I'm relatively new to OpnSense (migrated over from pfSense after being disappointed in their release cadence). I have my setup working pretty much the way I want. I generally use all static DHCP on my network so I can better understand what is going on when problems arise. However, the other day, I noticed that on my primary LAN pool, while I have a pool of addresses defined (none of which are currently in use), if I alter the MAC address on one of my static entries so my device now has to get an IP address dynamically from the pool, I never get allocated an address.
Is there some setting in KeaDHCP to prevent the use of pools? I've poked through the GUI but don't see any settings that would appear to cause this functionality. Is this a defect in 26.1.4? It's certainly possible I have just missed this issue for a while. As I said, most devices on my network have a static DHCP Reservation associated with them.
Yeah, if I switch my Reservation MAC back to match my device, voila, it comes right up. I've tested on multiple devices: if they ask for a DHCP address without matching a Reservation KeaDHCP knows about, they get ignored. If I have a Reservation set up for the device, it works fine. My subnet is a class C and my pool goes from .11 to .40, so there should be plenty of addresses for it to dole out, if necessary.
Not sure if it matters but I don't have ISC DHCP installed anymore. I also have multiple subnets defined that are each on different VLANs. The subnet I am trying to use is the "default" LAN subnet. I believe this used to work, but it's been a while since I might have even noticed. I'm not intentionally trying to do anything to prevent the use of DHCP IP pools.
Sorry for so many spam messages here. I believe I figured out part of the issue. On the Leases DHCPv4 tab, it is showing that KeaDHCP has doled out all addresses in the pool. I guess it makes sense why it can't dole out any new ones. I am confused what these leases are though. One of them appears to be valid and has a hostname associated with my wife's phone (and a lifetime of 4000, the configured value of "valid lifetime"). The rest all have a large lifetime of 86400 and no hostnames or MAC addresses associated with any of them. Why would KeaDHCP dole out an address to a device without a MAC address?
A trick: you can leave the pool in a subnet empty (don't specify a range in it), then you can work with reservations only.
I understand why someone might want to only allow reserved MACs on their network (with this issue, that is essentially where I am at now) but I am not interested in being that tight with my security. I am trying to figure out why OpnSense has doled out all my pool addresses seemingly to devices not on my network (none of them have hostnames or MAC addresses associated with them). I can reboot my router when I get a chance (after work) but this seems like a pretty bad "bug"/unintended consequence of something. Anytime KeaDHCP doles out an IP address, there should be a MAC address associated with it, regardless of being a reservation (static) or not. Am I missing something?
Kea uses client identifiers by default. If you have some device that spams a lot of these, they get a lease for each of them.
You can turn that behavior off in each subnet:
Match client-id
By default, KEA uses client-identifiers instead of MAC addresses to locate clients, disabling this option changes back to matching on MAC address which is used by most dhcp implementations.
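A small triage script tying the lease observations in the question (one normal lease with the configured 4000 s lifetime, the rest MAC-less with 86400 s) to the client-id explanation above. It is an added example, not code from the thread or from OPNsense/Kea: it parses a lease dump and reports how much of the .11-.40 pool is held by leases that carry no hardware address. The CSV column layout is assumed to follow Kea's memfile backend (kea-leases4.csv); the rows are constructed.

```python
"""Triage a Kea DHCPv4 lease dump: is the pool exhausted, and by what?"""
import csv
import io
import ipaddress

# Column layout assumed to follow Kea's memfile backend (kea-leases4.csv);
# the rows themselves are constructed, not taken from the poster's system.
HEADER = "address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state"

def build_sample():
    """One normal lease plus 29 MAC-less leases filling the .11-.40 pool."""
    rows = [HEADER,
            "192.168.1.11,aa:bb:cc:dd:ee:01,01:aa:bb:cc:dd:ee:01,4000,1700004000,1,0,0,phone,0"]
    for i in range(12, 41):
        # no hwaddr, a fresh client-id per lease, and a lifetime that is not the subnet's 4000
        rows.append(f"192.168.1.{i},,ff:00:00:00:00:{i:02x},86400,1700086400,1,0,0,,0")
    return "\n".join(rows) + "\n"

def triage(csv_text, pool_start, pool_end, configured_lifetime):
    """Summarise pool usage and flag leases that look like client-id churn."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    pool_size = int(end) - int(start) + 1
    in_pool = mac_less = odd_lifetime = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = ipaddress.ip_address(row["address"])
        if not (start <= addr <= end) or row["state"] != "0":
            continue  # outside this pool, or not in the default (active) state
        in_pool += 1
        if not row["hwaddr"]:
            mac_less += 1  # lease keyed on client-id only, no MAC recorded
        if int(row["valid_lifetime"]) != configured_lifetime:
            odd_lifetime += 1  # lifetime does not match the subnet's setting
    return {"pool_size": pool_size, "in_use": in_pool, "free": pool_size - in_pool,
            "mac_less": mac_less, "odd_lifetime": odd_lifetime}

if __name__ == "__main__":
    print(triage(build_sample(), "192.168.1.11", "192.168.1.40", 4000))
```

A pool that is full of MAC-less leases with a lifetime the subnet never hands out is the signature to look for; on a real box, point the script at the exported lease file instead of `build_sample()`.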
I appreciate the suggestion but I already have that turned off.
Then you probably have misconfigured vlans.
Check if your setup follows the best practice for them:
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
I run a complex HA setup with many vlans, lagg and trunk and managed switches and KEA works fine with no weird things going on. I assume it's a configuration or infrastructure issue on your end.