# My ISP cannot extend the DHCP lease and renew the ip connection every second hour



## olav (Sep 4, 2018)

I have a FreeBSD 11.2-RELEASE firewall, it works great. With the exception that every second hour internet access hangs for 10 seconds. I've tried changing hardware, but always used FreeBSD. My guess is that there is an error in the configuration at my ISP that is causing this. But they deny helping me and say that my operating system is unsupported. I don't think there is a problem with my FreeBSD, it has been like this since at least the FreeBSD 10-RELEASE. The configuration in /etc/dhclient.conf is default, with the exception in 11.2-RELEASE where I had to fix a bug in the dhclient and I've tried to do some additional tuning.

It now looks like this:

```
# $FreeBSD: releng/11.2/etc/dhclient.conf 85575 2001-10-27 03:14:37Z rwatson $
#
#       This file is required by the ISC DHCP client.
#       See ``man 5 dhclient.conf'' for details.
#
#       In most cases an empty file is sufficient for most people as the
#       defaults are usually fine.
#
backoff-cutoff 2;
initial-interval 1;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "bce1" {
  send host-name "";
  send dhcp-lease-time 7200;

  # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229432
  supersede interface-mtu 0;
  #supersede dhcp-lease-time 20000;
}
```

I've taken a log dump of the DHCP communication.

```
TIME: 2018-02-20 01:38:01.018
    IP: 92.221.112.122 (d4:ae:52:c7:cc:c3) > 92.221.64.1 (00:02:00:01:00:01)
    OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 873f8bf4
  SECS: 0
FLAGS: 0
CIADDR: 92.221.112.122
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  51 (  4) IP address leasetime      3600 (60m)
OPTION:  61 (  7) Client-identifier         01:d4:ae:52:c7:cc:c3
OPTION:  12 ( 11) Host name                 firebay19v2
OPTION:  55 (  9) Parameter Request List      1 (Subnet mask)
                         28 (Broadcast address)
                          2 (Time offset)
                        121 (Classless Static Route)
                          3 (Routers)
                         15 (Domainname)
                          6 (DNS server)
                         12 (Host name)
                        119 (Domain Search)

---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:01.018
    IP: 92.221.64.1 (00:02:00:01:00:01) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 873f8bf4
  SECS: 0
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         6 (DHCPNAK)
OPTION:  54 (  4) Server identifier         92.221.64.1
---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:01.018
    IP: 0.0.0.0 (d4:ae:52:c7:cc:c3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 04e629f5
  SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
OPTION:  51 (  4) IP address leasetime      3600 (60m)
OPTION:  61 (  7) Client-identifier         01:d4:ae:52:c7:cc:c3
OPTION:  12 ( 11) Host name                 firebay19v2
OPTION:  55 (  9) Parameter Request List      1 (Subnet mask)
                         28 (Broadcast address)
                          2 (Time offset)
                        121 (Classless Static Route)
                          3 (Routers)
                         15 (Domainname)
                          6 (DNS server)
                         12 (Host name)
                        119 (Domain Search)

---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:07.141
    IP: 0.0.0.0 (d4:ae:52:c7:cc:c3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 04e629f5
  SECS: 7
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
OPTION:  51 (  4) IP address leasetime      3600 (60m)
OPTION:  61 (  7) Client-identifier         01:d4:ae:52:c7:cc:c3
OPTION:  12 ( 11) Host name                 firebay19v2
OPTION:  55 (  9) Parameter Request List      1 (Subnet mask)
                         28 (Broadcast address)
                          2 (Time offset)
                        121 (Classless Static Route)
                          3 (Routers)
                         15 (Domainname)
                          6 (DNS server)
                         12 (Host name)
                        119 (Domain Search)

---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:07.141
    IP: 92.221.64.1 (00:02:00:01:00:01) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 04e629f5
  SECS: 0
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 92.221.112.122
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         2 (DHCPOFFER)
OPTION:  54 (  4) Server identifier         92.221.64.1
OPTION:  51 (  4) IP address leasetime      7194 (1h59m54s)
OPTION:   1 (  4) Subnet mask               255.255.224.0
OPTION:  28 (  4) Broadcast address         255.255.255.255
OPTION:   3 (  4) Routers                   92.221.96.1
OPTION:  15 (  8) Domainname                lyse.net
OPTION:   6 (  8) DNS server                92.220.228.70,109.247.114.4
OPTION:  12 ( 22) Host name                 0004005c020b/skadb3ar1
---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:09.149
    IP: 0.0.0.0 (d4:ae:52:c7:cc:c3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 04e629f5
  SECS: 7
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  54 (  4) Server identifier         92.221.64.1
OPTION:  51 (  4) IP address leasetime      3600 (60m)
OPTION:  50 (  4) Request IP address        92.221.112.122
OPTION:  61 (  7) Client-identifier         01:d4:ae:52:c7:cc:c3
OPTION:  12 ( 11) Host name                 firebay19v2
OPTION:  55 (  9) Parameter Request List      1 (Subnet mask)
                         28 (Broadcast address)
                          2 (Time offset)
                        121 (Classless Static Route)
                          3 (Routers)
                         15 (Domainname)
                          6 (DNS server)
                         12 (Host name)
                        119 (Domain Search)

---------------------------------------------------------------------------

  TIME: 2018-02-20 01:38:09.679
    IP: 92.221.64.1 (00:02:00:01:00:01) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 04e629f5
  SECS: 0
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 92.221.112.122
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: d4:ae:52:c7:cc:c3:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         92.221.64.1
OPTION:  51 (  4) IP address leasetime      14400 (4h)
OPTION:   1 (  4) Subnet mask               255.255.224.0
OPTION:  28 (  4) Broadcast address         255.255.255.255
OPTION:   3 (  4) Routers                   92.221.96.1
OPTION:  15 (  8) Domainname                lyse.net
OPTION:   6 (  8) DNS server                92.220.228.70,109.247.114.4
OPTION:  12 ( 22) Host name                 0004005c020b/skadb3ar1
---------------------------------------------------------------------------
```

Are there other things I could do that would help convince my ISP to take a look at this? I think they are using some proprietary stuff as DHCP server, called Vespa or something.
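
As an added example, not part of the original post: a small Python parser for dump text in the layout shown above that flags a renewal DHCPREQUEST (CIADDR filled in) answered by a DHCPNAK with the same XID, then measures the time until the next DHCPACK and whether the same address comes back. The sample packets are constructed (documentation addresses, timestamps modelled on the capture), and all function names are this example's own.

```python
import re
from datetime import datetime

FIELD = re.compile(r"^\s*(TIME|XID|CIADDR|YIADDR):\s+(\S.*?)\s*$")
MSGTYPE = re.compile(r"^OPTION:\s+53 .*\((DHCP[A-Z]+)\)\s*$")

def parse_dump(text):
    """Split dump text into one dict per packet (time, xid, ciaddr, yiaddr, type)."""
    packets, cur = [], {}
    for line in text.splitlines():
        if line.startswith("-----"):              # packet separator
            if cur:
                packets.append(cur)
            cur = {}
        elif m := FIELD.match(line):
            key, val = m.groups()
            if key == "TIME":
                val = datetime.strptime(val, "%Y-%m-%d %H:%M:%S.%f")
            cur[key.lower()] = val
        elif m := MSGTYPE.match(line):
            cur["type"] = m.group(1)
    return packets + ([cur] if cur else [])

def rejected_renewals(packets):
    """Report each renewal (DHCPREQUEST with CIADDR set) that drew a DHCPNAK."""
    findings, pending = [], None
    for i, p in enumerate(packets):
        kind = p.get("type")
        if kind == "DHCPREQUEST" and p.get("ciaddr", "0.0.0.0") != "0.0.0.0":
            pending = p                           # client still holds this address
        elif kind == "DHCPNAK" and pending and p.get("xid") == pending.get("xid"):
            hit = {"address": pending["ciaddr"], "nak_at": p["time"],
                   "outage_s": None, "same_address": None}
            ack = next((q for q in packets[i + 1:] if q.get("type") == "DHCPACK"), None)
            if ack:                               # time without a lease, and what came back
                hit["outage_s"] = (ack["time"] - p["time"]).total_seconds()
                hit["same_address"] = ack.get("yiaddr") == pending["ciaddr"]
            findings.append(hit)
            pending = None
    return findings

# Constructed sample: documentation addresses, timestamps modelled on the capture.
def make_packet(time, xid, ciaddr, yiaddr, code, name):
    return (f"  TIME: {time}\n   XID: {xid}\nCIADDR: {ciaddr}\nYIADDR: {yiaddr}\n"
            f"OPTION:  53 (  1) DHCP message type         {code} ({name})\n" + "-" * 75 + "\n")

SAMPLE = "".join(make_packet(*row) for row in [
    ("2018-02-20 01:38:01.018", "873f8bf4", "192.0.2.50", "0.0.0.0", 3, "DHCPREQUEST"),
    ("2018-02-20 01:38:01.018", "873f8bf4", "0.0.0.0", "0.0.0.0", 6, "DHCPNAK"),
    ("2018-02-20 01:38:01.018", "04e629f5", "0.0.0.0", "0.0.0.0", 1, "DHCPDISCOVER"),
    ("2018-02-20 01:38:07.141", "04e629f5", "0.0.0.0", "192.0.2.50", 2, "DHCPOFFER"),
    ("2018-02-20 01:38:09.149", "04e629f5", "0.0.0.0", "0.0.0.0", 3, "DHCPREQUEST"),
    ("2018-02-20 01:38:09.679", "04e629f5", "0.0.0.0", "192.0.2.50", 5, "DHCPACK"),
])
```

Calling `rejected_renewals(parse_dump(text))` on a saved capture gives one entry per refused renewal; a `same_address` of `True` next to a short `outage_s` shows the server refused to extend a lease it then re-issued unchanged.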


----------



## SirDice (Sep 4, 2018)

After a client receives an IP address from DHCP at the half-time of the lease the address is renewed. If this is successful the address is kept. If there's no response the renew is tried again at 3/4 of the lease time. And a final time at the end of the lease time. If there's no response from the DHCP server the client assumes the address isn't valid anymore and will remove it from the interface. This is how DHCP works regardless of OS. 

It sounds like the initial DHCP REQUEST works, but there's a problem with renewing the lease. Which is why it initially works but stops working after some time. 

Ask them what their DHCP lease time is. Don't assume it's 3 hours, it could be anything between 5 minutes and several days.

Looking at the responses you posted you can see the lease time is set by the server and you have it hard-coded in dhclient.conf. Because those numbers don't line up your renewal isn't handled at the appropriate times. I would suggest taking the advice at the top of that file, an empty file works for most people.


----------



## olav (Sep 4, 2018)

Their lease is 4 hours, I've tried different configuration with the lease time without any result. Even default / blank will cause the DHCPNAK to happen every second hour. I've even tried setting the lease to 1 minute, but then the internet is totally unusable.


----------



## SirDice (Sep 4, 2018)

With a lease time of 4 hours I expect a renew request at the 2 hour mark. Which is exactly what your FreeBSD client does. You shouldn't receive a DHCPNAK though, so that's definitely something wrong on their side. For some reason the server is denying the renewal. 

http://www.tcpipguide.com/free/t_DHCPLeaseRenewalandRebindingProcesses-2.htm


----------



## olav (Sep 4, 2018)

Thanks, section 10 with negative acknowledgement describes perfectly that the fault has to be on their side.
The only other thing I can think about causing this on my side, is the IPFW configuration. But I think it should be fine.


```
#!/bin/sh

#Quietly flush out rules
/sbin/ipfw -q -f flush

#Set command prefix (add "-q" option after development to turn on quiet mode)
cmd="/sbin/ipfw add"

# set outside and inside network interfaces
wan_if="bce1"
lan_if="bce0"
#ipmi_if="em3"

/sbin/ipfw nat 1 config if $wan_if unreg_only  \
                                   reset \
                                   redirect_port tcp 192.168.101.10:2222 22 

# Allow anything within the LAN - interface with heaviest traffic shall come first.
$cmd 10 allow ip from any to any via $lan_if
$cmd 20 allow ip from any to any via lo0
$cmd 40 allow ip from any to any via tun*

####### DHCP stuff
#
# you need this to be able to renew your DHCP lease from your ISP
$cmd 50 allow udp from any 67 to any 68 in recv $wan_if
#
#####

# Catch spoofing from outside.
$cmd 60 deny ip from any to any not antispoof in recv $wan_if
$cmd 64 deny ip from any to any 953 in recv $wan_if

# allow openvpn, dns and http to host
$cmd 80 allow udp from any to any dst-port 1194 in setup keep-state
$cmd 82 allow udp from any to any dst-port 53 in setup keep-state
$cmd 83 allow udp from any to any dst-port 53 out setup keep-state
$cmd 88 allow tcp from any to any dst-port 53 in setup keep-state
$cmd 89 allow tcp from any to any dst-port 53 out setup keep-state
$cmd 90 allow tcp from any to any dst-port 80 in setup keep-state
$cmd 92 allow tcp from any to any dst-port 443 in setup keep-state

# NAT rule for incoming packets.
$cmd 100 nat 1 ip4 from any to any in recv $wan_if
$cmd 101 check-state

# Rules for outgoing traffic - allow everything that is not explicitly denied.
$cmd 1000 deny ip from not me to any 25 out xmit $wan_if

# Allow all other outgoing connections.
$cmd 2000 skipto 10000 tcp from any to any out xmit $wan_if setup keep-state
$cmd 2010 skipto 10000 udp from any to any out xmit $wan_if keep-state

# Rules for allowing dial-in calls to services which are listening on a LAN interface behind the NAT
$cmd 6000 skipto 10000 tcp from any to any 22 in recv $wan_if setup keep-state

# NAT rule for outgoing packets.
$cmd 10000 nat 1 ip4 from any to any out xmit $wan_if

# Allow anything else, just in case IPFW is not configured as open firewall.
$cmd 65534 allow ip from any to any
```


----------



## sko (Sep 5, 2018)

It won't fix the actual problem, but maybe you can use that as a workaround:

Put a default lease in your dhclient.conf:

```
lease {
    interface "bce1";
    fixed-address <your IP>;
    option routers <gateway IP>;
}
```

Of course this would only work if you have a static IP that has to be acquired and kept active via DHCP. This is a rather stupid requirement for static IP connections, but sadly very common with business-lines from many ISPs here in Germany.
We've had problems with exactly one of those lines where the ISP's DHCP won't respond to DHCP requests without a prior discovery - hence leading to the lease timing out and losing the connection for a few seconds, which made our telephone system fail on a regular basis because it wouldn't automatically reconnect the SIP trunks...
Using the default/fallback lease in dhclient.conf (and completely axing the SIP connections after short disconnections) *mostly* worked around that problem until the ISP finally fixed their DHCP...


----------



## olav (Sep 5, 2018)

Wow nice, I didn't know you could do that. I will try that later tonight. It is a static ip, so I hope that will work!


----------



## sko (Sep 5, 2018)

Make sure to read the "LEASE DECLARATIONS" section of dhclient.conf(5), especially the 'renew' and 'rebind' statements might be needed!


----------



## olav (Sep 5, 2018)

Unfortunately it didn't work


----------



## ShelLuser (Sep 5, 2018)

When you say it 'hangs for 10 seconds' then what exactly do you mean by that?

For example: if you try to run `ping 8.8.8.8` does it take a while before the connection actually works?  Or if you try to visit a certain website does that stall for 10 seconds prior to getting the website?

What exactly is the output from `ifconfig` when this happens (before this happens)? Because if this is merely about a delay in access then I'm not really convinced yet that this is a DHCP related issue.


----------



## olav (Sep 5, 2018)

WAN communication is completely dead, it is especially annoying when playing an online video game.


----------



## ShelLuser (Sep 6, 2018)

WAN communication problems don't necessarily have to involve your Internet uplink, depending on the way you configured the WAN of course. Which leads up to the question how you set it up? OpenVPN or.... ?


----------



## olav (Sep 6, 2018)

It is just a DHCP client, which receives a static ip address from my ISP's DHCP server. The problem is, I can't extend the lease and have to renew the connection every second hour. That is why you see my DHCP client is running DHCPDISCOVER after it receives the DHCPNAK.


----------



## ShelLuser (Sep 6, 2018)

Why mention a WAN when you're merely talking about your Internet connection, so not a WAN? Also: in the OP you mentioned that the connection would hang for 10 seconds, but now you mention that it goes completely dead. That's quite a difference.

Stuff like that is not helping with trying to diagnose what could be going wrong here. I understand that you seem fully focused on DHCP but I'm still not fully convinced that this is actually causing your problems. I'm still a little skeptical about the configuration on the client side for example.

Which brings me to my earlier question: when a disconnect happens, what does `ifconfig` tell you? Did dhclient actually change the IP address or...  Also important: what does a network dump show when you're trying to access the Internet in that disconnected situation (assuming your IP didn't get reset)?

Any specific error messages on the box itself (for example when trying to ping 8.8.8.8)?


----------



## SirDice (Sep 6, 2018)

The ISP is simply screwing up the DHCP renewal. No amount of fiddling on the OP's side is going to change that fact. 



olav said:


> But they deny helping me and say that my operating system is unsupported.


Which operating systems do they support? Any Linux?


----------



## olav (Sep 6, 2018)

Like everyone else, they offer help with Windows. But they do have several Linux experts at second and third level support. They actually ran ISC-DHCP server a few years back, but now they changed to a proprietary DHCP server solution. Anyway the link you gave me earlier has a perfect explanation of how DHCP is supposed to work so I'm now working with escalating this issue to someone who can tell me why I get DHCPNAK.


----------



## SirDice (Sep 6, 2018)

I doubt it's going to make any difference but you could try net/isc-dhcp44-client instead of FreeBSD's own dhclient(8). That should be the same client as most Linux distributions use.


----------



## olav (Sep 6, 2018)

I've already tried that, no difference. But thanks for the suggestion.


----------



## SirDice (Sep 6, 2018)

olav said:


> I've already tried that, no difference.


Yeah, I didn't expect it to behave differently. But it's an argument you can use, because it's the same DHCP client as on Linux (which they do support).


----------

