DHCP lease not renewing on Orange FR

[nivek1612]

Nice work.

I have set a similar rule and I'm now waiting for the renewal 12 pm tomorrow to confirm.

I worked on the original DHCP and DHCPv6 cos 6 tagging with @marjohn. I seem to remember that the firewall rule would not set the cos for dhcpv6 traffic so if this is working ORANGE must only be checking the DHCP call. Did you capture the packets? 

Have you also checked your speed is not reduced after renewal?

[skool]

Have you also checked your speed is not reduced after renewal?

No issue regarding network speed. It's still at the max I always had.

[skool]

I think I've found what's happen on dhclient, but I'm definitively not able to try to fix something on a 10 year C code probably used by a lot of routers.

OPNsense use the FreeBSD dhclient.
This client uses BPF features : https://man.freebsd.org/cgi/man.cgi?query=bpf&sektion=4&manpath=FreeBSD
source code is available here : https://cgit.freebsd.org/src/tree/sbin/dhclient/bpf.c

When dhclient starts, it creates a bpf device that set the vlan priority if needed : https://cgit.freebsd.org/src/tree/sbin/dhclient/bpf.c#n96
It also creates a simple socket for unicast usages.

And when dhclient need to send a packet, depending on the target, it uses the bpf tagged one or a simple socket
https://cgit.freebsd.org/src/tree/sbin/dhclient/bpf.c#n376
(the interface->wfdesc is the bpf one, the interface-ufdesk is a simple socket)

I dont know why it works like that, but it explain that the vlan priority is not set when sending an unicast packet.

[nivek1612]

well adding the firewall rule has allowed me to keep my connection 24 hrs later so we have a workaround pending a patch

[franco]

Perhaps something like this as a POC? https://github.com/opnsense/core/commit/d08a425759190

# opnsense-patch d08a425759190

Assuming IPv6 is set up correctly as well. I take it nowadays you guys have to set vlan-pcp value in advanced DHCPv4 settings?

Either we have to parse them or add a field back to the GUI.


Cheers,
Franco

[franco]

PS: I guess Orange "fixed the glitch" that existed for a few years on their end. It seems to prove the point that the restriction is quite arbitrary if they didn't catch that for all these years... It should have never worked without this on their end -- perhaps they just drop "faulty" packets using a firewall rule?

[nivek1612]

They have been cleaning things up over the last few months and migrating people to the new config
But at least now they are telling the world what they need so we can be sure.

I'm unsure about ipv6 on renew as I remember when marjohn worked on it with me we couldn't change the dhcp6c request in the firewall but I can't remember why

My assumption is that for now they are only checking the dhcpv4 request but for how long

Skool May be able to capture the packets to confirm

[skool]

Skool May be able to capture the packets to confirm

When capturing trafic from the GUI, there is no vlan information. (maybe we can add something like `-e vlan` on tcpdump)

I missed my today's renew to test the patch, I will try it tomorrow.

About IPv6, maybe the existing rule already works : https://github.com/opnsense/core/blob/master/src/etc/inc/filter.lib.inc#L371

Edit: I disabled my rule, applied the patch and I can see these rules on pfctl -sr
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"

so it looks good. I will confirm it tomorrow.

[franco]

Yes, for now let's assume the IPv6 rule works as is and do the same for IPv4.  :)

I just need confirmation for the 'adv_dhcp_send_options' used for DHCP IPv4 -- I'm assuming vlan-pcp is set there (to the same value as IPv6 priority).


Cheers,
Franco

[skool]

I just need confirmation for the 'adv_dhcp_send_options' used for DHCP IPv4 -- I'm assuming vlan-pcp is set there (to the same value as IPv6 priority).

Not sure to understand, but on my setup, I added `vlan-pcp 6` on DHCPv4 `Option Modifiers`field on the GUI.

[Sisyphe]

Looking at Franco's code it seems that the prio on DHCPv4 will be set from the prio configured for DHCPv6 with the proposed patch:

Code Select Expand


if (isset($intfinfo['dhcp6vlanprio'])) {
                     $dhcpv4_opts['set-prio'] = $intfinfo['dhcp6vlanprio'];
                }


If that works, it will be good to have a prio field in the UI like the "Use VLAN priority" drop-down for DHCPv6. Alternatively it should be possible to parse the DHCPv4 "Option Modifiers" field as we used it to set prio with value 'vlan-pcp 6' for Orange FR.

Thanks.

[nivek1612]

updated to latest version (I had rolled back to test)
applied patch and removed firewall rule

Need to wait 24 hours now for renewal

[skool]

Hello,

My DHCP renew didnt worked today, with the patch.
I tried to capture the packets with vlan informations but my tcpdump filter was not correct.

I will made other tests with tcpdump and try to capture my renewal tomorrow.

edit: it seems that this tcpdump command works to capture dhcp packets with vlan informations

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp

I need to capture on the main interface (igb5 for me) not on vlan0.832

[nivek1612]

If you share the filters I can also do a capture
My renewal is at noon tomorrow

[skool]

something interesting

without the patch :

Code Select Expand


root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps keep state label "b8e1da9ac60ce8edb8e5a84bc5cec53e"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"


and with the patch

Code Select Expand


root@opnsense:~ # pfctl -sr | grep vlan0.832 | grep "pass out"
pass out log quick on vlan0.832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on vlan0.832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"
pass out log route-to (vlan0.832 83.202.24.1) inet from (vlan0.832) to ! (vlan0.832:network) flags S/SA keep state allow-opts label "6790f631ba77b3835a88204bb2162f65"


I can see the patch correctly set the prio to 6 on the default rule
but it's not a quick rule, maybe another one interfer.