netbsd-users: A strange problem involving PF and DHCP and an ethernet ADSL modem

Subject: A strange problem involving PF and DHCP and an ethernet ADSL modem
To: None <netbsd-users@netbsd.org>
From: Mark Cullen <mark.r.cullen@gmail.com>
List: netbsd-users
Date: 06/16/2006 01:05:48

Hi all,

I have switched to NetBSD, with only one hiccup ( which was my own silly 
mistake ;) ).

I am having a slight problem with PF and dhclient, and my ADSL modem. I 
can't really explain it to well, so the low down is: every so often 
(once a day?!) my connection dies. The ADSL modem sends a 'DHCPNAK' 
(don't know why exactly yet):

---
Jun 16 00:27:15 bone dhclient: DHCPREQUEST on fxp1 to 192.168.0.1 port 67
Jun 16 00:27:15 bone dhclient: DHCPACK from 192.168.0.1
Jun 16 00:27:15 bone dhclient: bound to 88.96.18.86 -- renewal in 52 
seconds.
Jun 16 00:28:07 bone dhclient: DHCPREQUEST on fxp1 to 192.168.0.1 port 67
Jun 16 00:28:07 bone dhclient: DHCPNAK from 192.168.0.1
Jun 16 00:28:07 bone dhclient: DHCPDISCOVER on fxp1 to 255.255.255.255 
port 67 interval 4
---

and then dhclient will sit forever in a loop of:

---
Jun 16 00:53:51 bone dhclient: DHCPDISCOVER on fxp1 to 255.255.255.255 
port 67 interval 8
Jun 16 00:53:59 bone dhclient: DHCPDISCOVER on fxp1 to 255.255.255.255 
port 67 interval 3
Jun 16 00:54:02 bone dhclient: No DHCPOFFERS received.
Jun 16 00:54:02 bone dhclient: No working leases in persistent database 
- sleeping.
---

over and over and over. It won't pick up an address again unless I do a 
`dhclient -r` followed by a `dhclient fxp1`.

What's weird about this is that PF is logging the following at the same 
times as DHCP stops working (192.168.0.1 is the modem's ip address):

---
00:28:07.015564 rule 0/0(match): block in on fxp1: IP 192.168.0.1.67 > 
255.255.255.255.68: BOOTP/DHCP, Reply, length: 548
---

even though I have a rule in pf which should be allowing this to pass 
through, or at least I think:

---
pass quick on $ext_if proto tcp from 192.168.0.1 port 67 to any port 68 
keep state
---

Is there anything wrong with this rule that I am missing? Perhaps PF 
isn't allowing 255.255.255.255 'by default' and there is some option to 
change the behaviour? Obviously I don't particularly want to have to 
restart dhclient every single day when it dies, so any help would be 
really hugely appreciated!!

Thanks in advance,
Mark