Blind DHCP server

2»

Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @PeterUK

    The ARP Check function is for checking IP address availability after “DHCP Request”.

    After enabled ARP Check function, it will send ARP request every time.

    1.png

    In your case, it is because ARP record has expired from your device.

    So before DHCP sends out ACK, it is send ARP request to check MAC address.

  • PeterUK
    PeterUK Posts: 3,577  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Its a bit misleading as you would think no ip dhcp arp_check means no ARP check at all which going by my first post should just work but its still checking the ARP.

    Would it be possible to make the no ip dhcp arp_check a ture DHCP only server? But I guess as long as I worked around it might not be a big deal.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @PeterUK

    In the current design, when DHCP ARP check is enabled, it will send out ARP request after receiving “DHCP Request” every time. (default setting is disabled)

    However, if client the MAC address is not recorded in ARP table, it will always send ARP request before send out DHCP ACK.

  • PeterUK
    PeterUK Posts: 3,577  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Ok so why not send the DHCP ACK without checking the ARP table what harm can that do? The DHCP Request is already saying “I'm here at this IP and MAC give me a ACK to renew my IP”.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @PeterUK

    The current system design is only able renew IP ARP table by ARP Request.

    So before sends out unicast(DHCP_ACK) to same broadcast subnet, the IP/ARP table of client is required.

  • PeterUK
    PeterUK Posts: 3,577  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited June 2019

    Yes thats the current system but I'm saying change it so that no ip dhcp arp_check really means no ARP check or checking the ARP table.

    If ip dhcp arp_check then it checks the ARP table.

    As I said my ISP never sends ARP to me with who has IP tell gateway IP.

    Like I said I worked around it with Mirror Interface of ARP packets from the clients to USG40 but would be nice if no ip dhcp arp_check worked without ARP checking.

    I just tried DHCP check with arp query: yes and found it on receiving a Discover send offer then receives request it sends ARP who has IP tell gateway to make sure its not in use before sending the ACK and I guess if the ARP reply comes back the same MAC as DHCP request that it allows the ACK.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @PeterUK

    Thanks for your suggestion of it.

    You are correct since DHCP Request included IP and MAC address. So DHCP should send out DHCP ACK directly without any ARP request.

    I will report it as idea.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)