On 28.06.2011 13:48, Benoit Panizzon wrote:
Hi

We are running a DHCP Server on a FreeBSD 7.2-RELEASE-p4 box.

This works for most of our customers, except ones with some kind of SonicWall
firewalls. We have analyzed the problem with the SonicWall tech support:

We found the problem to be in the SonicWall setting a UDP checksum of 0x0000
for DHCP Requests.

According to the RFC this is a valid value and tells the receiving UDP stack
not to check the checksum:

http://www.faqs.org/rfcs/rfc768.html

If the value is different from 0x0000 the receiving UDP stack can perform a
checksum check and if this fails, silently drop that packet.

What we observe is:

DHCP Request with UDP checksum set => Packet reaches DHCP Daemon and is being answered.
DHCP Request with UDP checksum 0x0000 => ICMP Port Unreachable from FreeBSD.

Can someone confirm this non-RFC-conforming behaviour, and does anyone know how to fix it?

As I understand, setting net.inet.udp.checksum to zero would not fix the
problem, as this is only for packet generation.

DHCP (isc-dhcp) uses the bpf(4) device for reading and writing DHCP packets. Since the bpf(4) device provides raw access to Ethernet frames, UDP checksum calculation must take place in the DHCP server code. You could use ktrace(1) if you want to make sure that an ICMP packet is generated by the DHCP server. Also, you have said that the ICMP error message is port unreachable; that means that there is no UDP socket listening on port 67. Can you check if the DHCP server listens on UDP port 67 and that there are no firewall rules which forbid UDP packets to port 67?


--

Dmitry Banschikov
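
As an added illustration of the point in the reply above (not code from isc-dhcp or from either poster): a program that reads raw frames through bpf(4) has to validate the UDP checksum itself, and RFC 768 defines an all-zero checksum field as "no checksum computed". The function and enum names are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum udp_csum { UDP_CSUM_ABSENT, UDP_CSUM_OK, UDP_CSUM_BAD };

/* One's-complement sum of big-endian 16-bit words; an odd last byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Check a UDP datagram taken from a raw frame. src/dst are the IPv4 addresses
 * from the IP header; udp/len are the UDP header plus payload and its length. */
enum udp_csum udp_csum_check(const uint8_t src[4], const uint8_t dst[4],
                             const uint8_t *udp, size_t len)
{
    uint32_t acc;

    if (len < 8 || len > 0xffff)
        return UDP_CSUM_BAD;            /* not a valid UDP length */
    if (udp[6] == 0 && udp[7] == 0)
        return UDP_CSUM_ABSENT;         /* RFC 768: sender computed no checksum */

    acc = sum16(src, 4, 0);             /* pseudo-header: source address, */
    acc = sum16(dst, 4, acc);           /* destination address, */
    acc += 17 + (uint32_t)len;          /* protocol number and UDP length */
    acc = sum16(udp, len, acc);         /* UDP header (checksum included) + data */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

int main(void)
{
    /* Constructed sample: 0.0.0.0:68 -> 255.255.255.255:67, no payload. */
    const uint8_t src[4] = {0, 0, 0, 0}, dst[4] = {255, 255, 255, 255};
    uint8_t pkt[8] = {0x00, 0x44, 0x00, 0x43, 0x00, 0x08, 0xff, 0x57};
    printf("with checksum: %d\n", udp_csum_check(src, dst, pkt, sizeof pkt));
    pkt[6] = pkt[7] = 0;                /* the zero-checksum case from the thread */
    printf("zero checksum: %d\n", udp_csum_check(src, dst, pkt, sizeof pkt));
    return 0;
}
```

A receiver written this way accepts both `UDP_CSUM_OK` and `UDP_CSUM_ABSENT` and drops only `UDP_CSUM_BAD`.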
