[Kea-users] Advice for reconfigured reservations when implementing VLANs

David Farje davidabelfarje at gmail.com
Sun May 26 16:17:22 UTC 2024


Hi Ubence,

I would recommend taking tcpdump traffic captures on the three interfaces
to see if traffic is arriving properly at the interfaces.  I also
recommend turning on debug logging to see if Kea is receiving those
requests and how it is processing them.

In terms of design, it doesn't sound like good form having Kea listen on 3
interfaces and process broadcast traffic on 3 interfaces on a Raspberry
Pi.  I'd recommend using a separate statically addressed VLAN, having Kea
listen on one interface using unicast ("dhcp-socket-type": "udp").  Use
relays from the rest of the 3 VLANs.

Best Regards,
David

On Sun, May 26, 2024 at 11:04 AM Ubence Quevedo <thatrat at gmail.com> wrote:

> Hi Everyone,
>
> I'm in the process of implementing VLANs on my home network to separate my
> IoT devices onto their own VLAN to eventually segment those devices from my
> main network.
>
> I currently have Kea set up with reservations for all of these devices,
> IoT, user systems, and other devices.
>
> I've taken my existing reservation information and separated out the IoT
> devices to their own network addresses for the VLAN they will reside on
> [192.168.12.0/24], with all of the user systems and other devices with
> another network [192.168.11.0/24], and all of the network and
> administrative devices on the default VLAN [192.168.10.0/24].
>
> I reconfigured my Kea system [a Raspberry Pi running Ubuntu 22.04 with Kea
> 2.0.2] with interfaces on all of these VLANs to listen for the DHCP
> requests.  My network equipment is all Unifi and I reconfigured all of the
> relevant ports on the switches with the appropriate VLAN the device should
> be on.  I also put the two separate SSIDs configured on their respective
> VLANs.  My gateway device is a pfSense box with the network interfaces
> configured with the appropriate VLAN gateways.
>
> I restarted the Kea service after making all of these changes and thought
> everything "would just work" and the devices would get the appropriate IP
> address reservation.  I was wrong.  Even though I had interfaces on all of
> the VLANs and set Kea to listen on those interfaces, I still needed to set
> the DHCP Relay feature on the pfSense device to point to my server.
>
> Things kind of started to work then, but I still wasn't getting addresses
> assigned.
>
> After some troubleshooting and frustration, I eventually reverted
> everything back to the original configuration [everything on the Default
> VLAN].
>
> I'm not entirely sure why things didn't work out the way I expected, but I
> have some hunches that I'd like to get some feedback on:
>
>    - *Existing reservations haven't expired* - The time I had set for the
>    lifetime of the reservation [7200 seconds] hadn't expired
>    - *Reservation database [flat file]* - Still had entries for all of
>    the devices
>    - *Something else?* - Something else I'm not considering when making
>    this change?
>
> Ultimately it seems to me that I should have somehow "flushed" everything
> before making my change so that everything would be new and not have any
> type of existing reservation?
>
> I know that the reservations on the new VLANs work because I created test
> SSIDs, assigned them to the new VLANs, and connected wireless clients and
> they get the appropriate address I'm expecting [no MAC address reservation
> though].
>
> If anyone has done something similar or has any other advice on what I
> should be doing or looking at, it would be greatly appreciated!
>
> -Ubence
>
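An added example, not part of either poster's message and not Kea's own code: a simplified Python model of how a relayed request is matched to a subnet by the relay's giaddr, why a subnet-level reservation only applies on its own VLAN, and a check for reservations left with an address outside their new subnet. The config fragment, interface name, MAC addresses, reserved IPs and the .1 relay addresses used when calling it are constructed assumptions; Kea's real subnet selection covers more cases.

```python
import ipaddress
import json

# Constructed Kea Dhcp4 fragment (not from the thread): one listening
# interface, UDP socket, the three subnets Ubence lists. Interface name,
# MAC addresses and reserved IPs are assumptions for illustration.
CONF = json.loads("""
{"Dhcp4": {
  "interfaces-config": {"interfaces": ["eth0"], "dhcp-socket-type": "udp"},
  "subnet4": [
    {"id": 10, "subnet": "192.168.10.0/24", "reservations": [
      {"hw-address": "02:00:00:00:10:01", "ip-address": "192.168.10.5"}]},
    {"id": 11, "subnet": "192.168.11.0/24", "reservations": [
      {"hw-address": "02:00:00:00:11:01", "ip-address": "192.168.11.20"}]},
    {"id": 12, "subnet": "192.168.12.0/24", "reservations": [
      {"hw-address": "02:00:00:00:12:01", "ip-address": "192.168.12.30"},
      {"hw-address": "02:00:00:00:12:02", "ip-address": "192.168.10.31"}]}
  ]}}
""")["Dhcp4"]


def select_subnet(conf, giaddr):
    """Simplified model of relayed subnet selection: the subnet whose
    prefix contains the relay's giaddr. Returns None for an unrelayed
    packet (giaddr 0.0.0.0) or an unknown relay."""
    relay = ipaddress.ip_address(giaddr)
    for subnet in conf["subnet4"]:
        if relay in ipaddress.ip_network(subnet["subnet"]):
            return subnet
    return None


def reserved_address(conf, giaddr, mac):
    """Reserved IP for this MAC in the subnet the relay selects, else None."""
    subnet = select_subnet(conf, giaddr)
    for host in (subnet or {}).get("reservations", []):
        if host["hw-address"].lower() == mac.lower():
            return host["ip-address"]
    return None


def misplaced_reservations(conf):
    """Reservations whose address lies outside their subnet, e.g. entries
    moved to a new VLAN block but still carrying the old address."""
    return [(s["subnet"], h["hw-address"], h["ip-address"])
            for s in conf["subnet4"] for h in s.get("reservations", [])
            if ipaddress.ip_address(h["ip-address"])
            not in ipaddress.ip_network(s["subnet"])]
```

Running `misplaced_reservations` over a real configuration before restarting Kea lists the entries that still carry an address from the old network.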