DHCP client cannot ping gateway or internet

[jplev22]

Hi, I am setting-up a simple dhcp server for my home lan.

From a network client I can ping the server and other devices on the same subnet.

The server cannot ping a windows client. Server can ping a Linux client. Server accesses the internet from the other ethernet port with no issue.
Clients cannot ping gateway or internet.

Networking & isc-dhcp-server services come up with no errors.

/etc/network/interfaces

Code: Select all

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto eno1
iface eno1 inet static
	address 192.168.190.20
	netmask 255.255.255.0
	broadcast 192.168.190.255
	gateway 192.168.190.1
	dns-nameservers 103.86.96.100

auto enp8s0
iface enp8s0 inet static
        address 192.168.192.1
	netmask 255.255.255.0
	broadcast 192.168.192.255

/etc/dhcp/dhcpd.conf

Code: Select all

option domain-name "JP.home";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 192.168.192.0 netmask 255.255.255.0 {
  range 192.168.192.1 192.168.192.99;
  option domain-name-servers 103.86.96.100, 103.86.99.100;
  option routers 192.168.190.1;
  option broadcast-address 192.168.192.255;
  default-lease-time 600;
  max-lease-time 7200;
}
host homelan {
  hardware ethernet 40:2c:f4:e9:b9:df;
  fixed-address 192.168.192.1;
}

Output from /var/log/syslog

Code: Select all

Apr 13 21:11:07 JPStudy systemd[1]: Started LSB: DHCP server.
Apr 13 21:11:52 JPStudy dhcpd[6550]: DHCPDISCOVER from 14:da:e9:a0:de:9e via enp8s0
Apr 13 21:11:52 JPStudy dhcpd[6550]: ICMP Echo reply while lease 192.168.192.1 valid.
Apr 13 21:11:52 JPStudy dhcpd[6550]: Abandoning IP address 192.168.192.1: pinged before offer
Apr 13 21:11:56 JPStudy dhcpd[6550]: DHCPDISCOVER from 14:da:e9:a0:de:9e via enp8s0
Apr 13 21:11:57 JPStudy dhcpd[6550]: DHCPOFFER on 192.168.192.2 to 14:da:e9:a0:de:9e (Danika-PC) via enp8s0
Apr 13 21:11:57 JPStudy dhcpd[6550]: DHCPREQUEST for 192.168.192.2 (192.168.192.1) from 14:da:e9:a0:de:9e (Danika-PC) via enp8s0
Apr 13 21:11:58 JPStudy dhcpd[6550]: DHCPACK on 192.168.192.2 to 14:da:e9:a0:de:9e (Danika-PC) via enp8s0
Apr 13 21:12:04 JPStudy dhcpd[6550]: DHCPINFORM from 192.168.192.2 via enp8s0
Apr 13 21:12:04 JPStudy dhcpd[6550]: DHCPACK to 192.168.192.2 (14:da:e9:a0:de:9e) via enp8s0
Apr 13 21:13:06 JPStudy dhcpd[6550]: DHCPINFORM from 192.168.192.2 via enp8s0
Apr 13 21:13:06 JPStudy dhcpd[6550]: DHCPACK to 192.168.192.2 (14:da:e9:a0:de:9e) via enp8s0

Output from tcpdump -i enp8s0 for windows client

Code: Select all

21:13:43.866188 IP 192.168.192.2.netbios-ns > 192.168.192.255.netbios-ns: UDP, length 50
21:13:43.882086 ARP, Request who-has _gateway tell 192.168.192.2, length 46
21:13:44.765574 ARP, Request who-has _gateway tell 192.168.192.2, length 46
21:13:45.382031 ARP, Request who-has _gateway tell 192.168.192.2, length 46
21:13:46.382022 ARP, Request who-has _gateway tell 192.168.192.2, length 46
21:13:47.894873 IP 192.168.192.2.netbios-ns > 192.168.192.255.netbios-ns: UDP, length 50
21:13:48.644112 IP 192.168.192.2.netbios-ns > 192.168.192.255.netbios-ns: UDP, length 50
21:13:49.394261 IP 192.168.192.2.netbios-ns > 192.168.192.255.netbios-ns: UDP, length 50
21:13:49.451135  tell 192.168.192.2, length 46
21:13:50.160810 ARP, Request who-has _gateway tell 192.168.192.2, length 46
21:13:50.880944 ARP, Request who-has _gateway tell 192.168.192.2, length 46

Output from tcpdump -vv -i enp8s0 for Linux client

Code: Select all

tcpdump: listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:45:21.708797 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has _gateway tell 192.168.192.3, length 46
06:45:22.757205 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has _gateway tell 192.168.192.3, length 46

I am not sure how to interpret the tcp dump. The client cannot route to gateway?

Ip forwarding seems to be enabled

Code: Select all

# cat /proc/sys/net/ipv4/ip_forward
1

Code: Select all

# ip route
default via 192.168.190.1 dev eno1 onlink 
192.168.190.0/24 dev eno1 proto kernel scope link src 192.168.190.20 
192.168.192.0/24 dev enp8s0 proto kernel scope link src 192.168.192.1 

Any input would be appreciated.

[p.H]

The "routers" option value is wrong. A router's address must be directly reachable on the link.
The "range" option is wrong, it should not include any statically assigned address.

[kopper]

/etc/dhcp/dhcpd.conf

Code: Select all

...
subnet 192.168.192.0 netmask 255.255.255.0 {
  range 192.168.192.1 192.168.192.99;
  option domain-name-servers 103.86.96.100, 103.86.99.100;
  option routers 192.168.190.1;
...

Looks like you offer wrong router information to your DHCP clients.

[jplev22]

Thanks for the input. Seems to go further but cannot ping internet or another subnet.

New dhcpd.conf

Code: Select all

  
option domain-name "home";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.192.0 netmask 255.255.255.0 {
range 192.168.192.20 192.168.192.99;
  option routers 192.168.192.1;
  option broadcast-address 192.168.192.255;
  default-lease-time 600;
  max-lease-time 7200;
}
host homelan {
  hardware ethernet 40:2c:f4:e9:b9:df;
  fixed-address 192.168.192.1;
}

When trying to ping 192.168.190.1 (No response)

Code: Select all

$ sudo tcpdump -v -i enp8s0
tcpdump: listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:44:39.891168 IP (tos 0x0, ttl 64, id 56857, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.192.20 > _gateway: ICMP echo request, id 5307, seq 56, length 64
12:44:39.911116 IP (tos 0x0, ttl 4, id 38783, offset 0, flags [DF], proto UDP (17), length 316)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 288
12:44:39.911128 IP (tos 0x0, ttl 4, id 38784, offset 0, flags [DF], proto UDP (17), length 307)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 279
12:44:39.911232 IP (tos 0x0, ttl 4, id 38785, offset 0, flags [DF], proto UDP (17), length 359)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 331
12:44:39.911242 IP (tos 0x0, ttl 4, id 38786, offset 0, flags [DF], proto UDP (17), length 371)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 343
12:44:39.911333 IP (tos 0x0, ttl 4, id 38787, offset 0, flags [DF], proto UDP (17), length 373)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 345
12:44:39.911344 IP (tos 0x0, ttl 4, id 38788, offset 0, flags [DF], proto UDP (17), length 387)
    192.168.192.20.35995 > 239.255.255.250.1900: UDP, length 359
12:44:40.915188 IP (tos 0x0, ttl 64, id 57015, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.192.20 > _gateway: ICMP echo request, id 5307, seq 57, length 64
12:44:41.939210 IP (tos 0x0, ttl 64, id 57060, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.192.20 > _gateway: ICMP echo request, id 5307, seq 58, length 64
12:44:42.967135 IP (tos 0x0, ttl 64, id 57253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.192.20 > _gateway: ICMP echo request, id 5307, seq 59, length 64
12:44:43.169274 IP (tos 0x0, ttl 64, id 12639, offset 0, flags [DF], proto UDP (17), length 67)
    192.168.192.20.34991 > dns.google.domain: 59733+ A? 2.debian.pool.ntp.org. (39)

[jplev22]

It seems I cannot ping my other ethernet device on the server.
enp8s0 is ip 192.168.192.1
eno1 is ip 192.168.190.20

Is this a routing issue? Would it not follow the default route?

Code: Select all

$ ip route
default via 192.168.190.1 dev eno1 onlink 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
192.168.190.0/24 dev eno1 proto kernel scope link src 192.168.190.20 
192.168.192.0/24 dev enp8s0 proto kernel scope link src 192.168.192.1 

Code: Select all

$ sudo ping -I enp8s0 192.168.190.20
PING 192.168.190.20 (192.168.190.20) from 192.168.192.1 enp8s0: 56(84) bytes of data.
^C
--- 192.168.190.20 ping statistics ---
58 packets transmitted, 0 received, 100% packet loss, time 402ms

Code: Select all

$ sudo tcpdump -i enp8s0 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp8s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:18:33.927012 ARP, Request who-has JPStudy tell JPStudy, length 28
13:18:34.950878 ARP, Request who-has JPStudy tell JPStudy, length 28
13:18:35.974876 ARP, Request who-has JPStudy tell JPStudy, length 28
13:18:36.157960 IP6 JPStudy.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
13:18:36.998939 ARP, Request who-has JPStudy tell JPStudy, length 28

Please advise...

[jplev22]

So I established an Bridge device between my two ethernet devices, thinking it would permit them communicating.

Code: Select all

iface br0 inet dhcp
    bridge_ports enp8s0 eno1

''ifup br0'' brings up the device and assigns it an ip on the eno1 subnet.

cannot ping bridge with enp8s0

So, I set iptable

Code: Select all

iptables -A FORWARD --in-interface enp8s0 --out-interface br0 --source 192.168.192.0/255.255.255.0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

Still cannot ping beyond enp8s0....

Could someone give me clue?

[kopper]

Code: Select all

$ ip route
default via 192.168.190.1 dev eno1 onlink 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
192.168.190.0/24 dev eno1 proto kernel scope link src 192.168.190.20 
192.168.192.0/24 dev enp8s0 proto kernel scope link src 192.168.192.1 

Code: Select all

$ sudo ping -I enp8s0 192.168.190.20
PING 192.168.190.20 (192.168.190.20) from 192.168.192.1 enp8s0: 56(84) bytes of data.
^C
--- 192.168.190.20 ping statistics ---
58 packets transmitted, 0 received, 100% packet loss, time 402ms

Your ip route lists that 192.168.190.0 is found in eno1, yet in your ping command you tell to look for the host in enp8s0. As you have specified route for 192.168.190.0/24 explicitly to use eno1, I'd figure the default gateway will not be used.

EDIT:

Code: Select all

$ ip route
default via 192.168.190.1 dev eno1 onlink 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
192.168.190.0/24 dev eno1 proto kernel scope link src 192.168.190.20 
192.168.192.0/24 dev enp8s0 proto kernel scope link src 192.168.192.1 

Code: Select all

$ sudo ping -I enp8s0 192.168.190.20
PING 192.168.190.20 (192.168.190.20) from 192.168.192.1 enp8s0: 56(84) bytes of data.
^C
--- 192.168.190.20 ping statistics ---
58 packets transmitted, 0 received, 100% packet loss, time 402ms

Your ip route lists that 192.168.190.0 is found in eno1, yet in your ping command you tell to look for the host in enp8s0. As you have specified route for 192.168.190.0/24 explicitly to use eno1, I'd figure the default gateway will not be used.


EDIT:

So I established an Bridge device between my two ethernet devices, thinking it would permit them communicating.

Code: Select all

iface br0 inet dhcp
    bridge_ports enp8s0 eno1

''ifup br0'' brings up the device and assigns it an ip on the eno1 subnet.

cannot ping bridge with enp8s0

So, I set iptable

Code: Select all

iptables -A FORWARD --in-interface enp8s0 --out-interface br0 --source 192.168.192.0/255.255.255.0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

Still cannot ping beyond enp8s0....

Could someone give me clue?

I don't think you need any bridge device to let your interfaces to communicate with each other. All you need is to:
1) Have forwarding enabled in sysctl.conf (net.ipv4.ip_forward = 0)
2) Have proper firewall rules in FORWARD chain (or just -P ACCEPT without rules to test).

For MASQUERADE you should also define the output interface you want to perform the operation for, i.e. -o enp8s0 if that is your internet facing interface.

[jplev22]

Thank for the explanation.

Traffic is finally routed through my server:

NAT had to be setup in nftables

Code: Select all

nft add table nat
nft add chain nat post { type nat hook postrouting priority 0 \; }
nft add chain nat pre { type nat hook prerouting priority 0 \; }   
nft add rule nat post ip saddr 192.168.192.0/24 oif eno1 snat 192.168.190.20 [\code]

Now my lan clients have access to the internet. Thanks for your input.

Reference: http://computer-outlines.over-blog.com/article-nftables-6-a-nftables-linux-internet-gateway-123294152.html