Cannot get dhclient to get an IP address on WAN

[ipartola]

I have a simple setup with a dual NIC Intel card on amd64. I know the connection to my ISP works fine because the router I'm replacing can quickly get an external IP. OPNSense struggles. tcpdump on my WAN port (igb0) shows:

01:09:47.918351 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from a0:ce:c8:01:05:8b (oui Unknown), length 300
01:09:47.935354 IP 32.217.174.1.bootps > 32.219.252.142.bootpc: BOOTP/DHCP, Reply, length 300
01:09:47.953487 IP 32.217.174.1.bootps > 32.219.252.142.bootpc: BOOTP/DHCP, Reply, length 300

Looks to me like the replies from their DHCP server are coming back fine. However OPNSense logs show:

2021-04-22T01:11:31   dhclient[18640]   No DHCPOFFERS received.   
2021-04-22T01:11:19   dhclient[18640]   DHCPDISCOVER on igb0 to 255.255.255.255 port 67 interval 12

I didn't do anything to the firewall yet, so this is pretty much the default simple install. How can I fix this?

Secondly, why do I sometimes get the internal DHCP server (172.20.20.X) to assign the WAN interface an address in that range? How come the WAN dhclient is even able to listen to that address?

Thanks!

[ipartola]

I should say that I can either fake a cached lease or just use the previously assigned IP address as a static assignment and that works no problem.

[chemlud]

What is the exact setup, any bridged modems or fiber converters in WAN? Which ISP? CG-NAT?

[marjohn56]

Try spoofing the mac that the ISP router uses.


---Edit---


Also check that the ISP is not using some other form of validation.

[ipartola]

MAC address was spoofed from the old router. This is Frontier fiber in CT, USA. There are no other pieces of equipment, just the ONT box that translates optical signal to Ethernet and the OPNSense box plugged right into that.

[marjohn56]

Is there a user forum for that ISP where someone may have posted a similar issue?

[ipartola]

Oh and there is no CG-NAT. It’s just a public IP.

[ipartola]

There is abs I am asking on there as well, but the issue is clearly happening when I switched to OPNSense. I can plug my old router back in and it gets an address right away.

[marjohn56]

https://www.reddit.com/r/frontierfios/comments/5yvcy8/question_regarding_dhcp_lease_on_ont_via_ethernet/

[ipartola]

Yes already saw that one and talked to their tech support who told me there were no issues. They see everything as fine on their end

[marjohn56]

There's nothing peculiar or non standard about the dhcp client, it's a bog standard client. Only time I've ever heard of issues is when the ISP has some weird authentication employed; usually mac spoofing is sufficient.

[ipartola]

There is clearly something funny going on here. I was able to use tcpdump to capture a DHCPOFFER:

https://hpd.gasmi.net/?data=45C00148D3670000401170D720DBF80120DBFAEE004300440134D671020106004357CA8B001700000000000020DBFAEE0000000020D9AE0180615F082D7A000000000000000000006468637030352E667477792E696E2E66726F6E746965726E65742E6E6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000638253633501023604B810069D330400000E100104FFFFF800030420DBF8010F0F66747264686370757365722E6E657406084A284A284A284A29FF0000000000&force=ipv4

I am running dhclient manually to see its output in the terminal and it claims it never got any offers.

[ipartola]

OK so digging into it further, what I see as being weird here is that the DHCP server is at 184.16.6.157 while the address it's offering is 32.219.250.238 and the gateway is 32.217.174.1. I believe this is all in a /21. Could the issue be that dhclient is ignoring the DHCPOFFER because it's coming from a different subnet?

[chemlud]

Not really, I guess. I have one ISP that has his DHCP on a machine with a private IP. Doesn't matter, even as private IPs are blocked on WAN...

The IP resolves to    

dhcp05.ftwy.in.frontiernet.net

which makes perfectly sense, I guess.

[marjohn56]

Can I make a suggestion. Turn off the ISP gateway and leave it off for an hour. The lease time is 60 minutes, so let any existing lease expire before re-starting. Sky UK used to have a weirdo where that had to be done.