Wednesday, April 24, 2013

Dealing with a rogue DHCP server

While working with virtual machines running on XenServer, I had one issue with the new machines not picking up their addresses from the DHCP server I was running but instead getting some strange addresses from somewhere else. As it was on a network I had no control over, I had to find a solution on the software side. Had I been able to access the network, configuring the switch would have been a much easier journey!

By the way, I would have expected the DHCP client to find that the closest DHCP server was my own, given that it was on the same switch. But it seems that the DHCP client was receiving a NAK packet from the rogue DHCP server before finishing the handshake with my DHCP server.

On the Web you will find plenty of forums and mailing lists where people explain how to block DHCP packets with iptables. It seems a good idea, except that it does not work! In the end you will find people explaining that DHCP packets are raw packets and can't be blocked by iptables. I also tried with ebtables but did not manage to block the DHCP packets. Tcpdump is very useful when troubleshooting these kinds of problems, to understand what is really going through the network interfaces.

In the end I switched the network configuration of XenServer to openvswitch instead of the Linux bridging capability and managed to get it working by applying some specific rules. I basically dropped all traffic from and to the rogue DHCP server's IP address. Finally! The rogue DHCP server was no more and the virtual machines were picking up the correct addresses!
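As an added example (not the post's own rules), here is one way to express that openvswitch fix as OpenFlow rules in ovs-ofctl syntax. It goes a step beyond the post: besides dropping everything from and to the known rogue IP, it only lets server-to-client DHCP packets (UDP 67 to 68) through when they come from the trusted server's MAC, so an unknown rogue is blocked too. The bridge name xenbr0, the trusted MAC 00:16:3e:00:00:01 and the rogue IP 192.0.2.50 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. All addresses are placeholders.
#
# Print one OpenFlow rule per line. Higher priority wins, so the order is:
#   300: server-to-client DHCP from the trusted server MAC -> forward
#   250: server-to-client DHCP from anyone else           -> drop
#   200: any IP traffic from or to the known rogue IP     -> drop (the post's fix)
#     0: everything else                                  -> normal L2 switching
# Client-to-server DHCP (UDP 68 -> 67) is untouched, so leases still work.
dhcp_guard_flows() {
    trusted_mac=$1
    rogue_ip=$2
    printf 'priority=300,udp,tp_src=67,tp_dst=68,dl_src=%s,actions=normal\n' "$trusted_mac"
    printf 'priority=250,udp,tp_src=67,tp_dst=68,actions=drop\n'
    printf 'priority=200,ip,nw_src=%s,actions=drop\n' "$rogue_ip"
    printf 'priority=200,ip,nw_dst=%s,actions=drop\n' "$rogue_ip"
    printf 'priority=0,actions=normal\n'
}

# Install the rules on a bridge; "ovs-ofctl add-flows BRIDGE -" reads them
# from stdin. With DRY_RUN=1 (or no ovs-ofctl on the box) the rules are only
# printed, which is also handy for review before touching a live bridge.
apply_dhcp_guard() {
    bridge=$1
    trusted_mac=$2
    rogue_ip=$3
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ovs-ofctl >/dev/null 2>&1; then
        dhcp_guard_flows "$trusted_mac" "$rogue_ip"
        return 0
    fi
    dhcp_guard_flows "$trusted_mac" "$rogue_ip" | ovs-ofctl add-flows "$bridge" -
}

# Usage (placeholders):
#   apply_dhcp_guard xenbr0 00:16:3e:00:00:01 192.0.2.50
#   ovs-ofctl dump-flows xenbr0      # confirm the rules and watch packet counters
```

Rules added with ovs-ofctl are not persistent across an Open vSwitch restart, so they need to be reapplied from a boot script; the n_packets counters in dump-flows show whether the drop rules are actually catching traffic.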