<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Jeff,<br>
As you have discovered, classes based on option 82 values will
only match relayed traffic.<br>
Therefore, all things being equal, Kea will not be able to select
a subnet for renewing clients.<br>
Have you considered using host reservations with "circuit-id" as
the identifier?<br>
<br>
Kind Regards,<br>
Peter<br>
</p>
<div class="moz-cite-prefix">On 03/04/2024 21.09, Jeff Kletsky
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:98787c61-9086-42a5-a857-afd11f3720a1@allycomm.com">
<p>I had hoped that someone would post a better "solution" than
what I've been using. <br>
</p>
<p>My topology is a Cisco SG-series switch in Level 3 mode that is
supplying DHCP (v4) relay to a dedicated subnet with the Kea
hosts.</p>
<p>With the caveat that I have not tested this approach for
robustness under attack, what I do is check to see if the
request appears to be a valid REBIND and then select a client
class based on either the VLAN from the circuit ID or that it
appears to be a directly sent rebind.</p>
<p>I don't recall how I decided that Kea would select the proper
subnet on these direct rebind requests. I am probably relying on
undocumented behavior. I recall not performing a match against
the IP range for a given VLAN as I didn't want to have to keep
the subnet information in sync across different files.<br>
</p>
<p>If anyone can improve on this, I'd appreciate the feedback. <br>
</p>
<p>Jeff</p>
<pre>// Renew prefers to go direct to the issuing server
// so there is no circuit identifier or topology
//
// Kea doesn't check the existing leases and its
// KNOWN selector appears to be related to the client
// having a reservation.
//
// Select based on it being a Request (renew) packet
// that went direct with matching IP addresses

{
    "name": "is_request",
    "test": "option[53].hex == 0x3"
},

{
    "name": "is_direct",
    "test": "pkt4.giaddr == 0.0.0.0"
},

{
    "name": "addresses_match",
    "test": "pkt4.ciaddr == pkt.src"
},

{
    "name": "is_direct_rebind",
    "test": "member('is_request') and member('is_direct') and member('addresses_match')"
},

// Try just the combination of relay circuit check or rebind

{
    "name": "VLAN_84",
    "test": "member('circuit_84') or member('is_direct_rebind')"
},
</pre>
<p>[continues for other VLANs in use]<br>
</p>
<div class="moz-cite-prefix">On 3/28/24 10:40 AM, <a
class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Brazda.Libor@seznam.cz" moz-do-not-send="true">Brazda.Libor@seznam.cz</a>
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7VF.PTjd.1vNQKim2fdY.1c1Qkb@seznam.cz">
<div>Hi, I am trying to start Kea DHCP with client
classification using option 82 through a DHCP relay server.</div>
<div><br>
</div>
<div>When the client tries to renew its IP address, i.e. tries to
prolong its lease, Kea responds with NAK.</div>
<div>The problem is that when the client makes a simple DHCP discover,
the packet goes broadcast through the router, the router acts like a DHCP
relay and relays the packet to the Kea DHCP server with option 82 added.</div>
<div>But when the client makes a DHCP renewal, the packet goes unicast
directly to the DHCP server without option 82. As I understand it, this
causes Kea to respond with NAK, because the packet doesn't match the
subnet rule criteria. In the logs I see the message
"ailed to select a subnet for incoming packet, src 100.64.1.1, type
DHCPREQUEST"</div>
<div><br>
</div>
<div>Is there a way to configure Kea to accept renewal requests if a
lease already exists and the MAC address of the client corresponds to the
stored lease?</div>
<div><br>
</div>
<div>Full log - <a class="moz-txt-link-freetext"
href="https://pastebin.com/yviEFneL"
moz-do-not-send="true">https://pastebin.com/yviEFneL</a></div>
<div>Full config - <a class="moz-txt-link-freetext"
href="https://pastebin.com/2DxfQKb6"
moz-do-not-send="true">https://pastebin.com/2DxfQKb6</a></div>
<div><br>
</div>
<div>Thanks for any advice<br>
</div>
<div><br>
</div>
<div>Libor</div>
</blockquote>
</blockquote>
<pre class="moz-signature" cols="72">--
Peter Davies
Support Engineer
Internet Systems Corporation
</pre>
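<p>As an added illustration (not from this thread and not Kea's own code), the following Python models the client-class tests Jeff posted over constructed DHCPv4 packets and adds the stored-lease cross-check Libor asked for, which those tests alone do not perform. The circuit-id value, addresses, MACs and lease table are all assumed.</p>

```python
# Added example, not from the thread or from Kea: models the class tests
# Jeff posted over constructed DHCPv4 packets and adds the lease
# cross-check Libor asked about, which those tests alone do not perform.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt4:
    """Only the fields the class tests read; every value is constructed."""
    src: str          # pkt.src, IP source of the datagram
    giaddr: str       # pkt4.giaddr, relay agent address
    ciaddr: str       # pkt4.ciaddr, address the client already holds
    mac: str          # pkt4.mac, client hardware address
    msg_type: int     # option[53]: 1 = DISCOVER, 3 = REQUEST
    circuit_id: Optional[bytes] = None  # option 82 sub-option 1, relayed only

CIRCUIT_84 = b"vlan84"  # assumed circuit-id the switch stamps for VLAN 84

def is_request(p: Pkt4) -> bool:       # "option[53].hex == 0x3"
    return p.msg_type == 3

def is_direct(p: Pkt4) -> bool:        # "pkt4.giaddr == 0.0.0.0"
    return p.giaddr == "0.0.0.0"

def addresses_match(p: Pkt4) -> bool:  # "pkt4.ciaddr == pkt.src"
    return p.ciaddr == p.src

def is_direct_rebind(p: Pkt4) -> bool:
    return is_request(p) and is_direct(p) and addresses_match(p)

def vlan_84(p: Pkt4) -> bool:          # "member('circuit_84') or member('is_direct_rebind')"
    return p.circuit_id == CIRCUIT_84 or is_direct_rebind(p)

# Constructed lease table: address -> MAC that currently holds the lease.
LEASES = {"10.84.0.20": "aa:bb:cc:00:00:20"}

def renewal_backed_by_lease(p: Pkt4) -> bool:
    """Stricter variant: a direct renewal must also match a stored lease
    for the same address and MAC, the check the class tests leave out."""
    return is_direct_rebind(p) and LEASES.get(p.ciaddr) == p.mac

# Constructed scenarios from the thread.
RELAYED_DISCOVER = Pkt4("10.84.0.1", "10.84.0.1", "0.0.0.0", "aa:bb:cc:00:00:20", 1, CIRCUIT_84)
UNICAST_RENEW = Pkt4("10.84.0.20", "0.0.0.0", "10.84.0.20", "aa:bb:cc:00:00:20", 3)
STALE_MAC_RENEW = Pkt4("10.84.0.20", "0.0.0.0", "10.84.0.20", "aa:bb:cc:00:00:99", 3)
```

The relayed DISCOVER matches VLAN_84 only through its circuit-id, the unicast renewal only through is_direct_rebind; the third packet (same address, different MAC than the stored lease) still satisfies Jeff's class but fails the lease-backed variant.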
</body>
</html>