Issue with DHCRELAY not forwarding requests correctly

Hi all,

Found an issue that has been annoying me for months now. Basically we have multiple VLANs that use the dhcp-relay option to listen and relay the request to dual DHCP servers in a load-balance mode (via Windows DHCP).

The issue is VLAN200 (for example) requests an IP; VyOS receives it; does things; then sends it to the server VLAN300 but it's being submitted to the VLAN1 IP block.

Reference this Reddit thread for more information: Reddit - Dive into anything

Basically if I delete the service dhcp-relay configuration; then manually run DHCRELAY on the router (under sudo su) with the newer options of ‘-iu’ and ‘-id’ for the appropriate interfaces; the relay works correctly.

Packet capturing the switchport directly (via Meraki) shows the client is on the correct VLAN as well.

I’ll do a follow up post with some configurations and logs.

Config / Logs have been doctored from the actual settings to hide our configuration :)

DHCP-Relay options

# VLAN 1 
set service dhcp-relay interface 'eth0'
# VLANs for Client Networks
set service dhcp-relay interface 'eth0.CLIENTNETWORK#1'
set service dhcp-relay interface 'eth0.CLIENTNETWORK#2'
# VLANs for Server Networks
set service dhcp-relay interface 'eth1.VOIP'
set service dhcp-relay interface 'eth1.SERVER'
set service dhcp-relay relay-options relay-agents-packets 'discard'
# Has a DHCP service, but only supplies options. Used for Microsoft Deployment Toolkit / Windows Deployment
set service dhcp-relay server MDTSERVER
# The 2 Windows DHCP servers in a load balance mode
set service dhcp-relay server DHCPSERVER#1
set service dhcp-relay server DHCPSERVER#2

These logs are from ‘monitor traffic interface <CLIENTVLAN#1> filter ‘ether host ’’

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.103, link-type EN10MB (Ethernet), capture size 262144 bytes
00:01:15.091224 ARP, Request who-has 172.20.0.1 tell VLAN1_IPSCOPE, length 46
00:01:17.193027 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 74:78:27:xx:xx:xx, length 300
00:01:17.194104 IP VyOSIP.67 > VLAN1_IPSCOPE.68: BOOTP/DHCP, Reply, length 313
00:01:17.196914 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 74:78:27:xx:xx:xx, length 343
00:01:17.198040 IP VyOSIP.3.67 > VLAN1_IPSCOPE.68: BOOTP/DHCP, Reply, length 318
00:01:17.260808 ARP, Request who-has 172.20.0.1 tell VLAN1_IPSCOPE, length 46

These logs are from DHCRELAY directly using the -i options as it's configured by VyOS

Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to DHCPSERVER#1
Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to MDTSERVER
Forwarded BOOTREPLY for 74:78:27:xx:xx:xx to VLAN1_IPSCOPE
Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to DHCPSERVER#1
Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to MDTSERVER
Forwarded BOOTREPLY for 74:78:27:xx:xx:xx to VLAN1_IPSCOPE
Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to DHCPSERVER#1
Forwarded BOOTREQUEST for 74:78:27:xx:xx:xx to MDTSERVER
Forwarded BOOTREPLY for 74:78:27:xx:xx:xx to VLAN1_IPSCOPE

Using the -iu and -id for DHCRELAY then seems to force DHCRELAY to only listen on the correct networks and send the DHCP requests to the servers. Not causing any loopback requests as noted in their documentation if you listen and relay on the same interface. See ISC DHCP 4.4 Manual Pages - dhcrelay

My proposed solution would be to change the way VyOS handles the configuration to be

# For the listening side only
set service dhcp-relay listen interface xxx --> which sets DHCRELAY option to be -id xxx
# For the DHCP server side only
set service dhcp-relay server interface xxx --> which sets DHCRELAY option to be -iu xxx

Then completely stop using the -i option as it may cause loops when listening to the same interface that is serving the addresses.

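The mapping proposed in the post above, as an added example that is not part of the original thread and is not VyOS's own code: a shell function (hypothetical name `build_dhcrelay_cmd`) that turns client-side and server-side interface lists into `-id`/`-iu` arguments, never emits `-i`, and rejects an interface placed on both sides. The interface names and server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a dhcrelay command line that uses -id/-iu only.
# Interface names and server addresses below are constructed placeholders.

# build_dhcrelay_cmd "<downstream ifaces>" "<upstream ifaces>" "<servers>"
# Prints the command on stdout; returns non-zero on an invalid combination.
build_dhcrelay_cmd() {
    down=$1 up=$2 servers=$3

    [ -n "$down" ]    || { echo "no downstream (client) interface" >&2; return 1; }
    [ -n "$up" ]      || { echo "no upstream (server) interface" >&2; return 1; }
    [ -n "$servers" ] || { echo "no DHCP server given" >&2; return 1; }

    # Policy of this example: an interface on both sides would listen and
    # relay on the same interface, which is what the proposal avoids.
    for d in $down; do
        for u in $up; do
            if [ "$d" = "$u" ]; then
                echo "interface $d is both downstream and upstream" >&2
                return 1
            fi
        done
    done

    cmd="dhcrelay"
    # -id: downstream, requests from clients are accepted here.
    for d in $down; do cmd="$cmd -id $d"; done
    # -iu: upstream, replies from servers are accepted here.
    for u in $up; do cmd="$cmd -iu $u"; done
    # DHCP servers to relay to come last.
    for s in $servers; do cmd="$cmd $s"; done
    printf '%s\n' "$cmd"
}

# Constructed sample: two client VLANs, one server VLAN, two servers.
build_dhcrelay_cmd "eth0.200 eth0.201" "eth1.300" "192.0.2.10 192.0.2.11"
```

The function only prints the command line, so it can be reviewed before being run by hand on the router.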

Hi @nephi.aust ,

Thank you for your research!
Would you like to submit a Feature Request in Phabricator?
https://phabricator.vyos.net

There’s already a task in Phabricator: T2408 DHCP Relay upstream and downstream interfaces


I’ll leave it with that task.