Multiple dhcrelay setup causing multiple duplicate DHCP requests

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Aug 17 07:00:25 UTC 2010


Michael Hodgkinson wrote:

>The clients are broadcasting requests/discovers and the dhcrelays are
>unicasting to both dhcpd servers.
>
>I ran tcpdump on the firewalls and confirmed the dhcrelays are the cause of
>the duplicate packets. The capture was many MB and probably a security
>concern, otherwise I would attach it.
>
>It appears that the client sends a request, which is received by fw1's
>dhcrelay, the request is sent to both dhcp1 and dhcpd2 which is intercepted
>by fw2's dhcrelay which also sends the request to both dhcp1 and dhcpd2
>causing a loop between the two dhcrelays.

I see it now. Ordinarily fw2 wouldn't see unicast traffic relayed by 
fw1, but because the servers are actually in the packet path, they do.

Two methods come to mind:

1) Move the relay agents. They do NOT have to be in the gateways, 
they can be on any device that is physically connected to the same 
network as the clients. It's just customary to put them in the 
routers since the routers are by definition connected, and are always 
on - i.e. it's a convenient place to put them.

2) Move the servers. This may be harder, but can you move the server 
so that the relayed traffic doesn't go through the other relay agent?

3) If you have the facilities, put some filters on fw1 and fw2 to 
block the traffic from the other device. I.e., on fw1 only allow DHCP 
traffic from server dhcpd2 on that eth5 into the firewall.
Actually, I'm not sure this last one will work.


The other one that comes to mind is to figure out how to make the 
relay agent more intelligent and add the missing features. I know one 
that's cropped up from time to time is that the outgoing interface to 
the server (eth5 in this case) must be a broadcast capable network - 
i.e. it can't be something like a ppp link. I believe the same fix for 
your problem would fix that.

I think the answer is probably that the relay agent needs to be able 
to listen only on those interfaces to which clients will be connected, 
and only use the normal OS network stack for unicast packets back 
to/from the server(s). And of course, only deal with packets on the 
'backhaul' that are to/from the server(s).

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
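
The relay loop this thread describes, and the "listen on client-facing interfaces only, treat the backhaul as server traffic only" relay behaviour the reply proposes, modeled side by side. This is an added example for illustration, not code from the original post and not ISC dhcrelay's implementation; the topology (two firewalls fw1/fw2 with eth0 on the client LAN and eth5 toward the servers, each firewall's server-bound unicast visible on the other firewall's eth5), the server names dhcpd1/dhcpd2 and the hop limit of 10 are all assumptions constructed for the model.

```python
from collections import Counter, deque
from dataclasses import dataclass

# Constructed model of the thread's topology (assumed names, not values from the
# post): both firewalls have eth0 on the client LAN and eth5 toward the servers,
# and each firewall's server-bound unicast crosses the other firewall's eth5
# segment, so the other relay agent sees it.
SERVERS = ("dhcpd1", "dhcpd2")
RELAYS = ("fw1", "fw2")
MAX_HOPS = 10  # assumed relay hop limit; a packet at or above it is not relayed


@dataclass(frozen=True)
class Packet:
    xid: int       # client transaction id, identical on every forwarded copy
    src: str       # host that transmitted this copy
    dst: str       # "broadcast" or a server name
    giaddr: str    # relay address stamped by the first relay, "" before that
    hops: int      # relay hop counter


def visible_to(pkt):
    """Return the (host, interface) pairs that observe a transmission of pkt."""
    if pkt.dst == "broadcast":
        return [(r, "eth0") for r in RELAYS]
    other = [r for r in RELAYS if r != pkt.src]
    return [(pkt.dst, "server")] + [(r, "eth5") for r in other]


def relay(host, iface, pkt, strict):
    """Copies a relay on `host` emits after seeing pkt on iface.

    strict=False: the behaviour the thread describes, relaying any request
    seen on any interface.  strict=True: only accept client requests on the
    client-facing interface; requests seen on the backhaul are dropped.
    """
    if strict and iface != "eth0":
        return []                   # backhaul carries server traffic only
    if pkt.hops >= MAX_HOPS:
        return []                   # the hop limit is all that bounds the loop
    giaddr = pkt.giaddr or host     # first relay stamps its address, later ones keep it
    return [Packet(pkt.xid, host, s, giaddr, pkt.hops + 1) for s in SERVERS]


def simulate(strict, xid=0x1234):
    """Count request copies each server receives for one client broadcast."""
    delivered = Counter()
    queue = deque([Packet(xid, "client", "broadcast", "", 0)])
    while queue:
        pkt = queue.popleft()
        for host, iface in visible_to(pkt):
            if host in SERVERS:
                delivered[host] += 1
            else:
                queue.extend(relay(host, iface, pkt, strict))
    return dict(delivered)


if __name__ == "__main__":
    print("looping relays:", simulate(strict=False))
    print("strict relays :", simulate(strict=True))
```

With two relays on the same client LAN, each server legitimately receives two copies of every request (one per relay); dhcpd copes with that. In the looping model the same transaction id reaches each server a couple of thousand times, because each copy a firewall forwards is re-relayed by the other until the hop counter runs out; that doubling per hop is what makes a "many MB" capture out of a handful of clients. In a capture, the tell-tale is the same xid arriving with the same giaddr but a steadily climbing hops field.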