This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DHCP Relay not Forwarding DHCP Offer Packets.

Hey folks, I came across a very weird issue with the dhcp relay.
It simply is not working, but in more detail...

we have a network of 192.168.0.0/24 and everything is inside thi network.
I began to segment it and created some VLANS.

As of now, the eth0 interface on sophos is hosting the 192.168.0.0/24 NW and acts as a DHCP Server.
I created VLAN88 on eth2 and set up the switchport like this:
interface gigabitethernet49
switchport trunk allowed vlan add 88

so all the other ports are on VLAN Access 88.
The new DHCP Server (Windows) is on the 192.168.0.0/24 NW with the IP .6
the VLAN88 is 10.88.0.0/24

DHCP Server is active for eth0 192.168.0.0/24 0.100-0.230 range.
DHCP Relay is LAN-NEW on eth2 and DHCP Server is the 192.168.0.6.

I know this is not working, as you cannot have the DHCP active for the same interface the Server is on and use it as a Relay. It gave me also that error message accordingly.
DHCPREQUEST for 10.88.0.10 from 68:f7:28:0a:e8:df via 10.88.0.1: ignored (unknown subnet).

I disable DHCP Server for the 192.168.0.0/24 range
now if I plug a machine into the gigabitethernet1 and try to get an IP I wont get one...

weird part is, if I make a TCPDUMP like this: tcpdump -vvvnnns0 -i eth0 port 67 or port 68
(note that is the port of the DHCP Server) I see the following:
19:29:45.010080 IP (tos 0x0, ttl 64, id 63640, offset 0, flags [DF], proto UDP (17), length 328)
192.168.0.1.67 > 192.168.0.6.67: [bad udp cksum 0x829d -> 0xd9f7!] BOOTP/DHCP, Request from 68:f7:28:0a:e8:df, length 300, hops 1, xid 0x9cbc3b1a, secs 31, Flags [none] (0x0000)
Gateway-IP 10.88.0.1
Client-Ethernet-Address 68:f7:28:0a:e8:df
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 10.88.0.10
Hostname Option 12, length 14: "elliotalderson"
Parameter-Request Option 55, length 17:
Subnet-Mask, BR, Time-Zone, Default-Gateway
Domain-Name, Domain-Name-Server, Option 119, Hostname
Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
RP
END Option 255, length 0
PAD Option 0, length 0, occurs 15
19:29:45.010324 IP (tos 0x0, ttl 128, id 9482, offset 0, flags [none], proto UDP (17), length 342)
192.168.0.6.67 > 10.88.0.1.67: [udp sum ok] BOOTP/DHCP, Reply, length 314, xid 0x9cbc3b1a, Flags [none] (0x0000)
Your-IP 10.88.0.11
Server-IP 192.168.0.6
Gateway-IP 10.88.0.1
Client-Ethernet-Address 68:f7:28:0a:e8:df
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Subnet-Mask Option 1, length 4: 255.255.255.0
RN Option 58, length 4: 345600
RB Option 59, length 4: 604800
Lease-Time Option 51, length 4: 691200
Server-ID Option 54, length 4: 192.168.0.6
Default-Gateway Option 3, length 4: 10.88.0.1
Domain-Name Option 15, length 12: "DOMAIN"
Domain-Name-Server Option 6, length 8: 192.168.0.4,192.168.0.6
Netbios-Name-Server Option 44, length 8: 192.168.0.4,192.168.0.6
END Option 255, length 0

so the traffic flows like:
DHCP Request: Client - SwitchGigabitethernet2 - SwitchGigabitethernet49 - Sophoseth2.88 - FIREWALLMAGIC - Sophoseth0 - SwitchGigabitethernet20 - Windows Server
DHCP Offer: Windows Server - SwitchGigabitethernet20 - Sophoseth0 - FIREWALLMAGIC

and the logs when tailing it (/var/log/dhcpd.log) are completely empty:
2019:08:29-19:19:57 vpn dhcpd: Server starting service.


2019:08:29-19:33:25 vpn dhcpd: Internet Systems Consortium DHCP Server 4.4.1
2019:08:29-19:33:25 vpn dhcpd: Copyright 2004-2018 Internet Systems Consortium.
2019:08:29-19:33:25 vpn dhcpd: All rights reserved.
2019:08:29-19:33:25 vpn dhcpd: For info, please visit www.isc.org/.../
2019:08:29-19:33:25 vpn dhcpd: WARNING: Host declarations are global. They are not limited to the scope you declared them in.
2019:08:29-19:33:25 vpn dhcpd: Config file: /etc/dhcpd.conf
2019:08:29-19:33:25 vpn dhcpd: Database file: /var/state/dhcp/dhcpd.leases
2019:08:29-19:33:25 vpn dhcpd: PID file: /var/run/dhcpd.pid
2019:08:29-19:33:25 vpn dhcpd: Internet Systems Consortium DHCP Server 4.4.1
2019:08:29-19:33:25 vpn dhcpd: Copyright 2004-2018 Internet Systems Consortium.
2019:08:29-19:33:25 vpn dhcpd: All rights reserved.
2019:08:29-19:33:25 vpn dhcpd: For info, please visit www.isc.org/.../
2019:08:29-19:33:25 vpn dhcpd: Wrote 0 deleted host decls to leases file.
2019:08:29-19:33:25 vpn dhcpd: Wrote 0 new dynamic host decls to leases file.
2019:08:29-19:33:25 vpn dhcpd: Wrote 350 leases to leases file.
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/eth0/00:1a:8c:51:26:3c/192.168.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/eth0/00:1a:8c:51:26:3c/192.168.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/wlan2/00:1a:8c:0a:1b:02/172.16.10.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/wlan2/00:1a:8c:0a:1b:02/172.16.10.0/24
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/wlan1/00:1a:8c:0a:97:01/172.16.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/wlan1/00:1a:8c:0a:97:01/172.16.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on Socket/fallback/fallback-net
2019:08:29-19:33:25 vpn dhcpd: Server starting service.

note that the packet above is from 19:29:45 and there is nothing in the logs.

Firewall has been rebooted.

weird is that now, even after the reboot, when I activate the DHCP Relay, and also the DHCP Server on the eth0 it does not give the error message any more on the WebUI.
also by starting and stopping the service the logs say: 2019:08:29-19:33:25 vpn dhcpd: Server starting service.

any ideas?

only thing I might have missed, is that I did not check if te packet leaves eth2 or eth2.88 but if the Windows Server gets the packet... VLAN config should be just fine.

Thanks and sorry for the long post.

 

P.S.: I swear to god, I showed this config my colleague 2 days ago, and my testmachine got the proper IP... 2 days later, config not touched, not working. 



This thread was automatically locked due to age.
Parents Reply Children
No Data