Hi All,

I am experiencing an issue with dhcpd on OpenBSD 5.5-stable. I’ve been searching extensively and can’t seem to find any solution.

I am using OpenBSD as a default gateway for two VLANs, and for one of the VLANs, dhcpd is handing out IP addresses. In this VLAN, DHCP works perfectly. The other VLAN does not have DHCP enabled. However, I have a second subnet set up in /etc/dhcpd.conf for a remote network on my private LAN. Clients in that remote network have another L3 switch as their default gateway, and in turn, the L3 switch uses the OpenBSD system as its default gateway. The OpenBSD system has a static route for the remote network. Routing between the networks works perfectly. If I statically assign an IP address to a client in the remote network, I have full network access to my private LAN and out to the Internet.

But when I configure the L3 switch to act as a DHCP relay agent and forward DHCP requests to the OpenBSD DHCP server, DHCP does not work. Clients on the remote network do not get replies from the DHCP server, and get a self-assigned IP address (169.x.x.x). The relay agent on the L3 switch sends the DHCP requests to the same IP address and interface on the OpenBSD system that the clients in the directly-connected VLAN use.
If I perform a packet capture on that interface on the OpenBSD system to see the relayed DHCP requests, what I see is the request being successfully relayed to the DHCP server, and it is a unicast packet since it was relayed. The source IP is the IP of the routed interface on the L3 switch for the remote network, and the destination IP is the IP address of the DHCP server. The source and destination port is 67. What I would expect to see is the DHCP server reply with a unicast offer to the IP of the routed interface on the L3 switch. Instead, the server replies with an ICMP unreachable packet, indicating that the destination UDP port 67 was unreachable. This ICMP unreachable message is seen on the L3 switch.

Again, routing here works as expected. I can ping both the L3 switch interface and clients with a static IP in the remote network from the OpenBSD system just fine. And the L3 switch and remote clients can ping the OpenBSD system just fine as well.

What is even more perplexing about the ICMP unreachable for destination port 67 is that when I perform the same packet capture of the DHCP process for clients on the local VLAN, the system replies with the very same source IP and port for which the ICMP unreachable packets get generated when remote clients try to use DHCP!

This is not a firewall issue either. My only firewall is PF, and I've tested with it configured to pass all traffic, and with it completely disabled. The ONLY difference I can see in the packet captures is that for the local clients, the process is initiated by a broadcast packet to port 67, while a unicast packet to port 67 is seen for the remote clients. But again, replies to the local clients will end up coming from the DHCP server IP and port 67 just fine.

I apologize for the long-winded message. And thank you to anybody who can provide any input! :)

Warm regards,
Andrew
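An added example, not part of Andrew's post and not OpenBSD dhcpd's own code: a small Python model of the relay exchange described above, following the RFC 2131 rules for subnet selection (section 4.3.1) and reply addressing (section 4.1). The addresses used (192.0.2.1 for the OpenBSD server's VLAN interface, 198.51.100.1 for the L3 switch's routed interface that becomes giaddr) and the two address pools are constructed stand-ins for the poster's unstated configuration. It shows why both the directly-connected and the relayed replies are sourced from the server's IP on UDP 67, while a relayed OFFER has to be delivered unicast to giaddr on port 67 rather than to the client, and what happens when a relayed request's giaddr matches no declared subnet.

```python
"""Model of DHCP relay reply addressing per RFC 2131 (added example).

The topology below is constructed; nothing here is OpenBSD dhcpd's code.
"""
import ipaddress
import struct

# Constructed topology (assumption, not the poster's real addresses).
SERVER_IP = "192.0.2.1"        # dhcpd's address on the directly connected VLAN
RELAY_IP = "198.51.100.1"      # L3 switch routed interface on the remote VLAN (giaddr)
# Two pools, mirroring two `subnet` declarations in /etc/dhcpd.conf.
SUBNETS = {
    "192.0.2.0/24": ("192.0.2.100", "192.0.2.200"),
    "198.51.100.0/24": ("198.51.100.100", "198.51.100.200"),
}

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header (RFC 951 / RFC 2131)
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255
DISCOVER = 1
BROADCAST_FLAG = 0x8000


def build_discover(chaddr, xid, giaddr="0.0.0.0", flags=0):
    """Minimal DHCPDISCOVER. A directly connected client leaves giaddr zero;
    a relay agent writes the address of the interface it received the
    broadcast on into giaddr before unicasting the packet to the server's
    UDP port 67 from its own port 67."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                              # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, flags,                           # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,     # giaddr
        chaddr.ljust(16, b"\0"),                 # chaddr
        b"\0" * 64, b"\0" * 128,                 # sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DISCOVER, OPT_END])
    return header + DHCP_MAGIC + options


def parse(packet):
    """Decode the header fields and options the reply logic depends on."""
    fields = struct.unpack(BOOTP_FMT, packet[:236])
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0],
        "xid": fields[4],
        "flags": fields[6],
        "ciaddr": str(ipaddress.ip_address(fields[7])),
        "giaddr": str(ipaddress.ip_address(fields[10])),
        "chaddr": fields[11][:fields[2]],
        "msg_type": options.get(OPT_MSG_TYPE, b"\0")[0],
    }


def select_subnet(req, received_on=SERVER_IP):
    """RFC 2131 4.3.1: with a non-zero giaddr the server picks the declared
    subnet containing giaddr; otherwise the subnet of the receiving interface.
    A relayed request for a subnet that is not declared cannot be served."""
    anchor = received_on if req["giaddr"] == "0.0.0.0" else req["giaddr"]
    for net in SUBNETS:
        if ipaddress.ip_address(anchor) in ipaddress.ip_network(net):
            return net
    raise LookupError(f"no subnet declaration covers {anchor}")


def plan_offer(req, received_on=SERVER_IP):
    """Where the DHCPOFFER for a DISCOVER goes (RFC 2131 4.1). The source is
    always the server's own address on UDP 67, so both captures in the post
    show the same source; only the destination differs. Lease bookkeeping is
    omitted: the offer is always the first address of the pool."""
    if req["op"] != 1 or req["msg_type"] != DISCOVER:
        raise ValueError("expected a DHCPDISCOVER")
    net = select_subnet(req, received_on)
    yiaddr = SUBNETS[net][0]
    if req["giaddr"] != "0.0.0.0":
        dst = (req["giaddr"], 67)          # unicast to the relay, which forwards to the client
    elif req["flags"] & BROADCAST_FLAG:
        dst = ("255.255.255.255", 68)      # client asked for a broadcast reply
    else:
        dst = (yiaddr, 68)                 # unicast to the unconfigured client, framed to chaddr
    return {"subnet": net, "yiaddr": yiaddr, "src": (received_on, 67), "dst": dst}


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"      # constructed client hardware address
    print("local:  ", plan_offer(parse(build_discover(mac, 0x1234))))
    print("relayed:", plan_offer(parse(build_discover(mac, 0x5678, giaddr=RELAY_IP))))
```

The model only reproduces the exchange the poster expects; it does not explain the ICMP port-unreachable. In general that ICMP is generated by the receiving kernel when a UDP datagram arrives for a port with no socket bound to it on that address (or by a firewall configured to reject with a return), so with PF out of the picture the first thing to check on the OpenBSD side is `netstat -an` for a UDP listener on port 67 on the address the relay targets, and whether the capture shows dhcpd emitting any OFFER toward giaddr at all.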

