[Kea-users] Using DHCP Relays

Stefan G. Weichinger lists at xunil.at
Sat Jan 21 07:03:36 UTC 2023


On 20.01.23 at 15:44, Simon wrote:
> Stefan G. Weichinger <lists at xunil.at> wrote:
> 
>> It seems I have to rebuild my DHCP setup.
> 
> I suggest “rebuild” is a strong word - modify would be more appropriate.

You are right, yes ;-)

> Ignore circuit-id and agent-id, they are a fairly advanced configuration relating to identifying individual ports on a switch, or subscribers on a WAN system. They are not required at all for what you want.

ok

> You will simply need to configure a relay agent on each network (technically, collision domain) to be served. These are typically configured on routers for convenience, but that is not required and it can be any device as long as it’s in the same broadcast domain as the clients to be served.
> If KEA is not explicitly configured with a subnet (or shared-network) to local interface mapping, then the config will not need modifying.
> 
> How it works is :
> When the relay agent identifies a broadcast DHCP packet on the remote network, it captures it, modifies it by adding “Agent-ID” (typically its interface IP address on the remote network), and then forwards it to the server(s) configured (typically as unicast packet(s)).
> When the server gets the packet, it sees that the Agent-ID field is filled in and uses this to identify the network to which the client is connected - the logic is basically the same as using the IP address of the local interface in the case of locally connected clients.
> When the server has assembled the reply packet (offer or acknowledge), it sends it to the address in the Agent-ID field of the incoming packet.
> The relay agent picks it up, and broadcasts it on the client's network.
> The client receives it just as though it was from a local server.
> 
> For renewals, the client will unicast its renewal request to the IP of the server, and the server will reply directly - the relay agent is not involved with this. For this reason, the clients and server(s) must be able to address IP packets between them.

Good to know. So there has to be a specific firewall rule for that in 
each VLAN.

> TL;DR
> Change nothing on your DHCP server config.
> Configure DHCP relay agent for each remote network - ensuring that the relay agent uses the correct IP address for the Agent-ID for each network. This should be automagic but I have heard of some systems with “interesting” issues in this area.
> It should “just work”.

You answered my open questions, thank you very much. I didn't yet know 
how the requests would be matched with the configured subnets etc ... I 
was *assuming* that the relay IP might play a role. Now I know that, 
this gives me confidence to start modifying things.

> One issue I can think of ...
> Is pfsense (I assume it’s doing your routing) running on this box or a different one ? If it’s on a different box then all you’ll need to do is configure the relay agent and remove the interface from the DHCP server. If it’s on the same box, then things get a bit more “interesting”. Can you answer this ?

different box

I will start by stopping one of my 2 kea-nodes, and then remove the VLAN 
interfaces on the remaining one. Plus enable the DHCP-relay, plus adding 
that fw-rule.

In kea I have to remove the various vlan-interfaces and edit the subnets 
to all listen on the same and only LAN-interface.

That should do it ... looking forward to trying that.

thanks!
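The relay flow Simon walks through above, as an added example that is not part of the thread and not Kea code: a small model of the DHCPv4 fixed header (RFC 2131 layout) in which a relay stamps the giaddr field (what the thread calls "Agent-ID") and the hops counter, and a server picks the subnet from giaddr, then from ciaddr for a unicast renewal, then from the address of the interface the packet arrived on. The subnets, addresses, interface names and the hop limit are constructed for the example; the selection order is a simplification of what a real server does, used here to show why the relay address alone is enough to match a relayed client to its subnet.

```python
"""Model of DHCPv4 relaying and subnet selection (added example, not Kea code).

Constructed for illustration: three subnets, a server on the LAN, and two
relayed VLANs. Only the fixed BOOTP header is modelled; options are omitted.
"""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16)
HEADER = "!BBBBIHH4s4s4s4s16s"
HEADER_LEN = struct.calcsize(HEADER)  # 44 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed topology (assumption): server sits on "lan", VLANs are relayed.
SUBNETS = {
    ipaddress.ip_network("10.0.0.0/24"): "lan",
    ipaddress.ip_network("10.0.20.0/24"): "vlan20",
    ipaddress.ip_network("10.0.30.0/24"): "vlan30",
}


def build(op, xid, *, ciaddr="0.0.0.0", giaddr="0.0.0.0", hops=0,
          mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a fixed DHCPv4 header; yiaddr/siaddr stay zero for brevity."""
    return struct.pack(HEADER, op, 1, 6, hops, xid, 0, 0,
                       ipaddress.IPv4Address(ciaddr).packed, b"\0" * 4, b"\0" * 4,
                       ipaddress.IPv4Address(giaddr).packed, mac.ljust(16, b"\0"))


def parse(pkt):
    f = struct.unpack(HEADER, pkt[:HEADER_LEN])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "ciaddr": ipaddress.IPv4Address(f[7]),
            "giaddr": ipaddress.IPv4Address(f[10]), "chaddr": f[11][:6]}


def relay(pkt, relay_addr, server_addr, max_hops=4):
    """Relay agent on the client's segment: set giaddr only if it is still zero
    (a relay closer to the client wins), bump hops, unicast to the server.
    max_hops is a constructed limit; it stops packets that loop between relays."""
    h = parse(pkt)
    if h["hops"] >= max_hops:
        return None
    giaddr = h["giaddr"] if int(h["giaddr"]) else ipaddress.IPv4Address(relay_addr)
    out = bytearray(pkt)
    out[3] = h["hops"] + 1          # hops byte
    out[24:28] = giaddr.packed      # giaddr field
    return {"dst": ipaddress.IPv4Address(server_addr), "pkt": bytes(out)}


def select_subnet(h, ingress_addr):
    """giaddr first (relayed client), then ciaddr (unicast renewal), then the
    address of the server interface the packet arrived on (local client).
    A selector that matches no subnet yields None rather than falling through,
    so a relay stamping a wrong address cannot be served from the LAN pool."""
    for candidate in (h["giaddr"], h["ciaddr"], ipaddress.IPv4Address(ingress_addr)):
        if int(candidate) == 0:
            continue
        for net, name in SUBNETS.items():
            if candidate in net:
                return name
        return None
    return None


def serve(pkt, ingress_addr):
    """Server side: pick the subnet, then address the reply the way the thread
    describes: to giaddr if relayed, straight to ciaddr on a renewal, otherwise
    broadcast on the local link."""
    h = parse(pkt)
    subnet = select_subnet(h, ingress_addr)
    if subnet is None:
        return None
    if int(h["giaddr"]):
        dst = h["giaddr"]
    elif int(h["ciaddr"]):
        dst = h["ciaddr"]
    else:
        dst = BROADCAST
    reply = build(BOOTREPLY, h["xid"], giaddr=str(h["giaddr"]), hops=h["hops"],
                  mac=h["chaddr"])
    return {"subnet": subnet, "dst": dst, "pkt": reply}


def relay_reply(reply, relay_addr):
    """Reply reaches the relay because the server unicast it to giaddr; the relay
    re-broadcasts it on the client's segment. A reply whose giaddr is not this
    relay's address is not ours to forward."""
    h = parse(reply)
    if h["op"] != BOOTREPLY or h["giaddr"] != ipaddress.IPv4Address(relay_addr):
        return None
    return {"dst": BROADCAST, "xid": h["xid"]}
```

The renewal case is the one that needs the per-VLAN firewall rule mentioned in the thread: with giaddr zero and ciaddr set, the server answers the client's unicast directly, so client-to-server and server-to-client unicast must pass between the VLAN and the LAN. In Kea terms, the plan in this message maps to listing only the LAN interface under `interfaces-config`, dropping the per-subnet `"interface"` selector so relayed subnets are matched by giaddr instead, and, if a relay stamps an address that is not inside the subnet it serves, listing that address in the subnet's `"relay": { "ip-addresses": [...] }`.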


