Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    KEA dhcp not controlling acess as used in previous versions.

    Scheduled Pinned Locked Moved DHCP and DNS
    6 Posts 2 Posters 264 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Ramosel
      last edited by

      If you have short attention span, stop here... this is going to get long. This is a weekend, enjoy it.

      I'm not sure if I'm here asking for help... or if this is a KEA DHCP bug report.

      I run a system (at home) with multiple VLANs and have multiple WAPS using OpenWRT for it's DSA components that allow me to transport VLANs both as ethernet and wifi around the house and property. Where possible, I always try to run hard wired. My IOT netowork is the one I run all my thermostats, cameras and smart switches. I have an IOT instance within my DHCP setup. On ALL of the devices on this network I use the DHCP server to assign static mapping for organization and to deny unknown clients.

      Everything has been running fine until now. I have one of my security cameras (all hardwired) starting to fail and needed to be replaced. The manufacturer doesn't provide the MAC address or Hostname in the literature so I have to bring them up on a phone app, get that information then edit the existing entry in the "DHCP Static Mappings" reboot the device and it comes up with the new address and I proceed with configuration before I climb a ladder to put it into it's position... or at least that is how I've done it under the old DHCP server.
      So here is how yesterday went.

      • Go to the DHCP Server/IOT and change the "allow known clients only on this interface" to "allow all clients"
      • 10.10.20.1 is the IOT network and the IP range is 199 to 254.
      • put my phone on the IOT network and it instantly gets an address of 10.10.20.201 on the IOT network and it shows under Service/DHCP Leases page
      • Plug camera into an ethernet port assigned to this VLAN and power it up. Access camera with phone, go into settings and turn off WIFI, turn on ethernet. Save settings
      • New camera setup screen shows it has address of 10.10.20.200
      • 10.10.20.200. Address responds to a ping from my workstation.

      Here is the FIRST problem: That IP address, MAC address and hostname NEVER show under the "Status/DHCP Leases" list. It is valid, it is pinging, the camera output flows to the view screen on the app. My phone does show.

      • Oh well, it pings, it's there, lets move on. I go back to the camera, confirm it is now set to DHCP, save the settings and it stays at address 200? Still doesn't show on Status/DHCP Leases screen. why
      • Reboot device, comes back at address 200. So I set Services/DHCP Server/IOT back to "allow known clients only from this interface". Reboot the device, comes back up at address 200.

      Here is the SECOND problem: this process has always worked before on the prior to KEA DHCP server. Once the MAC is in the Static list, it should get the static assignment.

      • Go back to phone app/config on camera and turn off DHCP, put in the static IP of 36. Save, reboot, camera comes up at 36. All is well. Stop/Start DHCP server on pfSense. Change the camera back to DHCP, save, reboot camera. Comes back up on address 200? Why?
      • So maybe KEA needs the prior address to time out? DHCP leases are still on the 7200 sec default, it's getting late... manually set the camera to 36, save it, stop/start DHCP server again, quit for the night.
      • This morning go back to confirm DHCP Server is set to "allow only known clients..." and set the Camera to DHCP, save and it gets address 203. Why?

      Here is the Third Problem: The KEA DHCP server is assigning addresses but ignoring static mappings. I've double and triple checked the MAC and Hostname from the camera are correct in the static mappings. They are just being ignored.

      Am I doing something wrong?

      I just read another post from @KB8DOA about KEA not taking changes until the system is rebooted. I've got some processes running on my CAD/CAM in the shop so I need to wait a bit before I reboot pfSense. Maybe, that will be the difference.

      Rather than just rebooting, I'm going to halt the pfSense (SG-4860) and while it's down, physically unplug the new camera for a few minutes then turn on pfSense before I bring the camera back up.

      If you have any ideas in the interim, I'm all ears and willing to try any suggestions.
      Are there any command line operations to take care of KEA without a reboot?

      Rick

      R 1 Reply Last reply Reply Quote 0
      • R
        Ramosel @Ramosel
        last edited by Ramosel

        Just an update: As per @KB8DOA post, I did reboot pfSense and the camera got the correct address as specified in my DHCP Static Mappings list.

        I'm not so sure the KEA is wise choice... hopefully the Devs get it tightened up or revert back to what we had. The ISC worked, at least for me.

        So I suppose this thread is a bug report on several fronts!

        Let me know if anyone needs any further information. The dying camera was a camera issue, not an ethernet interface issue. It's of no real use for me so if the Dev's want it for interface testing, I'll be glad to send it to you.

        Rick

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by bmeeks

          What version of pfSense are you running? Is it 2.7.2 CE or the latest Plus 24.11? Note there are a ton of fixes for Kea in the latest pfSense Plus release, but those fixes have NOT been applied to Kea in the 2.7.2 CE release of pfSense.

          At this point in time, with the considerable divergence in the code of the original Kea in pfSense CE 2.7.2 and the latest Kea in pfSense Plus 24.11, it is important to note what pfSense version you have (and thus which Kea code family tree you are running) when reporting issues with Kea.

          R 1 Reply Last reply Reply Quote 0
          • R
            Ramosel @bmeeks
            last edited by

            @bmeeks said in KEA dhcp not controlling acess as used in previous versions.:

            What version of pfSense are you running? Is it 2.7.2 CE or the latest Plus 24.11?

            Bill, It’s on one of my SG-4860s, so it’s +24.11. There is one Kea related patch showing in the list and it was installed a couple of weeks ago.

            It’s been years since I’ve had to reboot pfSense to fix a problem so that just never crossed my mind. But, sure enough, a reboot fixed this. And, I had restarted the DHCP service a dozen times yesterday and this morning and got nowhere.

            Rick

            1 Reply Last reply Reply Quote 0
            • R
              Ramosel
              last edited by

              As an add-on for the bug report on Kea DHCP...

              Remember that I use DHCP extensively to create Static Mappings in various DHCP pools.
              While I was working on this issue, I did notice that the Status/DHCP Leases screen was ONLY showing my iphone in the unmapped listings at the bottom of this Status Screen (ie: with the circle with check mark on far left side of the Status/DHCP leases screen). Just to add information, I believe this is because I had moved the phone to the IOT network and back. So it was a recent change... but NONE of the rest of my true DHCP clients that have been up for months and never leave the house were showing. This is about 9 addresses total.

              After the reboot to fix the static mapping issue on the security camera, the 9 devices that use DHCP for non-static addresses that did reappear at the bottom of the list.

              Is this the appropriate venue for this bug report or should this be input elsewhere??

              bmeeksB 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @Ramosel
                last edited by

                @Ramosel said in KEA dhcp not controlling acess as used in previous versions.:

                Is this the appropriate venue for this bug report or should this be input elsewhere??

                Bug reports should be made to the pfSense Redmine site here: https://redmine.pfsense.org/projects/pfsense. That is the official site where the developers track bugs. Posting on the forum generally will not specifically bring a bug to the attention of the developers.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.