RansNet Doc - Troubleshoot DHCP relay problem

Troubleshoot DHCP relay problem

mbox can function as a DHCP server to issue IP addresses from its local pools, for both CMG and HSG, and it also supports DHCP relay to upstream DHCP server to issue IP addresses to users/clients.

For configuring local DHCP pool, refer to this guide on issuing DHCP from local interface, or from hotspot instance.

For configuration DHCP relay to upstream DHCP server, refer to this guide on relaying from local interface, or from hotspot instance.

But sometimes, when mbox is configured as a DHCP relay, we experience problems of not being able to get DHCP addresses from upstream DHCP server. In this guide, we focus on troubleshooting on relaying DHCP from HSG hotspot instance (similar concept for interface relay).

In this topology,

we used a Linux DHCP server and HSG.
HSG is a captive portal gateway, vlan1 assigns AP management address, and vlan500 is for user data.
HSG vlan500 hotspot server (192.168.100.1) will receive clients' DHCP requests and relay to upstream DHCP server (192.168.7.224)
DHCP server is expected to issue addresses for vlan500, range from 192.168.100.0/24, and user default gateway (router) is 192.168.100.1

NOTE: for any typical troubleshooting, always use tcpdump (with "detail" option if necessary) to check where the packet flows, eg.

"tcpdump interface vlan500 detail" to check incoming DHCP request, and
"tcpdump interface eth0 detail" to check if HSG relays requests to upstream DHCP server and/or if any replies from DHCP server.

A common problem is - we don't see replies from DHCP server! There are a few key points to check.

1. Configure the necessary network/IP settings on both HSG and DHCP server. Make sure HSG can ping to DHCP server, and DHCP server opens firewall rules (if any) for UDP/67/68

On DHCP server

2. Configure a local interface with an IP address in the same subnet as the address pool for vlan500, but different IP from the relay agent IP, which is the client router IP. eg.

local interface ip 192.168.100.2/24
address pool router ip 192.168.100.1 (this is vlan500 client default gateway IP, also HSG relay-agent IP or hotspot server IP)

3. Configure DHCP address pools to include both networks/pools

for the interface that's communicating with the HSG WAN (where the relayed DHCP requests coming in), so that DHCP server will respond DHCP requests from HSG
for the local interface configured in step #2 above, so that DHCP server will respond the DHCP requests from its local pool

3. Add a host route for 192.168.100.1/32 back to the HSG WAN. eg. ip route add 192.168.100.1/32 via 192.168.7.66. Because HSG will relay client DHCP requests using source IP 192.168.100.1 (relay-agent IP) to the DHCP server, and the server must have a route for the relay-agent IP, so that the reply can be returned to back to HSG.

On HSG (DHCP relay gateway)

4. If there's "firewall-snat" on WAN/eth0, exempt SNAT for connection to DHCP server, otherwise the DHCP server will see requests mis-match (the relayed packet will SNATed to HSG WAN IP (192.168.7.66, but the relay-agent IP is 192.168.100.1). It will not respond too.

Below are the sample config on HSG.

----------------------------------------------------------------------------

!hostname mbox!interface eth0 description "Connection to WAN" enable ip address 192.168.7.66/24!interface eth1 description "Connection to LAN" enable ip address 192.168.88.1/24!interface eth2!interface eth3!interface vlan 1 500 enable ip address 192.168.100.1/24!interface loopback enable ip address 2.1.2.1/32!ip dhcp-server start!ip name-server 8.8.8.8 8.8.4.4ip host macc.ransnet.com 2.1.2.1 rewriteip host mail 127.0.0.1ip host mysqldb 127.0.0.1ip host splash.ransnet.com 2.1.2.1 rewrite!ip ntp-server 203.211.159.1 62.201.225.9!ip route 0.0.0.0/0 nexthop 192.168.7.1!macc start!firewall-dnat 12 redirect all udp dport 53 rdport 53 src 192.168.0.0/16 remark "rewrite DNS from LAN only"!firewall-input 11 permit all tcp dport 80 src 192.168.0.0/16 remark "portal access"!firewall-access 10 permit outbound eth0!!exempt SNAT for relayed DHCP requests to DHCP serverfirewall-snat 00 exempt outbound eth0 dst 192.168.7.224firewall-snat 10 overload outbound eth0!security radius-server client 127.0.0.1 key testing123 name localhost start!security hotspot vlan500 hotspot-wan eth0!relay client DHCP requests to external DHCP server client-dhcp-helper 192.168.7.224 client-static 192.168.100.1 255.255.255.0 radius-server localhost testing123 hotspot-portal http://splash.ransnet.com/pid/demo/login.php start!Sample config on DHCP server----------------------------------------------------------------------------[root@dhcpsvr ~]# ifconfigenp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.7.224 netmask 255.255.255.0 broadcast 192.168.7.255 inet6 fe80::21c:c0ff:feb5:a76d prefixlen 64 scopeid 0x20<link> ether 00:1c:c0:b5:a7:6d txqueuelen 1000 (Ethernet) RX packets 5660 bytes 412845 (403.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 179 bytes 27584 (26.9 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0!configure a local IP in the same subnet as the DHCP pool but different from relay-agent IPenp2s0.500: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.100.2 netmask 255.255.255.0 broadcast 192.168.100.255 inet6 fe80::21c:c0ff:feb5:a76d prefixlen 64 scopeid 0x20<link> ether 00:1c:c0:b5:a7:6d txqueuelen 0 (Ethernet) RX packets 587 bytes 31768 (31.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 46 bytes 2220 (2.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0[root@dhcpsvr ~]# ip route showdefault via 192.168.7.1 dev enp2s0 proto static metric 100 192.168.7.0/24 dev enp2s0 proto kernel scope link src 192.168.7.224 metric 100 192.168.100.0/24 dev enp2s0.500 proto kernel scope link src 192.168.100.2!add a host route for dhcp-relay agent IP so the DHCP can route back the reply to HSG192.168.100.1 via 192.168.7.66 dev enp2s0 192.168.200.0/24 dev enp2s0.501 proto kernel scope link src 192.168.200.1 metric 400 [root@dhcpsvr ~]# more /etc/dhcp/dhcpd.conf ## DHCP Server Configuration file.# see /usr/share/doc/dhcp*/dhcpd.conf.example# see dhcpd.conf(5) man page#!add a pool for the interface communicating with HSG so it will respond DHCP requests coming from this interfacesubnet 192.168.7.0 netmask 255.255.255.0{ range 192.168.7.10 192.168.7.200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.7.255; option routers 192.168.7.1; option domain-name-servers 8.8.8.8, 4.4.4.4;}!add a pool for the vlan500 clientssubnet 192.168.100.0 netmask 255.255.255.0{ range 192.168.100.10 192.168.100.200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.100.255; option routers 192.168.100.1; option domain-name-servers 8.8.8.8, 4.4.4.4;}