Re: OpenBSD 5.5: ICMP port unreachable to DHCP relay agent...
Short question. Is pf blocking this traffic?

On 13-09-14 23:03, Andrew Lester wrote:
> Hi All,
>
> Previously I sent out a very long e-mail about this and I didn't get any responses, so this is my second attempt, which will be much shorter.
>
> Basically, I am having a problem with the included version of dhcpd in OpenBSD 5.5 stable, and I'm not sure if it's an issue with OpenBSD or my configuration. I suspect the latter.
>
> I have OpenBSD acting as the DHCP server for my private LAN. I have two subnets declared in dhcpd.conf. The first subnet is for a network directly served by the OpenBSD server (clients and OpenBSD server in the same L3 broadcast domain). The subnet has fixed assignments for all the clients based on their MAC address, and this is no problem.
>
> The second subnet is for a network that is not directly connected to the OpenBSD box; instead, there is a static route to reach it. Routing between the two networks works perfectly, and in fact the OpenBSD box is the DNS server for the clients in this remote network. I cannot, however, get DHCP working for those clients. Only when I give a client a static IP address does it work. The L3 switch which serves the clients (it is their default gateway) is configured to act as a DHCP relay, and forwards the DHCP traffic from the clients to the OpenBSD box.
>
> Here's the failure:
>
> 1. Client broadcasts DHCP Discover.
> 2. L3 switch relays the DHCP Discover to the OpenBSD box as a unicast to UDP port 67.
> 3. OpenBSD box receives the relayed unicast DHCP Discover, and responds with an ICMP unreachable message for UDP port 67, which is received by the L3 switch.
>
> It's as if port 67 is not listening on the OpenBSD system. I have verified dhcpd is set to listen on all interfaces. I found that netstat never displays an open socket for port 67, but I have since come to learn dhcpd does not use sockets, but BPF, for which, apparently, there is no way I can find to see open connections.
>
> This is not a firewall issue; I have tried with pf totally disabled, and in fact I also learned pf can't restrict traffic from a BPF connection to begin with. But port 67 is clearly open. The clients in the same broadcast domain which send their UDP DHCP Discovers to 255.255.255.255 port 67 work perfectly.
>
> Does anybody know why the OpenBSD system would be sending ICMP port unreachable messages to the DHCP relay agent in response to its relayed DHCP Discovers? The DNS queries from these clients to the OpenBSD system (same IP as the DHCP server) on port 53 all work perfectly. Unlike dhcpd, I can verify with netstat that BIND is listening on port 53 for DNS queries.
>
> Warm regards,
> Andrew
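As an added illustration (not code from the thread or from OpenBSD's dhcpd), the check a reader can make on a capture of the relayed Discover: a relay fills in giaddr and bumps hops, and the server picks the subnet declaration by giaddr, so the first thing to confirm is that the relay's giaddr actually falls inside the second subnet declared in dhcpd.conf. The subnets and addresses below are hypothetical documentation ranges, and the packets are constructed inline.

```python
import ipaddress
import struct

# Stand-ins for the two subnets declared in dhcpd.conf (hypothetical addresses).
DECLARED_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie

def build_discover(mac: bytes, giaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER; giaddr and hops are what a relay agent fills in."""
    relayed = giaddr != "0.0.0.0"
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 1 if relayed else 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr, siaddr
                      ipaddress.ip_address(giaddr).packed,      # giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # options: magic cookie, option 53 (message type) = 1 (DISCOVER), end marker
    return hdr + MAGIC + b"\x35\x01\x01" + b"\xff"

def parse_dhcp(pkt: bytes) -> dict:
    """Decode the BOOTP header and the DHCP message-type option."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    info = {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.ip_address(f[10])),
            "chaddr": f[11][:f[2]].hex(":"), "msgtype": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        if code == 53:
            info["msgtype"] = pkt[i + 2]
        i += 2 + ln
    return info

def classify(pkt: bytes, subnets=DECLARED_SUBNETS) -> str:
    """'local' for a directly attached client (giaddr zero), 'relayed' when giaddr
    lies in a declared subnet, 'relayed-unmatched' when no declaration covers it."""
    g = ipaddress.ip_address(parse_dhcp(pkt)["giaddr"])
    if g == ipaddress.ip_address("0.0.0.0"):
        return "local"
    return "relayed" if any(g in n for n in subnets) else "relayed-unmatched"
```

A relayed Discover whose giaddr classifies as "relayed-unmatched" is one the server has no subnet declaration for; a "relayed" result means the packet itself is well formed and the fault lies elsewhere in the receive path.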