l2tp over dhcp didn't send renew packets correctly

Started by skool, July 09, 2023, 10:04:13 PM

July 09, 2023, 10:04:13 PM Last Edit: July 10, 2023, 02:10:31 PM by skool
Hello,

I've a WAN connection using DHCP to my main ISP (Orange FR) through a VLAN interface, that works correctly.

Over this connection, I'm using an L2TP point-to-point connection to a non-profit ISP, and all my IPv4/IPv6 web traffic is routed into the L2TP connection.

But every 24h, when the main DHCP lease expires, I lose the main WAN link, which breaks the whole internet access.

I started a packet capture on all the wan interfaces (physical, vlan, l2tp) for all dhcp packets (udp port 67) during the renew, and I see only the packet on the vlan interface, not on the main one.

I suppose that something is blocking or modifying the DHCP packets when the L2TP link is up (as it does not use the main gateway).

I started a second packet capture to the next-server seen in the /var/db/dhcp.leases file to check if I see them somewhere else (answers will be tomorrow).

Is there someone with the same configuration?
Thanks

July 10, 2023, 06:04:22 PM #1 Last Edit: July 10, 2023, 06:12:58 PM by skool
I made a live packet capture during the renew today, and there is something I didn't understand.

When the renew time occurs, I see:
- a packet sent to the known dhcp server on the firewall live view but on the l2tp interface (not the good one) with label « let out anything from firewall host itself (force gateway) »
- multiple dhcp requests seen on a packet capture to the known dhcp server, but on the vlan interface (the good one) but no response

After a few minutes, I click on the renew button on the interface overview, and I see on the live view the good packet sent.

So I suppose there is something wrong with the packetfilter rules for DHCP queries, but I don't know exactly what's happening.

When I see the automatic floating rules, the rule to force the gateway is defined here, but I don't know how to set a custom quick rule before the automatic ones.

Try using a floating rule setting the desired interface

Quote from: muchacha_grande on July 10, 2023, 08:27:02 PM
Try using a floating rule setting the desired interface
I tried this one, but the automatic rules apply before the manual floating rules.

I just added a custom route on the routing table to force the good gateway to join the next-server on my dhcp lease.
There is also a quick rule for dhcp queries (to set vlan priority) in the automatic rules, before the one that sets the gateway. I hope the new routing entry will make this rule match and skip the other one. (I'm not so clear...)

So, just adding a route is not enough to fix my issue.

I will run a custom tcpdump on the physical interface to see dhcp packets.

July 12, 2023, 03:11:48 PM #5 Last Edit: July 12, 2023, 03:44:11 PM by skool
On this day, with my tcpdump and firewall view, I can see that:
- the packet is first sent to the good interface with correct data
- but changed by a packetfilter rule

My main ISP needs to receive DHCP packets with VLAN priority 6, and this option is set by a pf rule, but it's not the good one that matches, even if it's a quick rule.
I suppose that the rule for the L2TP link is modifying my packet, I don't know how to exclude the dhcp query from this rule...


I started a new test:
- disable force gateway on « Firewall > Settings > Advanced »
- add a static route to my L2TP endpoint to use the Gateway on my main ISP (without that, it causes a loop)
- add a static route to the DHCP server to use the gateway on my main ISP

Disabling force gateway removes the rules that probably cause my issue.

Hey
My last changes fix my issue. So, disabling the « force gateway » rule, and adding static routes for L2TP endpoint and DHCP servers through the main interface is one solution.

Don't know if it's something that can be improved or not, as it's a specific setup.
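Two checks for the setup the thread ends on, as an added example (not code from the thread or from OPNsense): that the DHCP server and the L2TP endpoint resolve through the main ISP gateway after the static routes are added, and that DHCP packets on the physical NIC carry the 802.1p priority 6 the ISP wants. Gateway, interface names, addresses and the sample `route -n get` / `tcpdump -e` output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the two conditions the thread ends on:
#  1. the DHCP server and the L2TP endpoint are reached via the main ISP gateway
#     (the static routes), not via the L2TP tunnel;
#  2. DHCP packets on the physical NIC carry the 802.1p priority the ISP requires.
# Every address, interface and sample below is a constructed placeholder.

MAIN_GW="${MAIN_GW:-192.0.2.1}"     # gateway on the main ISP's VLAN (placeholder)
MAIN_IF="${MAIN_IF:-vlan0}"         # VLAN interface of the main ISP (placeholder)
PHYS_IF="${PHYS_IF:-igb0}"          # parent NIC carrying that VLAN (placeholder)
WANT_PRIO="${WANT_PRIO:-6}"         # 802.1p priority the ISP wants on DHCP

# Extract "gateway interface" from FreeBSD 'route -n get' output read on stdin.
parse_route_get() {
    awk '$1=="gateway:"{gw=$2} $1=="interface:"{ifc=$2} END{print gw, ifc}'
}

# Return 0 when host $1 is reached via MAIN_GW on MAIN_IF (live use on the firewall).
host_via_main() {
    set -- $(route -n get "$1" 2>/dev/null | parse_route_get)
    [ "$1" = "$MAIN_GW" ] && [ "$2" = "$MAIN_IF" ]
}

# Extract the 802.1p priority from one 'tcpdump -e' line; prints nothing if untagged.
vlan_prio_of() {
    printf '%s\n' "$1" | sed -n 's/.*vlan [0-9]*, p \([0-7]\),.*/\1/p'
}

# Return 0 when a captured DHCP line carries the required priority.
dhcp_prio_ok() {
    [ "$(vlan_prio_of "$1")" = "$WANT_PRIO" ]
}

# Live use (placeholders for the DHCP server and L2TP endpoint addresses):
#   host_via_main 198.51.100.10 && echo "DHCP server via main ISP"
#   host_via_main 203.0.113.20  && echo "L2TP endpoint via main ISP"
#   tcpdump -nei "$PHYS_IF" 'vlan and udp and (port 67 or port 68)'   # capture on the parent NIC so the tag is visible

# Constructed samples (not real output) so the parsers can be exercised offline.
ROUTE_SAMPLE='   route to: 198.51.100.10
destination: 198.51.100.10
    gateway: 192.0.2.1
        fib: 0
  interface: vlan0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'
DHCP_GOOD='12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 346: vlan 832, p 6, ethertype IPv4 (0x0800), 192.0.2.50.68 > 198.51.100.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300'
DHCP_BAD='12:00:00.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 346: vlan 832, p 0, ethertype IPv4 (0x0800), 192.0.2.50.68 > 198.51.100.10.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300'
```

A renew is a unicast DHCPREQUEST to the server, so the capture filter matches on UDP ports rather than broadcast; run it on the parent NIC, since on the VLAN interface itself the tag and priority are already stripped.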