Screen OS

  • 1.  DHCP Relay not working

    Posted 06-15-2011 04:00

    Hello, I am struggling with getting DHCP clients to work across another subnet on an SSG5 box.

    Right now the DHCP server (win2008 r2) is directly connected to port 0/2 and is serving clients in the 192.168.2.x/24 range and it works.

     

    Port 0/2 is setup with a static IP in the Trust zone.

    Now I have created 3 subinterfaces on the 0/6 port, also in the Trust zone, and one of them is VLAN10, with IP 192.168.10.x/24.
    Eth 0/6 is connected to a ProCurve switch, and if I set a client on a different port on the switch with a static IP, the traffic flows as normal and can reach other hosts on different subnets etc. But if I change the client to DHCP, it will not receive any IP.

     

    I have set up DHCP relay with the IP of my DHCP server in the SSG on interface ethernet0/6.10 (192.168.10.1/24), but it seems that it's not relaying the DHCP broadcast. I have of course set up another DHCP scope on the DHCP server for the 192.168.10.x subnet.

     

    Any clues about where I should start to look for some more information? I have created an any-any policy in the intra-zone Trust allowing all traffic, but I cannot see any DHCP traffic there. I also turned on debug, but I cannot find any useful information there.

     

    Thanks in advance.



  • 2.  RE: DHCP Relay not working

    Posted 06-15-2011 08:16

    Hi,

     

    I would configure a policy with the predefined service DHCP-Relay and start "debug dhcp all".

    ScreenOS does not relay DHCP broadcasts but converts the collected requests into unicasts that are forwarded to the configured server. Does the DHCP server accept the unicasts?



  • 3.  RE: DHCP Relay not working

    Posted 06-16-2011 02:34

    Thanks for the help.

     

    I see that the DHCP requests are being forwarded to the DHCP server.

    ## 2011-06-16 12:17:46 : DHCP: got packet from if <ethernet0/6.10>.
    ## 2011-06-16 12:17:46 : DHCP: Packet processed by DHCP relay
    ## 2011-06-16 12:17:46 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
    ## 2011-06-16 12:17:46 : DHCP: Relay request from 192.168.10.1 to 192.168.2.20, ret = 0
    ## 2011-06-16 12:17:54 : DHCP: got packet from if <ethernet0/6.10>.
    ## 2011-06-16 12:17:54 : DHCP: Packet processed by DHCP relay
    ## 2011-06-16 12:17:54 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
    ## 2011-06-16 12:17:54 : DHCP: Relay request from 192.168.10.1 to 192.168.2.20, ret = 0
    ## 2011-06-16 12:18:11 : DHCP: got packet from if <ethernet0/6.10>.
    ## 2011-06-16 12:18:11 : DHCP: Packet processed by DHCP relay
    ## 2011-06-16 12:18:11 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
    ## 2011-06-16 12:18:11 : DHCP: Relay request from 192.168.10.1 to 192.168.2.20, ret = 0

    And on the DHCP server, I can see a DHCP DISCOVER packet coming from the firewall (192.168.2.1) and then a DHCP OFFER coming from the DHCP server and being sent back to the firewall (192.168.2.1). After that there is nothing more in the debug or in the traffic log on the DHCP server itself.

     

    I wonder where I should look for more information now.

     

    Could it be that something is wrong with my interfaces and routing?
    Int0/2 is a part of bgroup0, set up with a static IP, and it's in NAT mode. Int0/6.10 is a subinterface and is in routing mode. I have also created a policy that allows all traffic in the intra-zone Trust, also set up with NAT with source translation.
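
Added example, not part of the thread: a small Python checker over the "debug dhcp all" relay lines quoted above. It flags clients that keep re-sending DISCOVER through the relay without ever progressing to REQUEST, which is what you see when the relay forwards upstream but the OFFER never gets back to the client. The second client's MAC and the wording of its relayed REQUEST line are constructed for this example.

```python
import re
from collections import defaultdict

# Pattern for the "Relay ... message" lines that ScreenOS "debug dhcp all"
# prints, as quoted in the thread. The message type is captured generically:
# a client that received and accepted the OFFER would show up next with a
# "request" message instead of yet another "discover".
RELAY_RE = re.compile(
    r"^## (?P<ts>\S+ \S+) : DHCP: Relay (?P<kind>\w+) message on "
    r"(?P<ifname>\S+) from MAC (?P<mac>[0-9a-fA-F]{12}): request IP (?P<ip>\S+)$"
)


def parse_relay_events(lines):
    """Return (timestamp, kind, interface, mac) for each relay message line."""
    events = []
    for line in lines:
        m = RELAY_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["kind"].lower(), m["ifname"], m["mac"].lower()))
    return events


def stuck_clients(lines, min_discovers=3):
    """MACs that DISCOVER at least min_discovers times and never REQUEST.

    The relay is clearly forwarding upstream (otherwise no line would be
    logged), so a client stuck in DISCOVER is one whose OFFER never came back.
    """
    kinds_by_mac = defaultdict(list)
    for _ts, kind, _ifname, mac in parse_relay_events(lines):
        kinds_by_mac[mac].append(kind)
    return sorted(
        mac for mac, kinds in kinds_by_mac.items()
        if kinds.count("discover") >= min_discovers and "request" not in kinds
    )


# Constructed sample: the relayed DISCOVERs quoted in the thread plus a second
# client (MAC and its "request" line invented here; the exact wording ScreenOS
# uses for a relayed REQUEST is assumed) that does complete the exchange.
SAMPLE_LOG = """\
## 2011-06-16 12:17:46 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
## 2011-06-16 12:17:46 : DHCP: Relay request from 192.168.10.1 to 192.168.2.20, ret = 0
## 2011-06-16 12:17:54 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
## 2011-06-16 12:18:11 : DHCP: Relay discover message on ethernet0/6.10 from MAC 406186af72cf: request IP 0.0.0.0
## 2011-06-16 12:19:02 : DHCP: Relay discover message on ethernet0/6.10 from MAC 001122334455: request IP 0.0.0.0
## 2011-06-16 12:19:03 : DHCP: Relay request message on ethernet0/6.10 from MAC 001122334455: request IP 192.168.10.50
"""
```

Running `stuck_clients(SAMPLE_LOG.splitlines())` on the sample returns only the MAC from the thread; the "Relay request from ... ret = 0" summary line is deliberately not matched, since it carries no client MAC.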



  • 4.  RE: DHCP Relay not working

    Posted 06-16-2011 05:13

    Hi,

     

    Everything seems to be OK, including the DHCP debug output. Please check that the setting "No DHCP Relay" in zone Trust is not enabled.

    I think you should go deeper into the details. You can use snoop for capturing packets, as described in KB articles 5411, 5413, 6708 and 20562, and analyse their content with a sniffer application. This might also be a bug.



  • 5.  RE: DHCP Relay not working

    Posted 06-16-2011 05:20

    Thanks for the reply.

     

    I think I am onto something, as I finally made DHCP work when I removed the NAT in the policy; then DHCP traffic was working perfectly. But now I have a new problem, which is that all the clients in VLAN10 on interface eth0/6.10 cannot reach the internet.

     

    We have 1 public IP on the firewall itself on the Untrust interface 0/0, and all clients on interface 0/2 (192.168.2.x) can reach the internet, but that interface is in NAT mode, while my subinterface 0/6.10 has to be in routing mode in order to get DHCP to work.

     

    I am also planning for more VLANs, and I would like most of them to be able to reach the internet; only a few subnets will have internal traffic only behind the firewall (like cluster heartbeat networks etc.).

     

    So I believe that I need to do something about the NAT, but NAT on SSG is not my strongest side... 🙂



  • 6.  RE: DHCP Relay not working
    Best Answer

    Posted 06-16-2011 05:57

    Hi!

     

    The fact that ScreenOS forces src-NAT even for Trust-to-Trust traffic if the ingress interface is in NAT mode is a surprise to me. Probably because I never use NAT mode and switch to route mode immediately after an IP has been configured on the interface. NAT mode is an absolutely bad thing because of its unpredictable behaviour. I suppose that the only reason to still have it in ScreenOS is backward compatibility.

    I always configure src-NAT in the policy rules. Click on the "Advanced" button while editing the policy, and check "Source Translation". The default src-NAT "Use egress interface IP" will be applied to the policy.



  • 7.  RE: DHCP Relay not working

    Posted 06-16-2011 08:13

    Finally made it work 🙂

     

    Sorry, my fault, I was only putting src-NAT on the Trust-to-Trust policy, and that didn't work, of course.

     

    When I put src-NAT on the Trust-to-Untrust policy, it finally worked...

     

    Thank you so much for your help!



  • 8.  RE: DHCP Relay not working

    Posted 07-15-2011 12:50

    This was a tremendous help. Thanks for posting the solution.