Auteur Sujet: Orange DHCP conformité protocolaire 2023 - lire depuis le début du sujet (Lu 161373 fois)

Keyser · « **Réponse #888 le:** 17 mai 2023 à 23:11:51 »

Citation de: B3nJ1 le 13 mai 2023 à 07:48:16

Je suppose que ton renew n'est pas tagué en COS6 ?

Sorry about the english, I don’t speak french. Do you know for a fact that the RENEWs also needs to be COS6 tagged like the DISCOVER?

toine512 · « **Réponse #889 le:** 18 mai 2023 à 00:09:24 »

All trafic required for negociating and maintaining the link alive must / should be tagged 802.1q Class of Service 6 at VLAN 832 egress, e.g. ARP, DHCP, NDP (IPv6), DHCPv6 (IPv6). We know it's mandatory for DHCP(v6). Uplink should answer using same priority.
Moreover it's advised to set IP header DSCP field to CS6 if possible.

You need to select your provider here https://lafibre.info/profile/?area=groupmembership so it appears below your nick.

Keyser · « **Réponse #890 le:** 18 mai 2023 à 09:27:33 »

Thank you for responding. I know those settings are advised, but my pfSense with a fs.com ONT SFP worked like a charm for 2 years until this winter when Orange tightned the DHCP protocol compliance. Now I get an IP just fine and it works for about 24 hours until the DHCP renew. Then the line stops responding and I have to login and do a DHCP release and renew to get it going again. I suspect perhaps the Renew is not COS6 tagges out of pfSense as the discover frame is when configured on the DHCP client.

breizyann · « **Réponse #891 le:** 18 mai 2023 à 09:57:56 »

Citation de: Keyser le 18 mai 2023 à 09:27:33

Thank you for responding. I know those settings are advised, but my pfSense with a fs.com ONT SFP worked like a charm for 2 years until this winter when Orange tightned the DHCP protocol compliance. Now I get an IP just fine and it works for about 24 hours until the DHCP renew. Then the line stops responding and I have to login and do a DHCP release and renew to get it going again. I suspect perhaps the Renew is not COS6 tagges out of pfSense as the discover frame is when configured on the DHCP client.

Hello @ll,

When your pfsense box get a functional lease, did you check if this lease does have 7 days before expiration?

• If yes interesting to know why 24h later a renew is needed ?
• Or may be you are forcing this renew in your configuration ?
• Also are you using single or double stack in your config ?

Keyser · « **Réponse #892 le:** 18 mai 2023 à 12:29:40 »

The lease comes with a renew interval of aprox. 24 hours, a rebind interval of about 6 days, and an expiration interval of 7 days.
It’s normal for a DHCP client to attempt renew when the renew timer (T1) expires, so pfSense is just doing what it’s suppose to.
But as soon as a renew reqeust has been sent, the line stops routing traffic, so Orange must consider something wrong with that attempt, and shut down routing.

I then have to do a full DHCP release and renew to get another ~24 hours.

It’s a single stack IPv4 only setup.

arnaudf · « **Réponse #893 le:** 18 mai 2023 à 12:50:55 »

Hi Keyser,

This reminds me my own problem.
This was related to the case of UserClass dhcp option.

The right value is : FSVDSL_livebox.Internet.softathome.Livebox5
(and the wrong value was : FSVDSL_livebox.Internet.softathome.livebox5)

This applies for both IPv4 and IPv6.
edit : obviously, for Livebox6, the last char has to be a 6

Could you pls check this ?

zoc · « **Réponse #894 le:** 18 mai 2023 à 12:58:17 »

Hello,

Je suis en cours de déploiement de mon CCR2004 à la place de l'ER4. Pas de problème en IPv4, mais en IPv6, baobab me répond ça:

Code: [Sélectionner]

    ...
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 48
        IAID: 00000014
        T1: 0
        T2: 0
        Status code
            Option: Status code (13)
            Length: 32
            Status Code: NoPrefixAvail (6)
            Status Message: No prefixes have been assigned
    Authentication
        Option: Authentication (11)
        Length: 27
        Protocol: 0
        Algorithm: 0
        RDM: 0
        Replay Detection: 0000000000000000
        Authentication Information: 646863706c697665626f786672323530
    Vendor-specific Information
        Option: Vendor-specific Information (17)
        Length: 18
        Enterprise ID: Orange (1368)
        option
            Option code: 1
            Option length: 12
            Option data: 000100000000000000000018

Donc à priori l'option 17 m'indique que tout est bon, mais comme vous pouvez le voir pas de préfixe alloué. Est-ce que par hasard ce ne serait pas parce que mon Mikrotik fait une requête de préfixe avec IAID à 0x14 alors que l'IAID est à 1 sur mon ER4 ?

J'ai essayé de libérer le lease en arrêtant proprement dibbler sur l'ER4, mais je ne suis pas certain qu'il fasse bien un release...

zoc · « **Réponse #895 le:** 18 mai 2023 à 13:00:35 »

Citation de: Keyser le 18 mai 2023 à 09:27:33

I suspect perhaps the Renew is not COS6 tagges out of pfSense as the discover frame is when configured on the DHCP client.

Most likely this is the issue. Users of OPNSense faced the same problem and correctly tagging renew request with CoS 6 fixed it...

Keyser · « **Réponse #896 le:** 18 mai 2023 à 13:01:02 »

I’m using the capital L in Livebox, but I am and have always been sending a “…..Livebox4” userclass even though it’s actually a Livebox5 i have.
It works fine when aqquiring a new lease - it’s just the renew that fails. Do you think they know I’m supposed to have a LB5, and fails the renew based on that?

Keyser · « **Réponse #897 le:** 18 mai 2023 à 13:05:54 »

Citation de: zoc le 18 mai 2023 à 13:00:35

Most likely this is the issue. Users of OPNSense faced the same problem and correctly tagging renew request with CoS 6 fixed it...

Okay - that does seem to indicate this might be my problem. I will stage a full packet capture tonight when the renew attempt happens again, and then I’ll know if the Renew is COS6 tagged or not.
I believe i can create a floating match rule in pfSense that looks for - and priority tags - DHCP frames going out of my WAN VLAN interface.
That way there is no need to have the DHCPv4 client modified to tag renews if it does not support this right now. I know it correctly tags discover frames currently.

zoc · « **Réponse #898 le:** 18 mai 2023 à 13:06:19 »

Orange is not verifying if UserClass matches the Livebox version you own.

toine512 · « **Réponse #899 le:** 18 mai 2023 à 13:28:01 »

Citation de: zoc le 18 mai 2023 à 12:58:17

Hello,

Je suis en cours de déploiement de mon CCR2004 à la place de l'ER4. Pas de problème en IPv4, mais en IPv6, baobab me répond ça:
...

As-tu pensé à désactiver le Rapid Commit ?