Re: DHCP, CARP, and VLANs

2006-10-16 Thread Bryan Vyhmeister
On Fri, Oct 13, 2006 at 07:21:35PM +0200, ropers wrote:
> clueless conjecture:
> what's arp -a say? on either machine?
> where is your DHCP server running?
> on one of your two OpenBSD fw's? On one of the vlans?
> if I don't reply again, that'll mean I'm bamboozled and/or out of ideas

I'm going to start a new thread because the real issue appears to be
with network performance. There are some other quirky things, but lots
of connections are getting denied for another reason. Thanks for your
response.

Bryan



Re: DHCP, CARP, and VLANs

2006-10-16 Thread Bryan Vyhmeister
On Fri, Oct 13, 2006 at 11:18:31AM -0700, Kian Mohageri wrote:
> Where is your DHCP server?  Where is the DHCPOFFER being lost?  Have you
> sniffed on the interface between the firewalls and DHCP server?  The client and
> firewalls?

I will have to follow up on this after I get some other things figured
out. It seems there may be a more significant performance issue that is
causing problems. Thanks for your response.

Bryan



Re: DHCP, CARP, and VLANs

2006-10-13 Thread Kian Mohageri
On 10/12/06, Bryan Vyhmeister <[EMAIL PROTECTED]> wrote:
>
>
> This would send the DHCP requests to whatever server they needed to go
> to. I have been trying to use dhcrelay on the firewalls for this purpose
> with dismal results. If a DHCPREQUEST for  comes in, all is well,
> but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach
> the client.



Where is your DHCP server?  Where is the DHCPOFFER being lost?  Have you
sniffed on the interface between the firewalls and DHCP server?  The client and
firewalls?


-- 
Kian Mohageri



Re: DHCP, CARP, and VLANs

2006-10-13 Thread ropers

> I am about to pull my hair out. This just does not make sense. In
> searching the archives for anything that could be related I found a post
> that stated that running the vlan(4) with the correct netmask and the
> carp(4) interface with /32 caused dhcp to work fine for them. I have
> done that and it has had no effect. Thanks for the response.


clueless conjecture:
what's arp -a say? on either machine?
where is your DHCP server running?
on one of your two OpenBSD fw's? On one of the vlans?
if I don't reply again, that'll mean I'm bamboozled and/or out of ideas



Re: DHCP, CARP, and VLANs

2006-10-13 Thread Bryan Vyhmeister
On Fri, Oct 13, 2006 at 12:17:41PM +0200, ropers wrote:
> This may be a red herring, but are you running pf(4) on these OpenBSD
> firewalls? If so, are you letting DHCPDISCOVER messages through? I
> made such a mistake some time ago: In my case there was a Windows DHCP
> server on one side and its clients were on the other side of an
> OpenBSD firewall/bridge. This is what got things working:
> 
> from /etc/pf.conf:
> #allow DHCP traffic to/from winsrv:
> pass on $ext_if proto udp from { 0.0.0.0,  } port 68 to $winsrv port 67
> pass on $ext_if proto udp from any port 68 to 255.255.255.255 port 67
> pass on $ext_if proto udp from $winsrv port 67 to { 255.255.255.255,  } port 68

I found this from a previous post (I think it was yours) and added that
to my pf.conf but it did not have any effect. I also tried just
disabling pf(4) entirely. That did not have any effect at all. What
makes this even more frustrating is that for one of my VLANs, dhcpd is
working pretty well on my OpenBSD server. For another VLAN, I can only
get a FreeBSD-based dhcpd to work. The whole goal was to phase that
server out but it is not working reliably on the first VLAN.

I am about to pull my hair out. This just does not make sense. In
searching the archives for anything that could be related I found a post
that stated that running the vlan(4) with the correct netmask and the
carp(4) interface with /32 caused dhcp to work fine for them. I have
done that and it has had no effect. Thanks for the response.

Bryan



Re: DHCP, CARP, and VLANs

2006-10-13 Thread ropers

On 13/10/06, Bryan Vyhmeister <[EMAIL PROTECTED]> wrote:

> I am having some serious difficulty with dhcp, carp, and vlans. I have
> two OpenBSD/i386 3.9-stable firewalls running GENERIC. I am using them
> to replace a failing Cisco Catalyst 3550 switch that was doing the VLAN
> routing. The boxes are working great as far as the VLAN routing goes but
> DHCP is not working right. On the Cisco, I could use:
>
> ip helper-address aaa.bbb.ccc.ddd
>
> This would send the DHCP requests to whatever server they needed to go
> to. I have been trying to use dhcrelay on the firewalls for this purpose
> with dismal results. If a DHCPREQUEST for  comes in, all is well,
> but if a DHCPDISCOVER request comes in, DHCPOFFER does not seem to reach
> the client.
>
> I figured that I should put the DHCP server on the actual network with
> the clients using a vlan(4) interface so that no "relaying" would be
> needed. The exact same problems seem to exist with this setup.


This may be a red herring, but are you running pf(4) on these OpenBSD
firewalls? If so, are you letting DHCPDISCOVER messages through? I
made such a mistake some time ago: In my case there was a Windows DHCP
server on one side and its clients were on the other side of an
OpenBSD firewall/bridge. This is what got things working:

from /etc/pf.conf:
#allow DHCP traffic to/from winsrv:
pass on $ext_if proto udp from { 0.0.0.0,  } port 68 to $winsrv port 67
pass on $ext_if proto udp from any port 68 to 255.255.255.255 port 67
pass on $ext_if proto udp from $winsrv port 67 to { 255.255.255.255,  } port 68

This assumes that the macro $winsrv and the table  are defined.
But you would need to adjust things anyway, as you have a different setup.
Cf. http://en.wikipedia.org/wiki/DHCP#DHCP_and_firewalls
Then again, you may have a different problem.

Cheerio,
--ropers
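Editor's added example (not code from this thread or from OpenBSD): the question "where is the DHCPOFFER being lost?" is answered by sniffing the right hop, and which hop that is follows from the request itself. The decoder below reads the RFC 2131 header fields that matter (giaddr, ciaddr, the broadcast flag, chaddr) and option 53 from a raw DHCP UDP payload, and reply_destination states where an RFC 2131 server addresses its OFFER/ACK for that request. The packets it decodes are constructed in build_dhcp with made-up addresses (192.0.2.x) and a made-up MAC; nothing here is a real capture.

```python
import struct
from ipaddress import IPv4Address

# RFC 2131 fixed header ends with this "magic cookie" before the options field.
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the RFC 2131 header and the option-53 message type from a raw
    DHCP UDP payload, returning the fields that decide where a reply goes."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, hops = struct.unpack_from("!BBBB", payload, 0)
    xid, _secs, flags = struct.unpack_from("!IHH", payload, 4)
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack_from("!4s4s4s4s", payload, 12)
    chaddr = payload[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(payload):            # walk TLV options until END (255)
        tag = payload[i]
        if tag == 0:                   # PAD option has no length byte
            i += 1
            continue
        if tag == 255:
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:  # DHCP Message Type
            msg_type = MSG_TYPES.get(value[0], "type %d" % value[0])
        i += 2 + length
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "hops": hops,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),   # client asks for a broadcast reply
        "ciaddr": str(IPv4Address(ciaddr)),
        "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)),
        "giaddr": str(IPv4Address(giaddr)),  # non-zero when a relay forwarded it
        "chaddr": chaddr.hex(":"),
        "message_type": msg_type,
    }


def reply_destination(request: dict) -> str:
    """Where an RFC 2131 server (section 4.1) addresses DHCPOFFER/DHCPACK for
    a decoded request; this is the hop to sniff when the offer never arrives."""
    if request["giaddr"] != "0.0.0.0":
        return "unicast to relay %s udp/67" % request["giaddr"]
    if request["ciaddr"] != "0.0.0.0":
        return "unicast to client %s udp/68" % request["ciaddr"]
    if request["broadcast"]:
        return "broadcast to 255.255.255.255 udp/68"
    return "unicast to the offered yiaddr udp/68, framed to chaddr %s" % request["chaddr"]


def build_dhcp(op, msg_type, xid, chaddr, *, flags=0, hops=0, ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0") -> bytes:
    """Build a minimal DHCP payload (constructed test data, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, len(chaddr), hops, xid, 0, flags,
                         IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                         IPv4Address(siaddr).packed, IPv4Address(giaddr).packed)
    header += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)  # chaddr, sname, file
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


if __name__ == "__main__":
    mac = bytes.fromhex("00aabbccddee")  # constructed client MAC
    # A DISCOVER as a relay would forward it: giaddr set to the relay's VLAN address.
    relayed = build_dhcp(1, 1, 0x2A2A, mac, hops=1, giaddr="192.0.2.1")
    # The same DISCOVER as the client put it on the wire, broadcast flag set.
    direct = build_dhcp(1, 1, 0x2A2A, mac, flags=0x8000)
    for name, pkt in (("relayed", relayed), ("direct", direct)):
        info = parse_dhcp(pkt)
        print(name, info["message_type"], "giaddr", info["giaddr"],
              "-> reply", reply_destination(info))
```

One consequence worth reading off the output: when a relay has set giaddr, the server's OFFER is a udp/67 to udp/67 unicast to the relay, not a 67 to 68 packet to the client, so pass rules written only for the client/server ports (68 to 67 and 67 to 68, as in the rules above) do not describe the server/relay hop at all, and a capture on that hop is where to look first.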