24.1 - DHCP server moves to KEA - implications?

Started by chemlud, January 19, 2024, 01:40:26 PM

Quote from: h3krn on March 26, 2024, 01:03:59 PM
It's far from perfect, but I hope someone finds this useful?

https://gist.github.com/h3krn/17c6610281e585d6b4efb43d1395802d

Grtz, Harm

Thank you very much! This is the most missing feature of KEA DHCP for me. You should try to upstream this into OPNsense.
I adjusted it a little bit because it gave me double domain for some hosts: https://gist.github.com/pkejval/49ff234bb81da59fde6ca1b03f4d4240/revisions

Thanks for the feedback pkejval. I already found several more issues with my version.
- when kea cleans the memfile, the inode nr does not change. So the tailing stops.
- sending a break, stops csv.dictreader from tailing the file.
- need to add parsing of the kea config to assign the correct dns domain to a range.

I'll try to improve over time, but for now it's a WiP. Once I have something that's actually running, we can try to get it upstream.


Quote from: pkejval on April 12, 2024, 07:34:37 AM
Quote from: h3krn on March 26, 2024, 01:03:59 PM
It's far from perfect, but I hope someone finds this useful?

https://gist.github.com/h3krn/17c6610281e585d6b4efb43d1395802d

Grtz, Harm

Thank you very much! This is the most missing feature of KEA DHCP for me. You should try to upstream this into OPNsense.
I adjusted it a little bit because it gave me double domain for some hosts: https://gist.github.com/pkejval/49ff234bb81da59fde6ca1b03f4d4240/revisions

@pkejval, I've just posted an update to my gist that should tackle points 1 and 2.

Now I need to add some logic to parse the kea dhcp ranges to pull the dns domains.

Quote from: h3krn on April 12, 2024, 09:50:13 AM
Thanks for the feedback pkejval. I already found several more issues with my version.
- when kea cleans the memfile, the inode nr does not change. So the tailing stops.
- sending a break, stops csv.dictreader from tailing the file.
- need to add parsing of the kea config to assign the correct dns domain to a range.
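
An added example, not taken from either gist: one way to follow a Kea lease CSV so that an in-place rewrite (same inode, as described in the first point above) does not stop the tailing, plus a helper that avoids the double-domain result and rejects client-supplied hostnames that are not valid DNS names. `LeaseTail`, `fqdn`, the sample rows and the column layout are assumptions for illustration.

```python
import csv
import io
import os
import re

# Constructed sample; the column layout is assumed, the code reads it from the file.
HEADER = ("address,hwaddr,client_id,valid_lifetime,expire,subnet_id,"
          "fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id\n")
SAMPLE = HEADER + "192.0.2.10,02:00:00:00:00:01,,7200,1712900000,1,1,1,laptop,0,,0\n"

NAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                     r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*")


class LeaseTail:
    """Follow a lease CSV; start over when it is replaced or truncated in place."""

    def __init__(self, path):
        self.path, self.offset, self.inode, self.fields = path, 0, None, None

    def poll(self):
        st = os.stat(self.path)
        # Same inode but a size below our offset means the file was rewritten.
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset, self.fields = st.st_ino, 0, None
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
        end = chunk.rfind(b"\n") + 1  # leave a half-written last line for later
        self.offset += end
        text = chunk[:end].decode("utf-8", "replace")
        rows = [r for r in csv.reader(io.StringIO(text)) if r]
        if rows and self.fields is None:
            self.fields, rows = rows[0], rows[1:]
        return [dict(zip(self.fields, r)) for r in rows]


def fqdn(hostname, domain):
    """Return host.domain, or None for names unfit for DNS (client-supplied data)."""
    host = hostname.strip().rstrip(".").lower()
    domain = domain.strip(".").lower()
    if not NAME_RE.fullmatch(host):
        return None
    if host.endswith("." + domain):  # client already sent an FQDN: no double domain
        return host
    return f"{host}.{domain}"
```

A rewrite that has already grown past the saved offset before the next `poll()` is not detected by the size check, so poll more often than the cleanup interval or also compare the modification time.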

May 06, 2024, 10:26:41 PM #63 Last Edit: May 06, 2024, 10:28:45 PM by kinch
In pfSense 24.03 you can easily switch the DHCP backend from ISC to KEA (and vice versa) with 2 clicks. I wish OPNsense would implement something similar. Reservations and so on are still in place.

see attachment.


Quote from: kinch on May 06, 2024, 10:26:41 PM
In pfSense 24.03 you can easily switch the DHCP backend from ISC to KEA (and vice versa) with 2 clicks.

I heard more nuanced feedback from this approach to be honest, but I agree it is easy from a user perspective as long as it works. ;)

However, it's never easy especially with DHCP being one of the most complex pieces of code in the projects and people having discussed how to get rid of this code for over a decade already.


Cheers,
Franco

I have struggled getting Kea HA to work - it seems it only works for me, when I configure the Peer/HA ports to be the same as the Control Agent port. (contrary to what the GUI says).

When I run the CA on port 8000 and the Peers on port 8001, I can connect to the Peer HA port with telnet/curl from the local device only - it does not work from the remote/partner device. The traffic is not blocked by the firewall.

I can confirm with netstat -a that it is listening on port 8001, but it does for some strange reason not work...

Running everything on port 8000 works like a charm.

Quote from: h3krn on April 12, 2024, 09:50:13 AM
Thanks for the feedback pkejval. I already found several more issues with my version.
- when kea cleans the memfile, the inode nr does not change. So the tailing stops.
- sending a break, stops csv.dictreader from tailing the file.
- need to add parsing of the kea config to assign the correct dns domain to a range.

I'll try to improve over time, but for now it's a WiP. Once I have something that's actually running, we can try to get it upstream.


Quote from: pkejval on April 12, 2024, 07:34:37 AM
Quote from: h3krn on March 26, 2024, 01:03:59 PM
It's far from perfect, but I hope someone finds this useful?

https://gist.github.com/h3krn/17c6610281e585d6b4efb43d1395802d

Grtz, Harm

Thank you very much! This is the most missing feature of KEA DHCP for me. You should try to upstream this into OPNsense.
I adjusted it a little bit because it gave me double domain for some hosts: https://gist.github.com/pkejval/49ff234bb81da59fde6ca1b03f4d4240/revisions

Sadly this script breaks v6 leases (still dhcpd)

Did ISC reveal the reason they are abandoning software that works in favour of something that's incomplete and buggy?

I am guessing they have a new generation of developers who don't want to work on the old code so it's the typical solution of rewriting.

Please don't remove ISC DHCP from future builds of OPNsense.
OPNsense 25.1

Kea isn't incomplete and buggy. It's the integration of Kea into OPNsense that is completely new and therefore work in progress. One might debate if shipping it at this early stage was a clever move or not. Anyway it will "just" take more work and I am quite sure DHCPd won't be removed before Kea is ready for production (in OPNsense).

As for ISC's reasons:

https://www.isc.org/kea/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I've been running Kea on the latest business edition since May 10th.

2 VLANs
18 static reservations. Zero issues with those devices staying on those reservations, btw.

The only issue I have noticed is if I change my wireless MacBook from Vlan1, my primary VLAN, to the IoT VLAN, stay on that network briefly, then move back to the primary VLAN. I do not get an IP address.. kind of a problem!

I have been tinkering around with lease time, and changed it to 28800 from 7200, which was the default previous OPNsense ISC lease time (at least from what I have read/searching online).

we shall see

Quote from: Patrick M. Hausen on June 10, 2024, 08:38:50 AM
As for ISC's reasons:

https://www.isc.org/kea/

I'm somewhat alarmed by KEA having 'premium (commercial/paid) extensions'. How does the OPNsense team look at this? Don't we risk more and more extensions being made paid options over time once people have switched over from ISC?
In theory there is no difference between theory and practice. In practice there is.

> Kea isn't incomplete and buggy.

If you don't count the premium stuff in their shop as being "incomplete open source" then yes. I'm also sure there are more bugs and oddities than ISC DHCP has at the moment (or simply documentation oversights). But exposure is rare due to the limited feature set presented in the GUI.

We did plan to offer DHCP options and the code is ready, but it doesn't work with the service for one reason or another:

https://github.com/opnsense/core/pull/7361#issuecomment-2112933052

> I'm somewhat alarmed by KEA having 'premium (commercial/paid) extensions'.

Not a fan personally. We just have to see how this will develop in the future.

We did discuss deprecation of ISC and some day some year it may move to plugins and keep working there for a long time if things do not improve considerably. I expect the rest of the open source world to follow the same approach.


Cheers,
Franco

It may sound like a dumb question, but what if you use dnsmasq for DHCP?
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Yes. The main argument against it is the lack of HA support and the feature set is much more condensed.


Cheers,
Franco

Quote from: hansen97124 on March 14, 2024, 06:39:55 AM
EDITED: I figured it out!!

Previously, I had a problem with KEA DHCP reservations being ignored. (several posts above)

Simple mistake. For subnet I entered

192.168.1.0/24 instead of
192.168.1.1/24

I honestly thought it needed to be "zero" at the end, and not "one" for subnet name. The docs section for KEA DHCP even uses 192.168.1.0/24 as the prime example.

Maybe someone may be able to explain why mine has to be 192.168.1.1/24 in order to get reservations to work. <please>

Live and learn. Back to using KEA DHCP.

Thanks all for the help!!

FWIW, this problem appears to be fixed, at least in my 24.1.10 test installation, KEA honors a static reservation in my 192.168.102.0/24 subnet.