l2tp over dhcp didnt send renew packets correctly

[skool]

Hello,

I've a WAN connection using DHCP to my main ISP (Orange FR) through a VLAN interface, that works correctly.

Over this connection, I'm using a L2TP point-to-point connection to a non-profit ISP, and all my IPv4/IPv6 web trafic is routed into the L2TP connection.

But every 24h, when the main DHCP lease expires, I lost the main WAN link, that breaks the whole internet access.

I started a packet capture on all the wan interfaces (physical, vlan, l2tp) for all dhcp packets (udp port 67) during the renew, and I see only the packet on the vlan interface, not on the main one

I suppose that something is blocking or modifying the DHCP packets when the L2TP link is up (as it not uses the main gateway).

I started a second packet capture to the next-server seen on /var/db/dhcp.leases file to check if I see somewhere else (answers will be tomorrow)

Is there someone having the same configuration ?
Thanks

[skool]

I made a live packet capture during the renew today, and there is something I didnt understand.

When the renew time occurs, I see :
- a packet sent to the known dhcp server on the firewall live view but on the l2tp interface (not the good one) with label « let out anything from firewall host itself (force gateway) »
- multiple dhcp requests seen on a packet capture to the known dhcp server, but on the vlan interface (the good one) but no response

After few minutes, I click on the renew button on the interface overview, and I see on live view the good packet sent.

So I suppose there is something wrong with packetfilter rules for DHCP queries, but I dont know exactly what's happening.

When I see the automatic floating rules, the rule to force the gateway is defined here, but I dont know how to set a custom quick rule before the automatic ones.

[muchacha_grande]

Try using a floating rule setting the desired interface

[skool]

Try using a floating rule setting the desired interface

I tried this one, but the automatic rules applies before the manual floating rules.

I just added a custom route on the routing table to force the good gateway to join the next-server on my dhcp lease.
There is also a quick rule for dhcp queries (to set vlan priority) on the automatic rules, before the one that set the gateway. I hope the new routing entry will made this rule to match and skip the other one. (I'm not so clear…)

[skool]

So, just adding a route is not enough to fix my issue.

I will run a custom tcpdump on physical interface to see dhcp packets

[skool]

On this day, With my tcpdump and firewall view, I can see that
- packet is firstly sent to the good interface with correct datas
- but changed by packetfilter rule

My main ISP need to send DHCP packets with VLAN priority 6, and this option is set by a pf rule, but it's not the good one that matches, even if it's a quick rule.
I suppose that the rule for L2TP link is modifying my packet, I dont know how to exclude the dhcp query from this rule…


I started a new test :
- disable force gateway on « Firewall > Settings > Advanced »
- add a static route to my L2TP endpoint to use the Gateway on my main ISP (without that, it causes a loop)
- add a static route to the DHCP server to use the gateway on my main ISP

Disabling force gateway removes the rules that probably causes my issue.

[skool]

Hey
My last changes fix my issue. So, disabling the « force gateway » rule, and adding static routes for L2TP endpoint and DHCP servers through the main interface is one solution.

Dont know if it's something it can be improved or not, as it's a specific setup.