24.1 - DHCP server moves to KEA - implications?

[tessus]

There were no plans for migrating the existing DHCP data to Kea as far as I now.

This certainly is a deal breaker. I do have more than 50 DHCP Static Mappings on about 20 VLANs. I am not really inclined to recreate all of them manually.

[sorano]

Then don't lol.

Current DHCPB is not going away (yet).


I'm very happy to see them implement KEA as it's the way.

[Patrick M. Hausen]

I was about to make the switch in my home lab when I found you cannot even serve the domain name to clients. Sorry, that is not going to fly.

[GrantSquirt8415]

Hello all,
Upgraded from 23.7.12 to 23.7.12_5 and then immediately to 24.1_1.
Running 4 physical interfaces with separate networks on each, 2 wan, 2 lan with DCHP service.
Switched from ISC to Kea DHCPv4
Transitioned to the Kea DHCPv4 service was simple but seems to be an all or nothing issue.
Attempting to get Kea listening on interface 1 would not work with ISC DHCPv4 listening on interface 2 (seems the ISC DHCPv4 server locks the port on all interfaces).
Once I had both subnets defined (you can do them separately for clarity) and disabled the ISC DHCPv4 instances Kea was able to start as per the logs and as per GUI.
I would be happy to test the Kea implementation further.
Thanks

[jonny5]

Have not attempted to use the new KEA

Have used ISC to do static reservations, and enable the Dynamic DNS feature to external BIND (Primary & Secondary), and finally just got all of the /24 subnetting squared away necessary for the Reverse DNS portion of the protocol to do its thing (/24s for each zone). All subnets populating, no syslog errors for DHCP registrations (also cleared up my pools - the static assigned used / dynamic pool space)!

This is to comment excitement for the new feature, I've been interested in using an IPAM, and setting up details that allow auto subnetting / DHCP pool expressions - seems this might enable that future quite nicely.

Of current transition to KEA primary need is:

• serve domain name
• serve domain suffix search
• enable dynamic dns with config of master bind, domain key, more or less the dynamic dns functionality that exists for ISC in OPNSense now

There's probably a reasonable list of features others have used for BOOTP/etc. though I'm not trying to swim in that pool that deep right now and cannot comment to their use or have any testability in that space.

[bimbar]

DHCPd opens a raw interface on all network interfaces. I don't think it is possible (at least with ISC DHCPd) to use two different DHCP daemons on one host simultaneously.

[franco]

DHCPd opens a raw interface on all network interfaces. I don't think it is possible (at least with ISC DHCPd) to use two different DHCP daemons on one host simultaneously.

Correct for ISC-DHCP.

[SFC]

Kea and the old client can run in parallel on different vlans. Simply disable the old server on a vlan, copy all reservations/useful data to a text editor, go to Kea and set up the vlan in Subnets, add the Reservations, then to Settings to have Kea run on the interface.

Should there be a need, disable Kea on the interface and reenable it on the other side.

But how are you associating VLAN >> Subnet?  Does it just guess based on the interface IP address?  I don't see any option to associate a subnet to a VLAN in the Kea config whereas ISC there's a direct mapping to VLAN/Interface >> DHCP Subnet.

[newsense]

DHCPd opens a raw interface on all network interfaces. I don't think it is possible (at least with ISC DHCPd) to use two different DHCP daemons on one host simultaneously.

Correct for ISC-DHCP.

As previously stated, ISC-DHCP and KEA can run in parallel on different interfaces. I've done the transition on production systems with no downtime - as follows:


1) Create Subnet and Reservations for VLAN X in Kea

2) Go to ISC DHCP and disable it on VLAN X -- leaving it running on the other VLANs

3) Go to Kea and enable VLAN X in Settings

4) Validate and continue with the next VLAN in scope were Kea can run without missing any ISC functionality


QED :)

[doug.dimick]

I am unable to set the correct DNS server in the subnet configuration. I input the correct IP address for my DNS server, which is not on OPNsense, save & apply, but when I go back into the subnet configuration screen, the IP address has been overwritten with that of the OPNsense LAN interface. I have not tested any further to see what address would actually be provided to the client, though. Bug?

[newsense]

Untick Auto collect option data on the subnet

[MandyBaxter]

To the original question --
You'll need adjust your ruleset for UDP 67 & 68 on whichever interface(s) you expect to support. Apparently, OPNsense automatically sets up a rule for ISC dhcpd when it's enabled on an interface, but not for KEA dhcpd. (In the logging, the ISC rule shows up with the label "allow access to DHCP server").

On missing features --
OPNSense's web interface for KEA doesn't cover logging options. (Or, if it does, I haven't found it yet.) Remote syslog to a centralized server is kinda key. Mr. Google helpfully finds examples on how to set this up manually for KEA. So, it seems the KEA dhcpd has this capability.

[newsense]

To the original question --
You'll need adjust your ruleset for UDP 67 & 68 on whichever interface(s) you expect to support. Apparently, OPNsense automatically sets up a rule for ISC dhcpd when it's enabled on an interface, but not for KEA dhcpd. (In the logging, the ISC rule shows up with the label "allow access to DHCP server").

It is coming in 24.1.1, it can be added now if needed:

https://github.com/opnsense/core/commit/b1685d8e467d755fa1cf7203a82b63f2a115cb05

Code Select Expand

opnsense-patch b1685d8

[agh1701]

I was about to make the switch in my home lab when I found you cannot even serve the domain name to clients. Sorry, that is not going to fly.

Has anyone tried kea and verified that it does not serve the routers domain name?  Even thou it is not configurable in kea.

[antonym]

I tried using kea without luck so far... Even though I disabled the ISC server on my vlan 630, stopped and started ISC to make sure it frees up the listening on port 67 on 192.168.63.1 but kea still complains it's unable to start properly

Code Select Expand

WARN [kea-dhcp4.dhcpsrv.0x83359d000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface ix1_vlan630, reason: failed to bind fallback socket to address 192.168.63.1, port 67, reason: Address already in use - is another DHCP server running?


Checking netstat, I see *:67 so I guess ISC is listening on *:67 and prevents kea from running side-by-side.

Still trying to see if there is a way around this...

I have multiple vlans and was getting the same type of error messages. What worked for me was stopping the ISC DHCP service and then starting the KEA DHCP service. Before shutting down ISC DHCP service (clicking the red square button) I only disabled the particular VLAN interface within ISC DHCP that I wanted to test in KEA DHCP. I thought that was enough but it wasn't because ISC DHCP was still running and binding to the VLAN interface eventhough I had disabled listening on it in ISC DHCP.