Issues with DHCP Relay

greenman1969 · June 30, 2023, 3:53am

Hey All,

I’ve been having a strange issue with one of my VyOS instances and the dhcp-relay. It seems that after a bit the relay process will crash but I don’t know enough on how to troubleshoot it. The issue is usually resolved by failing over to another router in the VRRP group but the main router remains broken. Can someone give some advice on getting logging from the DHCP relay or at least which service is responsible for it? Thank you all

Here is my configuration for DHCP-Relay:
listen-interface bond0
listen-interface bond0.20
listen-interface bond0.30
listen-interface bond0.40
listen-interface bond0.110
relay-options {
relay-agents-packets discard
}
server 10.0.10.10
server 10.0.10.11
upstream-interface bond0.10

a.hajiyev · June 30, 2023, 4:17am

Hi @greenman1969,
Which version of VyOS are you using?
Please share configurations routers (VRRP group).

greenman1969 · June 30, 2023, 4:38am

Version is 1.4 rolling that I built back in April, all routers in the vrrp are running the sane versions with very similar configurations.

gage@VyOS0# show high-availability vrrp
group VLAN1 {
address 10.0.0.1/24 {
}
interface bond0
priority 100
transition-script {
backup /config/scripts/vrrp-fail.sh
fault /config/scripts/vrrp-fail.sh
master /config/scripts/vrrp-master.sh
}
vrid 10
}
group VLAN10 {
address 10.0.10.1/24 {
}
interface bond0.10
priority 100
vrid 10
}
group VLAN20 {
address 10.0.20.1/24 {
}
interface bond0.20
priority 100
vrid 10
}
group VLAN30 {
address 10.0.30.1/24 {
}
interface bond0.30
priority 100
vrid 10
}
group VLAN40 {
address 10.0.40.1/24 {
}
interface bond0.40
priority 100
vrid 10
}
group VLAN110 {
address 10.0.110.1/24 {
}
interface bond0.110
priority 100
vrid 10
}
sync-group MAIN {
member VLAN1
member VLAN20
member VLAN30
member VLAN40
member VLAN110
member VLAN10
}

a.hajiyev · June 30, 2023, 5:14am

@greenman1969
Please share outputs

$ show version
$ show configuration commands

greenman1969 · June 30, 2023, 8:34pm

gage@VyOS0:~$ show version
Version: VyOS 1.4-04102023
Release train: current

Built by: gsggage@yahoo.com
Built on: Tue 11 Apr 2023 03:15 UTC
Build UUID: ec87fdd9-12a7-40d4-82a2-ada4b1111e7e
Build commit ID: 944f5b5c7c3fc3

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: Dell Inc.
Hardware model: OptiPlex 7060
Hardware S/N: 5CNZ0Q2
Hardware UUID: 4c4c4544-0043-4e10-805a-b5c04f305132

Copyright: VyOS maintainers and contributors

gage@VyOS0:~$ show configuration commands
set firewall all-ping ‘enable’
set firewall broadcast-ping ‘disable’
set firewall config-trap ‘disable’
set firewall group address-group HAProxy address ‘10.0.30.150’
set firewall group address-group HAProxy address ‘10.0.30.10’
set firewall group address-group HAProxy address ‘10.0.30.11’
set firewall group address-group HAProxy address ‘10.0.30.12’
set firewall group address-group HAProxy description ‘HAProxy Hosts’
set firewall ip-src-route ‘disable’
set firewall ipv6-name default-relatedestablished-6 default-action ‘drop’
set firewall ipv6-name default-relatedestablished-6 rule 1 action ‘accept’
set firewall ipv6-name default-relatedestablished-6 rule 1 state established ‘enable’
set firewall ipv6-name default-relatedestablished-6 rule 1 state related ‘enable’
set firewall ipv6-name default-relatedestablished-6 rule 2 action ‘drop’
set firewall ipv6-name default-relatedestablished-6 rule 2 state invalid ‘enable’
set firewall ipv6-receive-redirects ‘disable’
set firewall ipv6-src-route ‘disable’
set firewall log-martians ‘enable’
set firewall name DMZ-DNSDHCP default-action ‘drop’
set firewall name DMZ-DNSDHCP rule 10 action ‘accept’
set firewall name DMZ-DNSDHCP rule 10 destination port ‘53’
set firewall name DMZ-DNSDHCP rule 10 protocol ‘tcp_udp’
set firewall name DMZ-GenDev default-action ‘drop’
set firewall name DMZ-GenDev rule 1 action ‘accept’
set firewall name DMZ-GenDev rule 1 state established ‘enable’
set firewall name DMZ-GenDev rule 1 state related ‘enable’
set firewall name DMZ-GenDev rule 2 action ‘drop’
set firewall name DMZ-GenDev rule 2 state invalid ‘enable’
set firewall name DMZ-Infra default-action ‘drop’
set firewall name DMZ-Infra rule 1 action ‘accept’
set firewall name DMZ-Infra rule 1 state established ‘enable’
set firewall name DMZ-Infra rule 1 state related ‘enable’
set firewall name DMZ-Infra rule 2 action ‘drop’
set firewall name DMZ-Infra rule 2 state invalid ‘enable’
set firewall name DMZ-Infra rule 10 action ‘accept’
set firewall name DMZ-Infra rule 10 source group address-group ‘HAProxy’
set firewall name DMZ-RouterLocal default-action ‘drop’
set firewall name DMZ-RouterLocal description ‘DMZ to Router Address’
set firewall name DMZ-RouterLocal rule 1 action ‘accept’
set firewall name DMZ-RouterLocal rule 1 destination address ‘10.0.30.0/24’
set firewall name DMZ-RouterLocal rule 1 disable
set firewall name DMZ-WAN default-action ‘accept’
set firewall name DNSDHCP-GenDev default-action ‘accept’
set firewall name DNSDHCP-Infra default-action ‘accept’
set firewall name DNSDHCP-RouterLocal default-action ‘accept’
set firewall name DNSDHCP-WAN default-action ‘accept’
set firewall name GenDev-DMZ default-action ‘accept’
set firewall name GenDev-DNSDHCP default-action ‘accept’
set firewall name GenDev-IOT default-action ‘accept’
set firewall name GenDev-Infra default-action ‘accept’
set firewall name GenDev-RouterLocal default-action ‘accept’
set firewall name GenDev-RouterLocal description ‘GenDev to Router Address’
set firewall name GenDev-WAN default-action ‘accept’
set firewall name Guest-DMZ rule 10 action ‘accept’
set firewall name Guest-DMZ rule 10 destination address ‘10.0.30.11-10.0.30.12’
set firewall name Guest-DMZ rule 10 destination port ‘http,https’
set firewall name Guest-DMZ rule 10 protocol ‘tcp_udp’
set firewall name Guest-DNSDHCP default-action ‘drop’
set firewall name Guest-DNSDHCP rule 10 action ‘accept’
set firewall name Guest-DNSDHCP rule 10 destination address ‘10.0.10.15-10.0.10.16’
set firewall name Guest-DNSDHCP rule 10 destination port ‘53’
set firewall name Guest-DNSDHCP rule 10 protocol ‘udp’
set firewall name Guest-RouterLocal default-action ‘drop’
set firewall name Guest-RouterLocal description ‘Guest to Router Address’
set firewall name Guest-RouterLocal rule 1 action ‘accept’
set firewall name Guest-RouterLocal rule 1 destination address ‘10.0.110.0/24’
set firewall name Guest-RouterLocal rule 1 disable
set firewall name Guest-WAN default-action ‘accept’
set firewall name IOT-GenDev default-action ‘drop’
set firewall name IOT-GenDev rule 1 action ‘accept’
set firewall name IOT-GenDev rule 1 state established ‘enable’
set firewall name IOT-GenDev rule 1 state related ‘enable’
set firewall name IOT-GenDev rule 2 action ‘drop’
set firewall name IOT-GenDev rule 2 state invalid ‘enable’
set firewall name IOT-Infra default-action ‘drop’
set firewall name IOT-Infra rule 1 action ‘accept’
set firewall name IOT-Infra rule 1 state established ‘enable’
set firewall name IOT-Infra rule 1 state related ‘enable’
set firewall name IOT-Infra rule 2 action ‘drop’
set firewall name IOT-Infra rule 2 state invalid ‘enable’
set firewall name IOT-RouterLocal default-action ‘drop’
set firewall name IOT-RouterLocal description ‘IOT to Router Address’
set firewall name IOT-RouterLocal rule 1 action ‘accept’
set firewall name IOT-RouterLocal rule 1 destination address ‘10.0.20.0/24’
set firewall name IOT-RouterLocal rule 1 disable
set firewall name IOT-RouterLocal rule 2 action ‘accept’
set firewall name IOT-RouterLocal rule 2 destination port ‘123’
set firewall name IOT-RouterLocal rule 2 protocol ‘udp’
set firewall name IOT-WAN default-action ‘drop’
set firewall name IOT-WAN rule 10 action ‘accept’
set firewall name IOT-WAN rule 10 disable
set firewall name IOT-WAN rule 10 source address ‘10.0.20.10-10.0.20.19’
set firewall name Infra-DMZ default-action ‘accept’
set firewall name Infra-DNSDHCP default-action ‘accept’
set firewall name Infra-GenDev default-action ‘accept’
set firewall name Infra-IOT default-action ‘accept’
set firewall name Infra-RouterLocal default-action ‘accept’
set firewall name Infra-RouterLocal description ‘Infrastructure to Router Address’
set firewall name Infra-WAN default-action ‘accept’
set firewall name RouterLocal-DNSDHCP default-action ‘accept’
set firewall name RouterLocal-GenDev default-action ‘accept’
set firewall name WAN-DMZ default-action ‘drop’
set firewall name WAN-DMZ rule 1 action ‘accept’
set firewall name WAN-DMZ rule 1 state established ‘enable’
set firewall name WAN-DMZ rule 1 state related ‘enable’
set firewall name WAN-DMZ rule 2 action ‘drop’
set firewall name WAN-DMZ rule 2 state invalid ‘enable’
set firewall name WAN-DMZ rule 10 action ‘accept’
set firewall name WAN-DMZ rule 10 destination address ‘10.0.30.10’
set firewall name WAN-DMZ rule 10 destination port ‘80,443’
set firewall name WAN-DMZ rule 10 protocol ‘tcp_udp’
set firewall name WAN-DMZ rule 10 state new ‘enable’
set firewall name WAN-DMZ rule 11 action ‘accept’
set firewall name WAN-DMZ rule 11 destination address ‘10.0.30.151’
set firewall name WAN-DMZ rule 11 destination port ‘19132’
set firewall name WAN-DMZ rule 11 protocol ‘udp’
set firewall name WAN-IOT default-action ‘drop’
set firewall name WAN-IOT rule 10 action ‘accept’
set firewall name WAN-IOT rule 10 destination address ‘10.0.20.10-10.0.20.19’
set firewall name WAN-IOT rule 10 disable
set firewall name WAN-IOT rule 10 state established ‘enable’
set firewall name WAN-IOT rule 10 state related ‘enable’
set firewall name WAN-Infra default-action ‘drop’
set firewall name WAN-Infra rule 1 action ‘accept’
set firewall name WAN-Infra rule 1 state established ‘enable’
set firewall name WAN-Infra rule 1 state related ‘enable’
set firewall name WAN-Infra rule 2 action ‘drop’
set firewall name WAN-Infra rule 2 state invalid ‘enable’
set firewall name WAN-Infra rule 10 action ‘accept’
set firewall name WAN-Infra rule 10 destination address ‘10.0.0.58’
set firewall name WAN-Infra rule 10 destination port ‘1194’
set firewall name WAN-Infra rule 10 protocol ‘tcp_udp’
set firewall name WAN-Infra rule 10 state new ‘enable’
set firewall name WAN-Infra rule 20 action ‘accept’
set firewall name WAN-Infra rule 20 destination address ‘10.0.0.60’
set firewall name WAN-Infra rule 20 destination port ‘1194’
set firewall name WAN-Infra rule 20 protocol ‘tcp_udp’
set firewall name WAN-Infra rule 20 state new ‘enable’
set firewall name WAN-Infra rule 30 action ‘accept’
set firewall name WAN-Infra rule 30 destination address ‘10.0.0.53’
set firewall name WAN-Infra rule 30 destination port ‘51820’
set firewall name WAN-Infra rule 30 protocol ‘tcp_udp’
set firewall name WAN-Infra rule 30 state new ‘enable’
set firewall name WAN-Local default-action ‘drop’
set firewall name WAN-Local rule 1 action ‘accept’
set firewall name WAN-Local rule 1 state established ‘enable’
set firewall name WAN-Local rule 1 state related ‘enable’
set firewall name WAN-Local rule 2 action ‘drop’
set firewall name WAN-Local rule 2 state invalid ‘enable’
set firewall name WAN-Local rule 3 action ‘accept’
set firewall name WAN-Local rule 3 protocol ‘icmp’
set firewall name WAN-Local rule 10 action ‘accept’
set firewall name WAN-Local rule 10 description ‘WireGuard’
set firewall name WAN-Local rule 10 destination port ‘36730’
set firewall name WAN-Local rule 10 log ‘enable’
set firewall name WAN-Local rule 10 protocol ‘udp’
set firewall name default-relatedestablished default-action ‘drop’
set firewall name default-relatedestablished description ‘Drops traffic not related/established’
set firewall name default-relatedestablished rule 1 action ‘accept’
set firewall name default-relatedestablished rule 1 state established ‘enable’
set firewall name default-relatedestablished rule 1 state related ‘enable’
set firewall name local-Guest default-action ‘accept’
set firewall name local-Infra default-action ‘accept’
set firewall name local-WAN default-action ‘accept’
set firewall receive-redirects ‘disable’
set firewall send-redirects ‘enable’
set firewall source-validation ‘disable’
set firewall syn-cookies ‘enable’
set firewall twa-hazards-protection ‘disable’
set firewall zone DMZ default-action ‘drop’
set firewall zone DMZ from DNSDHCP firewall name ‘default-relatedestablished’
set firewall zone DMZ from GenDev firewall name ‘GenDev-DMZ’
set firewall zone DMZ from Guest firewall name ‘Guest-DMZ’
set firewall zone DMZ from Infra firewall name ‘Infra-DMZ’
set firewall zone DMZ from WAN firewall ipv6-name ‘default-relatedestablished-6’
set firewall zone DMZ from WAN firewall name ‘WAN-DMZ’
set firewall zone DMZ interface ‘bond0.30’
set firewall zone DNSDHCP default-action ‘drop’
set firewall zone DNSDHCP from DMZ firewall name ‘DMZ-DNSDHCP’
set firewall zone DNSDHCP from GenDev firewall name ‘GenDev-DNSDHCP’
set firewall zone DNSDHCP from Guest firewall name ‘Guest-DNSDHCP’
set firewall zone DNSDHCP from Infra firewall name ‘Infra-DNSDHCP’
set firewall zone DNSDHCP from WAN firewall name ‘default-relatedestablished’
set firewall zone DNSDHCP from local firewall name ‘RouterLocal-DNSDHCP’
set firewall zone DNSDHCP interface ‘bond0.10’
set firewall zone GenDev default-action ‘drop’
set firewall zone GenDev from DMZ firewall name ‘DMZ-GenDev’
set firewall zone GenDev from DNSDHCP firewall name ‘DNSDHCP-GenDev’
set firewall zone GenDev from IOT firewall name ‘IOT-GenDev’
set firewall zone GenDev from Infra firewall name ‘Infra-GenDev’
set firewall zone GenDev from WAN firewall ipv6-name ‘default-relatedestablished-6’
set firewall zone GenDev from WAN firewall name ‘default-relatedestablished’
set firewall zone GenDev from local firewall name ‘RouterLocal-GenDev’
set firewall zone GenDev interface ‘bond0.40’
set firewall zone GenDev interface ‘wg0’
set firewall zone Guest default-action ‘drop’
set firewall zone Guest from DMZ firewall name ‘default-relatedestablished’
set firewall zone Guest from DNSDHCP firewall name ‘default-relatedestablished’
set firewall zone Guest from WAN firewall name ‘default-relatedestablished’
set firewall zone Guest from local firewall name ‘local-Guest’
set firewall zone Guest interface ‘bond0.110’
set firewall zone IOT default-action ‘drop’
set firewall zone IOT from GenDev firewall name ‘GenDev-IOT’
set firewall zone IOT from Infra firewall name ‘Infra-IOT’
set firewall zone IOT from WAN firewall name ‘WAN-IOT’
set firewall zone IOT from local firewall name ‘default-relatedestablished’
set firewall zone IOT interface ‘bond0.20’
set firewall zone Infra default-action ‘drop’
set firewall zone Infra from DMZ firewall name ‘DMZ-Infra’
set firewall zone Infra from DNSDHCP firewall name ‘DNSDHCP-Infra’
set firewall zone Infra from GenDev firewall name ‘GenDev-Infra’
set firewall zone Infra from IOT firewall name ‘IOT-Infra’
set firewall zone Infra from WAN firewall ipv6-name ‘default-relatedestablished-6’
set firewall zone Infra from WAN firewall name ‘WAN-Infra’
set firewall zone Infra from local firewall name ‘local-Infra’
set firewall zone Infra interface ‘bond0’
set firewall zone WAN default-action ‘drop’
set firewall zone WAN from DMZ firewall name ‘DMZ-WAN’
set firewall zone WAN from DNSDHCP firewall name ‘DNSDHCP-WAN’
set firewall zone WAN from GenDev firewall name ‘GenDev-WAN’
set firewall zone WAN from Guest firewall name ‘Guest-WAN’
set firewall zone WAN from IOT firewall name ‘IOT-WAN’
set firewall zone WAN from Infra firewall name ‘Infra-WAN’
set firewall zone WAN from local firewall name ‘local-WAN’
set firewall zone WAN interface ‘peth0’
set firewall zone local default-action ‘drop’
set firewall zone local from DMZ firewall name ‘DMZ-RouterLocal’
set firewall zone local from DNSDHCP firewall name ‘DNSDHCP-RouterLocal’
set firewall zone local from GenDev firewall name ‘GenDev-RouterLocal’
set firewall zone local from Guest firewall name ‘Guest-RouterLocal’
set firewall zone local from IOT firewall name ‘IOT-RouterLocal’
set firewall zone local from Infra firewall name ‘Infra-RouterLocal’
set firewall zone local from WAN firewall name ‘WAN-Local’
set firewall zone local local-zone
set high-availability vrrp group VLAN1 address 10.0.0.1/24
set high-availability vrrp group VLAN1 interface ‘bond0’
set high-availability vrrp group VLAN1 priority ‘100’
set high-availability vrrp group VLAN1 transition-script backup ‘/config/scripts/vrrp-fail.sh’
set high-availability vrrp group VLAN1 transition-script fault ‘/config/scripts/vrrp-fail.sh’
set high-availability vrrp group VLAN1 transition-script master ‘/config/scripts/vrrp-master.sh’
set high-availability vrrp group VLAN1 vrid ‘10’
set high-availability vrrp group VLAN10 address 10.0.10.1/24
set high-availability vrrp group VLAN10 interface ‘bond0.10’
set high-availability vrrp group VLAN10 priority ‘100’
set high-availability vrrp group VLAN10 vrid ‘10’
set high-availability vrrp group VLAN20 address 10.0.20.1/24
set high-availability vrrp group VLAN20 interface ‘bond0.20’
set high-availability vrrp group VLAN20 priority ‘100’
set high-availability vrrp group VLAN20 vrid ‘10’
set high-availability vrrp group VLAN30 address 10.0.30.1/24
set high-availability vrrp group VLAN30 interface ‘bond0.30’
set high-availability vrrp group VLAN30 priority ‘100’
set high-availability vrrp group VLAN30 vrid ‘10’
set high-availability vrrp group VLAN40 address 10.0.40.1/24
set high-availability vrrp group VLAN40 interface ‘bond0.40’
set high-availability vrrp group VLAN40 priority ‘100’
set high-availability vrrp group VLAN40 vrid ‘10’
set high-availability vrrp group VLAN110 address 10.0.110.1/24
set high-availability vrrp group VLAN110 interface ‘bond0.110’
set high-availability vrrp group VLAN110 priority ‘100’
set high-availability vrrp group VLAN110 vrid ‘10’
set high-availability vrrp sync-group MAIN member ‘VLAN1’
set high-availability vrrp sync-group MAIN member ‘VLAN20’
set high-availability vrrp sync-group MAIN member ‘VLAN30’
set high-availability vrrp sync-group MAIN member ‘VLAN40’
set high-availability vrrp sync-group MAIN member ‘VLAN110’
set high-availability vrrp sync-group MAIN member ‘VLAN10’
set interfaces bonding bond0 address ‘10.0.0.2/24’
set interfaces bonding bond0 hash-policy ‘layer3+4’
set interfaces bonding bond0 lacp-rate ‘fast’
set interfaces bonding bond0 member interface ‘eth1’
set interfaces bonding bond0 member interface ‘eth2’
set interfaces bonding bond0 mode ‘802.3ad’
set interfaces bonding bond0 vif 10 address ‘10.0.10.2/24’
set interfaces bonding bond0 vif 20 address ‘10.0.20.2/24’
set interfaces bonding bond0 vif 20 description ‘IOT’
set interfaces bonding bond0 vif 30 address ‘10.0.30.2/24’
set interfaces bonding bond0 vif 30 description ‘DMZ’
set interfaces bonding bond0 vif 40 address ‘10.0.40.2/24’
set interfaces bonding bond0 vif 40 description ‘GenDev’
set interfaces bonding bond0 vif 110 address ‘10.0.110.2/24’
set interfaces bonding bond0 vif 110 description ‘Guest’
set interfaces bonding bond0 vif 110 disable
set interfaces bonding bond0 vif 1000 description ‘Internet0’
set interfaces bonding bond0 vif 1001 description ‘Internet1’
set interfaces ethernet eth0 hw-id ‘54:bf:64:6b:a6:44’
set interfaces ethernet eth1 hw-id ‘00:0e:1e:79:f8:80’
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload lro
set interfaces ethernet eth1 offload rfs
set interfaces ethernet eth1 offload rps
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 hw-id ‘00:0e:1e:79:f8:82’
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload lro
set interfaces ethernet eth2 offload rfs
set interfaces ethernet eth2 offload rps
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces loopback lo
set interfaces pseudo-ethernet peth0 address ‘dhcp’
set interfaces pseudo-ethernet peth0 description ‘Internet’
set interfaces pseudo-ethernet peth0 mac ‘f0:9f:c2:05:4f:bf’
set interfaces pseudo-ethernet peth0 source-interface ‘bond0.1000’
set interfaces wireguard wg0 address ‘10.0.45.1/24’
set interfaces wireguard wg0 peer Dell7280 allowed-ips ‘10.0.45.12/32’
set interfaces wireguard wg0 peer Dell7280 public-key ‘dY7Ibf9CPENAPiuirmLN56fEtRZX+k6hGtePcBiOEXI=’
set interfaces wireguard wg0 peer S21FE allowed-ips ‘10.0.45.10/32’
set interfaces wireguard wg0 peer S21FE public-key ‘pOLsHqX29gFz5tLGMZMKGEXp02WTJZpeQdl/o9UKz1s=’
set interfaces wireguard wg0 peer XPS13 allowed-ips ‘10.0.45.11/32’
set interfaces wireguard wg0 peer XPS13 public-key ‘rLBCg+SsYWo55KWsE2V2kYRstmdRn4iTvBVoo6ElWlM=’
set interfaces wireguard wg0 port ‘36730’
set interfaces wireguard wg0 private-key ‘qFm047Oo3cTXx4lqCNX/dMMML5VBNOoXUNcfyhhESkU=’
set nat destination rule 1 description ‘HAProxy P443’
set nat destination rule 1 destination port ‘443’
set nat destination rule 1 inbound-interface ‘peth0’
set nat destination rule 1 protocol ‘tcp_udp’
set nat destination rule 1 translation address ‘10.0.30.10’
set nat destination rule 2 description ‘HAProxy P80’
set nat destination rule 2 destination port ‘80’
set nat destination rule 2 inbound-interface ‘peth0’
set nat destination rule 2 protocol ‘tcp_udp’
set nat destination rule 2 translation address ‘10.0.30.10’
set nat source rule 10 outbound-interface ‘peth0’
set nat source rule 10 protocol ‘all’
set nat source rule 10 source address ‘10.0.0.0/8’
set nat source rule 10 translation address ‘masquerade’
set service dhcp-relay listen-interface ‘bond0’
set service dhcp-relay listen-interface ‘bond0.20’
set service dhcp-relay listen-interface ‘bond0.30’
set service dhcp-relay listen-interface ‘bond0.40’
set service dhcp-relay listen-interface ‘bond0.110’
set service dhcp-relay relay-options relay-agents-packets ‘discard’
set service dhcp-relay server ‘10.0.10.10’
set service dhcp-relay server ‘10.0.10.11’
set service dhcp-relay upstream-interface ‘bond0.10’
set service dns dynamic interface peth0 service namecheap host-name ‘@’
set service dns dynamic interface peth0 service namecheap host-name ‘wg’
set service dns dynamic interface peth0 service namecheap login ‘lytebyte.net’
set service dns dynamic interface peth0 service namecheap password ‘53824523eaee441e8ce48b57842c9a05’
set service mdns repeater interface ‘wg0’
set service mdns repeater interface ‘bond0.40’
set service mdns repeater interface ‘bond0.20’
set service ntp allow-client address ‘0.0.0.0/0’
set service ntp allow-client address ‘::/0’
set service ntp listen-address ‘10.0.20.1’
set service ntp listen-address ‘10.0.0.1’
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh listen-address ‘10.0.40.2’
set service ssh listen-address ‘10.0.0.2’
set service ssh listen-address ‘10.0.40.1’
set service ssh listen-address ‘10.0.0.1’
set service ssh loglevel ‘verbose’
set system config-management commit-revisions ‘100’
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed ‘115200’
set system host-name ‘VyOS0’
set system login user gage authentication encrypted-password ‘$6$t3cHjybgRTMFcZis$RLaH8u8pkAUj3NQU.BSrN873i99dPOPgB5iRguViwJUVxjp6sIGV/sBYAMqCGNN0usBBKMnCf0qaxOsARh2tq.’
set system name-server ‘1.1.1.1’
set system name-server ‘1.0.0.1’
set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’

a.hajiyev · July 4, 2023, 5:14am

Hi, @greenman1969.
I have created a lab and tested dhcp-relay with releases:
VyOS 1.4-rolling-202304130846 and VyOS 1.4-rolling-202307030317.
During the day I have not observed any issues. I have done many DHCP requests. Router relayed all to the DHCP server.
Could you use one of the newest rolling releases and update one of the routers and test it?

greenman1969 · July 6, 2023, 4:27am

I’ve been running the current rolling release for most of the day today without issues. I think I figured out what happened and it relates to VRRP: When I go to forcefully shift vrrp from one router to another I usually do it by disabling an interface causing vrrp to notice the fault and fail over. My thinking (after looking at the logs for the isc-dhcp-relay) is that when I disable that interface the Isc-dhcp-relay breaks causing it to crash and stop forwarding dhcp requests until it is restarted with all of the interfaces enabled and working again.

On another quick note, is there a known good way to cause vrrp to failover in the cli without having to edit the configuration on the device?

greenman1969 · July 11, 2023, 4:11am

Hey so after running it solidly for about a week, I ran into the issue again. The isc-dhcp-relay service is failing due to a segmentation fault and failing to restart. Here are the excerpts from the logs:

Please note that the service is only configured to listen on bond0, bond0.20, bond0.30, bond0.40, and bond0.110, and forward to bond0.10. I do not know why it is listening to every port in the system.

Jul 11 04:04:36 VyOS0 systemd[1]: Starting isc-dhcp-relay.service - ISC DHCP IPv4 relay…
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0.40 as upstream: N downstream: Y
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0 as upstream: N downstream: Y
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0.20 as upstream: N downstream: Y
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0.30 as upstream: N downstream: Y
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0.110 as upstream: N downstream: Y
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Requesting: bond0.10 as upstream: Y downstream: N
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Internet Systems Consortium DHCP Relay Agent 4.4.3-P1
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Copyright 2004-2022 Internet Systems Consortium.
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: All rights reserved.
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: For info, please visit ISC DHCP - ISC
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Internet Systems Consortium DHCP Relay Agent 4.4.3-P1
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Copyright 2004-2022 Internet Systems Consortium.
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: All rights reserved.
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: For info, please visit ISC DHCP - ISC
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/peth0/f0:9f:c2:05:4f:bf
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/peth0/f0:9f:c2:05:4f:bf
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/peth0/f0:9f:c2:05:4f:bf
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/peth0/f0:9f:c2:05:4f:bf
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.1001/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.1001/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.1001/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.1001/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.1000/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.1000/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.1000/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.1000/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth2/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth2/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth2/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth2/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth1/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth1/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth1/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth1/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth0/54:bf:64:6b:a6:44
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/eth0/54:bf:64:6b:a6:44
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth0/54:bf:64:6b:a6:44
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/eth0/54:bf:64:6b:a6:44
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.10/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.10/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.10/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.10/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.110/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.110/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.110/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.110/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.30/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.30/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.30/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.30/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.20/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.20/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.20/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.20/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.40/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Listening on LPF/bond0.40/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.40/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on Socket/fallback
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on LPF/bond0.40/00:0e:1e:79:f8:80
Jul 11 04:04:36 VyOS0 dhcrelay[28008]: Sending on Socket/fallback
Jul 11 04:04:36 VyOS0 systemd[1]: Started isc-dhcp-relay.service - ISC DHCP IPv4 relay.
Jul 11 04:05:01 VyOS0 dhcrelay[28008]: Packet to bogus giaddr 10.0.30.4.
Jul 11 04:05:01 VyOS0 dhcrelay[28008]: Packet to bogus giaddr 10.0.30.3.
Jul 11 04:05:01 VyOS0 dhcrelay[28008]: Packet to bogus giaddr 10.0.30.4.
Jul 11 04:05:01 VyOS0 dhcrelay[28008]: Packet to bogus giaddr 10.0.30.3.
Jul 11 04:05:27 VyOS0 dhcrelay[28008]: Discarding packet received on eth2 interface that has no IPv4 address assigned.
Jul 11 04:05:27 VyOS0 systemd[1]: isc-dhcp-relay.service: Main process exited, code=killed, status=11/SEGV
Jul 11 04:05:27 VyOS0 systemd[1]: isc-dhcp-relay.service: Failed with result ‘signal’.
Jul 11 04:05:27 VyOS0 systemd[1]: isc-dhcp-relay.service: Scheduled restart job, restart counter is at 1.

greenman1969 · July 11, 2023, 4:20am

More testing shows that having other routers serving as DHCP relays on the same networks may be causing the failures. Might need to test that further. It’s working now that I’ve shut down the two other routers.

Apachez · July 11, 2023, 10:17am

Even if you got rogue dhcp servers in your network the dhcp server in VyOS shouldnt crash to begin with.

I think there might be some issue between VRRP and DHCP in VyOS where the VRRP scripts should stop the DHCP when the lokal box is no longer VRRP active (and start it once it becomes active).

To avoid the hazzle of dhcp leases I prefer to setup semi-static using Option82. This way whatever is connected to SW3-INT4 will always get the same IP-address assigned by the DHCP-server.

greenman1969 · July 11, 2023, 11:13am

They’re not rogue DHCP servers, they’re just other relays that operate on the same network that I’ve configured the relay to ignore to prevent a dhcp broadcast storm.

n.fort · July 14, 2023, 6:59pm

In next rolling releases you may test disabling relay services through transition scripts in vrrp.

github.com/vyos/vyos-1x

T5059: relay: add disable options for dhcp-relay and dhcpv6-relay

vyos:current ← nicolas-fort:T5059

opened 11:12AM - 13 Jul 23 UTC

nicolas-fort

+10 -7

## Change Summary Add disable option for relay services. ## Types of chang…es  - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Code style update (formatting, renaming) - [ ] Refactoring (no functional changes) - [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component - [ ] Other (please describe): ## Related Task(s) * https://vyos.dev/T5059 ## Component(s) name dhcp-relay dhcpv6-relay ## Proposed changes Add disable options for dhcp-relay and dhcpv6-relai. Also add validor for dhcpv6-relay which was missing. ## How to test  ``` #### Running configuration for relays, status and files: vyos@RELAY:~$ show config comm | grep "relay\|eth1\|eth2" set interfaces ethernet eth1 address '198.51.100.1/24' set interfaces ethernet eth1 address '2001:db8::1/64' set interfaces ethernet eth1 hw-id '50:00:00:01:00:01' set interfaces ethernet eth2 address '203.0.113.1/24' set interfaces ethernet eth2 address '2001:ddd::1/64' set interfaces ethernet eth2 hw-id '50:00:00:01:00:02' set service dhcp-relay listen-interface 'eth2' set service dhcp-relay server '198.51.100.254' set service dhcp-relay upstream-interface 'eth1' set service dhcpv6-relay listen-interface eth2 set service dhcpv6-relay upstream-interface eth1 address '2001:db8::55' vyos@RELAY:~$ sudo ps aux | grep relay root 1756 0.0 0.3 6180 3900 ? Ss 11:07 0:00 /usr/sbin/dhcrelay -6 -pf /run/dhcp-relay/dhcrelay6.pid -l eth2 -u 2001:db8::55 eth1 -c 10 root 1828 0.0 0.3 5880 3480 ? Ss 11:07 0:00 /usr/sbin/dhcrelay -4 -pf /run/dhcp-relay/dhcrelay.pid -c 10 -a -m forward -A 576 -id eth2 -iu eth1 198.51.100.254 vyos 2159 0.0 0.2 6332 2092 ttyS0 S+ 11:08 0:00 grep relay vyos@RELAY:~$ ls /run/dhcp-relay/ dhcrelay6.conf dhcrelay6.pid dhcrelay.conf dhcrelay.pid ## Now disbale both relays vyos@RELAY:~$ conf [edit] vyos@RELAY# set service dhcp-relay disable [edit] vyos@RELAY# set service dhcpv6-relay disable [edit] vyos@RELAY# commit [edit] vyos@RELAY# sudo ps aux | grep relay vyos 2405 0.0 0.2 6332 2096 ttyS0 S+ 11:10 0:00 grep relay [edit] vyos@RELAY# ls /run/dhcp-relay/ [edit] vyos@RELAY# ``` ## Checklist: - [x] I have read the [**CONTRIBUTING**](https://github.com/vyos/vyos-1x/blob/current/CONTRIBUTING.md) document - [x] I have linked this PR to one or more Phabricator Task(s) - [x] I have run the components [**SMOKETESTS**](https://github.com/vyos/vyos-1x/tree/current/smoketest/scripts/cli) if applicable - [x] My commit headlines contain a valid Task id - [x] My change requires a change to the documentation - [ ] I have updated the documentation accordingly

greenman1969 · July 14, 2023, 8:57pm

That’ll be helpful! Have yall added information into the configuration guide directing that the network should only have one active relay at a time?