 From:  "David Burgess" <apt dot get at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] dhcp server problem
 Date:  Fri, 23 Feb 2007 17:29:18 -0700
On 2/23/07, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> David Burgess wrote:
> > On 2/23/07, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> >> David Burgess wrote:
> >> > So an occasional client has a problem obtaining an IP address from our
> >> > m0n0wall dhcp server. I've searched the archives and my problem appears
> >> > to be unique in some respects.
> >> The few times I have seen this have been ARP table screwups.  This can
> >> be very common with wireless as clients move from switch (AP) to switch.
> >> I would start by segmenting the network.  If you can, divide wireless
> >> and wired.
> > Hm. Our entire network is wireless with multiple access points connected
> > wirelessly. The only situation I can think of that would fit your
> > explanation is when a client moves from one AP to another, which happens
> > occasionally. Would that cause the problem?
> > If so, then what is the solution? Is there some way to flush the ARP table,
> > or manually update an ARP entry from either the router or the client side?
> This is way beyond the normal scope of this list.  So let's go! :)
> First let's start with the arp table.  Every system on your network has
> one.  Every computer, switch and AP.  For one-interface devices
> (desktops) it is a simple table.  Type 'arp -a' from the command line to
> see it.  (Windows, Mac, Linux or Unix...)  It shows the IP address
> translated to mac address of everything it has seen.  In a switched
> network, that will be the router.  It may include printers, servers, and
> other systems you touch.  At home connected directly to a router with no
> other items, it will only be the router.
> Now a switch has a much more complex routing table.  It has no IP stuff.
> It just knows the port each MAC address hangs off.  Now what happens
> when a MAC address moves?  This depends on how far down a chain it is.
> Say you have a switch at the router.  It has several switches off it for
> each floor.  Each floor has several switches for each region of the
> floor.  Each region has one (or more) AP.  Now Bob's laptop walks down
> the hall.  On the way it connects to the floor above.  The AP says "I
> have Bob's MAC."  The regional switch says "I have Bob's MAC."  The
> floor switch says "I have Bob's MAC." The router switch says "I have
> Bob's MAC." down the chain to the floor switch on Bob's floor who now
> says "I have Bob's MAC." but on a different port... And the regional
> switch says "He has Bob's MAC." and on to the AP.  But by now Bob has
> gone back to his desk.  So the first AP says, "But I have Bob's MAC..."
> If you have someone on an edge between two APs they can flip back and
> forth, and this goes on.
> Solutions...  You can shorten the "lease time" (I know it is not lease
> time, but the analogy works) on some advanced switches.  You can use
> different ESSIDs so the client doesn't move as easily.  You can use fewer
> switches on the wireless network.
>                         Lee

Your explanation makes sense, but as I think about it I realise that this
can't be what's happening here, at least the exact case of a client
switching APs in every instance:

Our APs are radio towers and our clients, without exception, are fixed
antennas. So while, occasionally, a client antenna does register with the
wrong AP, I know of at least three instances of a client not being able to
get an IP address via dhcp when he could have only ever registered with a
single AP.

I suspect it's still something to do with ARP errors, but it can't be a
simple case of changing APs or changing port switches in this case.

I hate to introduce what is probably a red herring, but while I'm shooting
in the dark, I might point out that the m0n0wall has its LAN and WAN ports
plugged into a single switch. Other ports on the switch connect to other APs
and the upstream gateway. The only side-effect of this setup that I have
observed to date is the complete domination of our system logs by messages
in the form of, "kernel: arp: is on nve0 but got reply from
00:06:5b:af:b2:9a on em0".

While I don't like having the LAN and WAN ports on the same switch, the
chief has been doing it this way since before I was on board, and 99.999% of
our traffic appears to pass normally. Could my occasional but annoying dhcp
problem arise from this setup? Is there some other possible explanation?
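As an added illustration (not part of this thread or of m0n0wall itself), here is a small Python script that parses those "arp: ... is on nve0 but got reply from ... on em0" kernel lines and tallies which interface pairs and MACs are involved. A steady stream for one (expected, seen) interface pair means those two interfaces are hearing the same ARP traffic, which is what plugging LAN and WAN into one switch produces; a single MAC showing up repeatedly is then a natural starting point when looking into a client that cannot get a lease. It assumes FreeBSD's message format, which carries the IP address before "is on" (the line quoted above has it missing, so the pattern tolerates that), and the sample log lines are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# FreeBSD's if_ether.c logs "arp: <ip> is on <if> but got reply from <mac> on <if>".
# The line quoted in the thread has no IP, so the IP group is optional here.
ARP_RE = re.compile(
    r"arp: (?P<ip>\S+ )?is on (?P<expected_if>\S+) but got reply from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<seen_if>\S+)",
    re.IGNORECASE,
)


class ArpMismatch(NamedTuple):
    ip: str            # "?" when the kernel line did not carry an address
    expected_if: str   # interface the kernel has the IP recorded on
    mac: str           # MAC that answered the ARP request
    seen_if: str       # interface the unexpected reply arrived on


def parse_arp_mismatch(line: str) -> Optional[ArpMismatch]:
    """Return the parsed mismatch for one syslog line, or None if it is not one."""
    m = ARP_RE.search(line)
    if not m:
        return None
    ip = (m.group("ip") or "?").strip()
    return ArpMismatch(ip, m.group("expected_if"), m.group("mac").lower(), m.group("seen_if"))


def summarize(lines):
    """Return (all mismatches, count per (expected_if, seen_if) pair, count per MAC)."""
    hits = [r for r in map(parse_arp_mismatch, lines) if r is not None]
    pairs = Counter((h.expected_if, h.seen_if) for h in hits)
    macs = Counter(h.mac for h in hits)
    return hits, pairs, macs


# Constructed sample lines modelled on the message quoted in the thread; the
# 192.0.2.x addresses are documentation placeholders and the second MAC is made up.
SAMPLE_LOG = """\
Feb 23 17:01:02 m0n0wall kernel: arp: 192.0.2.10 is on nve0 but got reply from 00:06:5b:af:b2:9a on em0
Feb 23 17:01:03 m0n0wall kernel: arp: is on nve0 but got reply from 00:06:5b:af:b2:9a on em0
Feb 23 17:01:05 m0n0wall dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via nve0
Feb 23 17:01:09 m0n0wall kernel: arp: 192.0.2.11 is on nve0 but got reply from 00:11:22:33:44:55 on em0
""".splitlines()

if __name__ == "__main__":
    hits, pairs, macs = summarize(SAMPLE_LOG)
    for (expected, seen), n in pairs.most_common():
        print(f"{n} replies for {expected} addresses arrived on {seen}")
    for mac, n in macs.most_common():
        print(f"{mac}: {n} mismatched replies")
```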