
Kea DHCPv4: Unable to obtain lease when Socket Type is 'udp'

Open dstapa opened this issue 6 months ago • 3 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

I'm experimenting with the different DHCP server options and when I switch to Kea I see that DHCP works as long as I keep the default socket type ('raw'). Once I change it to 'udp' then I am starting to see failures to get a lease on some clients and DHCP requests not appearing in packet capture anymore.

One thing I notice is that when Kea is active there is one less firewall rule than there is usually with ISC or Dnsmasq. The auto-generated out pass rule for UDP on src port 67 and dst port 68 is missing.

To Reproduce

Steps to reproduce the behavior:

  1. Enable Kea DHCPv4 for a range
  2. Change the Socket Type in 'Settings' to 'udp'

Screenshots

DHCP rules generated under ISC:

Image

DHCP rules generated under Kea:

Image

Relevant log files

I see repeated "DHCP Discover" messages when capturing in Wireshark (filter: "dhcp") but no Request or Offer. Finally the "ipconfig /renew" request fails.

Image

Image

Environment

OPNsense 25.1.7_4 (amd64)

dstapa avatar May 30 '25 09:05 dstapa
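
A small triage helper, added here as an example and not part of the issue or of OPNsense/Kea, that turns Wireshark "dhcp" summary lines into per-transaction DORA sequences and flags the symptom described above (repeated Discover with no Offer). The line format and the sample capture are constructed assumptions; adjust LINE_RE to the columns your export actually uses.

```python
import re
from collections import defaultdict

# Constructed sample of Wireshark "dhcp" filter summary lines (not taken from the issue).
# Assumed column layout: no, time, src, dst, proto, len, info.
SAMPLE_CAPTURE = """\
1 0.000 0.0.0.0     255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x1a2b3c4d
2 0.012 192.168.1.1 192.168.1.50    DHCP 342 DHCP Offer    - Transaction ID 0x1a2b3c4d
3 0.015 0.0.0.0     255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x1a2b3c4d
4 0.020 192.168.1.1 192.168.1.50    DHCP 342 DHCP ACK      - Transaction ID 0x1a2b3c4d
5 4.000 0.0.0.0     255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x5e6f7a8b
6 8.000 0.0.0.0     255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x5e6f7a8b
7 16.00 0.0.0.0     255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x5e6f7a8b
"""

# Matches the message type and transaction ID in the info column.
LINE_RE = re.compile(
    r"DHCP (Discover|Offer|Request|ACK|NAK)\s*-\s*Transaction ID (0x[0-9a-fA-F]+)"
)


def parse_exchanges(text):
    """Return {transaction_id: [message types in capture order]}."""
    exchanges = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            exchanges[m.group(2).lower()].append(m.group(1))
    return dict(exchanges)


def stalled_transactions(exchanges, min_discovers=2):
    """Transactions that kept sending Discover and never saw an Offer.

    This is the pattern to expect when the server never receives the
    broadcast, or its reply is dropped before reaching the client.
    """
    return sorted(
        xid for xid, msgs in exchanges.items()
        if msgs.count("Discover") >= min_discovers and "Offer" not in msgs
    )


def completed_transactions(exchanges):
    """Transactions that went all the way through Discover/Offer/Request/ACK."""
    return sorted(
        xid for xid, msgs in exchanges.items()
        if "Offer" in msgs and "ACK" in msgs
    )


if __name__ == "__main__":
    ex = parse_exchanges(SAMPLE_CAPTURE)
    print("completed:", completed_transactions(ex))
    print("stalled  :", stalled_transactions(ex))
```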

Possibly unrelated / incidental, but when Kea is active and I try to use option "11) Reload all services" from the console, the reload procedure becomes stuck after 'Firewall rules loaded.' and does not finish unless I interrupt with Control+C. This is repeatable.

Enter an option: 11

Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Setting timezone: America/New_York
Setting hostname: firewall.h1.home.arpa
Generating /etc/resolv.conf...done.
Generating /etc/hosts...done.
Configuring loopback interface...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring GUEST interface...done.
Configuring HOME interface...done.
Configuring IOT interface...done.
Configuring LAB interface...done.
Configuring LAN interface...done.
Configuring VPN interface...done.
Configuring WAN interface...done.
Setting up routes...done.
Setting up gateway monitor...done.
Configuring firewall.......done.
Starting NTP service...done.
Configuring OpenSSH...done.
Starting router advertisement service...done.
Starting Unbound DNS...done.
Starting web GUI...done.
Syncing OpenVPN settings...done.
Configuring WireGuard VPN...done.
Stopping flowd.
Waiting for PIDS: 27339 27725.
Stopping mdns_repeater.
Waiting for PIDS: 18313.
Stopping flowd_aggregate...done
Stopping ddclient_opn...done
Stopping monit.
Waiting for PIDS: 74380.
INFO/keactrl: Stopping kea-dhcp4...
INFO/keactrl: kea-dhcp6 isn't running.
INFO/keactrl: kea-dhcp-ddns isn't running.
INFO/keactrl: kea-ctrl-agent isn't running.
setup vlan0.20
setup vlan0.30
setup vlan0.40
setup vlan0.60
setup vlan0.1
setup vlan0.50
setup igc1 [egress only]
Sync KEA DHCP config...done.
Starting kea.
INFO/keactrl: Starting /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
Starting monit.
Starting Monit 5.35.2 daemon with http interface at /var/run/monit.sock
Starting ddclient_opn.
Starting flowd_aggregate.
Starting mdns_repeater.
Starting flowd.
Firewall rules loaded.

dstapa avatar May 30 '25 09:05 dstapa

Doing some reading on this, things get a little confusing. Apparently the purpose of UDP sockets is relaying DHCP, and they won't work with local subnets, as per https://kb.isc.org/docs/aa-00379. But other (A.I.) sources suggest that raw sockets bypass the firewall and cannot be filtered in OPNsense (?), which seems undesirable and defeats the purpose of the built-in rules.

Image

I didn't see mention of this Socket Type setting in the Kea OPNsense docs: https://docs.opnsense.org/manual/dhcp.html#kea-dhcpv4

dstapa avatar May 30 '25 12:05 dstapa

I've since switched back to the working defaults and moved on. I'm OK to close this, but leaving it up to the devs if it should remain open as a request for information / documentation update for this feature.

dstapa avatar Jun 02 '25 21:06 dstapa

I was experimenting with this today and experienced the same issue. I was trying to figure out how to eliminate this warning that kept appearing in the KEA logs:

WARN [kea-dhcp4.dhcpsrv.0x57c41b65c008] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated

When I switch to UDP, that warning disappears; however, like OP stated, devices are unable to obtain a lease. RAW seems to be the only option that works. I even tried rebooting after changing to UDP, but that didn't have any effect on the behavior. Since that message that appears in the logs is just a warning, I'll just ignore it. I'm just hoping that it won't end up becoming a problem in the future.

kuya1284 avatar Nov 17 '25 16:11 kuya1284

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Nov 26 '25 09:11 OPNsense-bot