Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Rookie24

Pages1
#1
High availability / Re: CARP + BSD dhcrelay causes duplicate ACKs – Suggest replacing with ISC dhcrelay
August 26, 2025, 02:37:20 PM
Update: I've received a response from the core team confirming that ISC dhcrelay is deprecated upstream and will not be supported in OPNsense.

However, they acknowledged PR #8714 and confirmed it's still a potential path forward, albeit currently not prioritized.
#2
High availability / CARP + BSD dhcrelay causes duplicate ACKs – Suggest replacing with ISC dhcrelay
July 25, 2025, 02:00:49 PM
Hi OPNsense Team and Community,

after extensive testing and analysis in a production-like environment, I would like to raise awareness of a critical issue involving `dhcrelay` in combination with CARP.

==========================
🧩 Problem Description
==========================

When running OPNsense in HA with CARP and enabling the built-in `dhcrelay` service (BSD-based), the system exhibits unstable DHCP relay behavior:

- Both CARP nodes forward DHCPDISCOVER messages simultaneously
- Clients receive multiple DHCPOFFERs and DHCPACKs
- Race conditions: leases are refused or misconfigured
- Backup nodes forward traffic they shouldn't – even in BACKUP state

The issue stems from the fact that the current `dhcrelay` is not CARP-aware and cannot suppress itself when not the active node.

==========================
🧪 Workaround
==========================

Running `isc-dhcrelay` on a dedicated Linux VM eliminates the problem entirely:

- Only one instance is active
- Clean forwarding of DHCP across VLANs
- No duplicate traffic or race conditions

==========================
⚙️ Feature Request
==========================

I would like to propose:

1. Integrate `isc-dhcrelay` as an alternative in OPNsense (optional via GUI or plugin)
2. Allow selection between BSD-based and ISC-based relay
3. Eventually deprecate the BSD relay if it can't be made CARP-aware

Alternatively:

- Allow relay suppression on BACKUP via CARP hooks or devd triggers
- Document safe HA relay strategies within OPNsense

==========================
🧪 Test Environment
==========================

- OPNsense 24.1 / 24.7 (RC)
- CARP HA setup with shared VIP
- Central DHCP server (Windows / Kea)
- Relay on VLANs, reproducible issues with `tcpdump`

I'm happy to assist with logs, traces or help test future solutions.
Thank you for your great work on OPNsense!

Best regards, 
Rookie24
Pages1