DHCPv6 failover peer broken due to 'deny dynamic bootp clients' in dhcpdv6.conf

  • Having tried to enable failover for ipv6 dns I added the backup firewall's ipv6 address to the dhcpdv6 config page and the subsequent restart of dhcpd failed:

    fw1 php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid vr1_vlan69' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.5-P1 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 15: expecting allow/deny key deny dynamic ^ /etc/dhcpdv6.conf line 15: expecting a parameter or declaration deny dynamic bootp clients; ^ Configuration file errors encountered – exiting If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the

    Having looked at the /var/dhcpd/etc/dhcpdv6.conf file I see it has not actually added the config for a failover peer, however has inserted the following:

    subnet6 2001:40a0:1011:69::/64 {
    deny dynamic bootp clients;

    I can see mention of this in dhcpd.conf man page that suggests this should be used when a failover peer is configured, although the example config puts this command within the pool { } config section that seems not to be present here?

    Does anyone else have a working ipv6 dhcp failover config?


  • Still broken, this may be something to look at before progressing to RC2 as it doesn't seem like you can have a resilient pair of firewalls if you want to use DHCP for ipv6 address assignment :(

  • Rebel Alliance Developer Netgate

    DHCPv6 does not support failover, not sure why the options were in the GUI, but aside from the one that broke the backup config, they were not in the backend.

    Current recommendation is to run them independently with separate pools.

    We're considering maybe having the DHCPv6 daemon shut down in a failover config if the interface is in a CARP backup status, but that isn't quite so easy.
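A pre-deployment check for the "run them independently with separate pools" setup, as an added example that is not part of the thread or of pfSense: it flags the `deny dynamic bootp clients` statement that dhcpd -6 rejected above and any overlap between the two firewalls' `range6` pools. The two sample configs, the `range6` values and the function names are constructed for illustration; only the subnet6 prefix and the rejected statement come from the thread.

```python
import ipaddress
import re

# Constructed sample configs for the two firewalls (assumed values).
FW1_CONF = """
subnet6 2001:40a0:1011:69::/64 {
    range6 2001:40a0:1011:69::1000 2001:40a0:1011:69::1fff;
}
"""
FW2_CONF = """
subnet6 2001:40a0:1011:69::/64 {
    deny dynamic bootp clients;
    range6 2001:40a0:1011:69::1800 2001:40a0:1011:69::2fff;
}
"""

# Assumption: flat subnet6 blocks with no nested braces.
SUBNET_RE = re.compile(r"subnet6\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range6\s+(\S+)\s+(\S+)\s*;")


def parse_pools(conf):
    """Return (pools, problems): pools is a list of (low, high) int pairs."""
    pools, problems = [], []
    if re.search(r"deny\s+dynamic\s+bootp\s+clients", conf):
        problems.append("deny dynamic bootp clients: rejected by dhcpd -6")
    for prefix, body in SUBNET_RE.findall(conf):
        net = ipaddress.IPv6Network(prefix)
        for low, high in RANGE_RE.findall(body):
            lo, hi = ipaddress.IPv6Address(low), ipaddress.IPv6Address(high)
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"range6 {low} {high} is not inside {net}")
            pools.append((int(lo), int(hi)))
    return pools, problems


def check_pair(conf_a, conf_b):
    """Collect problems for two independently running DHCPv6 servers."""
    pools_a, problems = parse_pools(conf_a)
    pools_b, more = parse_pools(conf_b)
    problems += more
    for a_lo, a_hi in pools_a:
        for b_lo, b_hi in pools_b:
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                start = ipaddress.IPv6Address(max(a_lo, b_lo))
                problems.append(f"pools overlap starting at {start}")
    return problems
```

Calling `check_pair(FW1_CONF, FW2_CONF)` on the constructed samples reports both the rejected statement and the overlapping range.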
