KeaDHCP dynamic DHCP question

Started by stauf, Today at 04:23:57 PM

I'm relatively new to OPNsense (migrated over from pfSense after being disappointed in their release cadence). I have my setup working pretty much the way I want. I generally use all static DHCP on my network so I can better understand what is going on when problems arise. However, the other day, I noticed that on my primary LAN pool, while I have a pool of addresses defined (none of which are currently in use), if I alter the MAC address on one of my static entries so my device now has to get an IP address dynamically from the pool, I never get allocated an address.

Is there some setting in KeaDHCP to prevent the use of pools? I've poked through the GUI but don't see any settings that would appear to cause this functionality. Is this a defect in 26.1.4? It's certainly possible I have just missed this issue for a while. As I said, most devices on my network have a static DHCP Reservation associated with them.

Yeah, if I switch my Reservation MAC back to match my device, voila, it comes right up. I've tested on multiple devices: if they ask for a DHCP address without matching a Reservation KeaDHCP knows about, they get ignored. If I have a Reservation set up for the device, it works fine. My subnet is a class C and my pool goes from .11 to .40, so there should be plenty of addresses for it to dole out, if necessary.

Not sure if it matters, but I don't have ISC DHCP installed anymore. I also have multiple subnets defined that are each on different VLANs. The subnet I am trying to use is the "default" LAN subnet. I believe this used to work, but it's been a while since I might have even noticed. I'm not intentionally trying to do anything to prevent the use of DHCP IP pools.

Today at 04:51:45 PM #3 Last Edit: Today at 04:53:41 PM by stauf
Sorry for so many spam messages here. I believe I figured out part of the issue. On the Leases DHCPv4 tab, it is showing that KeaDHCP has doled out all addresses in the pool. I guess it makes sense why it can't dole out any new ones. I am confused about what these leases are, though. One of them appears to be valid and has a hostname associated with my wife's phone (and a lifetime of 4000, the configured value of "valid lifetime"). The rest all have a large lifetime of 86400 and no hostnames or MAC addresses associated with any of them. Why would KeaDHCP dole out an address to a device without a MAC address?

A trick: you can leave the pool in a subnet empty (don't specify a range in it), then you can work reservation-only.
Hardware:
DEC740

Today at 07:27:39 PM #5 Last Edit: Today at 07:29:20 PM by stauf
I understand why someone might want to only allow reserved MACs on their network (with this issue, that is essentially where I am at now), but I am not interested in being that tight with my security. I am trying to figure out why OPNsense has doled out all my pool addresses, seemingly to devices not on my network (none of them have hostnames or MAC addresses associated with them). I can reboot my router when I get a chance (after work), but this seems like a pretty bad "bug"/unintended consequence of something. Any time KeaDHCP doles out an IP address, there should be a MAC address associated with it, regardless of being a reservation (static) or not. Am I missing something?

Kea uses client identifiers by default. If you have some device that spams a lot of these, it gets a lease for each of them.

You can turn that behavior off in each subnet:

Match client-id
By default, KEA uses client-identifiers instead of MAC addresses to locate clients; disabling this option changes back to matching on MAC address, which is used by most DHCP implementations.
Hardware:
DEC740

I appreciate the suggestion but I already have that turned off.

Then you probably have misconfigured VLANs.

Check if your setup follows the best practice for them:

https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

I run a complex HA setup with many VLANs, LAGG and trunks and managed switches, and KEA works fine with no weird things going on. I assume it's a configuration or infrastructure issue on your end.
Hardware:
DEC740

Technically I have VLANs on my network, but in this case OPNsense is running on Proxmox, and Proxmox is configured with VLANs and exposes the interfaces to OPNsense. I also don't understand why KeaDHCP doling out MAC-less IP addresses would have anything to do with VLANs. Everything with a static reservation is working fine.

I also just rebooted, hoping that would flush the existing DHCP entries, but it did not. There are still 39 doled-out IP addresses without a MAC associated with them (even though "Match client-id" is disabled).

Maybe I can ask this another way. If my "valid-lifetime" setting for the KeaDHCP server is 4000 (the default, I believe), what does it mean when there is an entry with a lifetime of 86400?

Is there a way to flush the current DHCP cache? I've tried stopping and starting KeaDHCP, I have tried rebooting OPNsense, but the entries remain. They are supposed to expire tomorrow. Is my only option really to wait?

I also checked my secondary VLAN, which I have all my cloud-connected devices on (thermostats, smart light bulbs, etc.). It has a pool configured as well, but there are no DHCP entries other than ones with a lifetime of 4000.

How can I better debug this? Just hearing "it works for me" isn't very helpful. Can I attach some sort of config here to be analyzed? This used to work just fine. I'm not sure which upgrade caused the problem. Given 86400 is 24 hours, I suppose these could have been doled out multiple times. I did recently upgrade to 26.1.4, but this doesn't necessarily mean that was the issue. As 95+% of my devices have Reservations, I may not have noticed this for a while.

This also all "just worked" in pfSense. If I can't get DHCP to work reliably in OPNsense, there really isn't a reason to use it.
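As an added illustration (not code from this thread, from OPNsense or from Kea), the Python below audits a Kea memfile lease export for the two symptoms discussed above: leases that carry a client-id but no MAC address, and leases whose valid lifetime does not match the subnet's configured value (86400 where 4000 is set), plus how much of the .11 to .40 pool those leases consume. The CSV column layout and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed column layout of Kea's memfile lease store (kea-leases4.csv).
# The rows are constructed sample data, not leases from this thread.
SAMPLE_LEASES = """\
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id
192.168.1.11,aa:bb:cc:dd:ee:01,01:aa:bb:cc:dd:ee:01,4000,1700004000,1,0,0,wifes-phone,0,,0
192.168.1.12,,ff:00:00:00:00:01,86400,1700086400,1,0,0,,0,,0
192.168.1.13,,ff:00:00:00:00:02,86400,1700086400,1,0,0,,0,,0
192.168.1.14,,ff:00:00:00:00:03,86400,1700086400,1,0,0,,0,,0
192.168.1.15,aa:bb:cc:dd:ee:02,,4000,1700004000,1,0,0,thermostat,0,,0
"""

def parse_leases(text):
    """Parse the lease CSV into one dict per row (header row supplies the keys)."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_leases(leases, configured_valid_lifetime):
    """Flag leases with no hwaddr (client-id only), leases whose valid_lifetime
    differs from the subnet's configured value (86400 where 4000 is set), and
    how many addresses each client-id holds (a rotating identifier shows up as
    many single-lease entries)."""
    mac_less = [l["address"] for l in leases if not l["hwaddr"]]
    lifetime_mismatch = [l["address"] for l in leases
                         if int(l["valid_lifetime"]) != configured_valid_lifetime]
    per_client_id = defaultdict(list)
    for l in leases:
        if l["client_id"]:
            per_client_id[l["client_id"]].append(l["address"])
    return {"mac_less": mac_less, "lifetime_mismatch": lifetime_mismatch,
            "per_client_id": dict(per_client_id)}

def pool_usage(leases, pool_start, pool_end):
    """Count active leases (state 0) inside the pool range and how many remain free."""
    lo = int(ipaddress.IPv4Address(pool_start))
    hi = int(ipaddress.IPv4Address(pool_end))
    in_use = sum(1 for l in leases if l["state"] == "0"
                 and lo <= int(ipaddress.IPv4Address(l["address"])) <= hi)
    return {"size": hi - lo + 1, "in_use": in_use, "free": hi - lo + 1 - in_use}
```

Running `audit_leases(parse_leases(SAMPLE_LEASES), 4000)` separates the one hostname-bearing lease from the MAC-less 86400-second ones, and `pool_usage` shows how quickly such entries exhaust a 30-address pool.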