DHCP ... In Use
Tim Lee
2005-10-11 17:17:01 UTC
Precisely what does it mean when the DHCP report from FireBrick (Plus)
indicates that lots of IPs are "in use"?

In this particular case, the entire DHCP pool has been marked as "in
use", and all the "in use" IPs have the same MAC ... example below

LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
LAN 10.1.0.29 00039700010B 2005-10-18 18:11:59 In use
LAN 10.1.0.30 00039700010B 2005-10-18 18:12:13 In use
LAN 10.1.0.31 00039700010B 2005-10-18 18:12:26 In use
LAN 10.1.0.32 00039700010B 2005-10-18 18:12:41 In use
LAN 10.1.0.33 00039700010B 2005-10-18 18:12:55 In use
LAN 10.1.0.39 00039700010B 2005-10-18 18:10:21 In use

None of these IPs ping.
There is no wireless on the LAN.

I am confused.
Worse still, many machines can't get a DHCP lease because the entire pool
has been consumed. Temporarily I can resolve this by deleting all the "in
use" IPs, but I would like to understand what is going on.

Any ideas, anyone?
thanks
/Tim
Tim Lee
2005-10-11 18:38:38 UTC
Post by Tim Lee
Precisely what does it mean when the DHCP report from FireBrick (Plus)
indicates that lots of IPs are "in use"?
In this particular case, the entire DHCP pool has been marked as "in
use", and all the "in use" IPs have the same MAC ... example below
LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
LAN 10.1.0.29 00039700010B 2005-10-18 18:11:59 In use
LAN 10.1.0.30 00039700010B 2005-10-18 18:12:13 In use
LAN 10.1.0.31 00039700010B 2005-10-18 18:12:26 In use
LAN 10.1.0.32 00039700010B 2005-10-18 18:12:41 In use
LAN 10.1.0.33 00039700010B 2005-10-18 18:12:55 In use
LAN 10.1.0.39 00039700010B 2005-10-18 18:10:21 In use
None of these IPs ping.
There is no wireless on the LAN.
I am confused.
Worse still, many machines can't get a DHCP lease because the entire pool
has been consumed. Temporarily I can resolve this by deleting all the "in
use" IPs, but I would like to understand what is going on.
Any ideas, anyone?
thanks
/Tim
The DHCP problem seems to have gone away by switching off ProxyArp from
a WAN subnet.
IIRC I had ProxyArp on in order to allow me to portmap a few public
services onto NATed LAN hosts. Is there a way of getting services to work
without using ProxyArp?
Ben Mack
2005-10-13 09:14:17 UTC
In article <434c06af$0$38046$***@news.aaisp.net.uk>, Tim Lee
<***@datapath.RemoveThis.co.AndThis.uk> writes
[snip]
Post by Tim Lee
The DHCP problem seems to have gone away by switching off ProxyArp from
a WAN subnet.
Mmm, not sure why that is.
Post by Tim Lee
IIRC I had ProxyArp on in order to allow me to portmap a few public
services onto NATed LAN hosts. Is there a way of getting services to work
without using ProxyArp?
In order to map an incoming packet, the FireBrick has to ARP for that
address first. Without stealth, there are only two ways for it to ARP:
a) if it has that address (you can define a subnet per address)
b) it has proxy-ARP enabled for that address

HTH
--
Ben Mack
Watchfront Electronics - Bespoke R&D - http://www.watchfront.co.uk/
Watchfront Internet - ADSL, Colo - http://www.watchfront.net/
Are you bricking it? - Firewalls - http://www.firebrick.co.uk/
Rev Adrian Kennard
2005-10-13 17:21:43 UTC
Post by Ben Mack
[snip]
Post by Tim Lee
The DHCP problem seems to have gone away by switching off ProxyArp from
a WAN subnet.
Mmm, not sure why that is.
"ProxyArp" is not a FireBrick subnet setting - is that a setting on
something else on the network that was doing proxy ARP? If that is the
case then it will answer for IP addresses. The FireBrick will check
addresses it is trying to allocate to confirm they are not in use. If
something else answers the ARP, then it marks it in the DHCP table as
"In use" and so does not use it. You can disable this check in the
subnet settings by ticking "Don't check".
Post by Ben Mack
Post by Tim Lee
IIRC I had ProxyArp on in order to allow me to portmap a few public
services onto NATed LAN hosts. Is there a way of getting services to work
without using ProxyArp?
In order to map an incoming packet, the FireBrick has to ARP for that
address first. Without stealth, there are only two ways for it to ARP:
a) if it has that address (you can define a subnet per address)
b) it has proxy-ARP enabled for that address
To clarify - that's not some special FireBrick thing - unless something
answers the ARP, the packet is not sent by whatever was trying to send
it (e.g. a router).
--
_ Rev. Adrian Kennard, Andrews & Arnold Ltd / AAISP
(_) _| _ . _ _ Broadband, fixed IPs, no min term http://adsl.ms/
( )(_|( |(_|| ) Asterisk VoIP based PABXs, SNOM190 http://aa.gg/
~~~~~~~~~~~~~~~~ Bond two ADSL lines? http://www.FireBrick.info/
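The check Adrian describes, modelled in code as an added example (this is not FireBrick code and not part of the thread): before handing out an address the server ARPs for it, and anything that answers gets recorded against the address as "In use". The model also shows the two ways that check can go wrong: a proxy-ARP reply from the router itself leaking back onto the LAN through a WAN/LAN loop, which eats the whole pool under the router's MAC, and the "Don't check" option, which hands out an address a static host already holds. The pool range 10.1.0.26-33, the static host at 10.1.0.26 and the client MACs are constructed; 00039700010B is the MAC from Tim's table and is assumed here to be the router's own; the idea that proxy ARP answers on the WAN for anything routed towards the LAN is a modelling assumption about classic proxy ARP, not documented FireBrick behaviour.

```python
"""Model of a DHCP server's pre-allocation ARP check and of the proxy-ARP loop
that can exhaust its pool. Constructed example, not FireBrick code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed values. The MAC is the one in Tim's table, assumed to be the router's own;
# the public range is the proxy-ARP'd WAN->LAN route he quoted; the pool is 10.1.0.26-33.
ROUTER_MAC = "00039700010B"
PROXY_LO, PROXY_HI = IPv4Address("217.169.28.36"), IPv4Address("217.169.28.40")
LAN_NET = IPv4Network("10.1.0.0/24")
POOL_FIRST, POOL_LAST = IPv4Address("10.1.0.26"), IPv4Address("10.1.0.33")


@dataclass
class Segment:
    """One broadcast domain; `hosts` maps statically configured IPs to MACs."""
    name: str
    hosts: Dict[IPv4Address, str] = field(default_factory=dict)


@dataclass
class Router:
    """NAT router doing proxy ARP on its WAN port. Modelling assumption: classic proxy
    ARP answers for the mapped public range and for anything it routes towards the LAN."""
    mac: str = ROUTER_MAC
    proxy_arp: bool = True

    def answers_arp(self, port: str, target: IPv4Address) -> bool:
        if port != "WAN" or not self.proxy_arp:
            return False
        return PROXY_LO <= target <= PROXY_HI or target in LAN_NET


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    state: str  # "Allocated" to a client, or "In use" because something answered ARP


class DhcpServer:
    def __init__(self, lan: Segment, router: Router, wan_lan_bridged: bool, check: bool = True):
        self.lan, self.router = lan, router
        self.bridged = wan_lan_bridged  # WAN and LAN accidentally joined into one segment
        self.check = check              # False models ticking "Don't check"
        self.table: Dict[IPv4Address, Lease] = {}

    def arp_probe(self, target: IPv4Address) -> Optional[str]:
        """MAC of whatever answers an ARP request for `target` sent on the LAN, or None."""
        if target in self.lan.hosts:
            return self.lan.hosts[target]
        # With a loop the LAN probe also reaches the WAN port, and the router's own
        # proxy ARP answers it: the server sees its own MAC claiming the address.
        if self.bridged and self.router.answers_arp("WAN", target):
            return self.router.mac
        return None

    def allocate(self, client_mac: str) -> Optional[Lease]:
        ip = POOL_FIRST
        while ip <= POOL_LAST:
            if ip not in self.table:
                owner = self.arp_probe(ip) if self.check else None
                if owner is None:
                    self.table[ip] = Lease(ip, client_mac, "Allocated")
                    return self.table[ip]
                self.table[ip] = Lease(ip, owner, "In use")  # skip it, record who answered
            ip += 1
        return None  # pool exhausted

    def conflicts(self) -> List[IPv4Address]:
        """Addresses leased to a client that a static host on the LAN also holds."""
        return [ip for ip, l in self.table.items()
                if l.state == "Allocated" and ip in self.lan.hosts]


def simulate(bridged: bool, check: bool = True, clients: int = 4) -> dict:
    """Constructed scenario: one static host squats 10.1.0.26, then `clients` machines
    ask for leases. Returns the counts worth comparing across the three cases."""
    lan = Segment("LAN", {IPv4Address("10.1.0.26"): "001122334455"})
    srv = DhcpServer(lan, Router(), bridged, check)
    leases = [srv.allocate(f"0000000000{n:02X}") for n in range(clients)]
    return {
        "allocated": sum(l is not None for l in leases),
        "in_use_by_router": sum(l.state == "In use" and l.mac == ROUTER_MAC
                                for l in srv.table.values()),
        "conflicts": len(srv.conflicts()),
    }


if __name__ == "__main__":
    print("loop, check on :", simulate(bridged=True))               # pool eaten by router's MAC
    print("no loop        :", simulate(bridged=False))              # normal leases
    print("loop, no check :", simulate(bridged=True, check=False))  # leases, but a conflict
```

With the loop present the first client's request walks the whole pool, one answered probe after another, and every address ends up "In use" under the router's own MAC, which is exactly the table Tim posted. Turning the check off makes leases flow again but silently hands 10.1.0.26 to a client while a static host still holds it.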
Tim Lee
2005-10-14 09:58:40 UTC
Post by Rev Adrian Kennard
Post by Ben Mack
[snip]
Post by Tim Lee
The DHCP problem seems to have gone away by switching off ProxyArp
from a WAN subnet.
Mmm, not sure why that is.
"ProxyArp" is not a FireBrick subnet setting - is that a setting on
something else on the network that was doing proxy ARP? If that is the
case then it will answer for IP addresses.
Sorry, I meant removing the ProxyArp setting from a NATed route WAN->LAN:
ProxyArps 36-40 24/7 WAN->LAN Any 217.169.28.36-40 Proxy ARP
Killing this ProxyArp stopped the DHCP pool exhaustion.
Post by Rev Adrian Kennard
The FireBrick will check
addresses it is trying to allocate to confirm they are not in use. If
something else answers the ARP, then it marks it in the DHCP table as
"In use" and so does not use it.
Would that explain why the same MAC is listed against every IP in the
DHCP pool, with them all marked as "In use" and no DHCP leases being
available for legitimate LAN clients?
LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
Post by Rev Adrian Kennard
You can disable this check in the
subnet settings by ticking "Don't check".
That road leads to client machines reporting IP conflicts!
Rev Adrian Kennard
2005-10-15 08:37:58 UTC
Post by Tim Lee
Post by Rev Adrian Kennard
Post by Ben Mack
[snip]
Post by Tim Lee
The DHCP problem seems to have gone away by switching off ProxyArp
from a WAN subnet.
Mmm, not sure why that is.
"ProxyArp" is not a FireBrick subnet setting - is that a setting on
something else on the network that was doing proxy ARP? If that is the
case then it will answer for IP addresses.
Sorry, I meant removing the ProxyArp setting from a NATed route WAN->LAN:
ProxyArps 36-40 24/7 WAN->LAN Any 217.169.28.36-40 Proxy ARP
Killing this ProxyArp stopped the DHCP pool exhaustion.
Post by Rev Adrian Kennard
The FireBrick will check addresses it is trying to allocate to confirm
they are not in use. If something else answers the ARP, then it marks
it in the DHCP table as "In use" and so does not use it.
Would that explain why the same MAC is listed against every IP in the
DHCP pool, with them all marked as "In use" and no DHCP leases being
available for legitimate LAN clients?
LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
Post by Rev Adrian Kennard
You can disable this check in the
subnet settings by ticking "Don't check".
That road leads to client machines reporting IP conflicts!
A FireBrick should not see its own Proxy ARP replies, unless there is
some sort of loop.

If you make the FireBrick Proxy ARP for an IP on the same network
segment as a machine that does have that IP it will see duplicate IPs,
as you would expect. But if the Proxy ARP is on a WAN->LAN route, then
it only proxy ARPs on the WAN, and presumably there are no machines on
the WAN with the IPs for which it is doing so - so no clash. Unless you
have WAN and LAN connected together (which would also explain the "In
use" entries, as the FireBrick would see its own Proxy ARPs).
--
Rev. Adrian Kennard, Andrews & Arnold Ltd / AAISP
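A triage script for the table Tim posted, as an added example (not FireBrick code and not from the thread): it groups the "In use" rows by MAC, measures the cadence between them, and decides between Adrian's loop explanation and the alternatives. It generalizes slightly beyond the thread by also reporting the case where the answering MAC is not one of the router's, which points at a LAN host proxy-ARPing or spoofing ARP for the pool rather than at a WAN/LAN loop. The assumption that 00039700010B is the FireBrick's own WAN-side MAC, the pool size of 15 and the 50% share threshold are mine, not facts from the thread.

```python
"""Triage of a FireBrick-style DHCP table: is one MAC sitting on the whole pool as
"In use", and is that MAC the router's own? Added example; not FireBrick code."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# The rows Tim posted (interface, IP, MAC, date, time, state).
DHCP_TABLE = """\
LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
LAN 10.1.0.29 00039700010B 2005-10-18 18:11:59 In use
LAN 10.1.0.30 00039700010B 2005-10-18 18:12:13 In use
LAN 10.1.0.31 00039700010B 2005-10-18 18:12:26 In use
LAN 10.1.0.32 00039700010B 2005-10-18 18:12:41 In use
LAN 10.1.0.33 00039700010B 2005-10-18 18:12:55 In use
LAN 10.1.0.39 00039700010B 2005-10-18 18:10:21 In use
"""

# Assumption: 00039700010B is the FireBrick's own (WAN-side) MAC. Against a real table,
# fill this with the MACs read off the router and any other WAN-side gear.
OWN_MACS: Set[str] = {"00039700010B"}
POOL_SIZE = 15  # constructed pool size for the share-of-pool test


class Row(NamedTuple):
    iface: str
    ip: str
    mac: str
    when: datetime
    state: str


def parse_table(text: str) -> List[Row]:
    """Parse the six-column report; the state ("In use", ...) may itself contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            continue  # blank or header line
        iface, ip, mac, date, time, state = parts
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        rows.append(Row(iface, ip, mac.upper(), when, state))
    return rows


def in_use_by_mac(rows: Iterable[Row]) -> Dict[str, List[Row]]:
    by: Dict[str, List[Row]] = defaultdict(list)
    for r in rows:
        if r.state == "In use":
            by[r.mac].append(r)
    return dict(by)


def probe_intervals(rows: Iterable[Row]) -> List[int]:
    """Seconds between consecutive "In use" timestamps. A steady cadence means the server
    was walking the pool, one answered probe after another, not many hosts appearing."""
    ts = sorted(r.when for r in rows)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def diagnose(rows: List[Row], pool_size: int, own_macs: Set[str],
             share: float = 0.5) -> Tuple[str, str]:
    """Return (code, explanation). `share` is the fraction of the pool one MAC must hold
    before it is treated as an ARP answerer rather than as a few static hosts."""
    by = in_use_by_mac(rows)
    if not by:
        return "CLEAN", "no addresses marked In use"
    mac, held = max(by.items(), key=lambda kv: len(kv[1]))
    if len(held) < share * pool_size:
        return ("SCATTERED",
                "In use entries cover few addresses; likely static hosts inside the pool")
    if mac in own_macs:
        return ("SELF_ANSWER",
                f"{mac} (a router MAC) answered probes for {len(held)} pool addresses: its "
                "proxy-ARP replies are reaching the LAN; look for a WAN/LAN bridge or loop")
    return ("FOREIGN_ANSWER",
            f"{mac} answered probes for {len(held)} pool addresses: a LAN host is "
            "proxy-ARPing or spoofing ARP for the pool; find the switch port it is on")


if __name__ == "__main__":
    rows = parse_table(DHCP_TABLE)
    for mac, held in in_use_by_mac(rows).items():
        print(mac, len(held), "addresses, probe intervals (s):", probe_intervals(held))
    print(*diagnose(rows, POOL_SIZE, OWN_MACS))
```

On Tim's rows the eight .26-.33 entries are 13 to 15 seconds apart in address order, which is what a server walking its pool and getting an answer to every probe looks like; the same MAC on every row, and that MAC being the router's own, is what separates Adrian's loop explanation from a rogue host on the LAN.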
Tim Lee
2005-10-15 09:10:01 UTC
Post by Rev Adrian Kennard
Post by Tim Lee
Post by Rev Adrian Kennard
Post by Ben Mack
[snip]
Post by Tim Lee
The DHCP problem seems to have gone away by switching off ProxyArp
from a WAN subnet.
Mmm, not sure why that is.
"ProxyArp" is not a FireBrick subnet setting - is that a setting on
something else on the network that was doing proxy ARP? If that is
the case then it will answer for IP addresses.
Sorry, I meant removing the ProxyArp setting from a NATed route WAN->LAN:
ProxyArps 36-40 24/7 WAN->LAN Any 217.169.28.36-40 Proxy ARP
Killing this ProxyArp stopped the DHCP pool exhaustion.
Post by Rev Adrian Kennard
The FireBrick will check addresses it is trying to allocate to
confirm they are not in use. If something else answers the ARP, then
it marks it in the DHCP table as "In use" and so does not use it.
Would that explain why the same MAC is listed against every IP in the
DHCP pool, with them all marked as "In use" and no DHCP leases being
available for legitimate LAN clients?
LAN 10.1.0.26 00039700010B 2005-10-18 18:11:15 In use
LAN 10.1.0.27 00039700010B 2005-10-18 18:11:30 In use
LAN 10.1.0.28 00039700010B 2005-10-18 18:11:45 In use
Post by Rev Adrian Kennard
You can disable this check in the
subnet settings by ticking "Don't check".
That road leads to client machines reporting IP conflicts!
A FireBrick should not see its own Proxy ARP replies, unless there is
some sort of loop.
If you make the FireBrick Proxy ARP for an IP on the same network
segment as a machine that does have that IP it will see duplicate IPs,
as you would expect. But if the Proxy ARP is on a WAN->LAN route, then
it only proxy ARPs on the WAN, and presumably there are no machines on
the WAN with the IPs for which it is doing so - so no clash. Unless you
have WAN and LAN connected together (which would also explain the "In
use" entries, as the FireBrick would see its own Proxy ARPs).
Thanks Adrian
That would make sense of what I am seeing.
I will track down the hosts for all the WAN-side MACs and establish that
none of them are somehow bridging back to the LAN.
/Tim
