Short question. Is pf blocking this traffic?
On 13-09-14 23:03, Andrew Lester wrote:
> Hi All,
>
> Previously I sent out a very long e-mail about this and I didn't get any responses, so this is my second attempt, which will be much shorter. Basically, I am having a problem with the included version of dhcpd in OpenBSD 5.5 stable, and I'm not sure if it's an issue with OpenBSD or my configuration. I suspect the latter.
>
> I have OpenBSD acting as the DHCP server for my private LAN. I have two subnets declared in dhcpd.conf. The first subnet is for a network directly served by the OpenBSD server (clients and OpenBSD server in the same L3 broadcast domain). The subnet has fixed assignments for all the clients based on their MAC address, and this is no problem.
>
> The second subnet is for a network that is not directly connected to the OpenBSD box; instead there is a static route to reach it. Routing between the two networks works perfectly, and in fact the OpenBSD box is the DNS server for the clients in this remote network. I cannot, however, get DHCP working for those clients. Only when I give a client a static IP address does it work. The L3 switch which serves the clients (it is their default gateway) is configured to act as a DHCP relay, and forwards the DHCP traffic from the clients to the OpenBSD box.
>
> Here's the failure:
>
> 1. Client broadcasts DHCP Discover.
> 2. L3 switch relays the DHCP Discover to the OpenBSD box as a unicast to UDP port 67.
> 3. OpenBSD box receives the relayed unicast DHCP Discover and responds with an ICMP unreachable message for UDP port 67, which is received by the L3 switch.
>
> It's as if port 67 is not listening on the OpenBSD system. I have verified dhcpd is set to listen on all interfaces. I found that netstat never displays an open socket for port 67, but I have since come to learn dhcpd does not use sockets but BPF, for which apparently there is no way I can find to see open connections. This is not a firewall issue; I have tried with pf totally disabled, and in fact I also learned pf can't restrict traffic from a BPF connection to begin with.
>
> But port 67 is clearly open. The clients in the same broadcast domain which send their UDP DHCP Discovers to 255.255.255.255 port 67 work perfectly.
>
> Does anybody know why the OpenBSD system would be sending ICMP port unreachable messages to the DHCP relay agent in response to its relayed DHCP Discovers? The DNS queries from these clients to the OpenBSD system (same IP as the DHCP server) on port 53 all work perfectly. Unlike dhcpd, I can verify with netstat that BIND is listening on port 53 for DNS queries.
>
> Warm regards,
>
> Andrew
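Added worked example, not part of the thread and not OpenBSD's dhcpd code: the exchange in steps 2 and 3 above built as raw packets, so the two facts a practitioner leans on when reading the tcpdump can be checked byte for byte. First, a relayed DISCOVER is an ordinary IPv4/UDP unicast from the relay (source port 67, giaddr set to the relay's address; dhcpd selects the subnet for a relayed request from giaddr, which therefore has to fall inside a declared subnet). Second, an ICMP destination unreachable (RFC 792 type 3, code 3 for port unreachable) quotes the offending IP header plus the first 8 bytes of its payload, which for UDP is the whole UDP header, so the original source and destination ports survive in the ICMP message and you can confirm it really is UDP/67 being refused. One caveat worth knowing when comparing with the local clients: RFC 1122 section 3.2.2 forbids sending ICMP error messages for datagrams addressed to a broadcast address, so a Discover sent to 255.255.255.255 can never elicit a port unreachable no matter what is or is not bound to the port. The addresses, MAC and transaction ID below are made up (documentation ranges); standard library only, runs offline.

```python
import ipaddress
import struct

SERVER_IP = "192.0.2.1"      # assumed: the OpenBSD dhcpd/DNS box
RELAY_IP = "198.51.100.1"    # assumed: the L3 switch acting as DHCP relay
CLIENT_MAC = bytes.fromhex("001122334455")  # assumed client hardware address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def dhcp_discover(client_mac: bytes, giaddr: str, xid: int = 0xDEADBEEF) -> bytes:
    """BOOTP/DHCP DISCOVER as it looks after a relay agent: hops=1, giaddr set."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 1,          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
                        xid, 0, 0,           # xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr, siaddr
                        ipaddress.IPv4Address(giaddr).packed,  # giaddr: the relay
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x63\x82\x53\x63"   # DHCP magic cookie
               + b"\x35\x01\x01"     # option 53, message type = DISCOVER
               + b"\xff")            # end option
    return fixed + options


def relayed_discover_packet() -> bytes:
    """IPv4/UDP datagram the relay unicasts to the server, UDP 67 -> 67."""
    payload = dhcp_discover(CLIENT_MAC, RELAY_IP)
    udp = struct.pack("!HHHH", 67, 67, 8 + len(payload), 0) + payload  # UDP csum optional on v4
    return ipv4_header(RELAY_IP, SERVER_IP, 17, len(udp)) + udp


def icmp_port_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 / code 3 quoting the offending IP header + 8 payload bytes (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = str(ipaddress.IPv4Address(offending[16:20]))   # the original destination answers
    dst = str(ipaddress.IPv4Address(offending[12:16]))   # back to the original source
    return ipv4_header(src, dst, 1, len(icmp)) + icmp


def dhcp_giaddr(ip_packet: bytes) -> str:
    """giaddr of the DHCP message carried in an IPv4/UDP packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    dhcp = ip_packet[ihl + 8:]           # skip IP header and 8-byte UDP header
    return str(ipaddress.IPv4Address(dhcp[24:28]))


def classify_icmp(ip_packet: bytes):
    """Decode an ICMP destination unreachable the way you would read it in tcpdump.

    Returns None unless the packet is ICMP type 3; otherwise a dict naming the
    sender and the original flow (proto, addresses, ports) it complains about.
    """
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 1:                # not ICMP
        return None
    icmp = ip_packet[ihl:]
    if icmp[0] != 3:                     # not destination unreachable
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                     # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "sender": str(ipaddress.IPv4Address(ip_packet[12:16])),
        "code": icmp[1],                 # 3 == port unreachable
        "proto": inner[9],               # 17 == UDP
        "original_src": str(ipaddress.IPv4Address(inner[12:16])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
    }
```

Run it against the constructed packets and `classify_icmp(icmp_port_unreachable(relayed_discover_packet()))` reports the server as sender, code 3, protocol 17 and a quoted flow of 198.51.100.1:67 to 192.0.2.1:67, which is exactly the pattern in step 3 above; feeding the same parser a real ICMP message from a pcap tells you which port the server's kernel refused. `dhcp_giaddr` on the relayed Discover returns the relay's address, the value dhcpd matches against its subnet declarations.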