DHCP passing from WAN to LAN on TP-Link Archer C7 v2

timdp · December 26, 2018, 11:14pm

So I believe I'm having the issue described here: https://dev.archive.openwrt.org/ticket/6819

My router gets a 192.168.0.0/24 IP from my ISP's "modem" (sigh) and then my clients get a 172.168.0.0/24 IP from OpenWRT. While not very elegant, this double NAT worked fine for years until yesterday, when my clients suddenly started getting 192.168.0.0/24 IPs. I can only assume that my ISP changed something (DHCP authoritative?) because this used to work with mostly default OpenWRT settings.

The router is a TP-Link Archer C7 v2 with OpenWRT 18.06.1. After resetting to default settings, the issue persists. It occurs both with wired and wireless clients. I've enabled "Force DHCP" on the LAN interface but that hasn't helped. In dhcpdump, I consistently see DHCP responses for both subnets, and clients prefer the ones from my ISP. Perhaps they were already there before, but I don't think they should hit the LAN, right?

According to the ticket I posted above, it did get fixed, but then a bunch of people were still seeing it.

What's the intended behavior? Am I supposed to change a flag?

Thanks!

psherman · December 26, 2018, 11:46pm

This shouldn't happen, even if the upstream DHCP server is in authoritative mode. Something is wrong with your OpenWrt installation, hopefully just a configuration issue.

First things first, check to make sure you're fully up to date with the latest version (18.06.1). If not, perform the update and see what happens.

If that doesn't fix it, post the following files:
/etc/config/network
/etc/config/firewall
/etc/config/dhcp

Also, you could try backing up your configuration and then performing a factory reset... resetting everything to defaults should give you a working config right out of the gate (using the 192.168.1.0/24 network which will be fine since your ISP modem is working on the 192.168.0.0/24 network). If that works, you can try restoring your saved configuration, and see if things still work or if it breaks again (in which case, you know for sure it is something with the config files; you can then try recreating or restoring the files in a systematic way to find out which one is causing the issue).

timdp · December 27, 2018, 12:01am

Thanks for the quick response!

As I mentioned, I tried a factory reset earlier today. After I connected my laptop over UTP, I immediately got a 192 IP, so I think it's broken out of the box somehow.

dhcpdump from a client gives me:

  TIME: 2018-12-27 00:51:57.465
    IP: 0.0.0.0 (9c:b6:d0:f3:67:97) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 21a46c59
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 9c:b6:d0:f3:67:97:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  50 (  4) Request IP address        172.16.0.239
OPTION:  12 (  8) Host name                 chowchow
OPTION:  55 ( 16) Parameter Request List      1 (Subnet mask)
					     28 (Broadcast address)
					      2 (Time offset)
					      3 (Routers)
					     15 (Domainname)
					      6 (DNS server)
					    119 (Domain Search)
					     12 (Host name)
					     44 (NetBIOS name server)
					     47 (NetBIOS scope)
					     26 (Interface MTU)
					    121 (Classless Static Route)
					     42 (NTP servers)
					    249 (MSFT - Classless route)
					     33 (Static route)
					    252 (MSFT - WinSock Proxy Auto Detect)
					    
---------------------------------------------------------------------------

  TIME: 2018-12-27 00:51:57.465
    IP: 172.16.0.1 (a4:2b:b0:a5:da:aa) > 172.16.0.239 (9c:b6:d0:f3:67:97)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 21a46c59
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.16.0.239
SIADDR: 172.16.0.1
GIADDR: 0.0.0.0
CHADDR: 9c:b6:d0:f3:67:97:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         172.16.0.1
OPTION:  51 (  4) IP address leasetime      43200 (12h)
OPTION:  58 (  4) T1                        21600 (6h)
OPTION:  59 (  4) T2                        37800 (10h30m)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:  28 (  4) Broadcast address         172.16.0.255
OPTION:   3 (  4) Routers                   172.16.0.1
OPTION:   6 (  4) DNS server                172.16.0.1
OPTION:  15 (  3) Domainname                lan
OPTION:  12 (  8) Host name                 chowchow
---------------------------------------------------------------------------

  TIME: 2018-12-27 00:51:57.466
    IP: 192.168.0.1 (dc:53:7c:dc:d2:98) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 21a46c59
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 9c:b6:d0:f3:67:97:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         6 (DHCPNAK)
OPTION:  54 (  4) Server identifier         192.168.0.1
OPTION:  56 ( 15) Message                   lease not found
---------------------------------------------------------------------------

so that time, OpenWrt happened to respond first and I got the expected IP. However, you can also see the reply from my ISP's router at the bottom.

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:178a:45ae::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '172.16.0.1'
	option dns '1.1.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1 6t'

/etc/config/firewall without comments:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config include
	option path /etc/firewall.user

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Note that I didn't edit any of these directly. What I did do was:

Change the router's IP from 192.168.1.1 to 172.168.0.1.
Add 1.1.1.1 DNS.
Move ports 1 and 4 from VLAN 1 to VLAN 2 because I don't want those on the LAN. It's basically a lightweight version of this issue. However, I've rolled that change back (you can see all four ports are in the same VLAN) and the issue already occurred before I'd applied it.

Hope this helps. Thanks!

timdp · December 27, 2018, 12:05am

Sorry, by "I immediately got a 192 IP", I meant that when I connected the client machine over UTP right after a factory reset, I got a 192.168.0.0/24 IP from my ISP rather than a 192.168.1.0/24 one from OpenWrt. I had to manually assign 192.168.1.x to the client to get to luci for initial setup.

psherman · December 27, 2018, 12:55am

Nothing jumps out at me as problematic in your config files.

The bug you mentioned is 8 years old, and I haven't personally seen any recent reports of this issue in general as well as for this device (and this is a very popular router model).

Can you confirm that you are on 18.06.1 from the official release builds on the OpenWrt downloads page? It might be worth re-flashing just to make sure it applied correctly.

Also, just to make sure you're really connecting through the C7 -- please verify that you are connected via ethernet and that wifi is turned off on your computer. This will ensure that there is no other means of network connectivity other than through the C7.

What happens if you don't connect the WAN? Will your computer get an IP address via DHCP from the C7? When you connect the WAN, does it then suddenly get DHCP in the 192.168.0.0/24 network?

timdp · December 27, 2018, 11:49am

Thanks again for all the pointers. I did try another flash, with 18.06.1 and then 18.06.0 to rule out any regressions. That didn't help.

However, it turns out I was looking in the wrong place. Hindsight is 20/20.

After unplugging the uplink, I suddenly noticed that I still had internet access on my client machine. So I unplugged the remaining client cables and reinserted them one by one until there was some sort of uplink. That made me realize that the culprit was actually my ethernet-over-power extender to another room. Somehow, that segment contained a modem from my ISP (the market leader), but apparently not actually mine!

I live in an apartment and I can only assume that a neighbor also has ethernet-over-power plugs. It's pretty bonkers that the circuits aren't isolated from each other, but securing my segment better by re-pairing the plugs did obliviate the mysterious DHCP reply.

I'm still going to follow up on how a neighbor's modem can be connected to my power outlets, but obviously, that's not an OpenWrt problem. Again, thanks for all the help!

system · January 6, 2019, 11:49am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.