DHCPv4 and multiple subnets

[tofaz]

Hi all,

I'm currently running FreeBSD with PF as my current firewall and I'm using ISC-DHCPD as the DHCP server for all my networks. Since my core switch is taking care of the internal VLANs routing, then there is a /30 link to connect to the firewall.

With the setup above my DHCP server is configured with multiple subnets (not directly connected to it) and the core switch is relaying DHCP request from all the networks.

I'm thinking to switch back to OPNsense but I see that is not possible to assign multiple subnets to the DHCP scope if they're not directly assigned to it. Looking around I've seen few posts here and there in regards to the "issue" and a PR ticket on GitHub that never got resolved.

Does anyone know if this feature will ever appear in any future OPNsense release? They are using the same DHCP daemon so I'm not sure where the limitation is on the OPNsense side.

Thank you!
tofaz

[tofaz]

Up

[Gauss23]

Can you show us an example of your existing config (FreeBSD host)?
And maybe you can post a link to that PR on GitHub?

[tofaz]

Code Select Expand


authoritative;
default-lease-time 7200;
max-lease-time 14400;

subnet 172.16.200.0 netmask 255.255.255.252 {
}

# TOFA network

subnet 172.16.100.0 netmask 255.255.255.0 {
  range 172.16.100.150 172.16.100.250;
  option domain-name-servers 172.16.200.1;
  option domain-name "tofanos.com";
  option routers 172.16.100.254;
  option subnet-mask 255.255.255.0;
  option tftp-server-address 172.16.100.40;
}

# LAB1 network

subnet 172.16.101.0 netmask 255.255.255.0 {
  range 172.16.101.200 172.16.101.250;
  option domain-name-servers 172.16.200.1;
  option domain-name "lab1.tofanos.com";
  option routers 172.16.101.254;
  option subnet-mask 255.255.255.0;
}

Here the link to the PR: https://github.com/opnsense/plugins/issues/1105

[mimugmail]

You have to Install Freeradius Plugin an use the DHCP service there (prior disable the other one)

[tofaz]

Thanks for the tip!

I tried and the freeradius daemon doesn't even start, with nothing present in the log. I will dig in more later when I'll have time.

But for OPNsense DHCPD do you know why the same daemon doesn't have a functionality implemented? I'm sure lots of companies have this scenario in their infrastructures.

[mimugmail]

Lack of the DHCP software itself.

Via CLI

radiusd -x

[tofaz]

> Lack of the DHCP software itself.

FreeRadius or ISC-DHCPD? If the second one it works like a charm on its own.

[mimugmail]

> Lack of the DHCP software itself.

FreeRadius or ISC-DHCPD? If the second one it works like a charm on its own.

No, it cant handle subnets which are not connected, in fact the FreeBSD version. No idea about Linux

[tofaz]

It does, the config I have posted above is isc-dhcp44-server-4.4.2_1 on FreeBSD 12.2 and I have leases in 2 networks using one network interface and 1 subnet defined.

You just need to at least declare the attached network, even without a pool of addresses.

[mimugmail]

Ah ok, had it wrong in my mind, was nearly 2 years ago I implemented it with FR

[tofaz]

OPNsense 20.7.4 has the same ISC-DHCPD version so I am not sure why it lacks of a standard functionality.

[mimugmail]

I think it would require a lot of work for code refactoring.

[tofaz]

I guess it due to the unification of config/lease files and GUI because OPNsense runs the same daemon. Maybe it's the way the GUI needs to show the different leases in different subnets.

[mimugmail]

Yes, noone wants to touch this legacy code and there are really few requests for sicj effort. The addition to freeradius was really small compared to this.