Hi Antonio,

[root@node2:~]# bridge fdb | grep '00:ff:5e'
00:ff:5e:2d:ce:22 dev eth1 master br0
00:ff:5e:2d:ce:21 dev tap0 master br0

ce:21 -> Windows
ce:22 -> Linux

After some more debugging, it seems this will be a Check Point firewall issue :(

A bit more detailed: the DHCP server is behind a CP firewall and CP acts as a DHCP relay. When the DHCP server answers a DISCOVERY to a Windows client, the FW translates the source address of the response to its common public IP (weird why a general NAT rule is implied here). However, when the firewall passes the response to the Linux's DISCOVERY, the source is not NAT-ed, but simply changes to the FW node's IP in the subnet (e.g. 10.10.12.0/24 is net subnet for the L2 of the OpenVPN, the CP being the GW with .1, and the FW node02 - which is the active one currently - sets the source address of the DHCP response to 10.10.12.3).

I assume at this point that the Linux kernel drops the reply and refuses to send it over the bridge...

We'll debug the FW a bit further, but at this point I really don't think this is an issue with OpenVPN.

Cheers,

Tom

> -----Original Message-----
> From: Antonio Quartulli [mailto:a...@unstable.cc]
> Sent: Wednesday, August 11, 2021 7:49 AM
> To: Dajka Tamás <vi...@vipernet.hu>; openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] TAP interface strange behavior
>
> Hi,
>
> On 10/08/2021 23:21, Dajka Tamás wrote:
> > Hi All,
> >
> > I’m facing a weird problem. I’ve an OpenVPN server running in TAP (L2)
> > config with a separate DHCP server. This has been working OK for quite a
> > while, but we just used Windows-based clients. Now we wanted to
> > connect a Linux client (did tests with 2.4.x and 2.5.x clients), but
> > we’ve noticed that the client is not getting any IP from the DHCP server.
> >
> > tcpdump shows that the DHCP DISCOVER arrives OK at the DHCP server,
> > the reply is sent back, and here comes the interesting thing:
> >
> > - when the Windows client connects, I see the DHCP REPLY on the
> >   tap0 interface of the server (and the client connects OK)
> >
> > - when the Linux client wants to connect, I see the DHCP REPLY
> >   only on the interface facing the DHCP server, but not on the tap0 – it
> >   disappears (I’ve tried to set the client's MAC address nearly the same
> >   as the Windows machine, just for a test)
> >
> > Please give some advice: what can cause such strange behaviour?
>
> If I understand your problem description correctly, it sounds like your
> bridge is not forwarding packets to tap0 after having received them from
> the interface where the DHCP server is.
>
> Can you post the output of the following command after both the Windows and
> the Linux clients have connected to the VPN?
>
> bridge fdb
>
> This will tell us what the bridge forwarding table looks like.
>
> Also, can you please mention what the MAC addresses of the Windows and
> Linux clients are?
>
> Thanks.
> Best Regards,
>
> --
> Antonio Quartulli