[j-nsp] DHCP server recommendation for subscribers management

Tue Aug 10 16:44:18 EDT 2021

Nathan Ward via juniper-nsp писал 2021-08-10 08:00:
>> On 10/08/2021, at 10:40 PM, Bjørn Mork via juniper-nsp 
>> <juniper-nsp at puck.nether.net> wrote:

Thank you Nathan and Bjorn for your explanations, they are very helpful!
I'll definitely look at ip pool management in RADIUS. I'm struggling to 
find a good freeradius documentation source, could you give some links?

So far, I started to play with KEA dhcp server and stumbled on "shared 
subnet" with multiple pools topic. I have two clients connected. The 
first pool has only one IP available to force the client who comes last 
to use the second pool. The first client successfully gets .226 IP from 
the first pool, but the second client fails.

My config has this:

     "subnet4": [
         {
             "subnet": "X.X.X.224/28",
             "pools": [ { "pool": "X.X.X.226 - X.X.X.226" } ],
             "relay": {
                 "ip-addresses": [ "X.X.X.225" ]
             },
             "option-data": [
                 {
                     // For each IPv4 subnet you most likely need to 
specify at
                     // least one router.
                     "name": "routers",
                     "data": "X.X.X.225"
                 }
             ]
         },
         {
             "subnet": "X.X.X.240/28",
             "pools": [ { "pool": "X.X.X.242 - X.X.X.245" } ],
             "relay": {
                 "ip-addresses": [ "X.X.X.225" ]
             },
             "option-data": [
                 {
                     // For each IPv4 subnet you most likely need to 
specify at
                     // least one router.
                     "name": "routers",
                     "data": "X.X.X.241"
                 }
             ],

In the log I get this:
Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN  
ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 d0:76:8f:a7:43:ca], cid=[no 
info], tid=0x485c2228: failed to allocate an IPv4 address in the subnet 
X.X.X.224/28, subnet-id 1, shared network
Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN  
ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 d0:76:8f:a7:43:ca], cid=[no info], 
tid=0x485c2228: failed to allocate an IPv4 address after 1 attempt(s)
Aug 10 15:51:17 testradius kea-dhcp4[44325]: WARN  
ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 d0:76:8f:a7:43:ca], cid=[no 
info], tid=0x485c2228: Failed to allocate an IPv4 address for client 
with classes: ALL, VENDOR_CLASS_xxxxxxxx.dslforum.org, UNKNOWN

Looks like KEA doesn't consider the second subnet as belonging to the 
same shared network despite the matching giaddr. I followed example in 
Kea documentation and expect that relay address matching giaddr should 
do the trick, but I feel maybe subnets have to be in the same bracket, 
however don't know how to put it there. At one moment I saw addresses 
leased from both pools but later it returned back to this. Maybe it was 
a transient state when previous lease didn't expire yet, I'm not sure.

> Note that you also must have a unique address as the primary address
> on the interface as the giaddr - which the the centralised dhcp server
> talks to. If that giaddr is shared across BNGs, your replies will go
> to the wrong place a large % of the time, and not get to the
> subscriber.
> The giaddr does not need to be an address in any of the subnets you
> want to hand out addresses in - in isc dhcpd, you can configure the
> giaddr in a subnet as part of the “shared network” you want to hand
> out addresses from, which if you have a lot of BNGs saves you a
> handful of addresses you can give to customers.

Good point, thanks. I find Juniper documentation on primary and 
preferred IP very confusing, for me it's always try and fail method to 
find a working combination. Even more confusing, few years ago I had a 
TAC case opened regarding the meaning of preferred address for IPv6 
assignment to pppoe subscriber and I was told by TAC that it's not 
supported for IPv6 at all. I think it changed in recent releases.
For example, there is unique IP on lo0 that is used as router-id etc., 
and also there should be one or more IPs that match subnets in address 
pools. In dynamic profile address is specified this way:
unnumbered-address "$junos-loopback-interface" preferred-source-address 
"$junos-preferred-source-address"
Currently I don't have neither primary or preferred specified on lo0 and 
.225 is somehow selected.
In my understanding preferred-source-address has to match subnet in 
address pool, otherwise it will fail to assign an address. And it also 
will be used as giaddr in this case. Which address should be primary and 
which preferred in this case?

Kind regards,
Andrey