KeaDHCP dynamic DHCP question

Started by stauf, March 18, 2026, 04:23:57 PM

I'm relatively new to OpnSense (migrated over from pfSense after being disappointed in their release cadence).  I have my setup working pretty much the way I want.  I generally use all static DHCP on my network so I can better understand what is going on when problems arise.  However, the other day, I noticed that on my primary LAN pool, while I have a pool of addresses defined (none of which is currently in use), if I alter the MAC address on one of my static entries so my device now has to get an IP address dynamically from the pool, I never get allocated an address.

Is there some setting in KeaDHCP to prevent the use of pools?  I've poked through the GUI but don't see any settings that would appear to cause this functionality.  Is this a defect in 26.1.4?  It's certainly possible I have just missed this issue for a while.  As I said, most devices on my network have a static DHCP Reservation associated with them.

Yeah, if I switch my Reservation MAC back to match my device, voila, it comes right up.  I've tested on multiple devices, if they ask for a DHCP address without matching a Reservation KeaDHCP knows about, it gets ignored.  If I have a Reservation setup for the device, it works fine.  My subnet is a class C and my pool goes from .11 to .40, so there should be plenty of addresses for it to dole out, if necessary.

Not sure if it matters but I don't have ISC DHCP installed anymore.  I also have multiple subnets defined that are each on different VLANs.  The subnet I am trying to use is the "default" LAN subnet.  I believe this used to work, but it's been a while since I might have even noticed.  I'm not intentionally trying to do anything to prevent the use of DHCP IP pools.

March 18, 2026, 04:51:45 PM #3 Last Edit: March 18, 2026, 04:53:41 PM by stauf
Sorry for so many spam messages here.  I believe I figured out part of the issue.  On the Leases DHCPv4 tab, it is showing that KeaDHCP has doled out all addresses in the pool.  I guess it makes sense why it can't dole out any new ones.  I am confused what these leases are though.  One of them appears to be valid and has a hostname associated with my wife's phone (and a lifetime of 4000, the configured value of "valid lifetime").  The rest all have a large lifetime of 86400 and no hostnames or MAC addresses associated with any of them.  Why would KeaDHCP dole out an address to a device without a MAC address?

A trick: you can leave the pool in a subnet empty (don't specify a range in it), then you can work reservation-only.
Hardware:
DEC740

March 18, 2026, 07:27:39 PM #5 Last Edit: March 18, 2026, 07:29:20 PM by stauf
I understand why someone might want to only allow reserved MACs on their network (with this issue, that is essentially where I am at now) but I am not interested in being that tight with my security.  I am trying to figure out why OpnSense has doled out all my pool addresses seemingly to devices not on my network (none of them have hostnames or MAC addresses associated with them).  I can reboot my router when I get a chance (after work) but this seems like a pretty bad "bug"/unintended consequence of something.  Anytime KeaDHCP doles out an IP address, there should be a MAC address associated with it, regardless of being a reservation (static) or not.  Am I missing something?

Kea uses client identifiers by default. If you have some device that spams a lot of these, it gets a lease for each of them.

You can turn that behavior off in each subnet:

Match client-id
By default, KEA uses client-identifiers instead of MAC addresses to locate clients, disabling this option changes back to matching on MAC address which is used by most dhcp implementations.
Hardware:
DEC740

I appreciate the suggestion but I already have that turned off.

Then you probably have misconfigured vlans.

Check if your setup follows the best practice for them:

https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

I run a complex HA setup with many vlans, lagg and trunk and managed switches and KEA works fine with no weird things going on. I assume its a configuration or infrastructure issue on your end.
Hardware:
DEC740

Technically I have VLANs on my network but in this case, OpnSense is running on Proxmox and Proxmox is configured with VLANs and exposes the interfaces to OpnSense.  I also don't understand why KeaDHCP doling out MAC-less IP addresses would have anything to do with VLANs.  Everything with a Static reservation is working fine.

I also just rebooted, hoping that would flush the existing DHCP entries but it did not.  There are still 39 doled out IP addresses without a MAC associated with them (even though "Match client-id" is disabled).

Maybe I can ask this another way.  If my "valid-lifetime" setting for the KeaDHCP server is 4000 (the default I believe), what does it mean when there is an entry with a lifetime of 86400?

Is there a way to flush the current DHCP cache?  I've tried stopping and starting KeaDHCP, I have tried rebooting OpnSense but the entries remain.  They are supposed to expire tomorrow.  Is my only option really to wait?

I also checked my secondary VLAN which I have all my cloud-connected devices on (thermostats, smart light-bulbs, etc...).  It has a pool configured as well but there are no DHCP entries other than ones with a lifetime of 4000.

How can I better debug this?  Just hearing "it works for me" isn't very helpful.  Can I attach some sort of config here to be analyzed?  This used to work just fine.  I'm not sure which upgrade caused the problem.  Given 86400 is 24 hours, I suppose these could have been doled out multiple times.  I did recently upgrade to 26.1.4 but this doesn't necessarily mean that was the issue.  As 95+% of my devices have Reservations, I may not have noticed this for a while.

This also all "just worked" in pfSense.  If I can't get DHCP to work reliably in OpnSense, there really isn't a reason to use it.

March 19, 2026, 12:35:11 AM #10 Last Edit: March 19, 2026, 12:50:21 AM by hharry
kea dhcpv4 has the concept of lease affinity, which I use instead, so that returning dhcp clients can obtain the same IP lease, even after the lease has technically expired but lease affinity has not yet expired. It works great, and there is zero need to mess around with reserved DHCP leases...

Kea DHCPv4 Affinity lifetime is already exposed in OPNsense GUI

Defines in seconds for how long a returning client will be able to retrieve the same lease.

I have kea dhcpv4 lease time = 86400 seconds == 24 hours
and Kea DHCPv4 Affinity lifetime = 2592000 seconds == 30 days.
OPNsense 25.7.11_9-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.

Ok, interesting side-note, thank you.  I would still want reservations as the actual address given to specific hosts on my network is important to me (i.e. I know my printer is .110, my PC is .100, etc...).  I don't just want addresses consistent, I want them consistently a specific value.  While this information is interesting, thank you, it doesn't appear to be relevant to my issue.

Kea has doled out 39 IP addresses with a lifetime value that doesn't appear to exist in my configuration and there is no MAC address or hostname associated with these entries.  The entirety of the information in the DHCP Leases table is the interface they are on, the IP address given, blank MAC address, 86400 second lifetime (seemingly not configured anywhere I can find), expire time (tomorrow), blank hostname, and the fact they are dynamic leases.

I can't find a way to debug why these leases were given out, nor can I find a way to flush these entries.  The only option OpnSense appears to give me is the option to make these entries static.  I'm not even sure what that means though.  With "Match client-id" disabled on this subnet, the entry should be a link between a MAC address and an IP address.  Without a MAC address, how can I make this a reservation?

Thank you for the help.

March 19, 2026, 02:27:31 AM #12 Last Edit: March 19, 2026, 02:58:49 AM by hharry
For both devices that are always on, and devices that are intermittently on, but reconnect before lease affinity expires, zero need for dhcp reservations, it just works thanks to lease affinity.


And printers for several decades now, use SSDP | Bonjour mDNS protocol to advertise their IP address and service information, and modern OS also learn from both SSDP and mDNS propagation advertisements, to dynamically learn printer IP address and service to connect to.


Once the DHCP lease is assigned, it stays assigned ( reserved ) for the affinity lease period when devices are offline, and re-allocated when device connects, and re-allocated when DHCP renew event occurs..

The only time this would not work is when the dhcp pool has an insufficient number of leases for the number of devices connecting to that particular L2 segment... or for devices that do a DHCP release upon shutdown; I've only found one device that behaves this way...
OPNsense 25.7.11_9-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.

March 19, 2026, 08:27:37 AM #13 Last Edit: March 19, 2026, 08:31:49 AM by meyergru
I use KEA, but not actually with DHCPv6.

If you really have disabled DUID-based handout, one would argue that there must be different MACs associated with the filling of the pool. That could in theory be caused by some device(s) that change their MACs for privacy reasons, like iPhones do it these days.

However, what is strange is that apparently, the lease entries do not have a MAC or DUID associated.

My observation is that sometimes, I saw an abundance of IPv4s answering to my ping detection service on my LAN when I had "Interfaces: Neighbors: Automatic Discovery" active. If that service is active on your OpnSense, I would disable it completely, stop Kea, clean out the DHCPv6 leases manually, restart Kea afterwards and observe if the problem goes away.

Do not ask why this happens - I never investigated any further, I just disabled the service. I cannot even tell if there were actual DHCPv4 leases in those situations. My theory here would be something like: The cause may be the way DHCP makes sure that no IP collisions occur by first pinging a tentative IP:

A (legitimate) client asks for an IP, Kea chooses one, but always gets a ping answer and sets it as reserved (but with no DUID and no MAC), afterwards, it switches to the next free IP, to which it again gets a ping answer, and this repeats until there are no pool IPs left.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

March 19, 2026, 01:27:01 PM #14 Last Edit: March 19, 2026, 01:47:08 PM by stauf
Thank you meyergru.  You are the first person to suggest something that could theoretically be relevant to my issue.  While I don't have KeaDHCPv6 enabled, I did have the Automatic Discovery Enabled.  I disabled it to give this a try.  Nothing appears to have changed yet, but I guess I would not expect anything to change until these Leases expire.

When you say "clean out DHCPv6 leases manually", as I don't have DHCPv6 enabled, there are no leases currently under v6.  Is there a mechanism to clean out v4 leases?  On the leases page for these (invalid) entries without a hostname or MAC address, the only option OpnSense gives me for these entries is "add reservation".  While I don't want these entries to have a reservation, I tried anyway (as that appears to be my only option).  I was thinking maybe I could find a "pool" of addresses I wasn't using and assign these to different addresses outside of my DHCP pool.  However, as there is no MAC address associated with these entries, the resulting pop-up to add the reservation fails telling me that a MAC address is required to add a reservation.

This feels like an OpnSense bug to me.  Affinity or no, Automatic Discovery or no, any feature I can think of on or off, why would DHCPv4 add leases to devices without a hostname or MAC address?  I won't claim to know the entire workings of the DHCP protocol, but my understanding is that a device configured for DHCP simply sends out a broadcast DHCP Discover packet with its MAC address as the source.  As OpnSense is my only DHCP server on my network, it receives that broadcast request and replies with an Offer.  As I have "Match client-id" disabled, the DHCP server must use the MAC address of the request as its key to the doled out IP address (regardless if a Client ID is present in the discover).

So I am left with 2 questions:

1. How do I clear out DHCPv4 address mappings?  I've tried rebooting the entire router, I've tried stopping KeaDHCP but whenever it comes back up, the cache remains.
2. Is there a mechanism for me to log a bug here?  Or does anyone have an explanation as to why there are DHCPv4 entries without a hostname or MAC address associated with them?  Especially with "Match client-id" disabled.

As I have been looking at this issue closer, I noticed one more thing.  There are 3 devices on my network that I have existing reservations for but these invalid leases of time 86400 seconds and no MAC or hostname associated are set to use these IP addresses.  So, not only can these leases be given addresses from within my DHCPv4 pool, they can also be given addresses that I have explicitly configured to be reserved for specific MAC addresses (outside of the pool configured for this subnet).  Luckily I don't need to use these specific devices for anything right now but this makes the issue more severe from my point of view.

One of these devices is a Proxmox server.  It is set to boot using the static IP address I assigned this reservation to, but I can't get to it on my network.  This tells me this problem is pretty recent (around the time I upgraded to 26.1.4) as I was using this Proxmox server just a few days ago.

If whatever is going on here can overlap with any IP address on my network and make it unusable, how do I protect this from happening?

If I have not heard any relevant theories on this issue, I will try restoring my 26.1.3 OpnSense VM this evening.  I make sure to backup my OpnSense VM prior to any upgrades.

Thank you.
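Two of the questions in this thread, "How can I better debug this?" and whether identifier-less leases can land on addresses that are reserved for other MACs, can both be answered from Kea's own lease store rather than from the GUI table. The script below is an added example and is not code from the thread, from OPNsense or from the Kea project. It assumes the memfile backend (the default), whose kea-leases4.csv is a plain CSV with the header shown in the constructed sample; the sample rows, the reservation map, the configured valid lifetime and the fixed "now" timestamp are all made up to mirror the thread, and the file's location on an OPNsense box is not assumed here, so locate it on your system. Kea writes the lease state into the `state` column: 0 is a normal lease, 2 is expired-reclaimed, and 1 is declined, which is the state Kea assigns when a client answers an offer with DHCPDECLINE; a declined lease has its MAC and client-id cleared and is held for the decline probation period, so identifier-less rows are worth checking against that state.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample in the layout of Kea's memfile lease store
# (kea-leases4.csv). The header is the column set recent Kea 2.x writes; the
# rows are made up to mirror the thread: one normal lease, three
# identifier-less 86400-second leases (one on a reserved address, one in the
# declined state) and one expired lease.
SAMPLE_LEASES4 = """\
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id
192.168.1.12,aa:bb:cc:dd:ee:01,,4000,1773860000,1,0,0,wifes-phone,0,,0
192.168.1.13,,,86400,1773940000,1,0,0,,1,,0
192.168.1.14,,,86400,1773940000,1,0,0,,0,,0
192.168.1.110,,,86400,1773940000,1,0,0,,0,,0
192.168.1.20,aa:bb:cc:dd:ee:02,01:aa:bb:cc:dd:ee:02,4000,1773800000,1,0,0,laptop,2,,0
"""

# Constructed reservations (IP -> MAC) as you would copy them from the GUI;
# .110 sits outside the dynamic pool, like the printer in the thread.
SAMPLE_RESERVATIONS = {"192.168.1.110": "aa:bb:cc:dd:ee:10"}

CONFIGURED_VALID_LIFETIME = 4000  # the subnet's "valid lifetime" setting (assumed)
NOW = 1773850000                  # fixed "current time" so the sample is reproducible

# Lease states as written in the "state" column of the lease file.
STATE_DEFAULT, STATE_DECLINED, STATE_EXPIRED_RECLAIMED = 0, 1, 2


def parse_leases(text):
    """Return the newest row per address.

    The memfile backend appends a line on every lease change and only compacts
    the file periodically, so the last line for an address is the current one.
    """
    leases = {}
    for row in csv.DictReader(io.StringIO(text)):
        leases[row["address"]] = row
    return leases


def audit_leases(leases, configured_valid_lifetime, reservations, now):
    """Map each suspicious address to the list of things wrong with its lease."""
    findings = {}
    for addr, row in leases.items():
        issues = []
        state = int(row["state"])
        if state == STATE_EXPIRED_RECLAIMED or int(row["expire"]) <= now:
            issues.append("expired")
        if state == STATE_DECLINED:
            issues.append("declined")  # client sent DHCPDECLINE; Kea cleared its identifiers
        if not row["hwaddr"] and not row["client_id"]:
            issues.append("no identifier")
        elif not row["hwaddr"]:
            issues.append("no hwaddr (client-id only)")
        lifetime = int(row["valid_lifetime"])
        if lifetime != configured_valid_lifetime:
            issues.append(f"lifetime {lifetime} != configured {configured_valid_lifetime}")
        reserved_mac = reservations.get(addr)
        if reserved_mac and row["hwaddr"].lower() != reserved_mac.lower():
            issues.append(f"address reserved for {reserved_mac}")
        if issues:
            findings[addr] = issues
    return findings


def addresses_without_identifier(findings):
    """Addresses handed out with neither a MAC nor a client-id, in address order."""
    return sorted((a for a, i in findings.items() if "no identifier" in i), key=ip_address)


def print_report(findings):
    for addr in sorted(findings, key=ip_address):
        print(f"{addr:<16} {'; '.join(findings[addr])}")


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES4)
    print_report(audit_leases(leases, CONFIGURED_VALID_LIFETIME, SAMPLE_RESERVATIONS, NOW))
```

Point `parse_leases` at the real file (and the reservation map at your own entries) to get the same report for a live box. Because memfile persists leases to disk and reloads them when the daemon starts, stopping and starting the service, or rebooting, leaves these rows in place, which matches what the thread observed; the lease rows themselves, with their state, expiry and whatever identifier they carry, are the evidence to attach to a bug report.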