Netgate Discussion Forum
    Dynamic DHCP lease not visible outside of ARP table

      Gertjan @scotrod
      last edited by

      @scotrod

      Like these :

      18c68af9-359e-4193-82fb-058d8987b504-image.png

      ?
      For me, they show up.
      Most obvious reason if the lease doesn't show up : it wasn't pfSense (== kea) attributing the lease, but some other DHCP server.

      This "192.168.2.0/24" network is my captive portal network, used by 'hotel clients'.

      That said, I can't recall 24.11 very well, but kea was doing its work for me. I was using the Beta when it was available, and now using the latest RC version of pfSense Plus, it rocks.

      On my company's pfSense LAN network (192.168.1.0/24), most LAN devices have static MAC leases set up.
      Works flawlessly.

      You have pfSense Plus, so you have "Boot Environments".
      You can go to 25.07 RC right away and test drive it.
      If something happens, you can go back to 24.11 with one mouse click.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        scotrod @Gertjan
        last edited by scotrod

        @Gertjan 61ee7eb6-1afd-4c51-b24d-fde9ce7d7572-image.png

        This is the field where I expect to see the dynamic DHCP leases. Above that, you can see two devices from my static pool (this is the Leases pool visible on your screenshot). I did not see the dynamic DHCP leases there or in the Lease Utilization menu. Nowhere but the ARP table menu.

        Edit: I don't have other DHCP server but pfsense.

          Gertjan @scotrod
          last edited by Gertjan

          @scotrod

          That looks like what I have ^^

          957946ca-95be-4eb8-85e3-b8c344a31e8b-image.png

          pfSense, the DHCP server and gateway, uses 192.168.2.1
          Then I have some Unifi stuff :
          a PPPOE switch on 192.168.2.2 (using a static mac lease)
          Several Unifi access points, powered by this switch - 192.168.5->192.168.2.7
          Then two devices that I gave a static mac lease also : my phone and a colleague : 192.168.10 and 11

          from then on, starting with .64, are the visiting captive portal (Wifi) clients.

          You could ask yourself this question :
          Do the DHCP requests actually arrive at pfSense, and are they then served a lease by pfSense's DHCP server, kea ?
          The answer is two clicks away :
          Go to Diagnostics > Packet Capture
          Fill in the screen :

          28f6ff8e-8673-44b8-a25f-afb8a2d896c0-image.png

          = select the interface, select high details, select UDP and the DHCP ports 67 87.
          Hit start at the bottom.
          From now on, you can see if DHCP requests are arriving at the pfSense interface, and what the kea reply (the lease) was.

          edit : the leases page does show 2 leases.
          How is this interface set up ?
          If it's for example, a 192.168.2.1/31 then only 4 IPs are possible, and one is already taken by pfSense itself.
          How big is your DHCP pool ?
          Is kea "really" running ?

          [25.07-RC][root@pfSense.bhf.tld]/root: ps aux | grep 'kea'
          root    11894   0.0  0.6  50424  24744  -  S    Fri13       1:07.78 /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
          root    12748   0.0  0.6  47824  24380  -  S    Fri13       0:32.08 /usr/local/sbin/kea-dhcp6 -c /usr/local/etc/kea/kea-dhcp6.conf
          

          This tells me that I've two instances of kea : one for IPv4 and one for IPv6.
          Both 'serve' multiple LAN interfaces (for me).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            scotrod @Gertjan
            last edited by scotrod

            @Gertjan

            There you go:

            12:48:50.394653 f8:e4:3b:76:88:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 128, id 11180, offset 0, flags [none], proto UDP (17), length 328)
                0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from f8:e4:3b:76:88:74, length 300, xid 0xd1984a72, Flags [none] (0x0000)
            	  Client-Ethernet-Address f8:e4:3b:76:88:74
            	  Vendor-rfc1048 Extensions
            	    Magic Cookie 0x63825363
            	    DHCP-Message (53), length 1: Request
            	    Client-ID (61), length 7: ether f8:e4:3b:76:88:74
            	    Requested-IP (50), length 4: 192.168.2.128
            	    Hostname (12), length 2: "HP"
            	    FQDN (81), length 5: "HP"
            	    Vendor-Class (60), length 8: "MSFT 5.0"
            	    Parameter-Request (55), length 14: 
            	      Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Domain-Name (15)
            	      Router-Discovery (31), Static-Route (33), Vendor-Option (43), Netbios-Name-Server (44)
            	      Netbios-Node (46), Netbios-Scope (47), Unknown (119), Classless-Static-Route (121)
            	      Classless-Static-Route-Microsoft (249), Unknown (252)
            12:48:50.412994 48:df:37:0d:02:f6 > f8:e4:3b:76:88:74, ethertype IPv4 (0x0800), length 335: (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 321)
                192.168.2.1.67 > 192.168.2.128.68: [udp sum ok] BOOTP/DHCP, Reply, length 293, xid 0xd1984a72, Flags [none] (0x0000)
            	  Your-IP 192.168.2.128
            	  Client-Ethernet-Address f8:e4:3b:76:88:74
            	  Vendor-rfc1048 Extensions
            	    Magic Cookie 0x63825363
            	    DHCP-Message (53), length 1: ACK
            	    Subnet-Mask (1), length 4: 255.255.255.0
            	    Default-Gateway (3), length 4: 192.168.2.1
            	    Domain-Name-Server (6), length 4: 192.168.2.1
            	    Domain-Name (15), length 9: "home.arpa"
            	    Lease-Time (51), length 4: 7200
            	    Server-ID (54), length 4: 192.168.2.1
            	    FQDN (81), length 6: [N] "hp."
            

            So it did assign it. I still don't see that lease anywhere under Status > DHCP Leases

            My DHCP pool is from 192.168.2.100 to 192.168.2.200. I put my static leases under 100 - so from 192.168.2.1 to 192.168.2.100

              Gertjan @scotrod
              last edited by

              @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

              My DHCP pool is from 192.168.2.100 to 192.168.2.200. I put my static leases under 100 - so from 192.168.2.1 to 192.168.2.100

              192.168.2.2 to 192.168.2.100 I presume, as 192.168.2.1 is already taken = static pfSense IP of the network ^^

              Do you see this "192.168.2.128" lease written to the 'kea' lease file ?: here : /var/lib/kea/dhcp4.leases

              About the DHCP reply, the second part :
              Looks ok, but the host name is missing ?
              Like "

              	    Hostname (12), length 14: "iphone-gertjan"
              

              This host name is given by the DHCP server to the DHCP client, and you have entered something 'valid' here :
              My DHCP Static setup for my phone :
              b400c89b-f735-4975-948d-0b688933bcff-image.png

              Still, maybe there were some initial issues with 24.11, I can't remember anymore.
              I prefer the new bugs (from 25.08 RC) - but can't find any 😊

              I guess your DHCP leases, dynamic and static, are registered, but just not shown by the Status > DHCP Leases page - as that page does a DNS reverse lookup, and if no answers are found, nothing is shown.
              Does it take a long time for the page to show up (and showing no leases, nothing) ?

              Check also your /etc/hosts file, everything is coherent ?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??
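The two checks discussed above (was the lease ACKed by pfSense/Kea or by some other DHCP server, and did the ACKed address land in the Kea lease file) can be scripted. The following is an added example, not code from the thread or from pfSense: the first capture exchange reuses the values quoted in the thread, while the second exchange, the lease row and the function names are constructed for illustration, and the CSV column names `address` and `hwaddr` are the ones Kea's memfile lease file uses.

```python
import csv
import io
import re

EXPECTED_SERVER = "192.168.2.1"  # pfSense/Kea address used in the thread

# Abridged `tcpdump -v` style text. The first exchange uses the thread's values;
# the second ACK (from 192.168.2.254) is constructed for illustration.
CAPTURE = """\
12:48:50.394653 f8:e4:3b:76:88:74 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f8:e4:3b:76:88:74, length 300
        DHCP-Message (53), length 1: Request
12:48:50.412994 48:df:37:0d:02:f6 > f8:e4:3b:76:88:74, ethertype IPv4 (0x0800), length 335:
    192.168.2.1.67 > 192.168.2.128.68: BOOTP/DHCP, Reply, length 293
      Your-IP 192.168.2.128
      Client-Ethernet-Address f8:e4:3b:76:88:74
        DHCP-Message (53), length 1: ACK
        Server-ID (54), length 4: 192.168.2.1
12:49:02.000001 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 335:
    192.168.2.254.67 > 192.168.2.150.68: BOOTP/DHCP, Reply, length 293
      Your-IP 192.168.2.150
      Client-Ethernet-Address 02:00:00:00:00:01
        DHCP-Message (53), length 1: ACK
        Server-ID (54), length 4: 192.168.2.254
"""

# Constructed lease file content: Kea memfile header plus one made-up lease.
LEASES_CSV = """\
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id
192.168.2.10,02:00:00:00:00:10,,7200,1750000000,1,0,0,nas,0,,0
"""

PACKET_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ", re.M)
FIELDS = {
    "ip": re.compile(r"Your-IP (\S+)"),
    "mac": re.compile(r"Client-Ethernet-Address (\S+)"),
    "server": re.compile(r"Server-ID \(54\), length 4: (\S+)"),
}


def parse_acks(text):
    """Return one dict (ip, mac, server) per DHCP ACK found in the capture text."""
    starts = [m.start() for m in PACKET_START.finditer(text)] + [len(text)]
    acks = []
    for begin, end in zip(starts, starts[1:]):
        pkt = text[begin:end]
        if "DHCP-Message (53), length 1: ACK" not in pkt:
            continue  # Discover/Offer/Request/NAK are not lease grants
        found = {key: rx.search(pkt) for key, rx in FIELDS.items()}
        if all(found.values()):
            acks.append({key: m.group(1).lower() for key, m in found.items()})
    return acks


def load_leases(csv_text):
    """Map address -> MAC; later rows override earlier ones for the same address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["address"]: row["hwaddr"].lower() for row in rows}


def audit(capture, lease_csv, expected_server=EXPECTED_SERVER):
    """Classify every ACK: wrong server, missing from the lease file, or ok."""
    leases, findings = load_leases(lease_csv), []
    for ack in parse_acks(capture):
        if ack["server"] != expected_server:
            verdict = "ack-from-unexpected-server"
        elif leases.get(ack["ip"]) != ack["mac"]:
            verdict = "acked-but-not-in-lease-file"
        else:
            verdict = "ok"
        findings.append((ack["ip"], ack["mac"], ack["server"], verdict))
    return findings
```

On a real system the two inputs would be the saved text of the packet capture and the contents of /var/lib/kea/dhcp4.leases.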

                scotrod @Gertjan
                last edited by scotrod

                @Gertjan said in Dynamic DHCP lease not visible outside of ARP table:

                Do you see this "192.168.2.128" lease written to the 'kea' lease file ?: here : /var/lib/kea/dhcp4.leases

                Well I guess I should start from here since this file is empty. Are we sure that this is where the Kea is supposed to log? I do have it enabled and we already saw that it assigns a DHCP lease from the packet capture.

                About the missing hostname - do you mean that the 2nd part of the message should contain the hostname again? I already see it in the first part as an "HP". The Leases page is loading as usual - fast I would say.

                I want to troubleshoot this on "stable" release. After so much shit going on in what is supposed to be a stable release I don't want to upgrade to a release candidate.

                About the /etc/hosts files - I'm not sure what's supposed to go in there. I've just opened it and all I see are static leases. Currently, I do not see the HP laptop (my test subject) there.

                Edit: Well the Internet saying that "it's always DNS" may come true again. I'm using unbound because of pfblockerng. If Kea doesn't work with that, it may explain why ALL of my dynamic DHCP leases do not have hostnames assigned to them currently. I was not aware of the thing you mentioned - that this page uses DNS reverse lookup. So if I don't have hostnames on my dynamic DHCP leases because Kea is handicapped and it can't use unbound, then I guess the field under Leases won't populate.

                  Gertjan @scotrod
                  last edited by

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  Are we sure that this is where the Kea is supposed to log?

                  'Kea' is a process, so there is a process "config" file.
                  It's this file that is created by pfSense before the process is started (or restarted).
                  Check this file /usr/local/etc/kea/kea-dhcp4.conf

                  It lists all the important info, like :

                  0200577e-fcf5-4d67-8782-d6c937c75bc1-image.png

                  so, yeah, I'm pretty sure ^^

                  That said, we're not using the same pfSense version.

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  do you mean that the 2nd part of the message should contain the hostname again?

                  Earlier pfSense versions - I can't recall which ones - didn't support DHCP static MAC lease support (etc). It was a bare bone DHCP server, with no options, gadgets and other tricks. Maybe this is your case ( so : upgrade ? )

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  Edit: Well the Internet saying that "it's always DNS" may come true again

                  It's always DNS .... ^^

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  I'm using unbound because of pfblockerng. If Kea doesn't work

                  I use unbound with the default Netgate DNS settings (aka : I did not change, remove or add anything) as it works out of the box.
                  I do use pfBlockerng ..... IP and DNSBL feeds.

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  that this page uses DNS reverse lookup. So if I don't have hostnames on my dynamic DHCP leases

                  Beware : there are many devices out there that do not expose (include it when doing the REQUEST) their host name, or hand over a domain name that contains illegal chars ... etc.
                  If you want to use a host name for a local device :
                  Give it a static DHCP lease
                  and while setting it up, give it a host name on the pfSense side of things.
                  From now on, DNS works.
                  That is :
                  First :

                  c94f2e28-ba71-4b0b-abb7-12e0bbc2bc57-image.png

                  and for a LAN :

                  dad4ea68-1cba-4363-aadf-d3368e908fed-image.png

                  Btw : I've "Early DNS Registration" active, as this option will include the "DHCP Mac Static lease" into the DNS.
                  Not the DHCP dynamic leases coming in afterwards, as these are - imho - occasionally connected devices and you don't need to connect to them == they won't be a "server type" of devices (I don't need to connect to the phone of my colleagues ^^) - so, for me, their existence in the pfSense DNS cache isn't important.

                  Beware also that you're probably dealing with the opposite of what you just said :

                  @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                  I want to troubleshoot this on "stable" release. After so much shit going on in what is supposed to be a stable release

                  The recent "25.07-RC" has much better kea/unbound support and - for me - the version I was waiting for for .... a bit more than a decade.
                  I don't use any 'special' stuff. Just a DHCP based WAN, and 3 LANs.
                  I do use full stack IPv6 & IPv4, which means I've loads of DHCPv6 leases also, and I use the captive portal (which is IPv4 also by design) with package FreeRadius authentication because "why not". The pfSense package acme.sh because I need certificates that are trusted (portal https obliged).

                  That said, 24.11 was ok for me also (with some initial shortcomings as kea was just implemented and most stuff wasn't coded in yet).

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    johnpoz LAYER 8 Global Moderator @scotrod
                    last edited by

                    @scotrod if you're having issues I would just go back to ISC.. There are many reasons why kea is not quite ready for primetime..

                    I am on 24.11 I just run ISC.. Not like it stopped working, or some serious security issue with it. When you move to the next plus release 25.07 you can give it another go.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      Gertjan @johnpoz
                      last edited by

                      @johnpoz

                      Sure.
                      Me too, I've nothing against ISC, worked well for many, many years, still works well.

                      The thing is :
                      As this is a Plus, thus boot envs are available, a sneak peek for 25.07-RC is possible with zero risk.
                      Btw : I've said 25.08 above, that must be 25.07.

                      A kea with a bunch of Windows devices using DHCP ... that's the case of the majority of all the "pfSense" networks out there, there must be hundreds of thousands doing that right now.
                      The @scotrod issue is :

                      Dynamic DHCP lease not visible

                      which has been modified to : It shows some DHCPv4 leases, but not others ( @scotrod : right ? )

                      Vanilla "DHCP dynamic leases" should work fine using 24.11 Release, as it did for me.

                      @scotrod : can you show a static mac DHCP lease setup ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        scotrod @Gertjan
                        last edited by

                        @Gertjan said in Dynamic DHCP lease not visible outside of ARP table:

                        which has been modified to : It shows some DHCPv4 leases, but not others ( @scotrod : right ? )

                        Vanilla "DHCP dynamic leases" should work fine using 24.11 Release, as it did for me.

                        @scotrod : can you show a static mac DHCP lease setup ?

                        Sorry, which comment are you exactly referring to?

                        Here's how my static leases start:
                        671fee9e-8d76-4c8a-b7f7-7e7ddfdd745c-image.png

                        Later today I'll try to switch to ISC. I have the wife WFH so I don't really have much time of yeeting infrastructure around.

                          Gertjan @scotrod
                          last edited by

                          @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                          Sorry, which comment are you exactly referring to?

                          That leases do show up.
                          As you've shown.
                          More precise : some do, some don't.

                          For kea (and ISC), there is very little to no difference between a static and dynamic DHCPv4 lease.
                          If a lease request comes in, the requester MAC is checked against the MAC list you found in the kea config file = /usr/local/etc/kea/kea-dhcp4.conf see the last part :

                          705241c9-e25b-460a-87ec-08e67788022a-image.png

                          it's the "reservations" block.
                          If the MAC isn't listed, a 'random' IP from the DHCP server pool is picked.

                          Btw : probably important : a valid host name must be listed, like the one I've shown : "bureau" (if this is not the case, DNS will bite you)

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??
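The lookup described above (a requester MAC listed under "reservations" gets its fixed address, any other MAC gets an address from the pool) and the remark about valid host names can be checked against the config file itself. This is an added example, not code from the thread or from pfSense: the config below is constructed in the shape of Kea's `Dhcp4` / `subnet4` / `pools` / `reservations` structure, "bureau" is the host name mentioned in the thread, all other values and the function names are made up, and the file is assumed to parse as plain JSON. It goes slightly beyond the post by also flagging reservations whose address sits inside a dynamic pool.

```python
import ipaddress
import json
import re

# Constructed config in the shape of kea-dhcp4.conf (values are illustrative).
KEA_CONF = """
{"Dhcp4": {"subnet4": [{
  "id": 1, "subnet": "192.168.2.0/24",
  "pools": [{"pool": "192.168.2.100 - 192.168.2.200"}],
  "reservations": [
    {"hw-address": "02:00:00:00:00:10", "ip-address": "192.168.2.10", "hostname": "bureau"},
    {"hw-address": "02:00:00:00:00:11", "ip-address": "192.168.2.100", "hostname": "my_printer"}
  ]}]}}
"""

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def pool_bounds(spec):
    """Turn 'a - b' or 'a.b.c.d/nn' into (first_address, last_address)."""
    if "/" in spec:
        net = ipaddress.ip_network(spec.strip(), strict=False)
        return net[0], net[-1]
    low, high = (ipaddress.ip_address(part.strip()) for part in spec.split("-"))
    return low, high


def valid_hostname(name):
    """True when every dot-separated label is a legal DNS label."""
    return bool(name) and all(LABEL.match(l) for l in name.rstrip(".").split("."))


def classify(conf_text, mac):
    """Return ('static', ip) if the MAC has a reservation, else ('dynamic', None)."""
    mac = mac.lower()
    for subnet in json.loads(conf_text)["Dhcp4"]["subnet4"]:
        for res in subnet.get("reservations", []):
            if res.get("hw-address", "").lower() == mac:
                return ("static", res.get("ip-address"))
    return ("dynamic", None)


def check_reservations(conf_text):
    """List (mac, problem) pairs for bad host names and in-pool reserved addresses."""
    problems = []
    for subnet in json.loads(conf_text)["Dhcp4"]["subnet4"]:
        pools = [pool_bounds(p["pool"]) for p in subnet.get("pools", [])]
        for res in subnet.get("reservations", []):
            ip = ipaddress.ip_address(res["ip-address"])
            if not valid_hostname(res.get("hostname", "")):
                problems.append((res["hw-address"], "invalid-hostname"))
            if any(low <= ip <= high for low, high in pools):
                problems.append((res["hw-address"], "ip-inside-dynamic-pool"))
    return problems
```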

                            scotrod @Gertjan
                            last edited by

                            @Gertjan said in Dynamic DHCP lease not visible outside of ARP table:

                            That leases do show up.
                            As you've shown.
                            More precise : some do, some don't.

                            That's how we started. At this point I have no way of showing dynamic leases anywhere but the ARP table and I expect to see that under DHCP leases. Also, assigning a static lease on a particular MAC address won't work (I've tried that several times) until I check the Create an ARP Table Static Entry for this MAC & IP Address pair. checkbox. I don't know if that's by design, but if it is, it's just a dumb design.

                            Later today I'll just try to fall back to ISC as I have no intention to troubleshoot something that broken. I've just tried to assign a static lease using the Create an ARP Table Static Entry for this MAC & IP Address pair. and it doesn't fucking work. For the past 30 minutes I've attempted to assign a static lease to a single device. I guess the Internet is really getting dumber by the day.

                              Gertjan @scotrod
                              last edited by Gertjan

                              @scotrod said in Dynamic DHCP lease not visible outside of ARP table:

                              That's how we started. At this point I have no way of showing dynamic leases anywhere but the ARP table and I expect to see that under DHCP leases. Also, assigning a static lease on a particular MAC address won't work (I've tried that several times) until I check the Create an ARP Table Static Entry for this MAC & IP Address pair. checkbox. I don't know if that's by design, but if it is, it's just a dumb design.

                              Not needed because not related - and sure enough not by design. I never look at the ARP page ...

                              Also : look at my ARP table :

                              ee416d17-5007-48b3-9b60-a2bd51ba2818-image.png

                              ARP requests are cached (on pfSense) and stay valid for (default) 1200 seconds = 20 minutes.
                              The ARP relation IP <=> MAC has nothing to do with the fact that the IP was obtained originally by a static IP assignment, or a DHCP request (static MAC or dynamic).
                              See here for a nice example.

                              Not a solution, but this would help you : Nearly all my LAN devices have a static MAC DHCP setup, so my NAS, printers, airco, all the networked LAN PCs and other stuff I need to access to control have a 'fixed' but DHCP assigned IP = static MAC DHCP. You could do the same for your setup if the network isn't very big. As you don't change all your equipment very often, this is a one time job.
                              I don't care, for my network, if I don't see the IPv4 of a device that is merely visiting for a while, and then vanished, like the phone IP of a friend that uses my network. I'm not going to connect to his IP anyway, neither sharing info with it etc.

                              According to this blog post, kea DHCP worked since Plus 23.09.
                              This means that classic dynamic leases would be served, and shown on the leases page.
                              Back then, as shown in the "restrictions" list, static MAC leases weren't even supported yet.
                              That changed with 24.11 - and you've shown that that part works.
                              So : imho, your issue isn't "kea" (as we both use it - and it works for me). There must be some setting somewhere that explains this all ....

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??
