Greetings,
I recently built up a router based on OBSD 6.0; axe0 is the i/f
connected to the ADSL modem, and it obtains its address from my ISP
through DHCP:
[....................snip....................]
root@egeo:[~]> cat /etc/hostname.axe0
# Internet connection
# Public address obtained through ISP DHCP service
dhcp
[....................snip....................]
I noticed the following log messages at DHCP request renewal:
[....................snip....................]
Jan 9 23:32:28 egeo dhclient[58607]: DHCPREQUEST on axe0 to 10.254.3.253
Jan 9 23:32:28 egeo dhclient[58607]: send_packet: No route to host
Jan 9 23:32:31 egeo dhclient[58607]: DHCPREQUEST on axe0 to 255.255.255.255
Jan 9 23:32:31 egeo dhclient[58607]: DHCPACK from 2.238.176.1 (78:19:f7:45:d7:c1)
Jan 9 23:32:31 egeo dhclient[58607]: bound to 2.238.176.236 -- renewal in 14340 seconds.
[....................snip....................]
I do not understand what's happening here; the first request fails with
"No route to host", the second one (which seems to me a broadcast one)
is instead correctly managed.
Does it mean that there is a DHCP server running on 10.254.3.253? This
should be a private network address, but my LAN is on
192.168 (and on the same machine, having internal IP address
192.168.1.1, is indeed running a DHCP service).
Is a "reject" declaration in dhclient.conf the right way to tackle
this symptom? Or do I need some additional rules in pf.conf?
[....................snip....................]
root@egeo:[~]> cat /etc/dhclient.conf
# DHCP service is used on this machine only for ISP
# connection (axe0 i/f)
send host-name "egeo.atlantide.priv";
# Do not overwrite resolv.conf, use local DNS instead
ignore domain-name-servers, domain-name;
[....................snip....................]
[....................snip....................]
root@egeo:[~]> cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# List of internal interfaces
int_if="{ vether0 bce0 ath0 }"
# "egress" keyword chooses the i/f that holds the default route (axe0)
# Non-routable private addresses
table <non-routable> { \
0.0.0.0/8 \
10.0.0.0/8 \
127.0.0.0/8 \
169.254.0.0/16 \
172.16.0.0/12 \
192.0.0.0/24 \
192.0.2.0/24 \
224.0.0.0/3 \
192.168.0.0/16 \
198.18.0.0/15 \
198.51.100.0/24 \
203.0.113.0/24 \
}
set block-policy drop     # Silently drop rejected packets
set loginterface egress   # Enable packet and byte statistics for axe0
#set skip on lo0  # \
#set skip on enc0 # ) Completely omit these i/f from packet processing
#set skip on bwi0 # /
# Enable traffic on loopback i/f (very low security risk)
pass quick on lo0 all
# Normalize incoming packets and perform NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# Drop packets coming in on egress if they appear to be from
# non-routable addresses (misconfiguration? spoofing attack?)
# Similarly, clients should not attempt to connect to such
# addresses
block in quick on egress from <non-routable> to any
block return out quick on egress from any to <non-routable>
# By default, block all traffic
block all
# Allow outgoing IPv4 traffic from both the router itself
# and the LAN clients
pass out quick inet
# Allow all internal LAN traffic
pass in on $int_if inet
# Do not permit remote connections to X11
block return in on !lo0 proto tcp to port 6000:6010
# Allow pinging
pass inet proto icmp all icmp-type { echoreq, unreach }
#
# Port forwarding
#
# Note: currently all servers are running on the router itself;
# if that won't be the case in future, use "rdr-to 192.168.1.x"
#
# Network services, Internet style
pass in on egress inet proto { tcp udp } from any to (egress) port ssh
pass in on egress inet proto { tcp udp } from any to (egress) port www
pass in on egress inet proto tcp from any to (egress) port https
pass in on egress inet proto { tcp udp } from any to (egress) port imap
pass in on egress inet proto { tcp udp } from any to (egress) port imaps
pass in on egress inet proto tcp from any to (egress) port smtp
pass in on egress inet proto { tcp udp } from any to (egress) port submission
# FTP
pass in on egress inet proto tcp from any to (egress) port ftp
pass in on egress inet proto tcp from any to (egress) port 49152:49407
# transmission daemon
pass in on egress inet proto { tcp, udp } from any to (egress) port { 9091 51413 }
[....................snip....................]
Thanks,
--
Alessandro DE LAURENZIS
[mailto:[email protected]]
LinkedIn: http://it.linkedin.com/in/delaurenzis
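A check a reader might want to run on the question above: does each DHCPREQUEST destination in the dhclient log fall inside the <non-routable> table that the posted pf.conf blocks outbound on egress? The script below is an added example, not part of the original post; it parses the log lines and the table entries exactly as they appear above and pairs each DHCPREQUEST with the send_packet error that follows it (that pairing is the script's own heuristic, not something dhclient reports).

```python
"""Check dhclient DHCPREQUEST destinations against pf's <non-routable> table.

Added example (not from the original post). The log lines and the table
entries are copied from the post; pairing a DHCPREQUEST with the
send_packet error on the following line is this script's own heuristic.
"""
import ipaddress
import re

# The <non-routable> table exactly as listed in the posted pf.conf.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "224.0.0.0/3",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
)]

# dhclient log lines from the post, one message per line.
SAMPLE_LOG = """\
Jan 9 23:32:28 egeo dhclient[58607]: DHCPREQUEST on axe0 to 10.254.3.253
Jan 9 23:32:28 egeo dhclient[58607]: send_packet: No route to host
Jan 9 23:32:31 egeo dhclient[58607]: DHCPREQUEST on axe0 to 255.255.255.255
Jan 9 23:32:31 egeo dhclient[58607]: DHCPACK from 2.238.176.1 (78:19:f7:45:d7:c1)
Jan 9 23:32:31 egeo dhclient[58607]: bound to 2.238.176.236 -- renewal in 14340 seconds.
"""

REQUEST_RE = re.compile(r"dhclient\[\d+\]: DHCPREQUEST on (\S+) to (\S+)$")
ERROR_RE = re.compile(r"dhclient\[\d+\]: send_packet: (.+)$")


def matching_entries(addr):
    """Return the <non-routable> entries covering addr (the list may be empty)."""
    ip = ipaddress.ip_address(addr)
    return [str(n) for n in NON_ROUTABLE if ip in n]


def analyse(log_text):
    """Pair each DHCPREQUEST with the send_packet error (if any) that follows it.

    Returns one dict per DHCPREQUEST: interface, destination, error text
    (None when the send did not fail) and the table entries covering the
    destination.
    """
    results = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            dst = m.group(2)
            results.append({"ifname": m.group(1), "dst": dst,
                            "error": None, "table_hits": matching_entries(dst)})
            continue
        m = ERROR_RE.search(line)
        # A send_packet error belongs to the most recent request without one.
        if m and results and results[-1]["error"] is None:
            results[-1]["error"] = m.group(1)
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        status = r["error"] or "sent"
        hits = ", ".join(r["table_hits"]) or "none"
        print(f"{r['ifname']} -> {r['dst']}: {status}; <non-routable> entries: {hits}")
```

Two things the output makes visible: the unicast renewal target 10.254.3.253 is covered by the 10.0.0.0/8 entry, so the rule "block return out quick on egress from any to <non-routable>" applies to it, and the 224.0.0.0/3 entry spans 224.0.0.0 through 255.255.255.255, so the table also contains the limited broadcast address, which is wider than the "private addresses" the comment describes. Whichever path the renewal turns out to take, a DHCP exception placed ahead of that block rule is the pf.conf change to consider if the table is what stops the packet.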