New Member
Posts: 8
Registered: ‎06-21-2014
Kudos: 8
Solutions: 1
Accepted Solution

WAN port is answering DHCP requests and assigning leases

I'm new to EdgeOS. I just received my EdgeRouter PoE earlier this week. After configuring the router, I accidentally discovered that my WAN port is answering DHCP requests and assigning leases from my 192.168.1.x pool. I expected that the firewall or NAT would drop those inbound DHCP requests or that the DHCP server would only reply on the ports that are assigned the corresponding IP. How can I change this behavior?

Here are my firewall, interface, and service configurations:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "allow established connections"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid sessions"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "allow established connections"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid sessions"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description "WiFi AP"
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on eth1
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "WAN masquerade"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}

 


Established Member
Posts: 901
Registered: ‎10-12-2012
Kudos: 893
Solutions: 39
Contributions: 1

Re: WAN port is answering DHCP requests and assigning leases

What makes you think eth0 is doing this?

New Member

Re: WAN port is answering DHCP requests and assigning leases

Connecting a computer to eth0 and making a DHCP request results in an IP on the 192.168.1.x subnet with gateway 192.168.1.1.  That's the same behavior as connecting a computer to eth2-4 (switch0).  Connecting a computer to eth1 results in an IP on the 192.168.2.x subnet.  The behavior on eth1 and switch0 is exactly what I expected.  The DHCP response on eth0 shouldn't be happening, and I'm at a loss for why.

Established Member

Re: WAN port is answering DHCP requests and assigning leases

Was the computer making the request previously assigned a DHCP address from a different interface? Have you tried with a machine that has not previously requested a DHCP address from the router?

New Member

Re: WAN port is answering DHCP requests and assigning leases

Yes, I re-tested with a machine that hadn't been seen by the EdgeRouter.  It still receives an IP on 192.168.1.x from eth0.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 388
Solutions: 40

Re: WAN port is answering DHCP requests and assigning leases

I'm curious. If you look at the leases for that DHCP server in the GUI, does it show up as a host with the address?

Regular Member
Posts: 536
Registered: ‎11-12-2013
Kudos: 78
Solutions: 3

Re: WAN port is answering DHCP requests and assigning leases

The way I see it, plugging a DHCP client into a WAN port makes 0 sense in the first place...

You're simply not supposed to have your LAN devices connected through the WAN port. It doesn't make sense.

If it does work getting leases through your WAN, isn't that a good thing?



T1200 - ERX - UAP - R7000 - WEB6000Q
New Member

Re: WAN port is answering DHCP requests and assigning leases

Agreed that connecting a DHCP client to WAN makes no sense. It was purely by accident that I discovered this. I find it to be a very bad thing if DHCP leases are given out to clients on the other side of my WAN port. That could include everyone in my neighborhood that happens to be on the same switching fabric as me. It's not hard to imagine ways to abuse this bug (e.g. DHCP DoS).

However, I did find a work-around.  I deleted the DHCP pool "LAN1" from my config and re-created it.  The new LAN1 DHCP pool is identical to the previous.  Testing various clients inside the LAN and outside the LAN (connected through the WAN) verifies this works for me.

So... what happened?  Here's my theory.

I just received my EdgeRouter PoE earlier this week. The first thing I did was to upgrade it from EdgeOS 1.2 to 1.4.1. This added the setup wizard feature, which was the next thing I did (after taking care of the user accounts...). I ran the WAN+2LAN wizard and accepted the defaults. This set up eth0 as LAN2, eth1 as WAN, and switch0 as LAN2.

I then scanned the web UI for everything related to eth0 and eth1 and swapped them to make eth0 my WAN and eth1 my LAN1. I also swapped the DHCP pools to associate 192.168.1.0/24 with switch0 and 192.168.2.0/24 with eth1. I plan to set up my UniFi AP on eth1 and want to give it a separate DHCP pool from the wired connections.

I tested connections and DHCP pools on eth1 and switch0 and found everything working as expected. It wasn't until another segment of my network upstream of this router's WAN received a weird DHCP assignment that I realized it came from this router's eth0 and the LAN1 pool that was supposed to be associated with switch0 instead. Either I missed a detail in the web UI when moving the LAN1 pool from eth0 to switch0, or there's a bug that retains association with the previous interface when moving a DHCP pool between interfaces. I'll be happy to file a bug report with Ubiquiti if anyone knows the right place for it. I'm new here.

Thank you all for the suggestions.  That's what made me think about deleting and recreating the DHCP pool.

Cheers,

Established Member

Re: WAN port is answering DHCP requests and assigning leases


The config you posted would not cause what you are describing.

Any ISP worth their salt would simply not allow a rogue DHCP server to send out leases onto their network. If they do... there are likely bigger problems going on.

If it happened how you are describing, seems like it shouldn't be hard to recreate the problem.

Veteran Member
Posts: 7,911
Registered: ‎04-21-2011
Kudos: 2750
Solutions: 173

Re: WAN port is answering DHCP requests and assigning leases

How and what are you connected to from your Upstream provider?

New Member

Re: WAN port is answering DHCP requests and assigning leases

I would hope any decent ISP wouldn't permit that, but hope isn't a strategy.  I'd rather not leak internal network config data to the outside world.  I tested the new EdgeRouter's configuration behind my existing router, so the DHCP leak didn't go far.  I just had some very confused devices on the rest of my network.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5479
Solutions: 1656
Contributions: 2

Re: WAN port is answering DHCP requests and assigning leases


@DeviousToast wrote:

I then scanned the web UI for everything related to eth0 and eth1 and swapped them to make eth0 my WAN and eth1 my LAN1. I also swapped the DHCP pools to associate 192.168.1.0/24 with switch0 and 192.168.2.0/24 with eth1. I plan to set up my UniFi AP on eth1 and want to give it a separate DHCP pool from the wired connections.


Yeah, actually this sounds like a known issue that has been discussed before. Basically, if the DHCP server is already configured (so it has already started "listening" on a particular interface), and then the interface settings are changed, the DHCP server does not "switch" to the new interface automatically. This is a limitation of the underlying implementation (ISC DHCP), and for now, if interface settings are changed such that DHCP interfaces should be changed, the DHCP server needs to be restarted (e.g., reconfiguring it or just rebooting the router).
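
An added example, not part of the thread and not EdgeOS code: a Python check that parses a config in the brace format posted above, derives which interfaces have a DHCP pool covering their static address, and reports any interface observed handing out leases that has none. The function names and the observed-interface list are assumptions; collect the latter by testing each port, as was done in the thread.

```python
import ipaddress

# Constructed excerpt, same format as the config posted in the thread.
SAMPLE = """interfaces {
    ethernet eth0 {
        address dhcp
    }
    switch switch0 {
        address 192.168.1.1/24
    }
}
service {
    dhcp-server {
        shared-network-name LAN1 {
            subnet 192.168.1.0/24 {
            }
        }
    }
}
"""

def parse(text):
    """Nested dicts for `name {` blocks; leaf statements become lists of values."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value)
    return stack[0]

def expected_dhcp_interfaces(cfg):
    """Interfaces whose static address falls inside a configured DHCP subnet."""
    pools = cfg["service"]["dhcp-server"].values()
    subnets = [ipaddress.ip_network(k.split()[1]) for p in pools
               if isinstance(p, dict) for k in p if k.startswith("subnet ")]
    return {name.split()[-1] for name, body in cfg["interfaces"].items()
            for addr in body.get("address", [])
            if addr != "dhcp" and any(ipaddress.ip_interface(addr).ip in s for s in subnets)}

def unexpected_listeners(cfg, observed):
    """Interfaces seen answering DHCP that the config defines no pool for."""
    return sorted(set(observed) - expected_dhcp_interfaces(cfg))

if __name__ == "__main__":
    print(unexpected_listeners(parse(SAMPLE), ["eth0", "switch0"]))  # constructed observation
```

Running the same comparison after every interface or pool change catches the stale-listener case described in the reply above before a lease leaves through the WAN port.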