On 13/10/06, Bryan Vyhmeister <[EMAIL PROTECTED]> wrote:
I am having some serious difficulty with dhcp, carp, and vlans. I have
two OpenBSD/i386 3.9-stable firewalls running GENERIC. I am using them
to replace a failing Cisco Catalyst 3550 switch that was doing the VLAN
routing. The boxes are working great as far as the VLAN routing goes but
DHCP is not working right. On the Cisco, I could use:

ip helper-address aaa.bbb.ccc.ddd

This would send the DHCP requests to whatever server they needed to go
to. I have been trying to use dhcrelay on the firewalls for this purpose
with dismal results. If a DHCPREQUEST for <ip> comes in, all is well,
but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach
the client.

I figured that I should put the DHCP server on the actual network with
the clients using a vlan(4) interface so that no "relaying" would be
needed. The exact same problems seem to exist with this setup.

This may be a red herring, but are you running pf(4) on these OpenBSD
firewalls? If so, are you letting DHCPDISCOVER messages through? I
made such a mistake some time ago: In my case there was a Windows DHCP
server on one side and its clients were on the other side of an
OpenBSD firewall/bridge. This is what got things working:

from /etc/pf.conf:
#allow DHCP traffic to/from winsrv:
pass on $ext_if proto udp from { 0.0.0.0, <dhcpclients> } port 68 to $winsrv port 67
pass on $ext_if proto udp from any port 68 to 255.255.255.255 port 67
pass on $ext_if proto udp from $winsrv port 67 to { 255.255.255.255, <dhcpclients> } port 68

This assumes that the macro $winsrv and the table <dhcpclients> are defined.
But you would need to adjust things anyway, as you have a different setup.
Cf. http://en.wikipedia.org/wiki/DHCP#DHCP_and_firewalls
Then again, you may have a different problem.

Cheerio,
--ropers
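
Added example, not part of the original post: a small Python model of the three pass rules quoted above, showing which rule carries each message of a DHCP exchange and what is dropped when the broadcast rule is missing. The server address, the client table range and the client address are constructed sample values; the model assumes a default block policy, a single interface and stateless matching.

```python
import ipaddress

# Constructed sample values; the post leaves $winsrv and <dhcpclients> undefined.
WINSRV = "192.0.2.10"
DHCPCLIENTS = ipaddress.ip_network("192.0.2.0/24")
BCAST, UNSPEC = "255.255.255.255", "0.0.0.0"

def addr_match(spec, addr):
    """spec is 'any', a literal address, the table network, or a list of those."""
    if isinstance(spec, list):
        return any(addr_match(s, addr) for s in spec)
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(addr) in spec
    return spec == addr

# (src, sport, dst, dport) for the three pass rules quoted in the post
RULES = {
    "to_server": ([UNSPEC, DHCPCLIENTS], 68, WINSRV, 67),
    "broadcast": ("any", 68, BCAST, 67),
    "from_server": (WINSRV, 67, [BCAST, DHCPCLIENTS], 68),
}

# Constructed packets for one lease: (src, sport, dst, dport)
PACKETS = {
    "DHCPDISCOVER": (UNSPEC, 68, BCAST, 67),
    "DHCPOFFER": (WINSRV, 67, BCAST, 68),
    "DHCPREQUEST (initial)": (UNSPEC, 68, BCAST, 67),
    "DHCPREQUEST (renew)": ("192.0.2.57", 68, WINSRV, 67),
    "DHCPACK": (WINSRV, 67, "192.0.2.57", 68),
}

def evaluate(packet, rules):
    """Return the name of the matching pass rule, or None (default block assumed)."""
    src, sport, dst, dport = packet
    hit = None
    for name, (rsrc, rsport, rdst, rdport) in rules.items():
        if (addr_match(rsrc, src) and rsport == sport
                and addr_match(rdst, dst) and rdport == dport):
            hit = name  # pf semantics: the last matching rule wins
    return hit

def verdicts(rules):
    return {msg: evaluate(pkt, rules) for msg, pkt in PACKETS.items()}

if __name__ == "__main__":
    without = {k: v for k, v in RULES.items() if k != "broadcast"}
    for label, rs in (("all three rules", RULES), ("broadcast rule missing", without)):
        print(label)
        for msg, rule in verdicts(rs).items():
            print(f"  {msg:24} {'pass via ' + rule if rule else 'BLOCKED'}")
```

With the broadcast rule removed, only the unicast renewal from an address already in the table still reaches the server; the initial DHCPDISCOVER and DHCPREQUEST broadcasts match nothing.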
