New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wi-Fi Proxy ARP breaks poorly implemented DHCP clients #14309
Comments
I've observed it only on devices that use the official SDK for ESP8266. I think clients should do ICMP ping not ARP who has, its a flaw in their dhcp client implementation. Edit: to clarify, I think it's mentioned RFC... the client isn't following the spec properly |
how do they find dst mac for ping without who-has? |
Sorry, I had a wrong understanding of Gratuitous ARP, thanks for clearing that up @brada4 |
@Ambr051us I suggest configuring your DHCP server to always give those faulty devices a random IPv4 address as a workaround and a really short lease. |
Just disable ARP proxy as it reflects back gratuitous responses. Does not protect against those spoofed. |
@rany2 that would make it worse actually. The devices give up and settle for what they think is a duplicate IP address after about 10 minutes of discover-offer-ack-deny ping-pong. Making them renew the address they worked so hard to accept would be detrimental. |
Connect unencrypted device and observe traffic in the air. Unless it is clear what type of atypical ARP message locks up IoT it is impossible to fix. Once you have that message there is a slim hope to filter out killer packet with arptables+client isolation till hostapd gets improved. You will need 1x1 2.4ghz card on same channel in monitor mode. Like oldest laptop you are able to power on. |
Please test if this kernel patch helps: https://nbd.name/p/0d9379f6 |
@nbd168 I confirm the issue is resolved on my ESP8266 devices that have this problem. Thank you for fixing this! |
I'll definitely check too when I get home from work |
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
@nbd168 I ended up solving my problem by adding netfilter rules with the specific MAC addresses of the 2 misbehaving IP cameras that I own. Thanks @brada4 for pointing out that arptables exists :D |
You need to introduce new not-inet AF table then drop output response arp daddr eq ether daddr. It travels outside scope of fw4 inet table. |
I can't seem to get nft to accept any non-const expression on the right hand side of the |
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: #14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
Please also test the latest version of the patch that I pushed to OpenWrt. Compared to the earlier version, it fixes an issue with neigh entry refcounting. |
@nbd168 Works fine, I already tested the patchwork version as well. rany2/openwrt@b4e9e23 |
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: #14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit c1ad783)
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: NipaLocal <nipa@local>
… same There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Link: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> Acked-by: Dave Taht <dave.taht@gmail.com> Signed-off-by: NipaLocal <nipa@local>
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit c1ad783)
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit c1ad783)
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit c1ad78318c3e6421e60dd187477f38ca5f9a5752)
There are broken devices in the wild that handle duplicate IP address detection by sending out ARP requests for the IP that they received from a DHCP server and refuse the address if they get a reply. When proxyarp is enabled, they would go into a loop of requesting an address and then NAKing it again. Fixes: openwrt/openwrt#14309 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit c1ad78318c3e6421e60dd187477f38ca5f9a5752)
Describe the bug
The "Proxy ARP" feature of hostapd (tested with wpad-wolfssl and wpad-mbedtls) breaks DHCP duplicate address detection on some clients. DHCP clients are supposed to send out an "ARP Who Has" message with the IP address offered to them. IF this so-called "Gratuitous ARP request" gets a response, that means the offered address is already in use and the client sends a DHCPDECLINE. There are some poor implementations out there (many of which are closed-source of course), which send a DHCPACK very quickly after the gratuitous ARP request, maybe even before it. (I assume that hostapd only starts answering ARP requests on behalf of clients once it has seen a DHCPACK or some ARP packet indicating the address being in use, so the bug technically happens on the clients here). This can lead to hostapd answering the gratuitous ARP causing the client to decline the address it just ACK-ed and try again.
I'm opening this because it's easier to fix hostapd than all the bad DHCP implementations that are already out in the wild. What hostapd does (sending an ARP response on behalf of a client to the same client) is not violating any spec strictly speaking, but it would be sane not to do. I'm not familiar with the hostapd codebase and not even sure whether it has an actively maintained upstream (Wikipedia lists 3 actively maintained implementations). I've run into the issue using OpenWRT so I came here, I hope someone knows where the "if requesting MAC address matches the proxy response's MAC address, don't send the proxy response" condition can be added to the code.
OpenWrt version
r23630-842932a63d
OpenWrt release
23.05.2
OpenWrt target/subtarget
mediatek/mt7622
Device
Xiaomi Redmi Router AX6S
Image kind
Official downloaded image
Steps to reproduce
Actual behaviour
An infinitely repeating cycle of DHCPDISCOVER -> DHCPOFFER -> DHCPACK -> Proxy_ARP response to gratuitous request -> DHCPDECLINE
Expected behaviour
Never answering ARP requests with the same address as the requester
Additional info
No response
Diffconfig
No response
Terms
The text was updated successfully, but these errors were encountered: