DHCP-server should listen on vif interface inside VRF

jm789 · February 23, 2024, 3:55pm

Hello community,

vyos version: VyOS 1.5-rolling-202402220022

I´m trying to setup a dhcp-server on my vyos router. Client DHCP request is going in, but vyos DHCP server does not respond.

15:49:17.356971 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:50:79:66:68:12 (oui Unknown), length 364

The DHCP-Server should listen to vif (sub-interface) subnet, which is part of a VRF. On main interface eth2 there is no specific config.

show log dhcp server (multitiple times - for every main interface + vif):
Feb 23 15:26:39 kea-dhcp4[25993]: 2024-02-23 15:26:39.549 WARN [kea-dhcp4.dhcpsrv/25993.140134949181888] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface eth2 has no usable IPv4 addresses configured
Feb 23 15:26:39 kea-dhcp4[25993]: 2024-02-23 15:26:39.550 WARN [kea-dhcp4.dhcpsrv/25993.140134949181888] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface eth2.301, reason: failed to bind fallback socket to address 10.2.66.17, port 67, reason: Cannot assign requested address - is another DHCP server running?

Config example looks like:

set interfaces ethernet eth2 vif 301 address ‘10.2.66.17/28’
set interfaces ethernet eth2 vif 301 vrf ‘internet’

set service dhcp-server hostfile-update
set service dhcp-server shared-network-name Internet-edge1 authoritative
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 option default-router ‘10.2.66.17’
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 option domain-name ‘domain.com’
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 option name-server ‘10.2.66.2’
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 range 0 start ‘10.2.66.18’
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 range 0 stop ‘10.2.66.18’
set service dhcp-server shared-network-name Internet-edge1 subnet 10.2.66.16/28 subnet-id ‘6616’

Did I miss any required configuration, or is this type of config not supported?

Thank you for your help.

Best regards
Jan

n.fort · February 23, 2024, 4:57pm

Did you use set vrf bind-to-all command?
Feature already added and tested: ⚓ T4733 Feature Request: dhcp server: add VRF support

jm789 · February 26, 2024, 8:38am

Hello n.fort,

thanks for support!

I wasn´t aware of that command. But the behavoir didn´t change after adding it to my configuration. In ⚓ T4733 Feature Request: dhcp server: add VRF support daniil said, that this will not work, but he shared a workaround:

I’m using a workaround. I’m running a process in a script /config/scripts/vyos-postconfig-bootup.script:

ip vrf exec office /usr/sbin/dhcpd -4 -q -user dhcpd -group vyattacfg -pf /run/dhcp-server/office-dhcpd.pid -cf /config/user-data/office-dhcpd.conf -lf /config/office-dhcpd.leases

So I think that office seems to be the VRF. I´ve edited /config/scripts/vyos-postconfig-bootup.script with “sudo vi …”. Added this two lines and reboot my vyos. I think that there is still something wrong, because my DHCP client still don´t get an IP-Address.
ip vrf exec internet /usr/sbin/dhcpd -4 -q -user dhcpd -group vyattacfg -pf /run/dhcp-server/internet-dhcpd.pid -cf /config/user-data/internet-dhcpd.conf -lf /config/internet-dhcpd.leases
ip vrf exec mpls /usr/sbin/dhcpd -4 -q -user dhcpd -group vyattacfg -pf /run/dhcp-server/mpls-dhcpd.pid -cf /config/user-data/mpls-dhcpd.conf -lf /config/mpls-dhcpd.leases

Any idea?

Best regards
Jan

fahadysf · June 15, 2025, 3:23pm

As of 2025, vyos has moved over to kea-dhcp4 server and I can see that ‘set vrf bind-to-all’ is still only working intermittently and just stops working for DHCP from time to time. Posting my config if someone can look into this. The DHCP server in management vrf (eth15) doesn’t seem to respond to requests.

vyos@vyos-pnet-gw:~$ show config commands | egrep "service|vrf"
set interfaces dummy dum01 vrf 'internet'
set interfaces ethernet eth0 vrf 'internet'
set interfaces ethernet eth1 vrf 'cust-dia'
set interfaces ethernet eth2 vrf 'cust-isp2'
set interfaces ethernet eth15 vrf 'management'
set interfaces tunnel tun10 vrf 'internet'
set interfaces virtual-ethernet veth002 vrf 'internet'
set interfaces virtual-ethernet veth003 vrf 'management'
set interfaces virtual-ethernet veth004 vrf 'internet'
set service dhcp-server hostfile-update
set service dhcp-server listen-interface 'eth15'
set service dhcp-server shared-network-name oob-mgmt authoritative
set service dhcp-server shared-network-name oob-mgmt option name-server '192.168.100.1'
set service dhcp-server shared-network-name oob-mgmt subnet 172.18.11.0/24 lease '7200'
set service dhcp-server shared-network-name oob-mgmt subnet 172.18.11.0/24 option default-router '172.18.11.1'
set service dhcp-server shared-network-name oob-mgmt subnet 172.18.11.0/24 range dhcp-range start '172.18.11.10'
set service dhcp-server shared-network-name oob-mgmt subnet 172.18.11.0/24 range dhcp-range stop '172.18.11.99'
set service dhcp-server shared-network-name oob-mgmt subnet 172.18.11.0/24 subnet-id '100'
set service dns forwarding allow-from '172.16.0.0/12'
set service dns forwarding allow-from '10.0.0.0/8'
set service dns forwarding allow-from '192.168.0.0/16'
set service dns forwarding allow-from '192.0.2.0/24'
set service dns forwarding authoritative-domain pnet.lab records a @ address '172.16.50.1'
set service dns forwarding authoritative-domain pnet.lab records a fw1 address '172.16.50.51'
set service dns forwarding authoritative-domain pnet.lab records a fw2 address '172.16.50.52'
set service dns forwarding authoritative-domain pnet.lab records aaaa @ address 'fed0:cafe:7ab:50::1'
set service dns forwarding authoritative-domain sdwan.lab
set service dns forwarding listen-address '172.18.11.1'
set service dns forwarding listen-address '10.165.217.2'
set service dns forwarding listen-address '10.165.221.2'
set service dns forwarding listen-address '192.0.2.250'
set service dns forwarding listen-address '192.168.100.221'
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 9.9.9.9
set service dns forwarding source-address '192.168.255.128'
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh listen-address '0.0.0.0'
set service ssh listen-address '192.168.100.221'
set vrf bind-to-all
set vrf name cust-dia protocols bgp address-family ipv4-unicast export vpn
set vrf name cust-dia protocols bgp address-family ipv4-unicast import vpn
set vrf name cust-dia protocols bgp address-family ipv4-unicast rd vpn export '65009:3'
set vrf name cust-dia protocols bgp address-family ipv4-unicast redistribute connected
set vrf name cust-dia protocols bgp address-family ipv4-unicast route-target vpn export '65009:3'
set vrf name cust-dia protocols bgp address-family ipv4-unicast route-target vpn import '65009:1'
set vrf name cust-dia protocols bgp parameters router-id '10.165.217.1'
set vrf name cust-dia protocols bgp system-as '65009'
set vrf name cust-dia table '201'
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast export vpn
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast import vpn
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast rd vpn export '65009:4'
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast redistribute connected
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast route-target vpn export '65009:4'
set vrf name cust-isp2 protocols bgp address-family ipv4-unicast route-target vpn import '65009:1'
set vrf name cust-isp2 protocols bgp parameters router-id '10.165.221.1'
set vrf name cust-isp2 protocols bgp system-as '65009'
set vrf name cust-isp2 table '202'
set vrf name internet protocols bgp address-family ipv4-unicast export vpn
set vrf name internet protocols bgp address-family ipv4-unicast import vpn
set vrf name internet protocols bgp address-family ipv4-unicast rd vpn export '65009:1'
set vrf name internet protocols bgp address-family ipv4-unicast redistribute connected
set vrf name internet protocols bgp address-family ipv4-unicast redistribute static
set vrf name internet protocols bgp address-family ipv4-unicast route-target vpn export '65009:1'
set vrf name internet protocols bgp address-family ipv4-unicast route-target vpn import '65009:2 65009:3 65009:4'
set vrf name internet protocols bgp neighbor 192.0.2.40 address-family ipv4-unicast soft-reconfiguration inbound
set vrf name internet protocols bgp neighbor 192.0.2.40 remote-as '65010'
set vrf name internet protocols bgp neighbor 192.0.2.42 address-family ipv4-unicast
set vrf name internet protocols bgp neighbor 192.0.2.42 remote-as 'internal'
set vrf name internet protocols bgp parameters router-id '192.168.100.221'
set vrf name internet protocols bgp system-as '65009'
set vrf name internet protocols static route 0.0.0.0/0 dhcp-interface 'eth0'
set vrf name internet table '100'
set vrf name management description 'OOB Management VRF'
set vrf name management protocols bgp address-family ipv4-unicast export vpn
set vrf name management protocols bgp address-family ipv4-unicast import vpn
set vrf name management protocols bgp address-family ipv4-unicast rd vpn export '65009:2'
set vrf name management protocols bgp address-family ipv4-unicast redistribute connected
set vrf name management protocols bgp address-family ipv4-unicast route-target vpn export '65009:2'
set vrf name management protocols bgp address-family ipv4-unicast route-target vpn import '65009:1'
set vrf name management protocols bgp parameters router-id '172.18.11.1'
set vrf name management protocols bgp system-as '65009'
set vrf name management protocols static route 0.0.0.0/0 next-hop 192.168.255.131
set vrf name management table '140'

And in the logs (show log dhcp server)

d fallback socket to address 172.18.11.1, port 67, reason: Cannot assign requested address - is another DHCP server running?
Jun 15 14:32:31 kea-dhcp4[4080]: 2025-06-15 14:32:31.212 WARN  [kea-dhcp4.dhcpsrv/4080.139719584109056] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface eth15, reason: failed to bind fallback socket to address 172.18.11.1, port 67, reason: Cannot assign requested address - is another DHCP server running?
Jun 15 14:32:36 kea-dhcp4[4080]: 2025-06-15 14:32:36.218 WARN  [kea-dhcp4.dhcpsrv/4080.139719584109056] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface eth15, reason: failed to bind fallback socket to address 172.18.11.1, port 67, reason: Cannot assign requested address - is another DHCP server running?

This is on:

vyos@vyos-pnet-gw:~$ show version
Version:          VyOS 2025.06.06-0019-rolling
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Fri 06 Jun 2025 00:19 UTC
Build UUID:       26090a22-a560-450a-9270-bef486e8115c
Build commit ID:  8350580ac5e21d

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      n/a (BIOS)

Hardware vendor:  Bochs
Hardware model:   Bochs
Hardware S/N:
Hardware UUID:    82a3b95e-4cff-4de6-99a6-ab9bc962c2e7

Copyright:        VyOS maintainers and contributors

Viacheslav · June 15, 2025, 5:26pm

DHCP does not work for VRF
It requires an additional config for DHCP in the context VRF
More details in ⚓ T6211 kea DHCP server not vrf aware
and
PR kea: T6211: add VRF support for KEA dhcp server by davi2367 · Pull Request #4508 · vyos/vyos-1x · GitHub