I’ve been seeing sequences like this in my logs under 5.17:
23:02:24 interface,info ether1-gateway link down
23:02:27 interface,info ether1-gateway link up (speed 1000M, full duplex)
23:02:28 interface,info ether1-gateway link down
23:02:42 interface,info ether1-gateway link up (speed 1000M, full duplex)
23:02:46 interface,info ether1-gateway link down
23:02:49 interface,info ether1-gateway link up (speed 1000M, full duplex)
23:02:49 dhcp,critical,error dhcp-client on ether1-gateway lost IP address X.X.X.X - received NAK from dhcp server 192.168.100.1
23:02:49 system,info dns changed
23:02:52 dhcp,info dhcp-client on ether1-gateway got IP address 192.168.100.10
23:03:32 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 192.168.100.10 - lease expired
23:03:32 system,info dns changed
Which led to a bogus external IP on the router and bad DNS, among other things. The address 192.168.100.1 is the internal address of my cable modem. AFAIK the modem should not be providing DHCP responses on its own. Is there an easy way to reject DHCP response packets from that address? Would something like this work? (This is just a logging rule to test the packet matching for experimental purposes. A real rule would use the drop action instead.)
Both the cable modem and the ISP's DHCP server are on the far side of the ether1-gateway port. The cable modem is apparently trying to be helpful and provide DHCP services when it loses the upstream link momentarily. I think the bad assumption is that there are one or more PCs more or less directly connected to it, maybe through a switch, which need it to give them IP addresses so they can talk at all. That and the fact that it doesn't wait longer before it starts trying to be in charge.
Well, a trivial block on responses from 192.168.100.1 didn't seem to do the trick. The router still got the bogus 192.168.100.10 assignment on the most recent upstream connection failure.
jul/10 23:36:12 interface,info ether1-gateway link down
jul/10 23:36:15 interface,info ether1-gateway link up (speed 1000M, full duplex)
jul/10 23:36:17 interface,info ether1-gateway link down
jul/10 23:36:31 interface,info ether1-gateway link up (speed 1000M, full duplex)
jul/10 23:36:34 interface,info ether1-gateway link down
jul/10 23:36:37 interface,info ether1-gateway link up (speed 1000M, full duplex)
jul/10 23:36:38 dhcp,critical,error dhcp-client on ether1-gateway lost IP address xxx.xxx.xxx.xxx - received NAK from dhcp server 192.168.100.1
jul/10 23:36:38 system,info dns changed
jul/10 23:36:40 dhcp,info dhcp-client on ether1-gateway got IP address 192.168.100.10
jul/10 23:37:41 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 192.168.100.10 - lease expired
jul/10 23:37:41 system,info dns changed
The block rule looks like this:
/ip firewall filter
add action=drop chain=input comment="Block rogue DHCP responses from the cable modem." disabled=no dst-port=68 in-interface=ether1-gateway protocol=udp src-address=192.168.100.1
The earlier log rule actually caught several prior events but it looks like it's missing something. Do I need to block other protocols too?
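As an added example that is not part of the thread, a small Python checker for the pattern the logs above show from the monitoring side: it flags any RFC1918 lease the dhcp-client accepts on the WAN port, and records which server sent the preceding NAK and how many link flaps led up to it. The interface name and the sample lines are assumptions modelled on the posts above, with the lost public address replaced by a placeholder as in the original.

```python
import ipaddress
import re

# Sample RouterOS log lines modelled on the excerpt in the thread (constructed for this example).
SAMPLE_LOG = """\
jul/10 23:36:12 interface,info ether1-gateway link down
jul/10 23:36:15 interface,info ether1-gateway link up (speed 1000M, full duplex)
jul/10 23:36:34 interface,info ether1-gateway link down
jul/10 23:36:37 interface,info ether1-gateway link up (speed 1000M, full duplex)
jul/10 23:36:38 dhcp,critical,error dhcp-client on ether1-gateway lost IP address xxx.xxx.xxx.xxx - received NAK from dhcp server 192.168.100.1
jul/10 23:36:38 system,info dns changed
jul/10 23:36:40 dhcp,info dhcp-client on ether1-gateway got IP address 192.168.100.10
jul/10 23:37:41 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 192.168.100.10 - lease expired
"""

# RouterOS log line: optional "mon/dd" date, time, comma-separated topics, then the message.
LINE_RE = re.compile(r"^(?P<ts>(?:\S+ )?\d{2}:\d{2}:\d{2}) (?P<topics>[\w,-]+) (?P<msg>.*)$")
NAK_RE = re.compile(r"dhcp-client on (?P<iface>\S+) lost IP address \S+ - received NAK from dhcp server (?P<server>\S+)")
GOT_RE = re.compile(r"dhcp-client on (?P<iface>\S+) got IP address (?P<ip>\S+)")
LINK_DOWN_RE = re.compile(r"^(?P<iface>\S+) link down$")

# Explicit RFC1918 check: a lease from these ranges on the WAN side is the symptom in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_rogue_wan_leases(log_text, wan_iface="ether1-gateway"):
    """One finding per RFC1918 lease accepted on the WAN port, with the server that sent the
    preceding NAK and the number of link-down events seen since the previous lease."""
    findings, last_nak_server, flaps = [], None, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a RouterOS log line we understand
        msg = m.group("msg")
        if (d := LINK_DOWN_RE.match(msg)) and d.group("iface") == wan_iface:
            flaps += 1
        elif (n := NAK_RE.match(msg)) and n.group("iface") == wan_iface:
            last_nak_server = n.group("server")
        elif (g := GOT_RE.match(msg)) and g.group("iface") == wan_iface:
            if is_rfc1918(g.group("ip")):
                findings.append({"time": m.group("ts"), "lease": g.group("ip"),
                                 "nak_from": last_nak_server, "link_flaps": flaps})
            last_nak_server, flaps = None, 0  # a new lease starts a fresh window
    return findings
```

Running `find_rogue_wan_leases(SAMPLE_LOG)` on the sample yields one finding: the 192.168.100.10 lease at 23:36:40, after a NAK from 192.168.100.1 and two link flaps.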
What you are describing is normal, and is not a problem!
Whether you get a public ip, or a private ip, those BOTH come from the MODEM, not the “ISP DHCP SERVER.” The ISP tells the modem which public IP address to give you from the modem’s dhcp server.
You only get a public ip IF the modem has ISP connection. Otherwise, it gives you a private IP…
But, that is not a problem, because when it gives you a private IP, it only sets a lease of 30 seconds or less… so when the modem gets connection to the ISP again, then it will be 30 seconds or less until you receive the public IP address again.
You should NOT attempt to block dhcp from the modem… because if you do, then you will not receive any dhcp at all. ALL dhcp, public and private, comes directly from the modem.
ALSO… and I missed this earlier… you can NOT block dhcp in the way that you are trying because you get the DHCP address BEFORE you know what address it is coming from. That is how DHCP works. On a lower level than IP. You can block DHCP passing through the router, but you can’t block it from exiting the router if the router is the dhcp server, and you can’t selectively block it from coming in the router if the router is the dhcp client.