24.1 - DHCP server moves to KEA - implications?

Started by chemlud, January 19, 2024, 01:40:26 PM

January 19, 2024, 01:40:26 PM Last Edit: January 19, 2024, 01:42:41 PM by chemlud
Hi!

No 24.1 board yet, so posting in 23.7 forums.

I read in the release notes for 24.1 RC1:

ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

It would be quite helpful to know which problems might arise from this, and which use cases might not be covered when moving to 24.1. Is a new installation recommended for 24.1 due to this?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

The old DHCP still exists; you are not "mandated" to switch to Kea.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Yes, ISC remains the same. There are a lot of tweaks and advanced extras in ISC that don't have immediate equivalents in Kea so it's going to be a slow crawl towards feature parity if that will even ever be reached (expecting some older advanced ISC features are no longer in use).

Created the board for 24.1 now and moved this here.


Cheers,
Franco

Hi and thanks for clarifications. If I use, let's say, MAC-reserved IPs for different IPs and not much more, what will the process of transition to KEA look like?

Install the new KEA plugin (?) and move (manually? automagically?) my current DHCP config to the new plugin?

Many thanks in advance.
kind regards
chemlud

Dynamic leases "just work". There is an interface for static reservations that I have not yet tested.

What's definitely missing, at least from the UI, are custom options like "Unifi Controller address" etc.
Only:

- gateway
- DNS server
- NTP server
- TFTP server

are offered in the pool settings.

Registration of dynamic leases in Unbound works - yeah!  :)

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

There's a cosmetic bug which becomes visible with WiFi devices when power saving is enabled, and you'll end up seeing multiple entries in the leases tab for the same device even though the previous lease is valid. The issue is already reported on GH.

Static reservations work fine, one just needs to pay attention to the VLAN the entry is created on.


There were no plans for migrating the existing DHCP data to Kea as far as I know.


Kea and the old client can run in parallel on different vlans. Simply disable the old server on a vlan, copy all reservations/useful data to a text editor, go to Kea and set up the vlan in Subnets, add the Reservations, then to Settings to have Kea run on the interface.

Should there be a need, disable Kea on the interface and reenable it on the other side.
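The "copy all reservations to a text editor" step above is the one that is easy to get wrong by hand when there are many MAC-reserved IPs. The following is an added example (not OPNsense or Kea project code) that pulls `host` blocks out of an ISC `dhcpd.conf` and emits them in Kea's own `reservations` syntax (`hw-address`, `ip-address`, `hostname`), which are exactly the fields the Kea Reservations page asks for; the sample config is constructed, and hosts without both a MAC and a `fixed-address` are listed for manual review instead of being guessed.

```python
"""Convert ISC dhcpd.conf host reservations to Kea DHCPv4 reservations.

Added example, not OPNsense or Kea project code. Assumes the plain
`host { hardware ethernet ...; fixed-address ...; }` form that ISC uses
for MAC-reserved IPs; anything else is skipped and reported.
"""
import json
import re

# Constructed sample in ISC dhcpd.conf syntax (not taken from a real system).
SAMPLE_DHCPD_CONF = """
subnet 192.168.63.0 netmask 255.255.255.0 {
  range 192.168.63.100 192.168.63.200;
  option routers 192.168.63.1;
}
host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.63.10; }
host nas {
  hardware ethernet AA:BB:CC:DD:EE:FF;
  fixed-address 192.168.63.11;
  option host-name "nas";
}
host broken { fixed-address 192.168.63.12; }
"""

HOST_RE = re.compile(r"host\s+(?P<name>[\w.-]+)\s*\{(?P<body>[^}]*)\}", re.S)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")
IP_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def isc_hosts_to_kea(conf: str):
    """Return (reservations, skipped). Reservations use Kea's hw-address /
    ip-address / hostname keys; skipped lists host names that lack a
    usable MAC or fixed-address and need a manual look."""
    reservations, skipped = [], []
    for m in HOST_RE.finditer(conf):
        name, body = m.group("name"), m.group("body")
        hw, ip = HW_RE.search(body), IP_RE.search(body)
        mac = hw.group(1).lower() if hw else None
        if mac is None or not MAC_RE.match(mac) or ip is None:
            skipped.append(name)
            continue
        reservations.append({"hw-address": mac, "ip-address": ip.group(1), "hostname": name})
    return reservations, skipped

def kea_subnet_json(subnet: str, reservations) -> str:
    """Wrap the reservations in a minimal Kea Dhcp4 subnet4 fragment."""
    return json.dumps({"subnet4": [{"subnet": subnet, "reservations": reservations}]}, indent=2)

if __name__ == "__main__":
    res, skipped = isc_hosts_to_kea(SAMPLE_DHCPD_CONF)
    print(kea_subnet_json("192.168.63.0/24", res))
    print("skipped (check manually):", skipped)
```

The JSON is Kea's native format; in OPNsense you would still enter the rows through the Kea UI, but the output gives you a checked list to type from rather than a raw config dump.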

I am running into an issue where I configure a DHCPv4 subnet with a DNS server IP other than the opnsense IP, save the subnet, and when I view the subnet the DNS server has been overwritten as the opnsense server IP.  I can confirm that the opnsense server IP is being handed out by kea.

@bbin
you have to uncheck Auto collect option data in the subnet settings

@Patrick M. Hausen
How do you get the leases to register in Unbound?
I stopped ISC and started Kea, reserved leases come in, but Unbound won't resolve them.

Quote from: sofax on January 20, 2024, 08:01:03 PM
@Patrick M. Hausen
How do you get the leases to register in Unbound?
I stopped ISC and started Kea, reserved leases come in, but Unbound won't resolve them.
Disabled ISC DHCPv4, enabled Kea DHCP, created subnet, pool etc.

Service > Unbound DNS > General > Register DHCP Static Mappings [X]

Pull cable from my Mac, plug back in.

I then got a successful DNS lookup for <my Mac>.localdomain - but seemingly I cannot reproduce it just right now. Hmmm ...

Quote from: Patrick M. Hausen on January 20, 2024, 10:35:11 PM
...

OK, I did the same; I unchecked and checked both options (leases and static) in Unbound and restarted Unbound, but it won't work.
Maybe you still had remnants of ISC in the Unbound host entries.

I tried using kea without luck so far... Even though I disabled the ISC server on my vlan 630, stopped and started ISC to make sure it frees up the listening on port 67 on 192.168.63.1 but kea still complains it's unable to start properly

WARN [kea-dhcp4.dhcpsrv.0x83359d000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface ix1_vlan630, reason: failed to bind fallback socket to address 192.168.63.1, port 67, reason: Address already in use - is another DHCP server running?


Checking netstat, I see *:67 so I guess ISC is listening on *:67 and prevents kea from running side-by-side.

Still trying to see if there is a way around this...

When Kea starts (I stopped ISC first) it properly binds to only the IP it needs to:

udp4       0      0 192.168.63.1.67        *.*

But if I stop Kea and start ISC (even though it's not enabled on all interfaces) it binds to everything and thus blocks Kea from working:

udp4       0      0 *.67                   *.*

Binding to things is a bit of a grey area for DHCP servers.
You might find out that ISC binds to a low-level socket that handles all DHCP packets, regardless of whether it should or not. Which is the reason we found it impossible to run multiple ISC DHCP servers on one host.
In KEA it is possible to disable that behaviour, but I'm not sure if that actually works in a non-relay environment.

In short, it might be that it is not a good idea to run multiple DHCP servers on one host, depending on the specific implementation in opnsense and your network.
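The `*.67` versus `192.168.63.1.67` lines quoted above are the whole story of the clash: a wildcard UDP listener on port 67 makes any later per-address bind on that port fail with "Address already in use". The following added example (not OPNsense or Kea code) parses FreeBSD `netstat -an` lines in that format and reports which existing sockets would block a planned bind, so the check can be run before flipping a VLAN from ISC to Kea; the netstat excerpt is constructed.

```python
"""Spot a DHCP socket clash before starting a second server.

Added example, not OPNsense code. Parses FreeBSD `netstat -an` UDP lines
(the format shown in the thread) and reports whether a planned bind on
<address>:<port> would fail because another socket already covers it.
"""
# Constructed netstat -an excerpt (not from a real box): ISC holding the
# wildcard on 67, plus unrelated listeners. Kea's per-address bind on
# 192.168.63.1.67 is what we are about to attempt.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
udp4       0      0 *.67                   *.*
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 *.547                  *.*
"""

def split_bsd_sockaddr(text: str):
    """'192.168.63.1.67' -> ('192.168.63.1', 67); '*.67' -> ('*', 67).
    BSD netstat uses '.' as the port separator, so split on the last dot."""
    host, _, port = text.rpartition(".")
    return host, int(port)

def udp4_listeners(netstat_output: str):
    """Return [(local_addr, port)] for every udp4 line in the output."""
    out = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "udp4":
            out.append(split_bsd_sockaddr(fields[3]))
    return out

def bind_conflicts(listeners, addr: str, port: int):
    """Listeners that make bind(addr, port) fail with EADDRINUSE (no
    SO_REUSEADDR): a wildcard on the same port collides with any address,
    and a specific address collides only with that same address."""
    return [(h, p) for h, p in listeners
            if p == port and (h == "*" or h == addr or addr == "*")]

if __name__ == "__main__":
    clashes = bind_conflicts(udp4_listeners(SAMPLE_NETSTAT), "192.168.63.1", 67)
    if clashes:
        print("bind on 192.168.63.1:67 would fail; port held by:", clashes)
    else:
        print("192.168.63.1:67 is free")
```

On a live OPNsense box, feed it `netstat -an -p udp` output; an empty result for the Kea address means only that the UDP bind will succeed, not that ISC's raw socket has stopped seeing the interface's DHCP traffic, which is the grey area franco describes.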

I've run into an issue with it. Now I'll be honest, I forget how ISC works, and I'm not sure how it's been implemented into opnsense. Does it fork for each interface?

A concern I have is that I have 3 active internal interfaces. Maybe I'm old school, but I was trying to figure out how to set it up per interface, and then I realized, you just put them all into one line. It gives me anxieties, and I wonder... anyone assess it for possibilities of it leaking all of the subnets it serves? I don't offsec as great as i want to. Or... great at all. By ANY context of the word. 🫢

I did hit a problem with it. It was only serving my LAN interface, despite having the appropriate subnets entered. I can tear into it, but is there by chance someone who's already done it? I went back to ISC right now because I was down nearly all day. Fwiw, I had just done a clean, fresh install of 23.7 before changing to the dev branch. I had an anomalous routing issue that was preventing one of my interfaces from having a functional WAN connection, and it was easier to reinstall than continue tearing apart the config. Note: there are still some issues with configuring opnsense using a combination of console and webui. I'll document those this weekend if I have time.

Regarding:
Quote: Binding to things is a bit of a grey area for DHCP servers.

When did this become a thing? Most modern daemons that are likely to have bindings for segmented services are either expected to run multiple instances (granted, most of the time it's dockerized) or fork themselves for each configured instance.

Quote: In short, it might be that it is not a good idea to run multiple DHCP servers on one host, depending on the specific implementation in opnsense and your network.

I assume that a majority of opnsense deployments are currently serving DHCP to more than one interface. It's highly probable. It's kind of a thing that an advanced router would be desired for. I'm asking this with all sincerity. Do you have alternate suggestions for serving multiple interfaces that would allow it to be brought up or down easily on that interface (with settings preserved)? I'd appreciate a better understanding, also, of why binding it to the interface is a grey area. It's just that I've never heard that. But opnsense is the only software I've ever had to run FreeBSD for, so I'm pretty ignorant on BSD particularities. I use just about every flavor of Enterprise Linux (RHEL/CentOS/Fedora/Rocky/Alma/etc.) and Debian or Ubuntu when I have to (thankfully Docker has saved me from that mostly). Anyway, I'd love to hear more on this please.

Btw, I do understand the need to transition, and it might make configuration simpler for many people. I understand the UI isn't in its final form yet either. But DHCP is one of those things you expect to "just work", and when it doesn't, and you can't find a logical reason, it's frustrating. I'll give it a try again this weekend at 2am when I'm the only one awake, and I'm not blaming anyone or angry about it, I'm... I guess I'm disappointed by Kea so far. But I've never used it. I'll deep dive it and hopefully it won't feel like a regression.