Issue with Kea DHCP server

Started by coatmaker618, October 15, 2025, 04:39:08 PM

I have a new OPNSense install that I am setting up, and one of the new things I'm doing is using Kea as the DHCP server instead of the (apparently now defunct per https://docs.opnsense.org/manual/isc.html#isc-dhcp) ISC.

So far I really like Kea from a GUI perspective, it's much more straightforward and clear than ISC so I'd prefer to keep using it. However I am not getting DHCP assigned on my LAN. Interestingly, I am seemingly getting DHCP addresses on the VLANs (at least from a preliminary look). I know everything is set up correctly as setting a static IP on my desktop (on the LAN) works perfectly.

To confuse things further I went to Kea's logs and did a few searches which seem to indicate that it is seeing a DHCP request from my desktop and trying to issue a DHCP lease to it -- at least per my reading of the logs.  I've attached the results of a search of the desktop MAC (which is not getting an IP via DHCP).

It turns out that while setting up I did unintentionally activate dnsmasq, but that has been stopped and OPNSense has been rebooted so I hope that's now just a red herring.

Post your interface assignments and IPs, Kea settings and subnets.

Quote from: coatmaker618 on October 15, 2025, 04:39:08 PM
I have a new OPNSense install that I am setting up, and one of the new things I'm doing is using Kea as the DHCP server instead of the (apparently now defunct per https://docs.opnsense.org/manual/isc.html#isc-dhcp) ISC.

So far I really like Kea from a GUI perspective, it's much more straightforward and clear than ISC so I'd prefer to keep using it. However I am not getting DHCP assigned on my LAN. Interestingly, I am seemingly getting DHCP addresses on the VLANs (at least from a preliminary look). I know everything is set up correctly as setting a static IP on my desktop (on the LAN) works perfectly.

To confuse things further I went to Kea's logs and did a few searches which seem to indicate that it is seeing a DHCP request from my desktop and trying to issue a DHCP lease to it -- at least per my reading of the logs.  I've attached the results of a search of the desktop MAC (which is not getting an IP via DHCP).

It turns out that while setting up I did unintentionally activate dnsmasq, but that has been stopped and OPNSense has been rebooted so I hope that's now just a red herring.

Quote from: pfry on October 15, 2025, 07:20:57 PM
Post your interface assignments and IPs, Kea settings and subnets.

Is there any easy way to export those? I only ask as screenshots are kind of tough with the low filesize limit.

Quote from: coatmaker618 on Today at 03:27:00 AM
Is there any easy way to export those? I only ask as screenshots are kind of tough with the low filesize limit.

Heh. Not that I know of. I'm not an image-editing wizard, and I have bad eyes to boot. But it's tough to speculate without your config. I didn't see anything in the log that stood out.

Quote from: coatmaker618 on Today at 03:27:00 AM
Is there any easy way to export those? I only ask as screenshots are kind of tough with the low filesize limit.

Plenty of screenshots have been posted here without issues around file size. You can reduce size if needed while keeping it screen-viewable.

I use Kea so would try to help if I could see the settings.
Deciso DEC697

Quote from: pfry on Today at 04:32:29 AM
Quote from: coatmaker618 on Today at 03:27:00 AM
Is there any easy way to export those? I only ask as screenshots are kind of tough with the low filesize limit.

Heh. Not that I know of. I'm not an image-editing wizard, and I have bad eyes to boot. But it's tough to speculate without your config. I didn't see anything in the log that stood out.

Hah, fair enough. Turns out it may be a red herring after all!

I just tried the old ISC DHCP server on the LAN interface and the desktop is STILL not getting a DHCP address.  I've used that DHCP server enough to be reasonably comfortable with it, so I think it's pretty unlikely I did anything wrong there. Besides, now I have two DHCP servers not working!

So I'm thinking it must be something common, as in not the DHCP server itself but some other router setting? I'm at a loss, but I can give you the list of VLANs if that'll help, or (probably easier) delete most of them and re-add them once I have this working.

Here's what I can piece together. I've disabled a bunch of entries just for the sake of testing but it's still problematic.

You should check the log file in Services: Kea DHCP: Log File; be sure to set the log level in the pull-down box to informational.

Also, do you see Kea listening on the expected interfaces when you run the command below from the SSH CLI, as in this example?

root@OPNsense:~ # sockstat -ln | egrep -ai 'user|:67'
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
0        kea-dhcp4  19321 15  udp4   10.0.1.138:67         *:*
root@OPNsense:~ #
OPNsense 25.7.4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, sftp-backup plugins. limited kea DHCP server deployment.

The total logfile is a bit long (a little over 5k lines, but I did a search for the MAC of my desktop as well as the MAC of a server getting a static assignment successfully via DHCP) so you can see the results of each.  I guess I've been restarting the server a lot while debugging!

Per the command request:
root@OPNsense02:~ # sockstat -ln | egrep -ai 'user|:67'
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
0        kea-dhcp4  73038 15  udp4   192.168.1.3:67        *:*
0        kea-dhcp4  73038 17  udp4   192.168.2.3:67        *:*
0        kea-dhcp4  73038 19  udp4   192.168.3.3:67        *:*
0        kea-dhcp4  73038 21  udp4   192.168.10.3:67       *:*
0        ntpd       32097 23  udp6   fe80::5a47:caff:fe79:6752%igc0:123 *:*


These are just a couple of things I noticed and which caused me to pause. It is not an analysis but a couple of queries which may or may not matter.

In Kea(2).log it simply keeps offering 192.168.1.40 with no apparent reply, but why do the offers appear to be coming from 192.168.1.3 when your implied gateway in Kea Subnets is 192.168.1.1 (192.168.1.1/24)?

In your Kea(3).log you have a warning DHCPSRV_LEASE_SANITY_FAIL where it thinks subnet ID 4 should be subnet ID 3 (lines 4-27 of your log). This is described in Kea docs as:
Quote
This warning message is printed when the lease being loaded does not match the configuration. Due to lease-checks value, the lease will be loaded, but it will most likely be unused by Kea, as there is no subnet that matches the IP address associated with the lease.
It then appears to allocate successfully from 192.168.10.3
Deciso DEC697

Today at 03:31:15 PM #10 Last Edit: Today at 04:18:58 PM by coatmaker618
Ahhh, I can explain. So the 192.168.x.y is a format I'm using. The x represents the subnet, easy enough. The y is 3 for the router since there's a long-term goal of using this router in a HA/failover setup. I did set up CARP on each interface to be the .1 address but I turned that off days ago as it adds more complexity to troubleshooting.

But that's why you're seeing a strange number choice. I can turn CARP back on (or reboot yet again) if that would help (eg: if something is looking for .1 -- it shouldn't be a problem since this is the only router so it's always master/main on the CARP interface). But I hope that helps explain the strange IPs you're seeing (.3 for a router).

Note that this is the same on 192.168.1.y & 192.168.10.y

Also, is 'implied gateway' just because a.b.c.1 is the started gateway or is it stated somewhere in the log/settings? I didn't see it, but I sure could be looking right at it and missing it.