Troubleshoot DHCP relay problem

mbox can act as a DHCP server and issue IP addresses from its local pools, on both CMG and HSG, and it can also act as a DHCP relay so that an upstream DHCP server issues the addresses to users/clients.

For configuring a local DHCP pool, refer to this guide on issuing DHCP from a local interface, or from a hotspot instance.

For configuring DHCP relay to an upstream DHCP server, refer to this guide on relaying from a local interface, or from a hotspot instance.

But sometimes, when mbox is configured as a DHCP relay, clients fail to obtain DHCP addresses from the upstream DHCP server. This guide focuses on troubleshooting DHCP relay from an HSG hotspot instance (the same concepts apply to interface relay).

In this topology,

  1. we use a Linux DHCP server and an HSG.
  2. The HSG is a captive portal gateway; vlan1 assigns AP management addresses, and vlan500 carries user data.
  3. The HSG vlan500 hotspot server (192.168.100.1) receives clients' DHCP requests and relays them to the upstream DHCP server (192.168.7.224).
  4. The DHCP server is expected to issue addresses for vlan500 from the range 192.168.100.0/24, with the user default gateway (router) being 192.168.100.1.

NOTE: for any typical troubleshooting, always use tcpdump (with the "detail" option if necessary) to check where the packets flow, e.g.

  • "tcpdump interface vlan500 detail" to check the incoming DHCP requests, and
  • "tcpdump interface eth0 detail" to check whether the HSG relays the requests to the upstream DHCP server and whether any replies come back from the DHCP server.

A common problem is that we don't see any replies from the DHCP server! There are a few key points to check.

1. Configure the necessary network/IP settings on both the HSG and the DHCP server. Make sure the HSG can ping the DHCP server, and that the DHCP server's firewall (if any) allows UDP ports 67/68.

On DHCP server

2. Configure a local interface with an IP address in the same subnet as the address pool for vlan500, but different from the relay-agent IP, which is the clients' router IP, e.g.

  • local interface IP 192.168.100.2/24
  • address pool router IP 192.168.100.1 (this is the vlan500 client default gateway IP, and also the HSG relay-agent IP / hotspot server IP)

3. Configure DHCP address pools that include both networks:

  • one for the interface that communicates with the HSG WAN (where the relayed DHCP requests come in), so that the DHCP server responds to DHCP requests arriving from the HSG
  • one for the local interface configured in step 2 above, so that the DHCP server answers the relayed client requests from that pool

4. Add a host route for 192.168.100.1/32 back to the HSG WAN, e.g. ip route add 192.168.100.1/32 via 192.168.7.66. The HSG relays client DHCP requests to the DHCP server using source IP 192.168.100.1 (the relay-agent IP), and the server must have a route to the relay-agent IP so that its reply can be returned to the HSG.

On HSG (DHCP relay gateway)

5. If there is "firewall-snat" on WAN/eth0, exempt SNAT for connections to the DHCP server; otherwise the DHCP server sees mismatched requests (the relayed packet is SNATed to the HSG WAN IP 192.168.7.66 while the relay-agent IP is 192.168.100.1) and will not respond either.
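The three server-side failure points above (no pool matching the relay-agent IP, a SNATed relayed request, and a missing return route) can be checked offline against a captured relayed request. The following is an added example, not mbox/HSG or dhcpd code: it builds a constructed DHCPDISCOVER the way a relay agent forwards it (giaddr set to the relay-agent IP), decodes the BOOTP header, picks the dhcpd subnet declaration by giaddr as a DHCP server does for relayed requests, and runs a longest-prefix lookup over the route table from the page to show why the 192.168.100.1/32 host route is needed. The subnet list, route table and addresses are taken from the page; the packet bytes and the diagnose_relay helper are assumptions made for the example.

```python
"""Relay-path checks for a DHCP request relayed by the HSG to a Linux DHCP server.
Added example, not vendor code; packets and tables are constructed from the page's values."""
import ipaddress
import struct

RELAY_AGENT_IP = "192.168.100.1"   # HSG vlan500 / hotspot server IP, placed in giaddr
HSG_WAN_IP = "192.168.7.66"        # address at which the DHCP server can actually reach the HSG
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

# Pools and routes as shown in the page's dhcpd.conf and "ip route show"
SERVER_SUBNETS = ["192.168.7.0/24", "192.168.100.0/24"]
SERVER_ROUTES = [  # (prefix, next hop or None when directly connected, device)
    ("0.0.0.0/0", "192.168.7.1", "enp2s0"),
    ("192.168.7.0/24", None, "enp2s0"),
    ("192.168.100.0/24", None, "enp2s0.500"),
]
HOST_ROUTE = ("192.168.100.1/32", "192.168.7.66", "enp2s0")  # the host route the guide adds


def build_relayed_discover(giaddr, xid=0x1234ABCD, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed DHCPDISCOVER as a relay agent forwards it: hops=1, giaddr=agent IP."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 1,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr all zero
        ipaddress.IPv4Address(giaddr).packed,    # giaddr: written by the relay agent
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,   # chaddr, sname, file
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, then end


def parse_dhcp(payload):
    """Decode the fields a relay troubleshooter cares about from a UDP/67 payload."""
    f = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
        "msg_type": opts.get(53, b"\x00")[0],
    }


def select_subnet(giaddr, subnets):
    """A relayed request is served from the subnet declaration that contains giaddr."""
    g = ipaddress.IPv4Address(giaddr)
    return next((s for s in subnets if g in ipaddress.IPv4Network(s)), None)


def route_lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, device) or None when nothing matches."""
    d, best = ipaddress.IPv4Address(dst), None
    for prefix, via, dev in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def diagnose_relay(ip_src, payload, subnets, routes, relay_wan_ip):
    """List the reasons the server would not answer; an empty list means the relay path is sound.
    ip_src is the IP source address the server saw on the relayed request."""
    msg = parse_dhcp(payload)
    findings = []
    if msg["giaddr"] == "0.0.0.0":
        return ["giaddr is 0.0.0.0: the request was not relayed by an agent"]
    if ip_src != msg["giaddr"]:
        findings.append(f"source {ip_src} differs from giaddr {msg['giaddr']}: "
                        "relayed request was SNATed on the relay WAN")
    if select_subnet(msg["giaddr"], subnets) is None:
        findings.append(f"no subnet declaration contains giaddr {msg['giaddr']}: request is ignored")
    route = route_lookup(routes, msg["giaddr"])
    if route is None or route[0] != relay_wan_ip:
        findings.append(f"reply to {msg['giaddr']} would go {route}, not via {relay_wan_ip}: "
                        "missing host route back to the relay")
    return findings


if __name__ == "__main__":
    pkt = build_relayed_discover(RELAY_AGENT_IP)
    print(parse_dhcp(pkt))
    print("SNATed, no host route:",
          diagnose_relay(HSG_WAN_IP, pkt, SERVER_SUBNETS, SERVER_ROUTES, HSG_WAN_IP))
    print("fixed:",
          diagnose_relay(RELAY_AGENT_IP, pkt, SERVER_SUBNETS, SERVER_ROUTES + [HOST_ROUTE], HSG_WAN_IP))
```

Without the host route, the lookup for 192.168.100.1 lands on the directly connected 192.168.100.0/24 entry on enp2s0.500, so the server would try to deliver the reply on its local VLAN interface instead of sending it to the HSG WAN address; adding the /32 makes the more specific route win. The same functions can be pointed at real bytes from a tcpdump -w capture by supplying the UDP payload and the IP source address seen on eth0.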

Below is the sample config on the HSG.

----------------------------------------------------------------------------
!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 ip address 192.168.7.66/24
!
interface eth1
 description "Connection to LAN"
 enable
 ip address 192.168.88.1/24
!
interface eth2
!
interface eth3
!
interface vlan 1 500
 enable
 ip address 192.168.100.1/24
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server start
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip route 0.0.0.0/0 nexthop 192.168.7.1
!
macc start
!
firewall-dnat 12 redirect all udp dport 53 rdport 53 src 192.168.0.0/16 remark "rewrite DNS from LAN only"
!
firewall-input 11 permit all tcp dport 80 src 192.168.0.0/16 remark "portal access"
!
firewall-access 10 permit outbound eth0
!
!exempt SNAT for relayed DHCP requests to the DHCP server
firewall-snat 00 exempt outbound eth0 dst 192.168.7.224
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 127.0.0.1 key testing123 name localhost
 start
!
security hotspot vlan500
 hotspot-wan eth0
 !relay client DHCP requests to the external DHCP server
 client-dhcp-helper 192.168.7.224
 client-static 192.168.100.1 255.255.255.0
 radius-server localhost testing123
 hotspot-portal http://splash.ransnet.com/pid/demo/login.php
 start
!

Sample config on the DHCP server

----------------------------------------------------------------------------
[root@dhcpsvr ~]# ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.224  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 1000  (Ethernet)
        RX packets 5660  bytes 412845 (403.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179  bytes 27584 (26.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

!configure a local IP in the same subnet as the DHCP pool but different from the relay-agent IP
enp2s0.500: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.2  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 0  (Ethernet)
        RX packets 587  bytes 31768 (31.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 2220 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@dhcpsvr ~]# ip route show
default via 192.168.7.1 dev enp2s0 proto static metric 100
192.168.7.0/24 dev enp2s0 proto kernel scope link src 192.168.7.224 metric 100
192.168.100.0/24 dev enp2s0.500 proto kernel scope link src 192.168.100.2
!add a host route for the dhcp-relay agent IP so the DHCP server can route the reply back to the HSG
192.168.100.1 via 192.168.7.66 dev enp2s0
192.168.200.0/24 dev enp2s0.501 proto kernel scope link src 192.168.200.1 metric 400

[root@dhcpsvr ~]# more /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
!add a pool for the interface communicating with the HSG so the server responds to DHCP requests coming in on this interface
subnet 192.168.7.0 netmask 255.255.255.0
{
  range 192.168.7.10 192.168.7.200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.7.255;
  option routers 192.168.7.1;
  option domain-name-servers 8.8.8.8, 4.4.4.4;
}

!add a pool for the vlan500 clients
subnet 192.168.100.0 netmask 255.255.255.0
{
  range 192.168.100.10 192.168.100.200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.100.255;
  option routers 192.168.100.1;
  option domain-name-servers 8.8.8.8, 4.4.4.4;
}