Netgate Discussion Forum - DHCP and DNS

    KEA DHCP NTP server option behavior
    Sergei_Shablovsky wrote:

      Dear pfSense Gurus!

      A little off-topic background:
      I recently found a bug in the KEA DHCP server:
      it does not start when it finds an FQDN in the settings, meaning when you put an FQDN instead of an IP in the “NTP Server [x]” field in
      In the log: ERROR [kea-dhcp4.dhcp4.0xbe6c7012000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': option data does not match option definition (space: dhcp4, code: 42): Failed to convert string to address 'int-time.local.lan': Invalid argument (/usr/local/etc/kea/kea-dhcp4.conf:377:33)

      But experimenting with the KEA DHCP server pushed me to dive into its behavior.

      Because the official docs are SHOCKINGLY brief, I have several questions:

      Please teach me, what’s the behavior of KEA DHCP server if:

      SETTINGS 1 ——————————
      (local time-server IP + Interface IP)

      NTP Server 1
      192.168.50.1 (local IP of dedicated internal time-server)
      NTP Server 2
      192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

      SETTINGS 2 ——————————
      (Interface IP only)

      NTP Server 1
      192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

      SETTINGS 3 ——————————
      (local time-server IP, 2 (two) different external IP on himself, Interface IP)

      NTP Server 1
      192.168.50.1 (local IP of dedicated internal time-server)
      NTP Server 2
      23.65.144.12 (external static IP entry of the same pfSense, UPLINK A)
      NTP Server 3
      47.12.168.4 (external static IP entry of the same pfSense, UPLINK B)
      NTP Server 4
      192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

      Which settings work, and how?
      How does the order of the settings matter?
      (Shortly: how does the KEA implementation in 2.7.2-RELEASE deal with the ntpd NTP server inside pfSense?)
      How to check what exactly the DHCP client receives in response to its request?
      (pcap+WireShark, logs, …?)

      THANK YOU SO MUCH for a DETAILED explanation!

      P.S. I hope this helps many pfSense users.

      —
      CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
      Help Ukraine to resist, save civilian people’s lives!
      (Take an active part in public protests, push on your country’s politics, congressmen, mass media, leaders of opinion.)

      Gertjan (replying to Sergei_Shablovsky) wrote:

        @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

        How to check what exactly the DHCP client receives in response to its request?

        What the client gets is what the server sends.

        Diagnostics > Packet Capture
        Select your interface, typically LAN,
        Protocol : UDP
        Ports : 67 and 68
        Go for full details : View option : Full.
        And hit Start.

        Now, on a client, - a windows device :

        ipconfig /renew
        

        and you will see the full packet for the request, and what the DHCP server sends.

        Btw: this doesn't mean the client actually uses the NTP server (if any) received by DHCP.
        If the device permits me to do so, I normally set the NTP address manually to 192.168.1.1. Not great, I know.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        Sergei_Shablovsky (replying to Gertjan) wrote:

          @Gertjan said in KEA DHCP NTP server option behavior:

          @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

          How to check what exactly the DHCP client receives in response to its request?

          What the client gets is what the server sends.

          Diagnostics > Packet Capture
          Select your interface, typically LAN,
          Protocol : UDP
          Ports : 67 and 68
          Go for full details : View option : Full.
          And hit Start.

          Now, on a client, - a windows device :

          ipconfig /renew
          

          and you will see the full packet for the request, and what the DHCP server sends.

          Thank you so much for the explanation!

          And how to see what happens between ntpd and KEA?
          (I mean which NTP server KEA takes from ntpd by default, etc.)

          Btw: this doesn't mean the client actually uses the NTP server (if any) received by DHCP.

          Most modern (even 5-7 year old) devices (PDU/SDU, environment monitoring, security systems, etc.) are able to use it.
          And most OSS. Especially if this is Windows.

          If the device permits me to do so, I normally set the NTP address manually to 192.168.1.1. Not great, I know.

          No-no-no! I couldn’t do this MANUALLY for 200~500 devices in a building….! ;) Only maybe for an extra $7M payment w/o taxes :)


          Gertjan (replying to Sergei_Shablovsky) wrote:

            @Sergei_Shablovsky

            Maybe a WTF situation.
            I'm using ISC right now, as I need DHCP options for some internal testing.
            I've checked, the ntp server option (42 - right ?!) is present:

            ....
            subnet 192.168.1.0 netmask 255.255.255.0 {
            	pool {
            
            		range 192.168.1.70 192.168.1.200;
            	}
            
            	option routers 192.168.1.1;
            	option domain-name "bhf.tld";
            	option domain-name-servers 192.168.1.1;
            	default-lease-time 86400;
            	max-lease-time 345600;
            	ping-check true;
            	option ntp-servers 1.2.3.4;
            
            }
            .....
            

            I've set the ntp server address to "1.2.3.4" to make it stand out.

            A typical DHCP request from my NAS:

            07:12:33.348883 00:11:32:a7:d5:88 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
                0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x8ec28118, Flags [none] (0x0000)
            	  Client-Ethernet-Address 00:11:32:a7:d5:88
            	  Vendor-rfc1048 Extensions
            	    Magic Cookie 0x63825363
            	    DHCP-Message (53), length 1: Request
            	    Requested-IP (50), length 4: 192.168.1.33
            	    Hostname (12), length 13: "DiskStation2^@"
            	    Parameter-Request (55), length 7: 
            	      Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
            	      Domain-Name (15), Domain-Name-Server (6), Hostname (12)
            	    Client-ID (61), length 7: ether 00:11:32:a7:d5:88
            07:12:33.349221 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv4 (0x0800), length 354: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 340)
                192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 312, xid 0x8ec28118, Flags [none] (0x0000)
            	  Your-IP 192.168.1.33
            	  Client-Ethernet-Address 00:11:32:a7:d5:88
            	  Vendor-rfc1048 Extensions
            	    Magic Cookie 0x63825363
            	    DHCP-Message (53), length 1: ACK
            	    Server-ID (54), length 4: 192.168.1.1
            	    Lease-Time (51), length 4: 86400
            	    Subnet-Mask (1), length 4: 255.255.255.0
            	    Default-Gateway (3), length 4: 192.168.1.1
            	    Domain-Name (15), length 21: "bhf.tld^@"
            	    Domain-Name-Server (6), length 4: 192.168.1.1
            	    Hostname (12), length 13: "diskstation2^@"
            

            The ISC server never mentioned an ntp server in the reply section ...

            Because .... is this the answer : the dhcp client didn't ask for one ??? ?

            Things get better : https://superuser.com/questions/147248/windows-clients-not-using-ntp-server-provided-via-dhcp which actually answered what I already knew for years ...

            I've looked at kea : the config of a set NTP server(s) is present ...
            But again : if the client isn't asking for them ..... 😵

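The capture above shows the mechanism behind the question "the dhcp client didn't ask for one?": option 55 (Parameter Request List) in the client's DHCPREQUEST lists the option codes it wants, and the server only fills in configured options that appear in that list. The following is an added example, not code from pfSense, ISC DHCP or Kea: a small Python parser for the DHCP options field, fed a constructed re-encoding of the NAS request above (same parameter request list, 1/28/2/3/15/6/12) and a second constructed request that additionally lists code 42. The server-side `CONFIGURED` table mirrors the ISC subnet block above, `ntp-servers 1.2.3.4` included. Mandatory bookkeeping options (53, 54, 51) are always added; everything else is gated on the parameter request list, which is why option 42 never appears in the first ACK even though it is configured.

```python
import ipaddress

# RFC 2132 option codes used below
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_TIME_ZONE, OPT_ROUTER, OPT_DNS = 1, 2, 3, 6
OPT_HOSTNAME, OPT_DOMAIN_NAME, OPT_BROADCAST, OPT_NTP_SERVERS = 12, 15, 28, 42
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE = 50, 51, 53
OPT_SERVER_ID, OPT_PARAM_REQUEST, OPT_CLIENT_ID = 54, 55, 61
DHCPREQUEST, DHCPACK = 3, 5


def ip4(addr: str) -> bytes:
    """Pack a dotted-quad IPv4 literal into its 4-byte wire form."""
    return ipaddress.IPv4Address(addr).packed


def parse_options(blob: bytes) -> dict[int, bytes]:
    """Parse the DHCP 'options' field: magic cookie followed by code/len/value items."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        # RFC 3396: a repeated code is the continuation of the same option
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def requested_options(opts: dict[int, bytes]) -> list[int]:
    """Option 55 is a plain list of the option codes the client wants answered."""
    return list(opts.get(OPT_PARAM_REQUEST, b""))


def build_ack_options(request_blob: bytes, configured: dict[int, bytes],
                      server_id: str, lease_seconds: int) -> dict[int, bytes]:
    """Select what goes into the DHCPACK: the fixed bookkeeping options plus
    only those configured options the client listed in its parameter request."""
    prl = requested_options(parse_options(request_blob))
    reply = {
        OPT_MSG_TYPE: bytes([DHCPACK]),
        OPT_SERVER_ID: ip4(server_id),
        OPT_LEASE_TIME: lease_seconds.to_bytes(4, "big"),
    }
    for code in prl:
        if code in configured:
            reply[code] = configured[code]
    return reply


# Constructed sample: the NAS request decoded in the capture above, re-encoded
SAMPLE_NAS_REQUEST = (
    MAGIC_COOKIE
    + bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    + bytes([OPT_REQUESTED_IP, 4]) + ip4("192.168.1.33")
    + bytes([OPT_HOSTNAME, 12]) + b"DiskStation2"
    + bytes([OPT_PARAM_REQUEST, 7, 1, 28, 2, 3, 15, 6, 12])
    + bytes([OPT_CLIENT_ID, 7, 1]) + bytes.fromhex("001132a7d588")
    + bytes([OPT_END])
)

# Constructed sample: the same request, but the client also lists option 42
SAMPLE_NTP_AWARE_REQUEST = SAMPLE_NAS_REQUEST.replace(
    bytes([OPT_PARAM_REQUEST, 7, 1, 28, 2, 3, 15, 6, 12]),
    bytes([OPT_PARAM_REQUEST, 8, 1, 28, 2, 3, 15, 6, 12, 42]),
)

# Server side, mirroring the ISC subnet block shown above
CONFIGURED = {
    OPT_SUBNET_MASK: ip4("255.255.255.0"),
    OPT_ROUTER: ip4("192.168.1.1"),
    OPT_DNS: ip4("192.168.1.1"),
    OPT_DOMAIN_NAME: b"bhf.tld",
    OPT_NTP_SERVERS: ip4("1.2.3.4"),
}


def ntp_offered(request_blob: bytes) -> bool:
    """True only when option 42 ends up in the ACK for this request."""
    ack = build_ack_options(request_blob, CONFIGURED, "192.168.1.1", 86400)
    return OPT_NTP_SERVERS in ack


if __name__ == "__main__":
    for name, blob in (("NAS request", SAMPLE_NAS_REQUEST),
                       ("request listing 42", SAMPLE_NTP_AWARE_REQUEST)):
        print(f"{name}: PRL={requested_options(parse_options(blob))} "
              f"NTP offered={ntp_offered(blob)}")
```

Running it prints the NAS parameter request list and `NTP offered=False`, then `NTP offered=True` for the constructed request that lists 42. Note that time zone (2) and broadcast address (28) are requested by the NAS but absent from the ACK as well, simply because nothing is configured for them; that is the same gating rule seen from the other side.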

            Sergei_Shablovsky (replying to Gertjan) wrote:

              @Gertjan said in KEA DHCP NTP server option behavior:

              @Sergei_Shablovsky

              Maybe a WTF situation.
              I'm using ISC right now, as I need DHCP options for some internal testing.
              I've checked, the ntp server option (42 - right ?!) is present:

              ....
              subnet 192.168.1.0 netmask 255.255.255.0 {
              	pool {
              
              		range 192.168.1.70 192.168.1.200;
              	}
              
              	option routers 192.168.1.1;
              	option domain-name "bhf.tld";
              	option domain-name-servers 192.168.1.1;
              	default-lease-time 86400;
              	max-lease-time 345600;
              	ping-check true;
              	option ntp-servers 1.2.3.4;
              
              }
              .....
              

              I've set the ntp server address to "1.2.3.4" to make it stand out.

              A typical DHCP request from my NAS:

              07:12:33.348883 00:11:32:a7:d5:88 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
                  0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x8ec28118, Flags [none] (0x0000)
              	  Client-Ethernet-Address 00:11:32:a7:d5:88
              	  Vendor-rfc1048 Extensions
              	    Magic Cookie 0x63825363
              	    DHCP-Message (53), length 1: Request
              	    Requested-IP (50), length 4: 192.168.1.33
              	    Hostname (12), length 13: "DiskStation2^@"
              	    Parameter-Request (55), length 7: 
              	      Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
              	      Domain-Name (15), Domain-Name-Server (6), Hostname (12)
              	    Client-ID (61), length 7: ether 00:11:32:a7:d5:88
              07:12:33.349221 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv4 (0x0800), length 354: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 340)
                  192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 312, xid 0x8ec28118, Flags [none] (0x0000)
              	  Your-IP 192.168.1.33
              	  Client-Ethernet-Address 00:11:32:a7:d5:88
              	  Vendor-rfc1048 Extensions
              	    Magic Cookie 0x63825363
              	    DHCP-Message (53), length 1: ACK
              	    Server-ID (54), length 4: 192.168.1.1
              	    Lease-Time (51), length 4: 86400
              	    Subnet-Mask (1), length 4: 255.255.255.0
              	    Default-Gateway (3), length 4: 192.168.1.1
              	    Domain-Name (15), length 21: "bhf.tld^@"
              	    Domain-Name-Server (6), length 4: 192.168.1.1
              	    Hostname (12), length 13: "diskstation2^@"
              

              BTW, is this from WireShark?

              The ISC server never mentioned an ntp server in the reply section ...

              Since I started to learn more about *nix NTP servers, I read A LOT of NEGATIVE feedback about bugs and security breaches in the ISC server that were not resolved FOR YEARS!

              Because .... is this the answer : the dhcp client didn't ask for one ??? ?

              Anyway, one piece of good news:

              subnet 192.168.112.0 netmask 255.255.255.0 {
                      max-lease-time 604800;
                      default-lease-time 86400;
                      authoritative;
                      ignore client-updates;
              
                      option ntp-servers 192.168.112.112; #self
              
                      ... (many other options)
              }
              

              From this code I understand that the NTP server allows setting its own address as the “NTP server address”.

              Things get better : https://superuser.com/questions/147248/windows-clients-not-using-ntp-server-provided-via-dhcp which actually answered what I already knew for years ...

              I've looked at kea : the config of a set NTP server(s) is present ...
              But again : if the client isn't asking for them ..... 😵

              I don't agree with you :) :

              • the question is very old (Asked 13 years, 8 months ago) and there is a 0.005% chance that something changed in modern versions of Win;

              • as one of the leaders in firewalling, pfSense may care about a lot of *nix systems. In *nix systems users pay more attention to time sync because a lot of *nix servers are used in military, government, health care, energy, finance and critical infrastructure.
                (Let’s note that the number of *nix systems will grow because we are just at the start of decades of wars, and Win is a TOTALLY VULNERABLE system.)

              So, as one of the leaders in firewalling in enterprise, the pfSense DevTeam needs to care about KEA working correctly. ;)


              Gertjan (replying to Sergei_Shablovsky) wrote:

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                BTW, is this from WireShark?

                Noop. Packet capturing using pfSense. With full details:

                a904798b-4e24-4d44-a966-ba94deaf11e3-image.png

                DHCP request from Syno NAS (derived from Linux)

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                  Parameter-Request (55), length 7: 
                    Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
                    Domain-Name (15), Domain-Name-Server (6), Hostname (12)
                

                Note: it doesn't ask for option '42': NTP server.
                So the DHCP server, ISC or KEA, doesn't give one.
                Windows: I saw the same thing: it doesn't ask for NTP server IP(s).
                So the DHCP server doesn't give one.

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                I read A LOT of NEGATIVE feedback about bugs and security breaches in the ISC server that were not resolved FOR YEARS!

                Probably a reason why they, themselves, wiped the board, and restarted all over with what they've learned : they wrote KEA ?

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                Anyway, one piece of good news:

                subnet 192.168.112.0 netmask 255.255.255.0 {
                max-lease-time 604800;
                default-lease-time 86400;
                authoritative;
                ignore client-updates;

                    option ntp-servers 192.168.112.112; #self
                

                That's not the issue, ISC and KEA have the "NTP-server" parameter present, if you set one (an IP, not a host name, as others discovered).

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                I don't agree with you :) :

                Neither myself, I hope to be wrong. But that's not what I'm seeing right now.

                For example, my Synology NAS again :

                dc853efe-faa5-4b48-b98d-2e15ae461d06-image.png

                I entered that IP address "192.168.1.1" manually. My NAS uses "DHCPv4" and "DHCPv6" to obtain the IPv4 network info and the IPv6 network info. That works just fine, it syncs time now.

                @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                So, as one of the leaders in firewalling in enterprise, the pfSense DevTeam needs to care about KEA working correctly. ;)

                As the "ntp-server" option is present in the KEA config, on the server (pfSense) side everything is set up.
                Nothing more pfSense can do - if the DHCP client isn't asking for it ...


                Sergei_Shablovsky wrote:

                  Ok!

                  So I'm just waiting for the bug where the pfSense WebGUI does not understand an FQDN in the NTP Server settings to be fixed.


                  Gertjan (replying to Sergei_Shablovsky) wrote:

                    @Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

                    the pfSense WebGUI does not understand an FQDN in the NTP Server settings.

                    The popup does say " ... or a host name like myhost.example.com"

                    1c221c59-a1b5-4247-8eb7-c73eca67aebb-image.png

                    but, from what I make of the ISC DHCP server doc: IPv4 only (not even IPv6)!!

                    https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-options

                    035b217e-caff-44a4-b895-f7de4eae0a41-image.png

                    KEA: same thing:

                    https://kea.readthedocs.io/en/kea-2.0.0/arm/dhcp4-srv.html

                    ded5f403-b7f0-4b59-b03b-21f471ad76c0-image.png

                    Again: I would like to be wrong, but as I see it, IPv4 is mandatory.
                    If a host name were possible, the pfSense GUI should resolve the host name first. It doesn't.
                    It checks if a given host name has the correct format, that's it.

                    I solved the issue by changing the popup text ^^ "IPv4 only !".

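The post above pins down the two facts the first post ran into: option 42 (ntp-servers) is typed as a list of IPv4 addresses in both ISC DHCP and Kea, and the pfSense GUI only checks the format of a host name, so an FQDN reaches kea-dhcp4 unchanged and the server refuses to start. What follows is an added example, not pfSense's or Kea's code, of the validation step the GUI could perform before writing the option: accept IPv4 literals as-is, reject IPv6 literals and unresolvable names with a clear message, resolve any host name to its IPv4 addresses, and keep the order the fields were entered in. The `resolve` hook is an assumption for illustration (pfSense does no such resolution today, as noted above); the test data uses the `int-time.local.lan` name from the first post with a constructed answer so the example runs offline. The output dictionary uses the keys of Kea's option-data configuration element (`name`, `code`, `space`, `data`) as documented in the Kea ARM; the `space: dhcp4, code: 42` pair is the same one named in the error message of the first post.

```python
import ipaddress
import json
import socket


def resolve_ipv4(name: str) -> list[str]:
    """Resolve a host name to its IPv4 addresses via the system resolver.
    This is the hypothetical step the GUI would need before writing the config."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET, type=socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def normalise_ntp_servers(entries, resolve=resolve_ipv4) -> list[str]:
    """Turn the GUI's 'NTP Server 1..n' fields into the IPv4 list option 42 can carry.
    Field order is preserved; IPv6 literals and unresolvable names are rejected up
    front instead of being left for kea-dhcp4 to fail on at start-up."""
    out: list[str] = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue  # empty GUI field, nothing to emit
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            ip = None
        if ip is None:
            candidates = resolve(entry)
            if not candidates:
                raise ValueError(f"{entry!r}: host name does not resolve to an IPv4 address")
        elif ip.version != 4:
            raise ValueError(f"{entry!r}: option 42 (ntp-servers) carries IPv4 addresses only")
        else:
            candidates = [str(ip)]
        for addr in candidates:
            if addr not in out:  # drop duplicates, keep first-seen order
                out.append(addr)
    return out


def kea_ntp_option_data(entries, resolve=resolve_ipv4):
    """Build the Kea option-data element for option 42, or None when no server is set."""
    addrs = normalise_ntp_servers(entries, resolve)
    if not addrs:
        return None
    return {"name": "ntp-servers", "code": 42, "space": "dhcp4", "data": ", ".join(addrs)}


# Constructed stand-in resolver so the example runs offline; the name and the
# address are placeholders taken from the first post, not real DNS data.
FAKE_DNS = {"int-time.local.lan": ["192.168.50.1"]}


def offline_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    # SETTINGS 1 from the first post, with the FQDN in place of the first IP
    fields = ["int-time.local.lan", "192.168.5.1"]
    print(json.dumps(kea_ntp_option_data(fields, offline_resolve), indent=2))
    for bad in (["2001:db8::123"], ["no-such-host.invalid"]):
        try:
            kea_ntp_option_data(bad, offline_resolve)
        except ValueError as err:
            print("rejected:", err)
```

With the constructed resolver the first call yields `"data": "192.168.50.1, 192.168.5.1"`, i.e. the same order as the GUI fields, and the two bad inputs are reported before anything is written to `kea-dhcp4.conf`. Resolving at save time also means the option carries whatever address the name had at that moment; if the time server moves, the setting must be saved again, which is one more reason the configuration formats insist on an address rather than a name.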

                    Sergei_Shablovsky (replying to Gertjan) wrote:

                      @Gertjan Thank you so much for your efforts!

                      BTW, ISC Stork for BIND 9 and KEA service state monitoring looks like a great tool!


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.