Suspicious dhclient WAN activity exactly 24 hrs after boot

Started by jonm, August 24, 2023, 01:21:58 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 24, 2023, 01:21:58 PM Last Edit: August 27, 2023, 02:35:35 PM by jonm
I updated to 23.1_6 yesterday and all was well. (I know, I'm a bit behind on releases.)
Then today, exactly 24hrs after the system booted yesterday, I lost the WAN connection.
My ISP connection is via a cable modem in bridge mode. ISP says connection has been up for 70 days, no issues seen from their side.

The following was in the system.log:

Code Select
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 dhclient 74237 - [meta sequenceId="1"] New IP Address (igb0): 87.102.220.xxx
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 dhclient 75488 - [meta sequenceId="2"] New Subnet Mask (igb0): 255.255.254.0
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 dhclient 77230 - [meta sequenceId="3"] New Broadcast Address (igb0): 87.102.221.255
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 dhclient 78170 - [meta sequenceId="4"] New Routers (igb0): 87.102.220.1
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 dhclient 81623 - [meta sequenceId="5"] Creating resolv.conf
<13>1 2023-08-24T11:31:18+02:00 OPNsense.ho1 opnsense 85905 - [meta sequenceId="6"] /usr/local/etc/rc.newwanip: No IP change detected for WAN[wan]
<27>1 2023-08-24T11:35:40+02:00 OPNsense.ho1 dhclient 7753 - [meta sequenceId="2"] My address (87.102.220.xxx) was deleted, dhclient exiting
<27>1 2023-08-24T11:35:40+02:00 OPNsense.ho1 dhclient 7753 - [meta sequenceId="3"] connection closed
<26>1 2023-08-24T11:35:40+02:00 OPNsense.ho1 dhclient 7753 - [meta sequenceId="4"] exiting.


What could have triggered this? My WAN IP hasn't changed, it never does. Is the 24 hour interval a coincidence? It seems suspicious to me...

Thanks

Jon.



August 24, 2023, 01:28:48 PM #1
Good question. dhclient exits without notifying the rest of the system about it which leads to this unfortunate state. In this case the address was deleted from the interface. But I suppose this is the full system log from the event?

Can you check if there is anything in dmesg. I think in 23.1.8 we added kernel log messages to system log to make those things easier to check for.


Cheers,
Franco
August 24, 2023, 02:55:49 PM #2
Hi Franco

I don't see anything obvious in dmesg. (Although there are no timestamps)

Also I determined that the activity at 11:35 was the ping check script which runs from cron every 5 minutes, taking the igb0 interface down then up because it had been unable to ping out.

Thanks.
August 24, 2023, 03:53:32 PM #3
This may be detached the address. It's relatively easy to test this theory.


Cheers,
Franco
August 27, 2023, 02:31:06 PM #4 Last Edit: August 27, 2023, 02:35:00 PM by jonm
Looking again at what's going on here I see that every 12 hours, the DHCP address of the WAN interface is renewed. But the IP address never changes. The problem is that dhclient seems to think it has indeed changed, so then this happens:

Code Select

/usr/local/etc/rc.newwanip: IP renewal starting (new: 87.102.220.xxx, old: 87.102.220.xxx, interface: WAN[wan], device: igb0, force: yes)


And that then causes my OpenVPN instance to be taken down then up (and that then does end up with a new IP address.)

So my question is, how do I stop this from happening given that my WAN IP, whilst obtained from my ISP via DHCP, never actually changes?
August 27, 2023, 02:41:37 PM #5
In my original post, there was:

Code Select

OPNsense.ho1 opnsense 85905 - [meta sequenceId="6"] /usr/local/etc/rc.newwanip: No IP change detected for WAN[wan]


But now, that doesn't seem to be happening. I updated to 23.1.11 - did something change in this area?
Print
Go Up Pages1
User actions