Short question. Is pf blocking this traffic?

On 13-09-14 23:03, Andrew Lester wrote:
> Hi All,
>
> Previously I sent out a very long e-mail about this and I didn't get any
> responses, so this is my second attempt, which will be much shorter.
> Basically, I am having a problem with the included version of dhcpd in
> OpenBSD 5.5 stable, and I'm not sure if it's an issue with OpenBSD or my
> configuration. I suspect the latter.
>
> I have OpenBSD acting as the DHCP server for my private LAN. I have two
> subnets declared in dhcpd.conf. The first subnet is for a network directly
> served by the OpenBSD server (clients and OpenBSD server in the same L3
> broadcast domain). The subnet has fixed assignments for all the clients
> based on their MAC address, and this is no problem.
>
> The second subnet is for a network that is not directly connected to the
> OpenBSD box; instead there is a static route to reach it. Routing between
> the two networks works perfectly, and in fact the OpenBSD box is the DNS
> server for the clients in this remote network. I cannot, however, get DHCP
> working for those clients. Only when I give a client a static IP address
> does it work. The L3 switch which serves the clients (it is their default
> gateway) is configured to act as a DHCP relay, and forwards the DHCP
> traffic from the clients to the OpenBSD box.
>
> Here's the failure:
>
> 1. Client broadcasts DHCP Discover.
> 2. L3 switch relays the DHCP Discover to the OpenBSD box as a unicast to
>    UDP port 67.
> 3. OpenBSD box receives the relayed unicast DHCP Discover, and responds
>    with an ICMP unreachable message for UDP port 67, which is received by
>    the L3 switch.
>
> It's as if port 67 is not listening on the OpenBSD system. I have verified
> dhcpd is set to listen on all interfaces. I found that netstat never
> displays an open socket for port 67, but I have since come to learn dhcpd
> does not use sockets but BPF, for which there is apparently no way I can
> find to see open connections. This is not a firewall issue; I have tried
> with pf totally disabled, and in fact I also learned pf can't restrict
> traffic from a BPF connection to begin with.
>
> But port 67 is clearly open. The clients in the same broadcast domain
> which send their UDP DHCP Discovers to 255.255.255.255 port 67 work
> perfectly.
>
> Does anybody know why the OpenBSD system would be sending ICMP port
> unreachable messages to the DHCP relay agent in response to its relayed
> DHCP Discovers? The DNS queries from these clients to the OpenBSD system
> (same IP as the DHCP server) on port 53 all work perfectly. Unlike dhcpd,
> I can verify with netstat that BIND is listening on port 53 for DNS
> queries.
>
> Warm regards,
>
> Andrew

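The three-step failure in the quoted mail, reconstructed as an added example (this is not code from the thread or from OpenBSD's dhcpd). It builds the DHCPDISCOVER exactly as a relay agent forwards it in step 2 (giaddr set to the relay's address, hops incremented, unicast from UDP 67 to UDP 67 rather than broadcast), shows what a BPF listener on the server would see in that datagram, and then decodes the ICMP type 3 code 3 "port unreachable" a kernel emits in step 3 when no socket is bound to the destination port, pulling the quoted inner header out so the refused flow is visible. The relay address 192.0.2.1, server address 198.51.100.10, client MAC and transaction id are constructed for the example; on a real box the same decode applies to what `tcpdump -n -i <if> 'udp port 67 or icmp'` captures.

```python
# Added example, not from the thread: relayed DHCPDISCOVER (RFC 1542 relay,
# giaddr set) and the ICMP port-unreachable a kernel returns when nothing is
# bound to UDP 67. All addresses, MACs and the xid below are made up.
import socket
import struct

DHCP_SERVER_PORT = 67
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options cookie
OPT_MSG_TYPE, OPT_END, DHCPDISCOVER = 53, 255, 1
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header


def build_relayed_discover(client_mac, giaddr, xid, hops=1):
    """DISCOVER as the relay forwards it: giaddr = relay's address on the
    client subnet, hops bumped, followed by the minimal option set."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, hops,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr), # giaddr: this is what marks it as relayed
        chaddr, b"\x00" * 64, b"\x00" * 128)
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def parse_bootp(payload):
    """Decode the fields dhcpd cares about when deciding which subnet applies."""
    f = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:           # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": socket.inet_ntoa(f[10]),
            "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
            "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
            "relayed": f[10] != b"\x00" * 4}


def checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP encapsulation; UDP checksum left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + udp


def icmp_port_unreachable(offending_packet):
    """What a kernel sends for a UDP datagram to a port with no socket bound:
    ICMP type 3 code 3 quoting the original IP header plus its first 8 bytes."""
    ihl = (offending_packet[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending_packet[:ihl + 8]
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


def parse_icmp_unreachable(icmp):
    """Extract the quoted inner header so the refused flow can be identified."""
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"type": icmp[0], "code": icmp[1], "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}


def simulate_failure(relay_ip="192.0.2.1", server_ip="198.51.100.10",
                     client_mac="00:11:22:33:44:55", xid=0x3903F326):
    """Steps 2 and 3 of the reported failure, on constructed addresses."""
    discover = build_relayed_discover(client_mac, relay_ip, xid)
    wire = ipv4_udp(relay_ip, server_ip, DHCP_SERVER_PORT, DHCP_SERVER_PORT,
                    discover)
    seen = parse_bootp(wire[28:])          # what a BPF tap on the server sees
    reply = parse_icmp_unreachable(icmp_port_unreachable(wire))
    return seen, reply


if __name__ == "__main__":
    seen, reply = simulate_failure()
    print("relayed DISCOVER as seen on the server:", seen)
    print("server's ICMP answer:", reply)
```

The point the decode makes: the DISCOVER still reaches dhcpd's BPF tap (the tap sits below the IP stack), while the ICMP reply comes from the kernel's UDP input path, which only knows about bound sockets. So "dhcpd sees the packet" and "the kernel says port 67 is unreachable" are not contradictory; checking both the capture and `netstat -an -f inet` for a `*.67` listener is the quickest way to tell which side is answering.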