This is what we added to our Kea configs to deal with the encapsulated requests:

"""
...
"option-def": [
    {
        "name": "link",
        "code": 150,
        "space": "relay-cisco",
        "type": "ipv4-address",
        "record-types": "",
        "array": false,
        "encapsulate": ""
    },
    {
        "name": "server-id",
        "code": 152,
        "space": "relay-cisco",
        "type": "ipv4-address",
        "record-types": "",
        "array": false,
        "encapsulate": ""
    }
],
...
"""

We're using UDP sockets and the shared-networks option, with the relays in a separate file (as a JSON-formatted list):

"""
...
"shared-networks": [
    {
        "name": "my-site-relays",
        "relay": {
            "ip-addresses": <?include "/etc/kea/kea-relay4.json"?>
        },
        "subnet4": [
            <?include "/etc/kea/kea-pool4.json"?>
        ]
    }
],
...
"""

Hopefully this is useful to you ...

cheers,
Klaus

On Sat, Jan 21, 2023 at 7:53 AM Simon <dh...@thehobsons.co.uk> wrote:

> Stefan G. Weichinger <li...@xunil.at> wrote:
>
> >> I will start by stopping one of my 2 kea-nodes, and then remove the VLAN interfaces on the remaining one. Plus enable the DHCP-relay, plus adding that fw-rule.
> >> In kea I have to remove the various vlan-interfaces and edit the subnets to all listen on the same and only LAN-interface.
> >
> > Did my changes but today there are no more workers on site there so it's a bit hard to test for me from remote.
> >
> > Went back to the old setup for now.
> >
> > questions around config:
> >
> > Could I remove the separate interface lines from the subnets:
> >
> > {
> >     "interface": "enp0s31f6", # THIS LINE
> >     "id": 3,
> >     "subnet": "192.168.103.0/24",
> >
> > In the first lines I already have:
> >
> > {
> >     "Dhcp4": {
> >         "interfaces-config": {
> >             "interfaces": [ "enp0s31f6" ],
> >             "dhcp-socket-type": "raw",
> >             "service-sockets-require-all": false,
> >             "service-sockets-max-retries": 1000,
> >             "service-sockets-retry-wait-time": 10000
> >         },
> >
> > That defines the interface anyway, right?
>
> I think so, but I’m not a Kea user and have only had a fairly quick look at the documentation - most of the previous advice is based on relaying being generic and not really affecting server config much/at all.
> With dhcpd (where my experience is for about 25 years !), the only config for interfaces is to specify which ones to listen on.
>
> > "dhcp-socket-type" is ok? "raw" seems to be the default anyway.
>
> The manual at https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#interface-configuration says :
>
> Kea supports responding to directly connected clients which do not have an address configured. This requires the server to inject the hardware address of the destination into the data-link layer of the packet being sent to the client. The DHCPv4 server uses raw sockets to achieve this, and builds the entire IP/UDP stack for the outgoing packets. The downside of raw socket use, however, is that incoming and outgoing packets bypass the firewalls (e.g. iptables).
>
> Using UDP sockets automatically disables the reception of broadcast packets from directly connected clients. This effectively means that UDP sockets can be used for relayed traffic only. When using raw sockets, both the traffic from the directly connected clients and the relayed traffic are handled.
>
> So it’s clear that you want to keep raw sockets (default, no need to specify it) if you have any locally connected clients - but if you have no locally connected clients and want packets to pass through a firewall then use UDP.
>
> Also, looking at https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#dhcp4-subnet-selection it seems fairly clear that you don’t need to tie subnets to interfaces in the config - simply defining the interfaces to listen on, and the subnets to be served, is sufficient for the server to automagically associate clients with the right subnet.
>
> Simon
>
> --
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
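An added example, not part of the original thread and not Kea's own tooling: a small Python check over an already-parsed Dhcp4 config (includes resolved) that reports the raw-versus-UDP socket trade-off quoted from the manual above and flags subnets tied to an interface the server does not listen on, as well as malformed relay addresses. The function name, the messages and both sample configs are constructed for illustration.

```python
import ipaddress

RAW_MSG = "raw sockets: DHCP packets bypass the host firewall (e.g. iptables)"
UDP_MSG = "udp sockets: relayed traffic only, local broadcasts are not received"

def audit_dhcp4(cfg):
    """Return findings for a parsed Kea Dhcp4 config (includes already resolved)."""
    dhcp4 = cfg["Dhcp4"]
    ifcfg = dhcp4.get("interfaces-config", {})
    # "raw" is the default socket type, per the manual text quoted in the thread.
    sock = ifcfg.get("dhcp-socket-type", "raw")
    # Entries may be "name" or "name/address"; keep only the interface name.
    listen = {i.split("/")[0] for i in ifcfg.get("interfaces", [])}
    findings = [RAW_MSG if sock == "raw" else UDP_MSG]
    subnets = list(dhcp4.get("subnet4", []))
    for net in dhcp4.get("shared-networks", []):
        subnets += net.get("subnet4", [])
        for addr in net.get("relay", {}).get("ip-addresses", []):
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(f"{net.get('name')}: bad relay address {addr!r}")
    for s in subnets:
        iface = s.get("interface")
        if iface and "*" not in listen and iface not in listen:
            findings.append(f"{s['subnet']}: interface {iface} is not listened on")
    return findings

# Constructed sample: the direct-attached setup from the thread (raw is implied).
DIRECT = {"Dhcp4": {
    "interfaces-config": {"interfaces": ["enp0s31f6"]},
    "subnet4": [{"id": 3, "subnet": "192.168.103.0/24", "interface": "enp0s31f6"}]}}

# Constructed sample: relay-only setup with two deliberate mistakes
# (a leftover VLAN interface name and a malformed relay address).
RELAYED = {"Dhcp4": {
    "interfaces-config": {"interfaces": ["enp0s31f6"], "dhcp-socket-type": "udp"},
    "shared-networks": [{
        "name": "my-site-relays",
        "relay": {"ip-addresses": ["192.0.2.1", "192.0.2.300"]},
        "subnet4": [{"id": 3, "subnet": "192.168.103.0/24",
                     "interface": "enp0s31f6.103"}]}]}}

if __name__ == "__main__":
    for name, cfg in (("direct", DIRECT), ("relayed", RELAYED)):
        for finding in audit_dhcp4(cfg):
            print(f"[{name}] {finding}")
```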