DHCP from gateway?

jnojr
Level 1

The DHCP server my Macs use is not on the local subnet.  In my firewall rules, I allow traffic from the DHCP server address UDP 67 to local UDP 68, and that works... until it doesn't.  Every now and then, I find a machine with a zeroconf address and ipfw logs showing dropped DHCP packets from my gateway.  I added a rule to allow that, and DHCP starts working again.  But... why?  I understand that routers will include a DHCP relay, but that should be preserving source / destination, IIRC.  And why would this be so intermittent?

4 Replies

devils_advocate
Level 7

Can you provide a quick diagram of your setup including all routing devices between the hosts and the DHCP server?

Hi,

I'm not sure if I understand the question correctly but I think the answer is that the DHCP communication depends on if the client already has a lease or not.

  • If it doesn't have a lease it sends a broadcast on the local subnet, which will be forwarded as unicast to the server by the DHCP relay agent (ip helper-address configured on the SVI). As the client doesn't have a lease, its IP address is set to the unspecified 0.0.0.0.
  • If, in contrast, the client has a valid lease, it has layer-3 connectivity and it knows the DHCP server's IP address. So it can unicast directly to the server to renew the lease without using the relay agent.

Does that answer your question?

Regards

Rolf
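
The two paths Rolf describes, modelled as an added example (this is not code from the thread, and the addresses, the simplified relay behaviour and the rule format are constructed assumptions, not anyone's real network or ipfw syntax). It walks a relayed initial lease and a direct renewal through the header fields, then checks what lands on the client's NIC against a host firewall rule that trusts only the DHCP server's address:

```python
"""Model of relayed vs. direct DHCP traffic checked against a host
firewall rule. All addresses are constructed for illustration."""
from dataclasses import dataclass

# Constructed topology (assumption): client and relay share a subnet,
# the DHCP server lives elsewhere.
CLIENT_IP = "10.1.2.50"
GATEWAY_IP = "10.1.2.1"      # SVI carrying ip helper-address, i.e. the relay agent
SERVER_IP = "10.9.9.10"      # DHCP server on a remote subnet
BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    msg: str      # DHCP message type
    giaddr: str   # relay-agent address field in the DHCP header


def relay_to_server(pkt: Packet) -> Packet:
    """Relay agent: stamp giaddr if unset and unicast the request to the server.
    The IP source becomes the relay's own address."""
    giaddr = GATEWAY_IP if pkt.giaddr == UNSPECIFIED else pkt.giaddr
    return Packet(GATEWAY_IP, 67, SERVER_IP, 67, pkt.msg, giaddr)


def server_reply(req: Packet, msg: str) -> Packet:
    """Server answers to giaddr:67 when the request was relayed,
    otherwise straight to the requesting client on port 68."""
    if req.giaddr != UNSPECIFIED:
        return Packet(SERVER_IP, 67, req.giaddr, 67, msg, req.giaddr)
    return Packet(SERVER_IP, 67, req.src_ip, 68, msg, UNSPECIFIED)


def relay_to_client(reply: Packet) -> Packet:
    """Relay forwards the server's reply onto the client segment from its own
    address (simplified: always broadcast, ignoring the BROADCAST flag)."""
    return Packet(GATEWAY_IP, 67, BROADCAST, 68, reply.msg, reply.giaddr)


def initial_lease_exchange() -> Packet:
    """Client with no lease: broadcast DISCOVER, relayed both ways."""
    discover = Packet(UNSPECIFIED, 68, BROADCAST, 67, "DISCOVER", UNSPECIFIED)
    offer = server_reply(relay_to_server(discover), "OFFER")
    return relay_to_client(offer)       # what the client's NIC actually sees


def renewal_exchange() -> Packet:
    """Client with a valid lease: unicast REQUEST, server answers directly."""
    request = Packet(CLIENT_IP, 68, SERVER_IP, 67, "REQUEST", UNSPECIFIED)
    return server_reply(request, "ACK")


# Simplified host firewall rules (assumption, not ipfw syntax):
# allow tuples of (src_ip, src_port, dst_port).
NARROW_RULES = [(SERVER_IP, 67, 68)]                        # server only
FIXED_RULES = [(SERVER_IP, 67, 68), (GATEWAY_IP, 67, 68)]   # server plus relay


def permitted(pkt: Packet, rules) -> bool:
    return any(src == pkt.src_ip and sp == pkt.src_port and dp == pkt.dst_port
               for src, sp, dp in rules)


def outcomes(rules) -> dict:
    return {
        "initial_offer": permitted(initial_lease_exchange(), rules),
        "renewal_ack": permitted(renewal_exchange(), rules),
    }


if __name__ == "__main__":
    for name, rules in (("narrow", NARROW_RULES), ("fixed", FIXED_RULES)):
        print(name, outcomes(rules))
```

With the narrow rule set the relayed OFFER is dropped while the direct renewal ACK passes, which is the pattern of a rule that works "until it doesn't". One further caveat from the protocol: a client whose renewal to the server goes unanswered falls back to the rebinding state and broadcasts again, so a host that already holds a lease can also end up on the relayed path and be caught by the same rule.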

Hi Rolf.  Not really... but mentioning the lease may be relevant as to why this issue doesn't manifest itself everywhere all the time.  But what seems to be happening is if the interface is dropped and brought back up, and so is unconfigured, at least some of the time it sees the DHCP traffic sourced from the gateway, NOT the DHCP server.  But I just checked and it looks like the lease length is an hour (unless OSX records the lease length time in minutes instead of seconds), so that doesn't wash either.

Fortunately, this is kind of academic, as since I know what the issue is I can just add a firewall rule.  But it does bug me, and I like to find answers to puzzlers :-)

Unfortunately, no... the network here is a "black box" to me.  Other than having admin rights on my hosts, I'm just another lowly peon user :-)
