[Kea-users] Using DHCP Relays

Simon dhcp1 at thehobsons.co.uk
Fri Jan 20 14:44:36 UTC 2023


Stefan G. Weichinger <lists at xunil.at> wrote:

> It seems I have to rebuild my DHCP setup.

I suggest “rebuild” is a strong word - modify would be more appropriate.


> So it seems I have to remove the VLAN interfaces and somehow use a DHCP relay (on the existing pfsense) for each of the VLANs.
> 
> What I don't yet understand: how to assign requests coming from VLAN X to the matching subnet X on Kea?
> 
> I read something around "circuit ID" and "agent ID" here:
> 
> https://docs.netgate.com/pfsense/en/latest/services/dhcp/relay.html

Ignore circuit-id and agent-id, they are a fairly advanced configuration relating to identifying individual ports on a switch, or subscribers on a WAN system. They are not required at all for what you want.

You will simply need to configure a relay agent on each network (technically, collision domain) to be served. These are typically configured on routers for convenience, but that is not required and it can be any device as long as it’s in the same broadcast domain as the clients to be served.
If KEA is not explicitly configured with a subnet (or shared-network) to local interface mapping, then the config will not need modifying.

How it works is:
When the relay agent identifies a broadcast DHCP packet on the remote network, it captures it, modifies it by adding “Agent-ID” (typically its interface IP address on the remote network), and then forwards it to the server(s) configured (typically as unicast packet(s)).
When the server gets the packet, it sees that the Agent-ID field is filled in and uses this to identify the network to which the client is connected - the logic is basically the same as using the IP address of the local interface in the case of locally connected clients.
When the server has assembled the reply packet (offer or acknowledge), it sends it to the address in the Agent-ID field of the incoming packet.
The relay agent picks it up, and broadcasts it on the client's network.
The client receives it just as though it was from a local server.

For renewals, the client will unicast its renewal request to the IP of the server, and the server will reply directly - the relay agent is not involved with this. For this reason, the clients and server(s) must be able to address IP packets between them.

TL;DR
Change nothing on your DHCP server config.
Configure DHCP relay agent for each remote network - ensuring that the relay agent uses the correct IP address for the Agent-ID for each network. This should be automagic but I have heard of some systems with “interesting” issues in this area.
It should “just work”.


One issue I can think of ...
Is pfsense (I assume it’s doing your routing) running on this box or a different one? If it’s on a different box then all you’ll need to do is configure the relay agent and remove the interface from the DHCP server. If it’s on the same box, then things get a bit more “interesting”. Can you answer this?



Simon
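The relayed exchange Simon walks through above, as an added worked example that is not part of the original post and is not code from Kea or pfSense. The field he calls “Agent-ID” is the giaddr field of the fixed DHCPv4 header; the model below has the relay stamp it, the server pick the subnet from it and unicast the OFFER back to it, and a directly attached client handled by the receiving interface instead. The server address, the two VLAN subnets, the relay addresses and the pools are invented for the example, and the subnet-selection rule is a simplified form of the one Kea applies (giaddr, else ciaddr, else the interface the packet arrived on).

```python
"""Model of the relayed DHCPv4 exchange: the relay stamps giaddr, the server
selects the subnet from it and unicasts the reply to that address, the relay
rebroadcasts on the client LAN. Constructed example; not Kea or pfSense code."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header, network order
SERVER_IP = "192.0.2.10"             # assumed address of the Kea box


def ip2b(a):
    return ipaddress.IPv4Address(a).packed


def b2ip(b):
    return str(ipaddress.IPv4Address(b))


def pack(op, hops, xid, ciaddr, yiaddr, giaddr, mac, msg_type):
    """Build a DHCPv4 packet carrying only the message-type option (53)."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0,
                      ip2b(ciaddr), ip2b(yiaddr), ip2b("0.0.0.0"), ip2b(giaddr),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def unpack(data):
    """Parse the fixed header and the option list back into a dict."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                       # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return dict(op=f[0], hops=f[3], xid=f[4], ciaddr=b2ip(f[7]), yiaddr=b2ip(f[8]),
                giaddr=b2ip(f[10]), mac=f[11][:6], msg_type=opts[53][0])


def relay_forward(data, relay_iface_ip):
    """Relay agent on the client LAN: stamp giaddr with its own address on that
    LAN (unless an upstream relay already set it) and bump hops; the result is
    what gets unicast to the server."""
    p = unpack(data)
    if p["giaddr"] == "0.0.0.0":
        p["giaddr"] = relay_iface_ip
    p["hops"] += 1
    return pack(**p)


class Server:
    def __init__(self, subnets):
        # subnet -> list of free pool addresses (constructed data)
        self.pools = {ipaddress.ip_network(n): list(p) for n, p in subnets.items()}

    def select_subnet(self, pkt, recv_iface_ip):
        # Simplified form of the rule Kea applies: relayed packets are matched
        # by giaddr, renewing clients by ciaddr, directly attached clients by
        # the address of the interface the packet arrived on.
        if pkt["giaddr"] != "0.0.0.0":
            key = pkt["giaddr"]
        elif pkt["ciaddr"] != "0.0.0.0":
            key = pkt["ciaddr"]
        else:
            key = recv_iface_ip
        addr = ipaddress.ip_address(key)
        for net in self.pools:
            if addr in net:
                return net
        raise LookupError(f"no subnet configured for {key}")

    def handle(self, data, recv_iface_ip):
        """Answer a DISCOVER with an OFFER; return (reply bytes, destination IP)."""
        pkt = unpack(data)
        if pkt["msg_type"] != DHCPDISCOVER:
            raise ValueError("only DHCPDISCOVER is modelled here")
        net = self.select_subnet(pkt, recv_iface_ip)
        offered = self.pools[net].pop(0)
        reply = pack(BOOTREPLY, pkt["hops"], pkt["xid"], "0.0.0.0", offered,
                     pkt["giaddr"], pkt["mac"], DHCPOFFER)
        # Reply goes to the relay that stamped giaddr, else broadcast locally.
        dest = pkt["giaddr"] if pkt["giaddr"] != "0.0.0.0" else "255.255.255.255"
        return reply, dest


def demo_server():
    # Assumed layout: two VLANs behind pfSense (relay at .1 on each) and the
    # server's own LAN, which needs no relay.
    return Server({"10.10.10.0/24": ["10.10.10.100", "10.10.10.101"],
                   "10.10.20.0/24": ["10.10.20.100"],
                   "192.0.2.0/24": ["192.0.2.100"]})


def discover(server, mac, relay_ip=None, xid=0x2A2A):
    """One DISCOVER/OFFER round trip, through a relay if relay_ip is given.
    Returns (subnet the server picked, offered address, where the OFFER went)."""
    pkt = pack(BOOTREQUEST, 0, xid, "0.0.0.0", "0.0.0.0", "0.0.0.0", mac, DHCPDISCOVER)
    if relay_ip:
        pkt = relay_forward(pkt, relay_ip)       # now a unicast to SERVER_IP
    net = server.select_subnet(unpack(pkt), SERVER_IP)
    offer, dest = server.handle(pkt, SERVER_IP)
    # A relay receiving the OFFER on `dest` (its own interface) rebroadcasts it
    # on the client LAN; the client sees it as if from a local server.
    return str(net), unpack(offer)["yiaddr"], dest


if __name__ == "__main__":
    s = demo_server()
    print(discover(s, b"\xaa\xbb\xcc\x00\x00\x01", relay_ip="10.10.20.1"))
    print(discover(s, b"\xaa\xbb\xcc\x00\x00\x02"))
```

The point the model makes for the pfSense case: the only thing the server keys on is the address the relay puts in giaddr, so a relay that stamps the wrong interface address (the “interesting” issue Simon mentions) lands the client in the wrong subnet or in no subnet at all, which is worth checking in the Kea log when a VLAN gets no offers.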


