Wrong Server-IP with multihomed server

Wrong Server-IP with multihomed server

Onno van der Leun
Hi all,

Since my colleague and I are getting frustrated in getting the solution
for this weird issue, I'm checking in with the community. The goal is
to service two different interfaces/subnets with their own
configuration. I really hope someone can shed some light on this and
help us figure this out. I hope I provided enough information below.

== Situation:
- 1 CentOS7 VM (on VMware)
-- dhcpd installed
# rpm -qa |grep -i dhcp
dhcp-4.2.5-68.el7.centos.1.x86_64
dhcp-common-4.2.5-68.el7.centos.1.x86_64
dhcp-libs-4.2.5-68.el7.centos.1.x86_64

-- Two nics:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b1:36:1f brd ff:ff:ff:ff:ff:ff
    inet 10.38.5.110/24 brd 10.38.5.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:361f/64 scope link
       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b1:76:24 brd ff:ff:ff:ff:ff:ff
    inet 10.0.103.110/24 brd 10.0.103.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:7624/64 scope link
       valid_lft forever preferred_lft forever

-- DHCPd config:
# cat /etc/dhcp/dhcpd.conf 

ddns-update-style none;

allow booting;
allow bootp;

ignore client-updates;


set vendorclass = option vendor-class-identifier;

option pxe-system-type code 93 = unsigned integer 16;

subnet 10.38.5.0 netmask 255.255.255.0 {
        option routers             10.38.5.1;
        option domain-name-servers 10.38.5.200, 10.38.5.205;
        option subnet-mask         255.255.255.0;
        range dynamic-bootp        10.38.5.111 10.38.5.125;
        default-lease-time         3600;
        max-lease-time             7200;
        next-server                10.38.5.110;
        class "pxeclients" {
                match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
                if option pxe-system-type = 00:06 or option pxe-system-type = 00:07 or option pxe-system-type = 00:09 {
                        filename "ipxe.efi";
                } else {
                        filename "esxi65u2/pxelinux.0";
                }
        }
}

subnet 10.0.103.0 netmask 255.255.255.0 {
        option routers             10.0.103.1;
        option domain-name-servers 10.0.103.200, 10.0.103.205;
        option subnet-mask         255.255.255.0;
        range dynamic-bootp        10.0.103.111 10.0.103.125;
        default-lease-time         3600;
        max-lease-time             7200;
        next-server                10.0.103.110;
        class "pxeclients" {
                match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
                if option pxe-system-type = 00:06 or option pxe-system-type = 00:07 or option pxe-system-type = 00:09 {
                        filename "ipxe.efi";
                } else {
                        filename "esxi65u2/pxelinux.0";
                }
        }
}


== Expected result:
Hosts running PXE/requesting IP in subnet on eth0 get an IP from
the 10.38.5.x subnet, and hosts running PXE/requesting IP in subnet on
eth1 get IP from the 10.0.103.x subnet

== Actual result:
Hosts requesting IP on eth0 do get IP successfully from the 10.38.5.x
pool. However, hosts requesting IP on eth1 don't get (correctly) IP.


== Debug info
When running dhcpd with one or the other pool active, it works for that
specific subnet. However, when both pools are active, it turns out the
wrong "Server-IP" is given in replies on eth1:

********* OK (@eth0):
13:40:54.919721 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.38.5.110.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x9b459539, Flags [Broadcast]
          Your-IP 10.38.5.111
          Server-IP 10.38.5.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]

********* FAIL (@eth1):
13:45:46.296813 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.0.103.110.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0xc7e7af3c, Flags [Broadcast]
          Your-IP 10.0.103.113
          Server-IP 10.38.5.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]

^--- Server-IP should be 10.0.103.110 instead of 10.38.5.110 on eth1

********* OK (@eth1, when subnet 10.38.5.0/24 has been removed from the config):
13:56:18.250993 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.0.103.110.67 > 10.0.103.111.68: BOOTP/DHCP, Reply, length 300, xid 0xf5d07466, secs 18, Flags [none]
          Your-IP 10.0.103.111
          Server-IP 10.0.103.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]


Meanwhile we tried almost every option dhcp-server-identifier /
server-identifier combination, but none work. Server starts without
errors and is responding to requests on the right interfaces:

Dec 20 14:09:27 mydhcpserver systemd: Starting DHCPv4 Server Daemon...
Dec 20 14:09:27 mydhcpserver dhcpd: Internet Systems Consortium DHCP Server 4.2.5
Dec 20 14:09:27 mydhcpserver dhcpd: Copyright 2004-2013 Internet Systems Consortium.
Dec 20 14:09:27 mydhcpserver dhcpd: All rights reserved.
Dec 20 14:09:27 mydhcpserver dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Dec 20 14:09:27 mydhcpserver dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Dec 20 14:09:27 mydhcpserver dhcpd: Wrote 0 class decls to leases file.
Dec 20 14:09:27 mydhcpserver dhcpd: Wrote 3 leases to leases file.
Dec 20 14:09:27 mydhcpserver dhcpd: Listening on LPF/eth1/00:50:56:b1:76:24/eth1
Dec 20 14:09:27 mydhcpserver dhcpd: Sending on   LPF/eth1/00:50:56:b1:76:24/eth1
Dec 20 14:09:27 mydhcpserver dhcpd: Listening on LPF/eth0/00:50:56:b1:36:1f/eth0
Dec 20 14:09:27 mydhcpserver dhcpd: Sending on   LPF/eth0/00:50:56:b1:36:1f/eth0
Dec 20 14:09:27 mydhcpserver dhcpd: Sending on   Socket/fallback/fallback-net
Dec 20 14:09:27 mydhcpserver systemd: Started DHCPv4 Server Daemon.
Dec 20 14:09:49 mydhcpserver dhcpd: DHCPDISCOVER from 48:df:37:64:cd:a0 via eth1
Dec 20 14:09:50 mydhcpserver dhcpd: DHCPOFFER on 10.0.103.113 to 48:df:37:64:cd:a0 via eth1
Dec 20 14:09:52 mydhcpserver dhcpd: DHCPREQUEST for 10.0.103.113 (10.0.103.110) from 48:df:37:64:cd:a0 via eth1
Dec 20 14:09:52 mydhcpserver dhcpd: DHCPACK on 10.0.103.113 to 48:df:37:64:cd:a0 via eth1
Dec 20 14:09:52 mydhcpserver dhcpd: DHCPREQUEST for 10.0.103.113 (10.0.103.110) from 48:df:37:64:cd:a0 via eth1
Dec 20 14:09:52 mydhcpserver dhcpd: DHCPACK on 10.0.103.113 to 48:df:37:64:cd:a0 via eth1
(SNIP)

Thanks for anyone's time.

Kind regards,
Onno.
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
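
The by-eye comparison in the debug section of the post above can be scripted. This is an added example, not part of the original post: it reads `tcpdump -v` text and reports any reply whose Your-IP or Server-IP lies outside the subnet of the interface that sent it. The function names are hypothetical, and it assumes, as in this setup, that next-server is meant to be on the same subnet as the client.

```python
"""Check BOOTP/DHCP replies in `tcpdump -v` text for addresses on the wrong subnet."""
from __future__ import annotations
import re
from ipaddress import ip_address, ip_interface

# Interface addresses taken from the `ip addr` output in the post.
SERVER_INTERFACES = {
    "eth0": ip_interface("10.38.5.110/24"),
    "eth1": ip_interface("10.0.103.110/24"),
}

# "SRC.67 > DST.68: BOOTP/DHCP, Reply, ... xid 0x..." starts a reply record.
HEADER = re.compile(r"^\s*(\d+(?:\.\d+){3})\.67 > \S+: BOOTP/DHCP, Reply\b.*?\bxid (0x[0-9a-f]+)")
FIELD = re.compile(r"^\s*(Your-IP|Server-IP) (\d+(?:\.\d+){3})\s*$")


def parse_replies(capture: str) -> list[dict]:
    """Group each reply's header line with the indented field lines after it."""
    replies: list[dict] = []
    for line in capture.splitlines():
        header = HEADER.match(line)
        if header:
            replies.append({"src": header.group(1), "xid": header.group(2)})
        elif replies and (field := FIELD.match(line)):
            replies[-1][field.group(1)] = field.group(2)
    return replies


def wrong_subnet_replies(capture: str, interfaces=SERVER_INTERFACES) -> list[tuple]:
    """Return (xid, interface, field, address) for every out-of-subnet address."""
    findings = []
    for reply in parse_replies(capture):
        sender = next((name for name, iface in interfaces.items()
                       if str(iface.ip) == reply["src"]), None)
        if sender is None:
            # Reply did not come from one of the listed interface addresses.
            findings.append((reply["xid"], None, "source", reply["src"]))
            continue
        network = interfaces[sender].network
        for field in ("Your-IP", "Server-IP"):
            addr = reply.get(field)
            if addr and ip_address(addr) not in network:
                findings.append((reply["xid"], sender, field, addr))
    return findings


# The three replies from the post, with the mail client's line wraps undone.
CAPTURE = """\
13:40:54.919721 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.38.5.110.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x9b459539, Flags [Broadcast]
          Your-IP 10.38.5.111
          Server-IP 10.38.5.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]
13:45:46.296813 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.0.103.110.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0xc7e7af3c, Flags [Broadcast]
          Your-IP 10.0.103.113
          Server-IP 10.38.5.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]
13:56:18.250993 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    10.0.103.110.67 > 10.0.103.111.68: BOOTP/DHCP, Reply, length 300, xid 0xf5d07466, secs 18, Flags [none]
          Your-IP 10.0.103.111
          Server-IP 10.0.103.110
          Client-Ethernet-Address 48:df:37:64:cd:a0
          file "ipxe.efi"[|bootp]
"""

if __name__ == "__main__":
    for xid, iface, field, addr in wrong_subnet_replies(CAPTURE):
        print(f"xid {xid} sent on {iface}: {field} {addr} is outside that interface's subnet")
```
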

RE: Wrong Server-IP with multihomed server

Stier, Matthew
Check out the 'server-identifier' option.

-----Original Message-----
From: dhcp-users <[hidden email]> On Behalf Of Onno van der Leun
Sent: Thursday, December 20, 2018 7:34 AM
To: [hidden email]
Subject: Wrong Server-IP with multihomed server

Re: Wrong Server-IP with multihomed server

Anderson, Charles R
In reply to this post by Onno van der Leun
Are eth0 and eth1 connected to the same (V)LAN?  If so, you have a
shared network and need to enclose both subnets in a "shared-network {
}" block.

shared-network eth0-eth1 {
    subnet 10.38.5.0 netmask 255.255.255.0 {
...
    }
    subnet 10.0.103.0 netmask 255.255.255.0 {
...
    }
}

You will also need to define some way to differentiate clients
between the two subnets if they are shared, such as class matching or
fixed-address statements, otherwise either subnet will satisfy requests
from all clients, and you may have most clients getting an IP from one
of the two subnets and none/few from the other.

Finally, I would move the class definitions to the global scope.  It
is rarely correct to have class or host statements enclosed inside of
subnets and can cause unexpected behavior due to inheritance of
options (though I do not think it is the cause of your specific
issue).

On Thu, Dec 20, 2018 at 02:33:58PM +0100, Onno van der Leun wrote:


Re: Wrong Server-IP with multihomed server

Thomas Markwalder
In reply to this post by Onno van der Leun
Hello:

I believe your issue stems from defining classes within subnets. Classes
are globally defined.  When packets arrive, they are classified before
anything else.  While our configuration parser does not (currently) emit
an error when you define classes within subnets, it does appear to cause
oddities in behavior.  Moreover, you are defining the same class
twice.  The server is only going to retain the last one of that name.

Try extracting your class definition out of the subnets and define it
once at the global level:


# cat /etc/dhcp/dhcpd.conf

ddns-update-style none;
allow booting;
allow bootp;
ignore client-updates;

set vendorclass = option vendor-class-identifier;

# Declare the custom option before the class that tests it.
option pxe-system-type code 93 = unsigned integer 16;

# Defined once, at global scope, instead of once per subnet.
class "pxeclients" {
   match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
   if option pxe-system-type = 00:06 or option pxe-system-type = 00:07 or option pxe-system-type = 00:09 {
        filename "ipxe.efi";
   } else {
        filename "esxi65u2/pxelinux.0";
   }
}

subnet 10.38.5.0 netmask 255.255.255.0 {
        option routers             10.38.5.1;
        option domain-name-servers 10.38.5.200, 10.38.5.205;
        option subnet-mask         255.255.255.0;
        range dynamic-bootp        10.38.5.111 10.38.5.125;
        default-lease-time         3600;
        max-lease-time             7200;
        next-server                10.38.5.110;
}

subnet 10.0.103.0 netmask 255.255.255.0 {
        option routers             10.0.103.1;
        option domain-name-servers 10.0.103.200, 10.0.103.205;
        option subnet-mask         255.255.255.0;
        range dynamic-bootp        10.0.103.111 10.0.103.125;
        default-lease-time         3600;
        max-lease-time             7200;
        next-server                10.0.103.110;
}


Regards,

Thomas Markwalder
ISC Software Engineering

On 12/20/18 8:33 AM, Onno van der Leun wrote:


Re: Wrong Server-IP with multihomed server

Onno van der Leun
On Thu, 2018-12-20 at 09:16 -0500, Thomas Markwalder wrote:

> I believe your issue stems from defining classes within subnets. Classes
> are globally defined.  When packets arrive, they are classified before
> anything else.  While our configuration parser does not (currently) emit
> an error when you define classes within subnets, it does appear to cause
> oddities in behavior.  Moreover, you are defining the same class
> twice.  The server is only going to retain the last one of that name.
>
> Try extracting your class definition out of the subnets and define it
> once at the global level:

He he awesome, thanks Thomas!
My colleague just confirmed that this was indeed the cause/issue. Like
you said, at least a warning from the config parser would be nice ;o)
Especially because lots of examples we'd find showed the class def
within the subnet definition.

Problem solved. We kinda already figured it had to be something that
simple. Thanks again!

Cheers,
Onno.
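
Because dhcpd 4.2.5 accepted the nested, repeated class without complaint, a pre-deployment check can supply the warning asked for above. This is an added example, not ISC code and not from the thread: a small Python linter that tokenizes a dhcpd.conf and reports `class` declarations that sit inside another block or reuse a name. The `lint_classes` name and the two condensed sample configs are assumptions made for the example.

```python
"""Lint a dhcpd.conf for class declarations that are nested or repeated."""
from __future__ import annotations
import re
from typing import NamedTuple

# Strings come first so '{', ';' or '#' inside quotes are never read as syntax.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|#[^\n]*|[{};]|[^\s{};"#]+')


class Finding(NamedTuple):
    line: int      # line of the offending `class` keyword
    name: str
    problem: str   # "nested" or "duplicate"
    detail: str


def lint_classes(conf: str) -> list[Finding]:
    findings: list[Finding] = []
    first_seen: dict[str, int] = {}
    scopes: list[str] = []      # header of every block that is still open
    stmt: list[str] = []        # tokens of the statement being read
    stmt_line = 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue            # comment, not configuration
        if tok == "{":
            if len(stmt) >= 2 and stmt[0] == "class":
                name = stmt[1].strip('"')
                if scopes:
                    findings.append(Finding(stmt_line, name, "nested",
                                            "declared inside " + " > ".join(scopes)))
                if name in first_seen:
                    findings.append(Finding(stmt_line, name, "duplicate",
                                            f"already declared on line {first_seen[name]}"))
                else:
                    first_seen[name] = stmt_line
            scopes.append(" ".join(stmt[:2]))
            stmt = []
        elif tok == "}":
            if scopes:
                scopes.pop()
            stmt = []
        elif tok == ";":
            stmt = []
        else:
            if not stmt:
                stmt_line = conf.count("\n", 0, m.start()) + 1
            stmt.append(tok)
    return findings


# Condensed from the configuration in the original post (class repeated per subnet).
AS_POSTED = '''\
option pxe-system-type code 93 = unsigned integer 16;
subnet 10.38.5.0 netmask 255.255.255.0 {
        next-server                10.38.5.110;
        class "pxeclients" {
                match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
                if option pxe-system-type = 00:06 { filename "ipxe.efi"; }
                else { filename "esxi65u2/pxelinux.0"; }
        }
}
subnet 10.0.103.0 netmask 255.255.255.0 {
        next-server                10.0.103.110;
        class "pxeclients" {
                match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
                filename "ipxe.efi";
        }
}
'''

# Condensed from the layout suggested in the reply: one class at global scope.
AS_SUGGESTED = '''\
option pxe-system-type code 93 = unsigned integer 16;
class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        filename "ipxe.efi";   # architecture-specific if/else left out of this sample
}
subnet 10.38.5.0 netmask 255.255.255.0 { next-server 10.38.5.110; }
subnet 10.0.103.0 netmask 255.255.255.0 { next-server 10.0.103.110; }
'''

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        found = lint_classes(conf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: class {f.name!r} {f.problem}, {f.detail}")
```
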