[Kea-users] Advice for reconfigured reservations when implementing VLANs
Ubence Quevedo (thatrat)
thatrat at gmail.com
Sun May 26 17:06:29 UTC 2024
Hi David,
Thanks for the response.
I’ve used tcpdump a few times before. I’ll have to look around to see how best to run this. Any examples you can share on what I should be running and what I should be looking for?
I also turned debugging in the logging up to 75, but I’m not noticing much of a difference in the log files.
I had also turned on a feature with the VLANs in Unifi called DHCP Guarding and I assigned each individual interface IP to each VLAN for DHCP requests. Something about how that didn’t like my setup since in the Kea log files it showed that an IP address was being assigned to the connecting device but the device never got the address. As soon as I turned off that setting, I was getting addresses again.
I did away with the multiple interfaces to listen on and told the relay to use only the one IP address.
I’m obviously kind of new to all of this, so any advice or other recommendations would be greatly appreciated!
-Ubence
> On May 26, 2024, at 9:17 AM, David Farje <davidabelfarje at gmail.com> wrote:
>
> Hi Ubence,
>
> I would recommend taking tcpdump traffic captures on the three interfaces and see if traffic is arriving properly at the interfaces. I also recommend turning on debug logging to see if Kea is receiving those requests and how it is processing them.
>
> In terms of design it doesn't sound like good form having Kea listen on 3 interfaces and process broadcast traffic on 3 interfaces on a Raspberry Pi. I'd recommend using a separate statically addressed VLAN, having Kea listen on one interface using unicast ("dhcp-socket-type": "udp"), and using relays from the rest of the 3 VLANs.
>
> Best Regards,
> David
>
> On Sun, May 26, 2024 at 11:04 AM Ubence Quevedo <thatrat at gmail.com> wrote:
>> Hi Everyone,
>>
>> I'm in the process of implementing VLANs on my home network to separate my IoT devices onto their own VLAN to eventually segment those devices from my main network.
>>
>> I currently have Kea setup with reservations for all of these devices, IoT, user systems, and other devices.
>>
>> I've taken my existing reservation information and separated out the IoT devices to their own network addresses for the VLAN they will reside on [192.168.12.0/24], with all of the user systems and other devices on another network [192.168.11.0/24], and all of the network and administrative devices on the default VLAN [192.168.10.0/24].
>>
>> I reconfigured my Kea system [a Raspberry Pi running Ubuntu 22.04 with Kea 2.0.2] with interfaces on all of these VLANs to listen for the DHCP requests. My network equipment is all Unifi and I reconfigured all of the relevant ports on the switches with the appropriate VLAN the device should be on. I also put the two separate SSIDs configured on their respective VLANs. My gateway device is a pfSense box with the network interfaces configured with the appropriate VLAN gateways.
>>
>> I restarted the Kea service after making all of these changes and thought everything "would just work" and the devices would get the appropriate IP address reservation. I was wrong. Even though I had interfaces on all of the VLANs and set Kea to listen on those interfaces, I still needed to set the DHCP Relay feature on the pfSense device to point to my server.
>>
>> Things kind of started to work then, but I still wasn't getting addresses assigned.
>>
>> After some troubleshooting and frustration, I eventually reverted everything back to the original configuration [everything on the Default VLAN].
>>
>> I'm not entirely sure why things didn't work out the way I expected, but I have some hunches that I'd like to get some feedback on:
>> Existing reservations haven't expired - The time I had set for the lifetime of the reservation [7200 seconds] hadn't expired
>> Reservation database [flat file] - Still had entries for all of the devices
>> Something else? - Something else I'm not considering when making this change?
>> Ultimately it seems to me that I should have somehow "flushed" everything before making my change so that everything would be new and not have any type of existing reservation?
>>
>> I know that the reservations on the new VLANs work because I created test SSIDs, assigned them to the new VLANs, and connected wireless clients and they get the appropriate address I'm expecting [no MAC address reservation though].
>>
>> If anyone has done something similar or has any other advice on what I should be doing or looking at, it would be greatly appreciated!
>>
>> -Ubence
>> --
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>>
>> Kea-users mailing list
>> Kea-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/kea-users
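To make David's suggestion concrete, here is an added example of the kind of kea-dhcp4 configuration it describes (written for this thread, not taken from it or from ISC): Kea binds a unicast UDP socket on one interface in the default VLAN, and the 192.168.11.0/24 and 192.168.12.0/24 subnets are selected by the relay address the pfSense gateway puts in giaddr. The interface name eth0, the server address 192.168.10.5, the gateway addresses 192.168.10.1/.11.1/.12.1 and the MAC addresses are assumed placeholders; the `//` comments are accepted by Kea's parser.

```json
{
  "Dhcp4": {
    "interfaces-config": {
      // One interface in the management VLAN, unicast only:
      // relays forward client broadcasts here, so Kea never
      // needs a raw socket on the IoT or user VLANs.
      "interfaces": [ "eth0/192.168.10.5" ],
      "dhcp-socket-type": "udp"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/lib/kea/kea-leases4.csv"
    },
    "valid-lifetime": 7200,
    "subnet4": [
      {
        "id": 10,
        "subnet": "192.168.10.0/24",
        "pools": [ { "pool": "192.168.10.100 - 192.168.10.199" } ],
        "option-data": [ { "name": "routers", "data": "192.168.10.1" } ]
      },
      {
        "id": 11,
        "subnet": "192.168.11.0/24",
        // Requests arrive via the pfSense relay; Kea picks this
        // subnet because giaddr matches the relay address below.
        "relay": { "ip-addresses": [ "192.168.11.1" ] },
        "pools": [ { "pool": "192.168.11.100 - 192.168.11.199" } ],
        "option-data": [ { "name": "routers", "data": "192.168.11.1" } ],
        "reservations": [
          { "hw-address": "aa:bb:cc:00:00:11", "ip-address": "192.168.11.20" }
        ]
      },
      {
        "id": 12,
        "subnet": "192.168.12.0/24",
        "relay": { "ip-addresses": [ "192.168.12.1" ] },
        "pools": [ { "pool": "192.168.12.100 - 192.168.12.199" } ],
        "option-data": [ { "name": "routers", "data": "192.168.12.1" } ],
        "reservations": [
          { "hw-address": "aa:bb:cc:00:00:12", "ip-address": "192.168.12.20" }
        ]
      }
    ]
  }
}
```

Validate the file with `kea-dhcp4 -t /etc/kea/kea-dhcp4.conf` before restarting the service; while testing, `tcpdump -ni eth0 port 67 or port 68` on the Kea host shows whether relayed requests (giaddr set to the VLAN gateway) actually reach the server.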