On 20.01.23 at 15:44, Simon wrote:
Stefan G. Weichinger <li...@xunil.at> wrote:

It seems I have to rebuild my DHCP setup.

I suggest “rebuild” is a strong word - modify would be more appropriate.

You are right, yes ;-)

Ignore circuit-id and agent-id, they are a fairly advanced configuration 
relating to identifying individual ports on a switch, or subscribers on a WAN 
system. They are not required at all for what you want.

ok

You will simply need to configure a relay agent on each network (technically, 
collision domain) to be served. These are typically configured on routers for 
convenience, but that is not required and it can be any device as long as it’s 
in the same broadcast domain as the clients to be served.
If KEA is not explicitly configured with a subnet (or shared-network) to local 
interface mapping, then the config will not need modifying.

How it works is :
When the relay agent identifies a broadcast DHCP packet on the remote network, 
it captures it, modifies it by adding “Agent-ID” (typically its interface IP 
address on the remote network), and then forwards it to the server(s) 
configured (typically as unicast packet(s)).
When the server gets the packet, it sees that the Agent-ID field is filled in 
and uses this to identify the network to which the client is connected - the 
logic is basically the same as using the IP address of the local interface in 
the case of locally connected clients.
When the server has assembled the reply packet (offer or acknowledge), it sends 
it to the address in the Agent-ID field of the incoming packet.
The relay agent picks it up, and broadcasts it on the client's network.
The client receives it just as though it was from a local server.

For renewals, the client will unicast its renewal request to the IP of the 
server, and the server will reply directly - the relay agent is not involved 
with this. For this reason, the clients and server(s) must be able to address 
IP packets between them.

Good to know. So there has to be a specific firewall rule for that in each VLAN.

TL;DR
Change nothing on your DHCP server config.
Configure DHCP relay agent for each remote network - ensuring that the relay 
agent uses the correct IP address for the Agent-ID for each network. This 
should be automagic but I have heard of some systems with “interesting” issues 
in this area.
It should “just work”.

You answered my open questions, thank you very much. I didn't yet know how the requests would be matched with the configured subnets etc ... I was *assuming* that the relay IP might play a role. Now I know, and this gives me confidence to start modifying things.

One issue I can think of ...
Is pfsense (I assume it’s doing your routing) running on this box or a 
different one ? If it’s on a different box then all you’ll need to do is 
configure the relay agent and remove the interface from the DHCP server. If 
it’s on the same box, then things get a bit more “interesting”. Can you answer 
this ?

different box

I will start by stopping one of my 2 kea-nodes, and then remove the VLAN interfaces on the remaining one. Plus enabling the DHCP relay, plus adding that fw-rule.

In kea I have to remove the various vlan-interfaces and edit the subnets to all listen on the same and only LAN-interface.

That should do it ... looking forward to trying that.

thanks!

--

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
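Simon's description of relay handling above, as an added worked example that is not code from the thread or from Kea: a parser for the fixed DHCP header, the server-side subnet selection (relay address if present, otherwise the receiving interface's address) and the reply destination. The "Agent-ID" he refers to is the giaddr field of the DHCP header (RFC 2131); the subnets, interface addresses and the sample DISCOVER below are constructed for illustration.

```python
import ipaddress
import struct

# Constructed example subnets (not from the thread): two relayed VLANs
# plus the server's own LAN.
SUBNETS = [ipaddress.ip_network(s) for s in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

HDR_FMT = "!BBBBIHH4s4s4s4s"          # fixed fields up to and including giaddr
MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie at offset 236


def parse_dhcp_header(packet: bytes) -> dict:
    """Parse the fixed BOOTP/DHCP header (RFC 2131, section 2)."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr) = struct.unpack(HDR_FMT, packet[:28])
    return {"op": op, "hops": hops, "xid": xid,
            "broadcast": bool(flags & 0x8000),
            "ciaddr": ipaddress.IPv4Address(ciaddr),
            "giaddr": ipaddress.IPv4Address(giaddr),
            "chaddr": packet[28:28 + hlen].hex(":")}


def select_subnet(hdr: dict, local_iface_ip: str):
    # A non-zero giaddr means the packet was relayed: the relay's address
    # identifies the client's network. Otherwise the client is local and the
    # receiving interface's address is used, exactly as Simon describes.
    relayed = int(hdr["giaddr"]) != 0
    key = hdr["giaddr"] if relayed else ipaddress.IPv4Address(local_iface_ip)
    return next((net for net in SUBNETS if key in net), None)


def reply_destination(hdr: dict) -> tuple:
    # RFC 2131 section 4.1: relayed replies go back to giaddr on the server
    # port; local replies to ciaddr if set, else to the broadcast address.
    if int(hdr["giaddr"]) != 0:
        return (str(hdr["giaddr"]), 67)
    if int(hdr["ciaddr"]) != 0:
        return (str(hdr["ciaddr"]), 68)
    return ("255.255.255.255", 68)


def build_discover(mac: str, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Constructed DHCPDISCOVER: fixed header, cookie and option 53 only."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR_FMT, 1, 1, 6, hops, 0x3903F326, 0, 0x8000,
                      zero4, zero4, zero4, ipaddress.IPv4Address(giaddr).packed)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return hdr + chaddr + b"\0" * 192 + MAGIC + b"\x35\x01\x01\xff"
```

A hops value above what the topology justifies, or a giaddr that matches no configured subnet, is the case a server should log and drop rather than guess at.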
