Unicast DHCPv4 issue on WAN

I'm running OpenWrt 23.05.3 on an Rpi4B 4GB as a "router on a stick". I have VLANs set up for the WAN, LAN, and WLAN. That's all working properly.

I swapped to this from a cheap TPLink ER605 that was having issues routing to the internet on occasion which would be resolved by restarting the WAN interface.

The Rpi4 is experiencing the same issue but now, with access to various logs, I can attempt to track down the actual cause.

First thing I noticed is that DHCP renewals from my ISP don't seem to work unless they are broadcast requests. The ISP provides a 10.X.X.X address as the DHCP gateway which is causing issues. From syslog I'm seeing:

Apr 1 23:14:11 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:29:13 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:36:43 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:40:28 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:42:21 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:43:17 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:43:45 OpenWrt netifd: wan (15238): udhcpc: sending renew to server 10.72.2.195
Apr 1 23:43:48 OpenWrt netifd: wan (15238): udhcpc: broadcasting renew
Apr 1 23:43:48 OpenWrt netifd: wan (15238): udhcpc: lease of X.X.X.X obtained from 10.72.2.195, lease time 3600

And below are the last three packets from the tcpdump on that interface:

23:43:45.449217 MYMACADDR > 00:17:10:98:55:90, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 59783, offset 0, flags [DF], proto UDP (17), length 328)
    MYPUBLICIP.68 > 10.72.2.195.67: BOOTP/DHCP, Request from MYMACADDR, length 300, xid 0x8eb27a2c, Flags [none]
          Client-IP MYPUBLICIP
          Client-Ethernet-Address MYMACADDR
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 7: "OpenWrt"
            Vendor-Class (60), length 12: "udhcp 1.36.1"
23:43:48.528469 MYMACADDR > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    MYPUBLICIP.68 > 255.255.255.255.67: BOOTP/DHCP, Request from MYMACADDR, length 300, xid 0x8eb27a2c, secs 3, Flags [none]
          Client-IP MYPUBLICIP
          Client-Ethernet-Address MYMACADDR
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 7: "OpenWrt"
            Vendor-Class (60), length 12: "udhcp 1.36.1"
23:43:48.546110 00:17:10:98:55:90 > MYMACADDR, ethertype IPv4 (0x0800), length 370: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 356)
    209.148.135.202.67 > MYPUBLICIP.68: BOOTP/DHCP, Reply, length 328, xid 0x8eb27a2c, Flags [none]
          Client-IP MYPUBLICIP
          Your-IP MYPUBLICIP
          Gateway-IP 10.72.2.195
          Client-Ethernet-Address MYMACADDR
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: 10.72.2.195
            Lease-Time (51), length 4: 3600
            Subnet-Mask (1), length 4: 255.255.255.224
            RN (58), length 4: 1800
            RB (59), length 4: 2700
            Default-Gateway (3), length 4: MYGATEWAYIP
            Domain-Name-Server (6), length 8: 206.248.154.22,206.248.154.170
            BR (28), length 4: 255.255.255.255
            Hostname (12), length 30: "CPEmymacaddr-CM946a77f955be"

Is this typical? From my understanding the answer is no. Is there a way to force DHCP renewal requests on the WAN interface to always be broadcast?

To add a little more information, it looks like the netifd scripts just send the SIGUSR1 signal to the udhcpc process to trigger a renew. Out of curiosity, I tried sending SIGUSR1 to the udhcpc process manually. Every time I do it manually, it attempts a unicast renewal, which fails, and follows up immediately with a broadcast.

I have no idea why it doesn't do this automatically. Logs below show it trying to renew over the course of an hour. The last two attempts at 15:59 and 16:02 are my manual ones.

Apr  2 14:44:41 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 14:59:29 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:06:53 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:10:35 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:12:26 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:13:22 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:13:50 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:13:53 OpenWrt netifd: wan (1259): udhcpc: broadcasting renew
Apr  2 15:13:53 OpenWrt netifd: wan (1259): udhcpc: lease of X.X.X.X obtained from 10.72.2.195, lease time 3600
Apr  2 15:43:53 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:58:54 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:59:43 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 15:59:46 OpenWrt netifd: wan (1259): udhcpc: broadcasting renew
Apr  2 15:59:46 OpenWrt netifd: wan (1259): udhcpc: lease of X.X.X.X obtained from 10.72.2.195, lease time 3600
Apr  2 16:02:22 OpenWrt netifd: wan (1259): udhcpc: sending renew to server 10.72.2.195
Apr  2 16:02:25 OpenWrt netifd: wan (1259): udhcpc: broadcasting renew
Apr  2 16:02:25 OpenWrt netifd: wan (1259): udhcpc: lease of X.X.X.X obtained from 10.72.2.195, lease time 3441

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

You're getting a 1 hour lease, which is quite short. It seems like the upstream is not configured properly/optimally, but there's nothing you can do about that.

Let's review your config (per my post above) to make sure eveything is configured properly on your side.

I have reached out to my ISP but they are a reseller and the DHCP servers are owned by the ISP they resell from. I'm not expecting much from that side.

I've included the requested configs below. I'm still working on the zones and firewall rules within the LAN but the zones to WAN are all working.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option auto '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '64'
	option name 'eth0.64'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '128'
	option name 'eth0.128'
	option ipv6 '0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.10'

config interface 'wlan'
	option proto 'static'
	option device 'eth0.64'
	option ipaddr '192.168.64.1'
	option netmask '255.255.255.0'

config interface 'wlan_iot'
	option proto 'static'
	option device 'eth0.128'
	option ipaddr '192.168.128.1'
	option netmask '255.255.255.0'

config interface 'wired_lan'
	option proto 'static'
	option device 'eth0.20'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'
	option ipv6 '0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2'
	option key 'redacted'
	option disabled '1'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '10000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	option dnsforwardmax '4096'
	option filter_aaaa '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wlan'
	option interface 'wlan'
	option start '10'
	option limit '200'
	option leasetime '12h'

config dhcp 'wlan_iot'
	option interface 'wlan_iot'
	option start '10'
	option limit '200'
	option leasetime '12h'

config dhcp 'wired_lan'
	option interface 'wired_lan'
	option start '50'
	option limit '200'
	option leasetime '12h'

redacted static leases
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wlan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'wired_lan'
	list network 'wired_lan'

config zone
	option name 'wlan_iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wlan_iot'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP to Traefik'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.12'
	list reflection_zone 'lan'
	list reflection_zone 'wlan'

config redirect
	option target 'DNAT'
	option name 'HTTPS to Traefik'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.12'
	option dest_port '443'
	list reflection_zone 'lan'
	list reflection_zone 'wired_lan'
	list reflection_zone 'wlan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.9'

config forwarding
	option src 'wlan'
	option dest 'wan'

config forwarding
	option src 'wlan_iot'
	option dest 'wan'

config forwarding
	option dest 'wan'

config forwarding
	option dest 'wan'

config forwarding
	option src 'wired_lan'
	option dest 'wan'

config forwarding
	option src 'wired_lan'
	option dest 'wlan'

config forwarding
	option src 'wlan'
	option dest 'wired_lan'

config rule
	list src_ip '192.168.1.137'
	list dest_ip '192.168.128.0/24'
	option target 'ACCEPT'
	option name 'ha to iot subnet'
	option dest '*'

config forwarding
	option src 'wired_lan'
	option dest 'wlan_iot'

Nothing jumps out as problematic in terms of upstream DHCP. the dnsmasq settings might be something to consider with what appears to be DoH/DoT or other DNS related things, but I expect that it wouldn't have any real impact.

I think this is a DHCP server issue on the ISP side.

Thanks for pointing out the DoH thing. I had installed DNS over HTTP Proxy and things got weird so I removed it. Didn't realize it had added DNS Forwards.

So just to follow up on the DHCP issue -- I'll keep pushing with my ISP but is there no way to force the renew requests to broadcast instead of unicast?

If you're not using DoH/DoT anymore, maybe just clear that stuff out. depending on your willingess/time, a reset to defaults could be a quick way to verify that it's nothing on your end.

1 Like