Hey folks, I came across a very weird issue with the DHCP relay. It simply is not working, but in more detail...
We have a network of 192.168.0.0/24 and everything is inside this network. I began to segment it and created some VLANs.
As of now, the eth0 interface on Sophos is hosting the 192.168.0.0/24 NW and acts as a DHCP Server. I created VLAN88 on eth2 and set up the switchport like this:
    interface gigabitethernet49
    switchport trunk allowed vlan add 88
so all the other ports are on VLAN Access 88. The new DHCP Server (Windows) is on the 192.168.0.0/24 NW with the IP .6. The VLAN88 is 10.88.0.0/24.
DHCP Server is active for eth0 192.168.0.0/24, 0.100-0.230 range. DHCP Relay is LAN-NEW on eth2 and DHCP Server is the 192.168.0.6.
I know this is not working, as you cannot have the DHCP active for the same interface the Server is on and use it as a Relay. It also gave me that error message accordingly:
    DHCPREQUEST for 10.88.0.10 from 68:f7:28:0a:e8:df via 10.88.0.1: ignored (unknown subnet).
I disabled the DHCP Server for the 192.168.0.0/24 range. Now if I plug a machine into gigabitethernet1 and try to get an IP I won't get one...
Weird part is, if I make a tcpdump like this:
    tcpdump -vvvnnns0 -i eth0 port 67 or port 68
(note that this is the port of the DHCP Server) I see the following:
19:29:45.010080 IP (tos 0x0, ttl 64, id 63640, offset 0, flags [DF], proto UDP (17), length 328)
    192.168.0.1.67 > 192.168.0.6.67: [bad udp cksum 0x829d -> 0xd9f7!] BOOTP/DHCP, Request from 68:f7:28:0a:e8:df, length 300, hops 1, xid 0x9cbc3b1a, secs 31, Flags [none] (0x0000)
          Gateway-IP 10.88.0.1
          Client-Ethernet-Address 68:f7:28:0a:e8:df
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 10.88.0.10
            Hostname Option 12, length 14: "elliotalderson"
            Parameter-Request Option 55, length 17:
              Subnet-Mask, BR, Time-Zone, Default-Gateway
              Domain-Name, Domain-Name-Server, Option 119, Hostname
              Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
              NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
              RP
            END Option 255, length 0
            PAD Option 0, length 0, occurs 15
19:29:45.010324 IP (tos 0x0, ttl 128, id 9482, offset 0, flags [none], proto UDP (17), length 342)
    192.168.0.6.67 > 10.88.0.1.67: [udp sum ok] BOOTP/DHCP, Reply, length 314, xid 0x9cbc3b1a, Flags [none] (0x0000)
          Your-IP 10.88.0.11
          Server-IP 192.168.0.6
          Gateway-IP 10.88.0.1
          Client-Ethernet-Address 68:f7:28:0a:e8:df
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Subnet-Mask Option 1, length 4: 255.255.255.0
            RN Option 58, length 4: 345600
            RB Option 59, length 4: 604800
            Lease-Time Option 51, length 4: 691200
            Server-ID Option 54, length 4: 192.168.0.6
            Default-Gateway Option 3, length 4: 10.88.0.1
            Domain-Name Option 15, length 12: "DOMAIN"
            Domain-Name-Server Option 6, length 8: 192.168.0.4,192.168.0.6
            Netbios-Name-Server Option 44, length 8: 192.168.0.4,192.168.0.6
            END Option 255, length 0
So the traffic flows like:
DHCP Request: Client - Switch gigabitethernet2 - Switch gigabitethernet49 - Sophos eth2.88 - FIREWALLMAGIC - Sophos eth0 - Switch gigabitethernet20 - Windows Server
DHCP Offer: Windows Server - Switch gigabitethernet20 - Sophos eth0 - FIREWALLMAGIC
And the logs when tailing it (/var/log/dhcpd.log) are completely empty:
2019:08:29-19:19:57 vpn dhcpd: Server starting service.
2019:08:29-19:33:25 vpn dhcpd: Internet Systems Consortium DHCP Server 4.4.1
2019:08:29-19:33:25 vpn dhcpd: Copyright 2004-2018 Internet Systems Consortium.
2019:08:29-19:33:25 vpn dhcpd: All rights reserved.
2019:08:29-19:33:25 vpn dhcpd: For info, please visit www.isc.org/.../
2019:08:29-19:33:25 vpn dhcpd: WARNING: Host declarations are global. They are not limited to the scope you declared them in.
2019:08:29-19:33:25 vpn dhcpd: Config file: /etc/dhcpd.conf
2019:08:29-19:33:25 vpn dhcpd: Database file: /var/state/dhcp/dhcpd.leases
2019:08:29-19:33:25 vpn dhcpd: PID file: /var/run/dhcpd.pid
2019:08:29-19:33:25 vpn dhcpd: Internet Systems Consortium DHCP Server 4.4.1
2019:08:29-19:33:25 vpn dhcpd: Copyright 2004-2018 Internet Systems Consortium.
2019:08:29-19:33:25 vpn dhcpd: All rights reserved.
2019:08:29-19:33:25 vpn dhcpd: For info, please visit www.isc.org/.../
2019:08:29-19:33:25 vpn dhcpd: Wrote 0 deleted host decls to leases file.
2019:08:29-19:33:25 vpn dhcpd: Wrote 0 new dynamic host decls to leases file.
2019:08:29-19:33:25 vpn dhcpd: Wrote 350 leases to leases file.
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/eth0/00:1a:8c:51:26:3c/192.168.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/eth0/00:1a:8c:51:26:3c/192.168.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/wlan2/00:1a:8c:0a:1b:02/172.16.10.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/wlan2/00:1a:8c:0a:1b:02/172.16.10.0/24
2019:08:29-19:33:25 vpn dhcpd: Listening on LPF/wlan1/00:1a:8c:0a:97:01/172.16.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on LPF/wlan1/00:1a:8c:0a:97:01/172.16.0.0/24
2019:08:29-19:33:25 vpn dhcpd: Sending on Socket/fallback/fallback-net
2019:08:29-19:33:25 vpn dhcpd: Server starting service.
Note that the packet above is from 19:29:45 and there is nothing in the logs.
Firewall has been rebooted.
Weird is that now, even after the reboot, when I activate the DHCP Relay and also the DHCP Server on eth0, it does not give the error message any more on the WebUI. Also, by starting and stopping the service, the logs say:
    2019:08:29-19:33:25 vpn dhcpd: Server starting service.
The only thing I might have missed is that I did not check if the packet leaves eth2 or eth2.88, but if the Windows Server gets the packet... the VLAN config should be just fine.
Thanks and sorry for the long post.
P.S.: I swear to god, I showed this config to my colleague 2 days ago, and my test machine got the proper IP... 2 days later, config not touched, not working.
Could you show us a screenshot of the DHCP relay option?
In reply to Alexander Busch:
Sure, here it is:
The DHCP Server is on the "LAN" (eth0) interface and has the DHCP Range of "LAN-Test" (eth2.88).
This morning I did a test, and on eth2.88 only DHCP Requests are seen. On eth0 I see the DHCP Request and DHCP Offer.
In reply to Gergö Karpati:
As far as I know, you need to add both the LAN and LAN-TEST network in the DHCP Relay page. We've had the same issue, and adding both networks solved it for us.
Hope this helps.
In reply to Karl-Heinz van Hardeveld:
Correct. I remember the day I did the same mistake. You have to add both of the subnets.
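Added example (not code from any of the posters or from Sophos): a small Python model of an interface-bound DHCP relay that replays the exchange in the dump above, to show why the Offer seen on eth0 never reaches eth2.88 until both networks are listed. It assumes the relay only processes frames on interfaces it is bound to, stamps giaddr with its own address on the client-facing interface, and returns replies via the interface that owns giaddr; the interface names and addresses (eth0 192.168.0.1, eth2.88 10.88.0.1), xid and MAC are taken from the thread, and the packet bytes are constructed here.

```python
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"   # fixed BOOTP header (236 bytes) + magic cookie
MAGIC = b"\x63\x82\x53\x63"

def bootp(op, hops, xid, giaddr, yiaddr, chaddr, opts):
    """Build a BOOTP/DHCP frame (op 1 = request, 2 = reply); field values copied from the dump."""
    pk = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(HDR, op, 1, 6, hops, xid, 31, 0, pk("0.0.0.0"), pk(yiaddr),
                       pk("0.0.0.0"), pk(giaddr), chaddr.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128, MAGIC) + opts + b"\xff"

def parse(pkt):
    """Decode the header fields a relay's forwarding decision depends on."""
    f = struct.unpack(HDR, pkt[:240])
    if f[14] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]].hex(":")}

class Relay:
    """Assumed model of an interface-bound relay (not the Sophos implementation): it only sees
    frames on bound interfaces and returns replies via the interface that owns giaddr."""
    def __init__(self, bound, addrs, server_iface):
        self.bound, self.addrs, self.server_iface = set(bound), addrs, server_iface

    def handle(self, iface, pkt):
        """Return (out_iface, packet) or (None, reason) for a frame seen on iface."""
        if iface not in self.bound:
            return None, f"not listening on {iface}: frame ignored"
        h = parse(pkt)
        if h["op"] == 1:  # BOOTREQUEST: set giaddr if unset, bump hops, unicast to server
            if h["giaddr"] == "0.0.0.0":
                pkt = pkt[:24] + ipaddress.IPv4Address(self.addrs[iface]).packed + pkt[28:]
            return self.server_iface, pkt[:3] + bytes([h["hops"] + 1]) + pkt[4:]
        for out, ip in self.addrs.items():  # BOOTREPLY: back out the interface owning giaddr
            if ip == h["giaddr"]:
                return out, pkt
        return None, f"giaddr {h['giaddr']} is not ours: reply dropped"

def simulate(bound):
    """Replay the thread's exchange: Discover enters on eth2.88, the Offer comes back on eth0."""
    relay = Relay(bound, {"eth0": "192.168.0.1", "eth2.88": "10.88.0.1"}, "eth0")
    mac = bytes.fromhex("68f7280ae8df")                    # client MAC from the dump
    discover = bootp(1, 0, 0x9CBC3B1A, "0.0.0.0", "0.0.0.0", mac, b"\x35\x01\x01")
    out, fwd = relay.handle("eth2.88", discover)           # what tcpdump on eth0 showed
    offer = bootp(2, 1, 0x9CBC3B1A, "10.88.0.1", "10.88.0.11", mac, b"\x35\x01\x02")
    return {"request": (out, parse(fwd)), "reply": relay.handle("eth0", offer)}
```

With only LAN-Test bound, `simulate(["eth2.88"])` forwards the Discover (hops 1, giaddr 10.88.0.1, exactly as in the capture) but reports the Offer as ignored on eth0; with both interfaces bound the Offer is handed back out eth2.88.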
Hey Alexander and Karl-Heinz!
Thank you for the feedback, indeed it was that the 2 interfaces were not both in it. Well, fail on my side, but thanks a lot for the help!