Troubleshoot DHCP relay problem

mbox can function as a DHCP server that issues IP addresses from its local pools, for both CMG and HSG, and it also supports DHCP relay to an upstream DHCP server that issues IP addresses to users/clients.

For configuring a local DHCP pool, refer to this guide on issuing DHCP from a local interface, or from a hotspot instance. For configuring DHCP relay to an upstream DHCP server, refer to this guide on relaying from a local interface, or from a hotspot instance.

But sometimes, when mbox is configured as a DHCP relay, clients are unable to get DHCP addresses from the upstream DHCP server.
In this guide, we focus on troubleshooting DHCP relay from an HSG hotspot instance (the same concept applies to interface relay).

In this topology:

  1. We used a Linux DHCP server and HSG.
  2. HSG is a captive portal gateway; vlan1 assigns AP management addresses, and vlan500 carries user data.
  3. The HSG vlan500 hotspot server (192.168.100.1) receives clients’ DHCP requests and relays them to the upstream DHCP server (192.168.7.224).
  4. The DHCP server is expected to issue addresses for vlan500 from the 192.168.100.0/24 range, and the user default gateway (router) is 192.168.100.10.


NOTE

For any typical troubleshooting, always use tcpdump (with the “detail” option if necessary) to check where the packets flow, e.g.:
“tcpdump interface vlan500 detail” to check incoming DHCP requests, and
“tcpdump interface eth0 detail” to check whether HSG relays the requests to the upstream DHCP server and whether any replies come back from the DHCP server.

A common problem is – we don’t see replies from DHCP server! There are a few key points to check.

  1. Configure the necessary network/IP settings on both HSG and the DHCP server. Make sure HSG can ping the DHCP server, and that the DHCP server’s firewall rules (if any) allow UDP ports 67/68.

On DHCP server

  2. Configure a local interface with an IP address in the same subnet as the address pool for vlan500, but different from the relay-agent IP, which is the client router IP. e.g.
    • local interface IP 192.168.100.2/24
    • address pool router IP 192.168.100.1 (this is the vlan500 client default gateway IP, and also the HSG relay-agent IP or hotspot server IP)
  3. Configure DHCP address pools to include both networks/pools:
    • one for the interface that communicates with the HSG WAN (where the relayed DHCP requests come in), so that the DHCP server will respond to DHCP requests from HSG
    • one for the local interface configured in step #2 above, so that the DHCP server will respond to DHCP requests from that local pool
  4. Add a host route for 192.168.100.1/32 back to the HSG WAN, e.g. ip route add 192.168.100.1/32 via 192.168.7.66. HSG relays client DHCP requests to the DHCP server using source IP 192.168.100.1 (the relay-agent IP), so the server must have a route for the relay-agent IP in order to return the reply to HSG.

On HSG (DHCP relay gateway)

  5. If there’s “firewall-snat” on WAN/eth0, exempt SNAT for connections to the DHCP server; otherwise the DHCP server sees a mismatch in the request (the relayed packet is SNATed to the HSG WAN IP 192.168.7.66, while the relay-agent IP is 192.168.100.1) and will not respond either.


!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 ip address 192.168.7.66/24
!
interface eth1
 description "Connection to LAN"
 enable
 ip address 192.168.88.1/24
!
interface eth2
!
interface eth3
!
interface vlan 1 500
 enable
 ip address 192.168.100.1/24
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server start
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip route 0.0.0.0/0 nexthop 192.168.7.1
!
macc start
!
firewall-dnat 12 redirect all udp dport 53 rdport 53 src 192.168.0.0/16 remark "rewrite DNS from LAN only"
!
firewall-input 11 permit all tcp dport 80 src 192.168.0.0/16 remark "portal access"
!
firewall-access 10 permit outbound eth0
!
!exempt SNAT for relayed DHCP requests to DHCP server
firewall-snat 00 exempt outbound eth0 dst 192.168.7.224
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 127.0.0.1 key testing123 name localhost
 start
!
security hotspot vlan500
 hotspot-wan eth0
!relay client DHCP requests to external DHCP server
 client-dhcp-helper 192.168.7.224
 client-static 192.168.100.1 255.255.255.0
 radius-server localhost testing123
 hotspot-portal http://splash.ransnet.com/pid/demo/login.php
 start
!
[root@dhcpsvr ~]# ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.224  netmask 255.255.255.0  broadcast 192.168.7.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 1000  (Ethernet)
        RX packets 5660  bytes 412845 (403.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179  bytes 27584 (26.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
!configure a local IP in the same subnet as the DHCP pool but different from relay-agent IP
enp2s0.500: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.2  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::21c:c0ff:feb5:a76d  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:c0:b5:a7:6d  txqueuelen 0  (Ethernet)
        RX packets 587  bytes 31768 (31.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 2220 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@dhcpsvr ~]# ip route show
default via 192.168.7.1 dev enp2s0  proto static  metric 100 
192.168.7.0/24 dev enp2s0  proto kernel  scope link  src 192.168.7.224  metric 100 
192.168.100.0/24 dev enp2s0.500  proto kernel  scope link  src 192.168.100.2
!add a host route for dhcp-relay agent IP so the DHCP can route back the reply to HSG
192.168.100.1 via 192.168.7.66 dev enp2s0 
192.168.200.0/24 dev enp2s0.501  proto kernel  scope link  src 192.168.200.1  metric 400 
[root@dhcpsvr ~]# more /etc/dhcp/dhcpd.conf 
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
# add a pool for the interface communicating with HSG so it will respond to DHCP requests coming in on this interface
subnet 192.168.7.0 netmask 255.255.255.0
{
        range 192.168.7.10 192.168.7.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.7.255;
        option routers 192.168.7.1;
        option domain-name-servers 8.8.8.8, 4.4.4.4;
}
# add a pool for the vlan500 clients
subnet 192.168.100.0 netmask 255.255.255.0
{
        range 192.168.100.10 192.168.100.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;
        option domain-name-servers 8.8.8.8, 4.4.4.4;
}
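The server-side checks from the list above (a pool containing the relay-agent IP, a server-local IP in that subnet, a host route for the relay-agent IP back via the HSG WAN, and no SNAT on the relayed request), as an added Python example that is not mbox/HSG or ISC dhcpd code. It constructs a relayed DHCP DISCOVER with giaddr set to 192.168.100.1, then applies the checks against the routes and pools shown in the “ip route show” and dhcpd.conf output above. The assumption that the relayed packet’s IP source equals giaddr follows this guide’s statement that HSG relays using the relay-agent IP as source; other relay agents may use a different source address.

```python
"""
Server-side sanity check for a DHCP request relayed by HSG.

Added example, not mbox/HSG or ISC dhcpd code. It models the conditions
this guide lists for the upstream server:
  * a pool (subnet declaration) containing the relay-agent IP (giaddr),
  * a server-local interface IP in that subnet, different from giaddr,
  * a host route for giaddr back via the HSG WAN (longest-prefix match),
  * the relayed packet's IP source equal to giaddr, i.e. not rewritten by
    firewall-snat on eth0 (assumption: HSG relays with source = giaddr).
The DISCOVER packet is constructed here; routes and pools are the values
shown in this guide's "ip route show" and dhcpd.conf output.
"""
import ipaddress
import struct
from collections import namedtuple

Route = namedtuple("Route", "net via dev")

# Pools from the guide's dhcpd.conf: WAN-facing subnet and the vlan500 clients.
POOLS = [ipaddress.ip_network("192.168.7.0/24"),
         ipaddress.ip_network("192.168.100.0/24")]

# "ip route show" from the guide, including the host route for the relay-agent IP.
ROUTES_OK = """\
default via 192.168.7.1 dev enp2s0  proto static  metric 100
192.168.7.0/24 dev enp2s0  proto kernel  scope link  src 192.168.7.224  metric 100
192.168.100.0/24 dev enp2s0.500  proto kernel  scope link  src 192.168.100.2
192.168.100.1 via 192.168.7.66 dev enp2s0
"""
# Same table without the host route: the connected /24 on enp2s0.500 wins instead.
ROUTES_MISSING_HOST_ROUTE = "\n".join(
    l for l in ROUTES_OK.splitlines() if not l.startswith("192.168.100.1 "))


def build_bootp_request(xid, chaddr, giaddr, hops=1):
    """Constructed 236-byte BOOTP request header (RFC 2131 fixed fields).
    A relay agent writes its own address into giaddr and increments hops."""
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                          # op=BOOTREQUEST, htype=Ethernet, hlen
        xid, 0, 0x8000,                         # xid, secs, flags (broadcast bit)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,  # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: relay-agent IP
        chaddr.ljust(16, b"\x00"),              # chaddr: client MAC, padded
        b"\x00" * 64, b"\x00" * 128)            # sname, file


def parse_giaddr(packet):
    """giaddr sits at offset 24 of the BOOTP header."""
    return ipaddress.IPv4Address(struct.unpack_from("!4s", packet, 24)[0])


def select_pool(pools, giaddr):
    """dhcpd serves a relayed request from the subnet that contains giaddr."""
    return next((p for p in pools if giaddr in p), None)


def parse_routes(text):
    """Parse "ip route show" lines into (network, nexthop, device) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append(Route(ipaddress.ip_network(dst, strict=False), via, dev))
    return routes


def lookup_route(routes, addr):
    """Longest-prefix match, as the kernel does for the reply's destination."""
    hits = [r for r in routes if addr in r.net]
    return max(hits, key=lambda r: r.net.prefixlen, default=None)


def check_relayed_request(packet, ip_src, pools, routes_text, hsg_wan, local_ip):
    """One boolean per guide check; all True means the reply can reach HSG."""
    giaddr = parse_giaddr(packet)
    pool = select_pool(pools, giaddr)
    route = lookup_route(parse_routes(routes_text), giaddr)
    local = ipaddress.IPv4Address(local_ip)
    return {
        "pool_for_giaddr": pool is not None,
        "local_ip_in_pool_not_giaddr": pool is not None and local in pool and local != giaddr,
        "reply_routes_to_hsg_wan": route is not None and route.via == hsg_wan,
        "source_not_snatted": ipaddress.IPv4Address(ip_src) == giaddr,
    }


if __name__ == "__main__":
    # Constructed DISCOVER from a vlan500 client, relayed by the HSG hotspot server.
    pkt = build_bootp_request(0x3903F326, bytes.fromhex("001122334455"), "192.168.100.1")
    cases = (("correct setup", "192.168.100.1", ROUTES_OK),
             ("no host route, SNAT on eth0", "192.168.7.66", ROUTES_MISSING_HOST_ROUTE))
    for label, src, routes in cases:
        print(label, check_relayed_request(pkt, src, POOLS, routes, "192.168.7.66", "192.168.100.2"))
```

Without the /32 host route, the longest match for 192.168.100.1 is the connected 192.168.100.0/24 on enp2s0.500, so the server would send its reply directly out that VLAN interface and HSG on the WAN side would never see it; this is the case step 4 above addresses. The SNAT check flags the step 5 case, where the packet arrives with source 192.168.7.66 while giaddr still says 192.168.100.1.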