Strange entries in my log file

Pete Clarke pete at devilincarnate.eclipse.co.uk
Tue Jul 17 08:00:07 UTC 2007


Simon Hobson wrote:
> Pete Clarke wrote:
> 
>>>>  I am seeing quite a few of these entries in my log file:
>>>>  Jul 16 16:31:37 cholet dhcpd: type 7 from 4e via 70.70.73.69: unknown
>>>>  network segment
>>>>
>>>>  What do they mean?
>>>  Do you have a declaration for that subnet ?
>>>
>> Nope
>>
>> Only for 192.168.1.0/24 and a few 192.168.0.0/24 static entries...
> 
> Then your config doesn't match your network. You are obviously 
> getting packets from another subnet, you don't have a declaration 
> for that subnet, so you get log entries to tell you. Nothing strange 
> about that.
> 
>> The clients all plugged in/wirelessly associated work fine - just
>> wondered what those messages were all about ...
>>
>>
>> Sometimes I get DHCPOFFERS from other networks too ... which is odd..
> 
> Again, not odd, you have something in your network that is forwarding 
> packets which you didn't expect. You need to understand your network 
> before you can understand the services running on it.
> 
> 

Hmm ... this is a small, home network.
I have 2 subnets, one for the various servers running, and 1 for clients.

There are 2 internet connections, from 2 different providers, one has a
separate ipCop firewall protecting it, the other just uses the inbuilt
firewall on the router.

The 2 layer 3 router/switches that connect the various elements
together, both define helper addresses to point to the local DHCP server.


The simplified layout is like this:


---- ---- ----
|PC| |PC| |PC|
---- ---- ----
 |    |    | 192.168.1.0/24
--------------
|switch      |
--------------
    |
    | 192.168.0.0/24
    | 192.168.1.0/24
    | 192.168.2.0/24              192.168.2.2
--------------        -------      ---------
|lyr3 switch | ------ |ipCop| ---- |gateway| ---- Internet
--------------        -------      ---------
    |
    | 192.168.0.0/24
    | 192.168.1.0/24
--------------        -----------
|lyr3 switch | -------| gateway | ---- Internet
--------------        -----------
    |
    | 192.168.0.0/24
--------------
|fibre switch|
--------------
 |    |    |
---- ---- ----
|sv| |sv| |sv| 192.168.0.0/24
---- ---- ----


The 1st layer 3 switch has both 192.168.0.0/24 and 192.168.1.0/24 vlans
configured, the .0 is for the servers/management boxes, and the .1 is
for clients (wired/wireless).
The .2 is for client internet access.
The ipCop protected internet connection is for clients, it provides a
caching proxy, DansGuardian etc. for the Windows clients.
The other internet connection is just for things like port forwarding to
my live server(s), and for raw internet for the management box and so
the servers can automatically download OS updates (debian).

Both layer 3 switches have the DHCP server helper addresses configured,
and this works nicely - if I disable the helpers, the DHCPDISCOVER's get
to the server, but the DHCPOFFER's don't get back to the clients..(as
you'd expect).

I am assuming the rogue packets are coming in through the 2nd internet
connection, does that sound reasonable..?
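
Added example, not part of the original post: a small Python script that tallies dhcpd "unknown network segment" entries by the address after "via" and checks each against the two subnets the poster says are declared, which shows which relay address (or local interface) the undeclared traffic arrives through. Apart from the first line of the sample log, which is the entry quoted in the thread, the log lines, MAC addresses and the `eth0` interface name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subnets the poster says have declarations in dhcpd.conf.
DECLARED = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

# Matches both named message types (DHCPDISCOVER, ...) and numeric ones ("type 7").
LINE_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: (?P<msg>type \d+|[A-Z]+) from (?P<hw>\S+) "
    r"via (?P<via>\S+): unknown network segment"
)

# Constructed sample; only the first entry is taken from the thread.
SAMPLE_LOG = """\
Jul 16 16:31:37 cholet dhcpd: type 7 from 4e via 70.70.73.69: unknown network segment
Jul 16 16:40:02 cholet dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 192.168.2.1: unknown network segment
Jul 16 16:41:10 cholet dhcpd: type 7 from 4e via 70.70.73.69: unknown network segment
Jul 16 16:42:00 cholet dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0: unknown network segment
Jul 16 16:43:00 cholet dhcpd: DHCPDISCOVER from 00:11:22:33:44:77 via 192.168.1.1
"""


def classify(via):
    """Label the 'via' field: a relay address (giaddr) or a local interface name."""
    try:
        addr = ipaddress.ip_address(via)
    except ValueError:
        # Not an IP address: the packet arrived directly on a local interface.
        return "local-interface"
    if any(addr in net for net in DECLARED):
        return "declared"
    return "undeclared-private" if addr.is_private else "undeclared-public"


def summarize(log_text):
    """Count unknown-network-segment entries per (via, classification, message type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m["via"], classify(m["via"]), m["msg"])] += 1
    return counts


if __name__ == "__main__":
    for (via, kind, msg), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {via:15s}  {kind:18s}  {msg}")
```
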


