DHCP lease not renewing on Orange FR

[skool]

If you share the filters I can also do a capture
My renewal is at noon tomorrow

Seems it's not possible from the GUI,
but on SSH, you can try it :

Code Select Expand

/usr/sbin/tcpdump -i igb5 -n -U -w test_dhcp.pcap -c 100 -e vlan and ip and port 67 and udp

replacing igb5 by the main public interface (not the vlan interface)

Note: I just done lot of tests, and it seems that priority set by PF rule is not shown on the capture... I seen a renew using priority 0 but correctly answered (without a rule, it breaks the connection).

[nivek1612]

So the patch doesn't work but the firewall rule does

[franco]

but it's not a quick rule, maybe another one interfer.

Nice catch. Let's change it to mimic IPv6 behaviour:

https://github.com/opnsense/core/commit/3ed4f6d2

# opnsense-revert opnsense && opnsense-patch d08a425759190 3ed4f6d2

And sorry, I said "adv_dhcp_send_options" but I meant "adv_dhcp_option_modifiers". Just got back home to a useful computer ;)


Cheers,
Franco

[nivek1612]

Cheers Franco

still not seeing quick in the output should we?

Code Select Expand

root@home:~ # pfctl -sr | grep igb0_vlan832 | grep "pass out"
pass out log quick on igb0_vlan832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log on igb0_vlan832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "ef42d12f986749549ec90dcd3d0e3521"
pass out log route-to (igb0_vlan832 x.x.x.x) inet from (igb0_vlan832) to ! (igb0_vlan832:network) flags S/SA keep state allow-opts label "0706ba41b95e2917cd5e0c8c641862d1"

[franco]

Can you reload firewall filter?


Cheers,
Franco

[nivek1612]

that did it

Code Select Expand

root@home:~ # pfctl -sr | grep igb0_vlan832 | grep "pass out"
pass out log quick on igb0_vlan832 proto udp from any port = dhcpv6-client to any port = dhcpv6-server set ( prio 6 ) keep state label "af991f951c9d5dd7679e1defbf9ee033"
pass out log quick on igb0_vlan832 proto udp from any port = bootpc to any port = bootps set ( prio 6 ) keep state label "1379874b63290e4ce50d44de5cd544e5"
pass out log route-to (igb0_vlan832 x.x.x.x) inet from (igb0_vlan832) to ! (igb0_vlan832:network) flags S/SA keep state allow-opts label "0706ba41b95e2917cd5e0c8c641862d1"
root@home:~ #


[skool]

just to say, I tested lot of cases, and as I seen, the vlan-pcap option is still mandatory even if I have a firewall rule.
maybe because the broadcasted packages uses a custom bpf filter that breaks the « set priority » option on a rule.

I'm waiting for tomorrow with the latest patch.
but if it works, I suppose that a good thing would be to have a « vlan priority » on dhcpv4 like on dhcpv6, that sets « vlan-pcp » on dhclient config file and update the automatic rule.

thanks all for your help on this issue, I definitively like opnsense team and community :)

[nivek1612]

we sort of have that already with option modifers

[skool]

we sort of have that already with option modifers

yes, but it's not so user friendly, and if we need to generate a pf rule, it will be easier with the same field that already exists for ipv6
easy to develop, easy to use, sounds good to me :)

[franco]

Yep, I just have to check if double setting of vlan-pcp doesn't cause an error in dhclient and of course Orange users will have to make the switch to the new setting, but we can document in the release notes and probably spread the information to other forums.


Cheers,
Franco

[nivek1612]

24 hours later and I'm still connected

Looking good. 

[franco]

Neat, here is the official PR, but still working on it: https://github.com/opnsense/core/pull/6485

To test:

# opnsense-revert opnsense && opnsense-patch 2e4a1ea98d74


Cheers,
Franco

[Sisyphe]

Nice!

I've removed vlan-pcp in "Option modifiers" and set "Use VLAN priority" in the UI, now waiting 24h. Thanks!

[skool]

Hi,

first, I also confirm that the 2 patchs d08a425759190 and 3ed4f6d2 are working for me. I just had my renew without any issue.

I reverted and applied 2e4a1ea98d74, removed the vlan-pcp option from the modifiers, defined the priority to 6, and applied (that causes a dhclient restart)
after that :
- pfctl rules are ok, the same that with the 2 old patches
- /var/etc/dhclient_wan.conf contains the vlan-pcp option
- after a restart, I correctly got my dhcp lease.

so, it looks good ! see you tomorrow to confirm that the new patch is correct.

many thanks for the job !

[nivek1612]

new patch applied and changes were made to GUI removed the vlan-pcp option from the modifiers and defined the priority to 6

Like Skool, this caused a dhclient restart.

All looks good however in the logs for dhcp6c I noticed this error. Not sure if it was there before as I wasn't checking IPv6. I'm remote so I can't fully check but I'm getting a 19/20 on ipv6-test which is what I would expect.

Code Select Expand


2023-04-11T19:21:36 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-11T19:21:34 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2023-04-10T12:04:53 Notice dhcp6c dhcp6c REQUEST on igb0_vlan832 - running newipv6
2023-04-10T12:04:51 Error dhcp6c transmit failed: Can't assign requested address
2023-04-10T12:04:50 Notice dhcp6c RTSOLD script - Starting dhcp6 client