaks the « set priority » option on a rule.

I'm waiting for tomorrow with the latest patch.
but if it works, I suppose that a good thing would be to have a « vlan priority » on dhcpv4 like on dhcpv6, that sets « vlan-pcp » on dhclient config file and update the automatic rule.

thanks all for your help on this issue, I definitively like opnsense team and community

11

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 10, 2023, 05:55:45 pm »

If you share the filters I can also do a capture
My renewal is at noon tomorrow

Seems it's not possible from the GUI,
but on SSH, you can try it :

Code: [Select]

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp
replacing igb5 by the main public interface (not the vlan interface)

Note: I just done lot of tests, and it seems that priority set by PF rule is not shown on the capture… I seen a renew using priority 0 but correctly answered (without a rule, it breaks the connection).

12

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 10, 2023, 05:53:24 pm »

something interesting

without the patch :

Code: [Select]

root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps keep state label "b8e1da9ac60ce8edb8e5a84bc5cec53e"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"

and with the patch

Code: [Select]

root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"

I can see the patch correctly set the prio to 6 on the default rule
but it's not a quick rule, maybe another one interfer.

13

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 10, 2023, 05:23:37 pm »

Hello,

My DHCP renew didnt worked today, with the patch.
I tried to capture the packets with vlan informations but my tcpdump filter was not correct.

I will made other tests with tcpdump and try to capture my renewal tomorrow.

edit: it seems that this tcpdump command works to capture dhcp packets with vlan informations

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp

I need to capture on the main interface (igb5 for me) not on vlan0.832

14

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 09, 2023, 08:46:43 pm »

I just need confirmation for the 'adv_dhcp_send_options' used for DHCP IPv4 -- I'm assuming vlan-pcp is set there (to the same value as IPv6 priority).

Not sure to understand, but on my setup, I added `vlan-pcp 6` on DHCPv4 `Option Modifiers`field on the GUI.

15

23.1 Legacy Series / Re: DHCP lease not renewing on Orange FR

« on: April 09, 2023, 07:21:07 pm »

Skool May be able to capture the packets to confirm

When capturing trafic from the GUI, there is no vlan information. (maybe we can add something like `-e vlan` on tcpdump)

I missed my today's renew to test the patch, I will try it tomorrow.

About IPv6, maybe the existing rule already works : https://github.com/opnsense/core/blob/master/src/etc/inc/filter.lib.inc#L371

Edit: I disabled my rule, applied the patch and I can see these rules on pfctl -sr
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"

so it looks good. I will confirm it tomorrow.