Troubleshoot DHCP relay problem

mbox can function as a DHCP server that issues IP addresses from its local pools, for both CMG and HSG. It also supports DHCP relay, where an upstream DHCP server issues the IP addresses to users/clients.

To configure a local DHCP pool, refer to this guide on issuing DHCP from a local interface, or from a hotspot instance.

To configure DHCP relay to an upstream DHCP server, refer to this guide on relaying from a local interface, or from a hotspot instance.

Sometimes, when mbox is configured as a DHCP relay, clients are unable to get DHCP addresses from the upstream DHCP server. This guide focuses on troubleshooting DHCP relay from an HSG hotspot instance (the same concept applies to interface relay).

In this topology, 

NOTE: for any typical troubleshooting, always use tcpdump (with "detail" option if necessary) to check where the packet flows, eg. 

A common problem is that we don't see replies from the DHCP server. There are a few key points to check.

1. Configure the necessary network/IP settings on both HSG and the DHCP server. Make sure HSG can ping the DHCP server, and that the DHCP server's firewall rules (if any) allow UDP/67/68.

On DHCP server

2. Configure a local interface with an IP address in the same subnet as the address pool for vlan500, but different IP from the relay agent IP, which is the client router IP. eg. 

3. Configure DHCP address pools to include both networks/pools

4. Add a host route for 192.168.100.1/32 back to the HSG WAN, e.g. ip route add 192.168.100.1/32 via 192.168.7.66. HSG relays client DHCP requests to the DHCP server using source IP 192.168.100.1 (the relay-agent IP), so the server must have a route for the relay-agent IP in order for the reply to be returned to HSG.

On HSG (DHCP relay gateway)

5. If there's "firewall-snat" on WAN/eth0, exempt SNAT for the connection to the DHCP server. Otherwise the DHCP server sees mismatched requests: the relayed packet is SNATed to the HSG WAN IP (192.168.7.66), but the relay-agent IP is 192.168.100.1. In that case it will not respond either.

Below is the sample config on HSG.

----------------------------------------------------------------------------

!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 ip address 192.168.7.66/24
!
interface eth1
 description "Connection to LAN"
 enable
 ip address 192.168.88.1/24
!
interface eth2
!
interface eth3
!
interface vlan 1 500
 enable
 ip address 192.168.100.1/24
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server
 start
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip route 0.0.0.0/0 nexthop 192.168.7.1
!
macc
 start
!
firewall-dnat 12 redirect all udp dport 53 rdport 53 src 192.168.0.0/16 remark "rewrite DNS from LAN only"
!
firewall-input 11 permit all tcp dport 80 src 192.168.0.0/16 remark "portal access"
!
firewall-access 10 permit outbound eth0
!
!exempt SNAT for relayed DHCP requests to DHCP server
firewall-snat 00 exempt outbound eth0 dst 192.168.7.224
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 127.0.0.1 key testing123 name localhost
 start
!
security hotspot vlan500
 hotspot-wan eth0
 !relay client DHCP requests to external DHCP server
 client-dhcp-helper 192.168.7.224
 client-static 192.168.100.1 255.255.255.0
 radius-server localhost testing123
 hotspot-portal http://splash.ransnet.com/pid/demo/login.php
 start
!

Sample config on DHCP server

----------------------------------------------------------------------------

[root@dhcpsvr ~]# ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.224  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 1000  (Ethernet)
        RX packets 5660  bytes 412845 (403.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179  bytes 27584 (26.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

!configure a local IP in the same subnet as the DHCP pool but different from relay-agent IP
enp2s0.500: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.2  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 0  (Ethernet)
        RX packets 587  bytes 31768 (31.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 2220 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@dhcpsvr ~]# ip route show
default via 192.168.7.1 dev enp2s0  proto static  metric 100
192.168.7.0/24 dev enp2s0  proto kernel  scope link  src 192.168.7.224  metric 100
192.168.100.0/24 dev enp2s0.500  proto kernel  scope link  src 192.168.100.2
!add a host route for dhcp-relay agent IP so the DHCP can route back the reply to HSG
192.168.100.1 via 192.168.7.66 dev enp2s0
192.168.200.0/24 dev enp2s0.501  proto kernel  scope link  src 192.168.200.1  metric 400

[root@dhcpsvr ~]# more /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
!add a pool for the interface communicating with HSG so it will respond DHCP requests coming from this interface
subnet 192.168.7.0 netmask 255.255.255.0
{
        range 192.168.7.10 192.168.7.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.7.255;
        option routers 192.168.7.1;
        option domain-name-servers 8.8.8.8, 4.4.4.4;
}
!add a pool for the vlan500 clients
subnet 192.168.100.0 netmask 255.255.255.0
{
        range 192.168.100.10 192.168.100.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;
        option domain-name-servers 8.8.8.8, 4.4.4.4;
}
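
The following is an added example, not part of the original guide or of any RansNet tooling: a Python check that parses a relayed DHCP request as it arrives at the DHCP server and flags two of the conditions from the checklist above, namely a source IP that no longer matches the relay-agent IP (giaddr) because SNAT was not exempted, and a giaddr that no configured subnet covers. The packets are constructed in the script from the sample addresses on this page; the function names and the client MAC are made up for illustration.

```python
import ipaddress
import socket
import struct

def build_relayed_discover(ip_src, ip_dst, giaddr):
    """Constructed sample: raw IPv4/UDP/BOOTP DHCPDISCOVER as forwarded by a relay."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                      # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0,                # xid, secs, flags
        bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr),        # relay-agent IP
        bytes.fromhex("020000000001"),   # chaddr (made-up client MAC), null padded
        b"", b"")                        # sname, file
    bootp += bytes([99, 130, 83, 99, 53, 1, 1, 255])  # magic cookie, option 53=DISCOVER, end
    udp = struct.pack("!HHHH", 67, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(ip_src), socket.inet_aton(ip_dst))
    return ip + udp                      # checksums left at 0; they are not verified here

def check_relayed_packet(pkt, server_subnets):
    """Return a list of findings for one raw IPv4 packet seen on the DHCP server."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != 67:
        raise ValueError("not a UDP packet to port 67")
    bootp = pkt[ihl + 8:]
    if len(bootp) < 236:
        raise ValueError("truncated BOOTP header")
    ip_src = ipaddress.ip_address(pkt[12:16])
    giaddr = ipaddress.ip_address(bootp[24:28])   # giaddr sits at offset 24 of the BOOTP header
    if giaddr.is_unspecified:
        return ["giaddr is 0.0.0.0: request was not relayed"]
    findings = []
    if ip_src != giaddr:   # this page's HSG sends relayed requests from the relay-agent IP
        findings.append(f"source {ip_src} != giaddr {giaddr}: relayed request was SNATed")
    if not any(giaddr in ipaddress.ip_network(n) for n in server_subnets):
        findings.append(f"no subnet declaration covers giaddr {giaddr}")
    return findings

SUBNETS = ["192.168.7.0/24", "192.168.100.0/24"]   # from the sample dhcpd.conf
good = build_relayed_discover("192.168.100.1", "192.168.7.224", "192.168.100.1")
snat = build_relayed_discover("192.168.7.66", "192.168.7.224", "192.168.100.1")

if __name__ == "__main__":
    print("SNAT exempted:", check_relayed_packet(good, SUBNETS))
    print("SNAT applied: ", check_relayed_packet(snat, SUBNETS))
```

check_relayed_packet expects the packet starting at the IPv4 header, so strip the link-layer header first when feeding it bytes from a capture taken on the DHCP server.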