opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Feature: DHCP server able to handle non-interface configured subnets #1105

Closed willjones closed 5 years ago

willjones commented 8 years ago

It would be very nice to be able to use a pair of OPNsense boxes for HA DHCP for setups where DHCP relay is being used and the OPNsense setup is functioning more like a DHCP server appliance than a full firewall, i.e. there is only one configured interface on the OPN side but we would require multiple networks served via the DHCP server.

I am not aware of any open source or indeed low cost commercial products that provide a nice, simple GUI for DHCPD and HA configuration like we have in OPNsense, but obviously having to have the DHCP server with a presence in every subnet is not ideal, nor often desirable for large networks.

aes512 commented 8 years ago

👍

fichtner commented 6 years ago

The "problem" with this feature: it requires to mock a subnet block before adding a range.

githubatf2f10 commented 6 years ago

https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/ *for pfSense

githubatf2f10 commented 6 years ago

Another effort is here, https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/

another here, https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

githubatf2f10 commented 6 years ago

https://forum.pfsense.org/index.php?topic=65736.15 pfsense/pfsense#816 pfsense/pfsense#3836

FlorianHeigl commented 6 years ago

Historians at work

"but obviously having to have the DHCP server with a presence in every subnet is not ideal, nor often desirable for large networks."

Is the understatement of the week. It's an architectural sadness to have to do this!

a stuck feature

I've been looking into this (or #2238) today, since it also blocks the firewall to serve as a dhcp server in a vlan setup with L3 core switches doing DHCP relay (since you just can't enter or generate the no-brainer lines for the subnet definitions)

For what it's worth, the story goes back to at least the year 2006, when the first patches for pfSense had been submitted to support working behind dhcp relay agents. (and they got mostly ignored. They were followed by more patches, that of course met a similar fate)

which is a pre-historic feature

This is RFCed functionality available in probably every enterprise switch on the planet... and in dhcpd, of course. Even W2K had it. And whatever it was that made the pfSense guys block this for over a decade, please, please there needs to be a way out of this...

It's not super common to be used in a setup where the firewall is also doing DHCP, but there are NOT only windows shops, and most of the threads that have been linked above mention those people switched to a normal linux/unix based dhcp server BECAUSE THEY HAD TO because the feature was missing.

Possible ways out

Until then, tbh it would probably be enough to be allowed to include a block in the config??? What do you think?

IMO there's two parts of the "problem":

  1. being able to configure it in a neat way
  2. not being blocked from configuring to do it at all by the lack of 1.

Solving 2. seems a lot more important than finding a nice way to do 1.

gizahNL commented 6 years ago

I think a simple approach could be to:

- have a master DHCP page to configure on what interfaces it listens.
- then instead of detecting interfaces as we do now, and labeling them as interfaces, we should be detecting subnets per listening interface, so subnet pages would replace interface pages.

The logic should write a subnet declaration at least for every subnet on the interfaces it listens on, and only when DHCP server is enabled in the GUI for such subnets and a range is specified should this configuration then be written to the config file.

fichtner commented 6 years ago

Fair points, but I would ask anyone with the vision to do this to submit at least a POC as a base for discussion. Some topics drag on forever, mainly because people think they are easily solved while it actually takes considerable work and time active contributors do not have to fix use cases that are not in their immediate work scope.

FlorianHeigl commented 6 years ago

TBH: This has already cost me all the time I could have spent this year to work on OPNsense (i.e. making a check_mk package). And it was for nothing.

fichtner commented 6 years ago

Sure, I can relate.

Fohdeesha commented 6 years ago

How much money do I have to throw at this to make it happen? I do not understand why in 2018 such an ancient RFC'd function of DHCP is totally missing from all the *sense projects. I'm serious, give me a $ ballpark so we can get this over with.

It's gotten to the point where people are resorting to killing the dhcp daemon on boot just so they can load in a config that does this

githubatf2f10 commented 6 years ago

Here's what I did:

  1. set up "static" ip on interface
  2. use two separate Linux boxes running dhcp in failover mode, along with IP helper on Cisco switch and vlans.

Ideal solution would be: whether we have "dhcp" service for the *sense's interface subnet or not, we need to define an empty dhcp scope for that "listening" interface; then, define the rest of the subnets accordingly as normal.

The important part is the one with the first "interface" subnet defined, even though not used. I am not a developer, but this solution was done by guys for pfSense and should be able to be done here as well as a workaround. But, best is that the developers of *sense can make it happen within the box so that we don't have to do these workarounds.

root@dhcp2:~# cat /etc/dhcp/dhcpd.conf
authoritative;
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "abc.com";
option domain-name-servers 10.16.244.1, 10.16.244.3;
# option domain-name-servers 192.168.0.60;

option ntp-servers 10.16.244.1, 10.16.244.3;
option custom-opt6-0 code 156 = text;
option custom-opt7-0 code 156 = text;
option cisco-tftp-server code 150 = array of ip-address;
option cisco-tftp-server 10.16.244.1, 10.16.244.3;

default-lease-time 3600;
max-lease-time 7200;

log-facility local7;

# Secondary DHCP server
failover peer "dhcp-failover" {
    secondary;                      # declare this to be the secondary server
    address 10.16.161.3;
    port 647;
    peer address 10.16.160.3;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
}

################################################################################
# This subnet is the one that the DHCP server is in, has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet
# since there is nothing between the curly brackets.
subnet 10.16.161.0 netmask 255.255.255.240 { }

# VLAN - 501
subnet 10.16.16.0 netmask 255.255.255.0 {
    option routers 10.16.16.1;
    option subnet-mask 255.255.255.0;
    option domain-search "abc.com";
    option custom-opt6-0 "configServers=192.168.9.11,ftpservers=192.168.9.11,country=2,language=1,layer2tagging=1,vlanid=502";
    pool {
        failover peer "dhcp-failover";
        range 10.16.16.10 10.16.16.249;
    }
}

# VLAN - 502
subnet 10.16.20.0 netmask 255.255.255.0 {
    option routers 10.16.20.1;
    option subnet-mask 255.255.255.0;
    option domain-search "abc.com";
    option custom-opt7-0 "configServers=192.168.9.11,ftpservers=192.168.9.11,country=2,language=1,layer2tagging=1,vlanid=502";
    pool {
        failover peer "dhcp-failover";
        range 10.16.20.10 10.16.20.249;
    }
}

# VLAN - 503
subnet 10.16.24.0 netmask 255.255.255.0 {
    option routers 10.16.24.1;
    option subnet-mask 255.255.255.0;
    option domain-search "abc.com";
    option custom-opt7-0 "configServers=192.168.9.11,ftpservers=192.168.9.11,country=2,language=1,layer2tagging=1,vlanid=502";
    pool {
        failover peer "dhcp-failover";
        range 10.16.24.10 10.16.24.249;
    }
}
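
The two rules the workaround above depends on, as an added example that is not code from OPNsense, ISC dhcpd, or this thread: a small parser for the `subnet ... netmask ... { }` declarations of a dhcpd.conf, a check that the server's own interface subnet is declared (the empty-body block), and the subnet selection dhcpd applies to a relayed request, which is keyed on the relay agent address (giaddr) rather than on the interface the packet arrived on. The parser only understands `subnet`, `option routers` and `range` (also inside `pool` blocks); `SAMPLE_CONF` is constructed to mirror the posted config and its addresses are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Subnet:
    network: ipaddress.IPv4Network
    routers: list = field(default_factory=list)
    ranges: list = field(default_factory=list)   # (first, last) address pairs


_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_SUBNET_RE = re.compile(r"subnet\s+" + _IP + r"\s+netmask\s+" + _IP + r"\s*\{")
_RANGE_RE = re.compile(r"range\s+" + _IP + r"\s+" + _IP + r"\s*;")
_ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def _block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (pool blocks nest)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in dhcpd.conf")


def parse_subnets(conf):
    """Collect every subnet declaration, including ones with an empty body."""
    conf = re.sub(r"#.*", "", conf)          # drop comments first
    subnets = []
    for m in _SUBNET_RE.finditer(conf):
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=True)
        body = _block_body(conf, m.end() - 1)
        routers = [ipaddress.IPv4Address(r.strip())
                   for grp in _ROUTERS_RE.findall(body) for r in grp.split(",")]
        ranges = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                  for a, b in _RANGE_RE.findall(body)]
        subnets.append(Subnet(net, routers, ranges))
    return subnets


def listen_subnet_declared(subnets, server_ip):
    """The check the empty 'subnet 10.16.161.0 ... { }' block satisfies: dhcpd
    ignores an interface whose own subnet is not declared (it logs
    'No subnet declaration for ...'), even if that interface exists only to
    receive relayed packets."""
    ip = ipaddress.IPv4Address(server_ip)
    return any(ip in s.network for s in subnets)


def select_subnet(subnets, giaddr, iface_ip):
    """Subnet a request is served from: the relay agent's subnet when giaddr
    is set (RFC 2131 section 4.3.1), otherwise the receiving interface's."""
    key = ipaddress.IPv4Address(giaddr)
    if key == ipaddress.IPv4Address("0.0.0.0"):
        key = ipaddress.IPv4Address(iface_ip)
    for s in subnets:
        if key in s.network:
            return s
    return None


def pool_size(subnet):
    """Number of leasable addresses declared by the subnet's range statements."""
    return sum(int(last) - int(first) + 1 for first, last in subnet.ranges)


# Constructed sample modelled on the config posted above (addresses illustrative).
SAMPLE_CONF = """
authoritative;
# the server's own /28; empty body, so nothing is handed out here
subnet 10.16.161.0 netmask 255.255.255.240 { }

# VLAN 501, reached through a relay agent (ip helper) at 10.16.16.1
subnet 10.16.16.0 netmask 255.255.255.0 {
    option routers 10.16.16.1;
    range 10.16.16.10 10.16.16.249;
}

# VLAN 502, same, with the range inside a pool block
subnet 10.16.20.0 netmask 255.255.255.0 {
    option routers 10.16.20.1;
    pool { range 10.16.20.10 10.16.20.249; }
}
"""

if __name__ == "__main__":
    subs = parse_subnets(SAMPLE_CONF)
    print("interface subnet declared:", listen_subnet_declared(subs, "10.16.161.3"))
    hit = select_subnet(subs, giaddr="10.16.16.1", iface_ip="10.16.161.3")
    print("relayed from 10.16.16.1 ->", hit.network, "pool", pool_size(hit))
```

A request relayed from a VLAN whose subnet is not declared returns `None` here, which is the case where dhcpd logs that it has no subnet for the giaddr and stays silent. Before reloading a hand-edited file on a real box, `dhcpd -t -cf /path/to/dhcpd.conf` does the syntax check that this parser does not attempt.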

githubatf2f10 commented 6 years ago

At the bottom of this post, https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans

This is the person who posted the solution for Linux: JRC, Dec 20, 2017 at 5:47 PM

N3m3515 commented 5 years ago

Is this still not implemented? I can't believe that Windows is doing something better than a purpose-built networking device.

fichtner commented 5 years ago

No, do you want to help implement?

On 5. Oct 2018, at 20:57, N3m3515 notifications@github.com wrote:

Is this still not implemented? I can't believe that Windows is doing something better than a purpose-built networking device.

N3m3515 commented 5 years ago

Since I can't code very well I don't know how I could help. But I am open to beta testing this feature or helping in other ways if possible.

net1q commented 5 years ago

I left pfSense hoping that OPNsense had it figured out. I didn't know that it was that difficult to implement this. I guess I will have to stick with my EdgeRouter then.

fabianfrz commented 5 years ago

@N3m3515 you can start with the guide by @mimugmail: https://www.routerperformance.net/opnsense/plugin-development/create-a-new-plugin-from-scratch-by-example-pt-1-lldp/

mimugmail commented 5 years ago

I could offer my time, building a new DHCP service as a plugin, let's call it dhcp-relay, with basic stuff borrowed from the original one.

But for this we would need a different implementation than isc-dhcp AND a working conf example.

Then I'll build you one in two weeks for 0 $ :)

fabianfrz commented 5 years ago

Here are just two (I have not used any of them but maybe this list helps you):

https://wiki.freeradius.org/features/DHCP (you do already maintain that plugin)
https://kea.isc.org/

fichtner commented 5 years ago

Dnsmasq could do it too. But Michael proposed a nice plan: add a new DHCP plugin for this specific use case. No need to deal with the current complexity of core DHCP IPv4 and IPv6 implementations....

On 23. Nov 2018, at 17:51, Fabian Franz BSc notifications@github.com wrote:

Here are just two (I have not used any of them but maybe this list helps you):

https://wiki.freeradius.org/features/DHCP (you do already maintain that plugin)
https://kea.isc.org/

mimugmail commented 5 years ago

FreeRadius .. nice! I'll have look :)

mimugmail commented 5 years ago

I'll start with a PoC tomorrow .. at first only one pool available just to check if and how it works in general:

If someone wants to join testing, everyone is very welcome. :)

fichtner commented 5 years ago

Here's an idea about what we were talking about earlier.... since isc-dhcp is used in the static code we could add an MVC equivalent and use the rc system for the external network tasks... only thing that may be required is moving the old DHCPv4 / v6 out of the way for rc to not confuse them (e.g. PID).

mimugmail commented 5 years ago

ATM I'm testing FreeRADIUS .. I'm already sending replies but the notebook doesn't receive an IP. Sadly I'm not in the office and my co-worker is gone, to read the logs at the client :)

Received DHCP-Discover of Id 5d31573b from 192.168.0.1:67 to 1.1.1.1:67
        DHCP-Opcode = Client-Message
        DHCP-Hardware-Type = Ethernet
        DHCP-Hardware-Address-Length = 6
        DHCP-Hop-Count = 1
        DHCP-Transaction-Id = 1563514683
        DHCP-Number-of-Seconds = 36
        DHCP-Flags = 0
        DHCP-Client-IP-Address = 0.0.0.0
        DHCP-Your-IP-Address = 0.0.0.0
        DHCP-Server-IP-Address = 0.0.0.0
        DHCP-Gateway-IP-Address = 192.168.0.1
        DHCP-Client-Hardware-Address = 54:04:a6:3f:78:49
        DHCP-Message-Type = DHCP-Discover
        DHCP-Requested-IP-Address = 192.168.2.113
        DHCP-Hostname = "maxis-P53E"
        DHCP-Parameter-Request-List = DHCP-Subnet-Mask
        DHCP-Parameter-Request-List = DHCP-Broadcast-Address
        DHCP-Parameter-Request-List = DHCP-Time-Offset
        DHCP-Parameter-Request-List = DHCP-Router-Address
        DHCP-Parameter-Request-List = DHCP-Domain-Name
        DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
        DHCP-Parameter-Request-List = DHCP-Domain-Search
        DHCP-Parameter-Request-List = DHCP-Hostname
        DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
        DHCP-Parameter-Request-List = DHCP-NETBIOS
        DHCP-Parameter-Request-List = DHCP-Interface-MTU-Size
        DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
        DHCP-Parameter-Request-List = DHCP-NTP-Servers
        DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
        DHCP-Parameter-Request-List = DHCP-Site-specific-25
        DHCP-Parameter-Request-List = DHCP-Static-Routes
        DHCP-Parameter-Request-List = DHCP-Site-specific-28
        DHCP-Parameter-Request-List = DHCP-NTP-Servers
(27) Received code 1025 Id 1563514683 from 192.168.0.1:67 to 1.1.1.1:67 length 300
(27)   DHCP-Opcode = Client-Message
(27)   DHCP-Hardware-Type = Ethernet
(27)   DHCP-Hardware-Address-Length = 6
(27)   DHCP-Hop-Count = 1
(27)   DHCP-Transaction-Id = 1563514683
(27)   DHCP-Number-of-Seconds = 36
(27)   DHCP-Flags = 0
(27)   DHCP-Client-IP-Address = 0.0.0.0
(27)   DHCP-Your-IP-Address = 0.0.0.0
(27)   DHCP-Server-IP-Address = 0.0.0.0
(27)   DHCP-Gateway-IP-Address = 192.168.0.1
(27)   DHCP-Client-Hardware-Address = 54:04:a6:3f:78:49
(27)   DHCP-Message-Type = DHCP-Discover
(27)   DHCP-Requested-IP-Address = 192.168.2.113
(27)   DHCP-Hostname = "maxis-P53E"
(27)   DHCP-Parameter-Request-List = DHCP-Subnet-Mask
(27)   DHCP-Parameter-Request-List = DHCP-Broadcast-Address
(27)   DHCP-Parameter-Request-List = DHCP-Time-Offset
(27)   DHCP-Parameter-Request-List = DHCP-Router-Address
(27)   DHCP-Parameter-Request-List = DHCP-Domain-Name
(27)   DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
(27)   DHCP-Parameter-Request-List = DHCP-Domain-Search
(27)   DHCP-Parameter-Request-List = DHCP-Hostname
(27)   DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
(27)   DHCP-Parameter-Request-List = DHCP-NETBIOS
(27)   DHCP-Parameter-Request-List = DHCP-Interface-MTU-Size
(27)   DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
(27)   DHCP-Parameter-Request-List = DHCP-NTP-Servers
(27)   DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
(27)   DHCP-Parameter-Request-List = DHCP-Site-specific-25
(27)   DHCP-Parameter-Request-List = DHCP-Static-Routes
(27)   DHCP-Parameter-Request-List = DHCP-Site-specific-28
(27)   DHCP-Parameter-Request-List = DHCP-NTP-Servers
Trying sub-section dhcp DHCP-Discover {...}
(27)   dhcp DHCP-Discover {
(27)     update reply {
(27)       DHCP-Message-Type = DHCP-Offer
(27)     } # update reply = noop
(27)     update reply {
(27)       &DHCP-Domain-Name-Server = 8.8.8.8
(27)       &DHCP-Domain-Name-Server = 8.8.4.4
(27)       &DHCP-Subnet-Mask = 255.255.255.0
(27)       &DHCP-Router-Address = 192.168.0.1
(27)       &DHCP-IP-Address-Lease-Time = 86400
(27)       &DHCP-DHCP-Server-Identifier = 1.1.1.1
(27)     } # update reply = noop
(27) mac2ip: Added DHCP-Your-IP-Address: '192.168.0.10' to reply_items
(27)     [mac2ip] = ok
(27)     [ok] = ok
(27)   } # dhcp DHCP-Discover = ok
(27) DHCP: Reply will be unicast to giaddr from original packet
(27) Sent code 1026 Id 1563514683 from 1.1.1.1:67 to 192.168.0.1:67 length 0
(27)   DHCP-Relay-IP-Address = 192.168.0.1
(27)   DHCP-Message-Type = DHCP-Offer
(27)   DHCP-Domain-Name-Server = 8.8.8.8
(27)   DHCP-Subnet-Mask = 255.255.255.0
(27)   DHCP-Router-Address = 192.168.0.1
(27)   DHCP-IP-Address-Lease-Time = 86400
(27)   DHCP-DHCP-Server-Identifier = 1.1.1.1
(27)   DHCP-Your-IP-Address = 192.168.0.10
(27)   DHCP-Opcode = Server-Message
(27)   DHCP-Hardware-Type = Ethernet
(27)   DHCP-Hardware-Address-Length = 6
(27)   DHCP-Hop-Count = 1
(27)   DHCP-Transaction-Id = 1563514683
(27)   DHCP-Flags = 0
(27)   DHCP-Client-IP-Address = 0.0.0.0
(27)   DHCP-Gateway-IP-Address = 192.168.0.1
(27)   DHCP-Client-Hardware-Address = 54:04:a6:3f:78:49
        DHCP-Opcode = Server-Message
        DHCP-Hardware-Type = Ethernet
        DHCP-Hardware-Address-Length = 6
        DHCP-Hop-Count = 1
        DHCP-Transaction-Id = 1563514683
        DHCP-Number-of-Seconds = 0
        DHCP-Flags = 0
        DHCP-Client-IP-Address = 0.0.0.0
        DHCP-Your-IP-Address = 192.168.0.10
        DHCP-Server-IP-Address = 0.0.0.0
        DHCP-Gateway-IP-Address = 192.168.0.1
        DHCP-Client-Hardware-Address = 54:04:a6:3f:78:49
        DHCP-Server-Host-Name = ""
        DHCP-Boot-Filename = ""
        DHCP-Subnet-Mask = 255.255.255.0
        DHCP-Router-Address = 192.168.0.1
        DHCP-Domain-Name-Server = 8.8.8.8
        DHCP-IP-Address-Lease-Time = 86400
        DHCP-DHCP-Server-Identifier = 1.1.1.1
Sending DHCP-Offer Id 5d31573b from 1.1.1.1:67 to 192.168.0.1:67
(27) Finished request
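
The relayed DISCOVER/OFFER exchange that the log above shows, as an added example that is not FreeRADIUS, OPNsense or mimugmail's code: it serializes the client's DISCOVER the way the relay at 192.168.0.1 forwards it (hop count 1, giaddr set), parses the fixed header and options on the server side, builds the OFFER, and makes the delivery decision of RFC 2131 section 4.1, which is the line "Reply will be unicast to giaddr from original packet" in the log: a relayed request is answered to the relay agent on port 67, so the server needs no presence on the client's VLAN. The xid, MAC, hop count, requested address and offered parameters are taken from the log; the packet bytes themselves are constructed.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_REQUESTED_IP = 1, 3, 6, 50
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, hops, ciaddr, yiaddr, siaddr, giaddr, mac, options, flags=0, secs=0):
    """Serialize a DHCP message: fixed header, magic cookie, TLV options, end marker."""
    fixed = struct.pack(_HEADER, op, 1, 6, hops, xid, secs, flags,
                        _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + tlv + bytes([OPT_END])


def parse_dhcp(raw):
    """Decode the fixed header and the option list (pad and end options handled)."""
    f = struct.unpack(_HEADER, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "secs": f[5], "flags": f[6],
           "ciaddr": str(ipaddress.IPv4Address(f[7])),
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "siaddr": str(ipaddress.IPv4Address(f[9])),
           "giaddr": str(ipaddress.IPv4Address(f[10])),
           "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(raw):
        code = raw[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == OPT_END:
            break
        length = raw[i + 1]
        msg["options"][code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def reply_destination(request, yiaddr):
    """RFC 2131 section 4.1: a relayed request goes back to giaddr:67; only a
    request that arrived directly is broadcast or unicast to the client."""
    if request["giaddr"] != "0.0.0.0":
        return request["giaddr"], 67
    if request["ciaddr"] != "0.0.0.0":
        return request["ciaddr"], 68
    if request["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", 68
    return yiaddr, 68    # unicast to the offered address, link layer via chaddr


def make_offer(discover_raw, yiaddr, server_id, mask, router, dns, lease):
    """Server side: validate the DISCOVER, build the OFFER, pick its destination."""
    req = parse_dhcp(discover_raw)
    if req["op"] != BOOTREQUEST or req["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("expected a DHCPDISCOVER")
    options = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
               (OPT_SERVER_ID, _ip(server_id)),
               (OPT_LEASE_TIME, struct.pack("!I", lease)),
               (OPT_SUBNET_MASK, _ip(mask)),
               (OPT_ROUTER, _ip(router)),
               (OPT_DNS, b"".join(_ip(d) for d in dns))]
    # giaddr, xid, hops and chaddr are copied from the request so the relay can
    # match the reply and hand it to the client.
    offer = build_dhcp(BOOTREPLY, req["xid"], req["hops"], "0.0.0.0", yiaddr, "0.0.0.0",
                       req["giaddr"], req["chaddr"], options, flags=req["flags"])
    return reply_destination(req, yiaddr), offer


def relayed_discover():
    """Constructed DISCOVER as the relay agent at 192.168.0.1 forwards it
    (xid, MAC, hop count and requested address taken from the log above)."""
    mac = bytes.fromhex("5404a63f7849")
    options = [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
               (OPT_REQUESTED_IP, _ip("192.168.2.113"))]
    return build_dhcp(BOOTREQUEST, 0x5d31573b, 1, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                      "192.168.0.1", mac, options, secs=36)


if __name__ == "__main__":
    dest, offer = make_offer(relayed_discover(), "192.168.0.10", "1.1.1.1",
                             "255.255.255.0", "192.168.0.1", ["8.8.8.8", "8.8.4.4"], 86400)
    print("offer", parse_dhcp(offer)["yiaddr"], "sent to", dest)
```

Note that nothing in the OFFER path looks at the interface the DISCOVER arrived on: the relay's address in giaddr both selects the client's network and names where the reply goes, which is exactly why a server that only has an address in the management subnet can still serve every relayed VLAN.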

mimugmail commented 5 years ago

Ok, it seems to work now with one network. I'll try to add some functionality to allow multiple networks. I explicitly don't speak about pools as they won't be supported! This is a limitation because this would need an SQL server, and SQLite is highly experimental (unsupported) for pooling. So it's obligatory to add EVERY IP/MAC pair manually.

Hope this is ok for you ...

mimugmail commented 5 years ago

3 limitations: