<div dir="ltr"><br><div>This is what we added to our Kea configs to deal with the encapsulated requests:</div><div><br></div><div>""""</div><div><font face="monospace">...</font></div><font face="monospace"> "option-def": [<br></font><div><font face="monospace"> {<br></font></div><div><font face="monospace"> "name": "link",<br> "code": 150,<br> "space": "relay-cisco",<br> "type": "ipv4-address",<br> "record-types": "",<br> "array": false,<br> "encapsulate": ""<br> },<br> {<br> "name": "server-id",<br> "code": 152,<br> "space": "relay-cisco",<br> "type": "ipv4-address",<br> "record-types": "",<br> "array": false,<br> "encapsulate": ""<br> }<br></font></div><div><font face="monospace"> ],</font></div><div><font face="monospace">...</font></div><div>"""</div><div><br></div><div>We're using UDP sockets and the shared-networks option, with the relays in a separate file (as a JSON-formatted list):</div><div><br></div><div>"""</div><div><font face="monospace">...</font></div><div><font face="monospace"> "shared-networks": [<br> {<br> "name": "my-site-relays",<br> "relay": {<br> "ip-addresses": <?include "/etc/kea/kea-relay4.json"?><br> },<br> "subnet4": [<br> <?include "/etc/kea/kea-pool4.json"?><br> ]<br> }<br> ],<br></font></div><div><font face="monospace">...</font></div><div>"""</div><div><br></div><div>Hopefully this is useful to you ...</div><div><br></div><div>cheers,</div><div>Klaus</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jan 21, 2023 at 7:53 AM Simon <<a href="mailto:dhcp1@thehobsons.co.uk">dhcp1@thehobsons.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Stefan G. Weichinger <<a href="mailto:lists@xunil.at" target="_blank">lists@xunil.at</a>> wrote:<br>
<br>
>> I will start by stopping one of my 2 kea-nodes, and then remove the VLAN interfaces on the remaining one. Plus enable the DHCP-relay, plus adding that fw-rule.<br>
>> In kea I have to remove the various vlan-interfaces and edit the subnets to all listen on the same and only LAN-interface.<br>
> <br>
> Did my changes but today there are no more workers on site there so it's a bit hard to test for me from remote.<br>
> <br>
> Went back to the old setup for now.<br>
> <br>
> questions around config:<br>
> <br>
> Could I remove the separate interface lines from the subnets:<br>
> <br>
> <br>
> {<br>
> "interface": "enp0s31f6", # THIS LINE<br>
> "id": 3,<br>
> "subnet": "<a href="http://192.168.103.0/24" rel="noreferrer" target="_blank">192.168.103.0/24</a>",<br>
> <br>
> <br>
> In the first lines I already have:<br>
> <br>
> <br>
> {<br>
> "Dhcp4": {<br>
> "interfaces-config": {<br>
> "interfaces": [ "enp0s31f6" ],<br>
> "dhcp-socket-type": "raw",<br>
> "service-sockets-require-all": false,<br>
> "service-sockets-max-retries": 1000,<br>
> "service-sockets-retry-wait-time": 10000<br>
> },<br>
> <br>
> <br>
> That defines the interface anyway, right?<br>
<br>
I think so, but I’m not a Kea user and have only had a fairly quick look at the documentation - most of the previous advice is based on relaying being generic and not really affecting server config much/at all.<br>
With dhcpd (where my experience is for about 25 years !), the only config for interfaces is to specify which ones to listen on.<br>
<br>
> "dhcp-socket-type" is ok? "raw" seems to be the default anyway.<br>
<br>
<br>
The manual at <a href="https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#interface-configuration" rel="noreferrer" target="_blank">https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#interface-configuration</a> says :<br>
> Kea supports responding to directly connected clients which do not have an address configured. This requires the server to inject the hardware address of the destination into the data-link layer of the packet being sent to the client. The DHCPv4 server uses raw sockets to achieve this, and builds the entire IP/UDP stack for the outgoing packets. The downside of raw socket use, however, is that incoming and outgoing packets bypass the firewalls (e.g. iptables).<br>
<br>
<br>
> Using UDP sockets automatically disables the reception of broadcast packets from directly connected clients. This effectively means that UDP sockets can be used for relayed traffic only. When using raw sockets, both the traffic from the directly connected clients and the relayed traffic are handled.<br>
<br>
<br>
So it’s clear that you want to keep raw sockets (default, no need to specify it) if you have any locally connected clients - but if you have no locally connected clients and want packets to pass through a firewall then use UDP.<br>
<br>
<br>
Also, looking at <a href="https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#dhcp4-subnet-selection" rel="noreferrer" target="_blank">https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#dhcp4-subnet-selection</a> it seems fairly clear that you don’t need to tie subnets to interfaces in the config - simply defining the interfaces to listen on, and the subnets to be served, is sufficient for the server to automagically associate clients with the right subnet.<br>
<br>
<br>
Simon<br>
<br>
<br>
-- <br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
To unsubscribe visit <a href="https://lists.isc.org/mailman/listinfo/kea-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/kea-users</a>.<br>
<br>
Kea-users mailing list<br>
<a href="mailto:Kea-users@lists.isc.org" target="_blank">Kea-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/kea-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/kea-users</a><br>
</blockquote></div>