Page MenuHomeVyOS Platform
Create Task
Maniphest T7371

VyOS DHCP Server shared-network concept and behaviour is not properly documented
Open, WishlistPublic
Actions

Description

Because the docs do not give any explanation about the concept behind "shared-networks", a user might be tempted to create the following config:

(let's say untagged = normal network, vlan 100 = guest, vyos has separate interfaces in both, say one interface 10.1.1.1 and the one in vlan 100 is 10.100.1.1)

service {
    dhcp-server {
        shared-network-name my-dhcp-shared-network {
            authoritative
            subnet 10.1.0.0/16 {
                description "normal"
                option {
                    default-router 10.1.1.1
                }
                range 1 {
                    start 10.1.2.1
                    stop 10.1.255.254
                }
                subnet-id 1
            }
            subnet 10.100.0.0/16 {
                description "guest"
                option {
                    default-router 10.100.1.1
                }
                range 1 {
                    start 10.100.2.1
                    stop 10.100.255.254
                }
                subnet-id 100
            }
        }
    }

Which will work fine for most situations.

Things get tricky when someone switches between the "normal" and "guest" network - kea will happily hand out a lease from the other subnet, leading to no connectivity.
This is also nasty to debug, because there is no obvious reason why the wrong ip is handed out.

If a user starts in the guest network, gets the IP 10.100.2.2, then switches to the internal network, VyOS / kea will give out the same IP 10.100.2.2 again, even though the user is in a different VLAN now. Because the default gateway is not reachable in the other VLAN, the user will not have connectivity.

VyOS seem to translate the 1:1 to kea-dhcp's "shared-networks", so the config above will look like this

"shared-networks": [
        {
            "name": "my-dhcp-shared-network",
            "authoritative": true,
            "subnet4": [
                {
                    "id": 1,
                    "subnet": "10.1.0.0/16",
                    "pools": [ { "pool": "10.1.2.1 - 10.1.255.254" } ]
                },
                {
                    "id": 2,
                    "subnet": "10.100.0.0/16",
                    "pools": [ { "pool": "10.200.2.1 - 10.200.255.254" } ]
                }
            ]
        }
    ],

in my experience, shared-networks are a rather uncommon config in kea, reserved for special cases. Is it really the best approach for VyOS?

In any case, this behaviour should be clearly documented.

kea itself has a nice doc page:
https://kb.isc.org/docs/do-i-need-to-use-shared-networks-or-not-with-kea-dhcp

The most important bit that should be added to the docs, bold and red, in case the behaviour is not changes:
unless classification is added, it's OK for a client to get an address from any subnet within the shared-network.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

rchrist created this task.Apr 18 2025, 12:55 AM
rchrist triaged this task as Normal priority.
rchrist created this object in space S1 VyOS Public.
pasik subscribed.Apr 18 2025, 8:54 AM
Thunderstorm subscribed.Apr 18 2025, 5:02 PM
rchrist updated the task description. (Show Details)Apr 18 2025, 7:06 PM
yzguy subscribed.EditedApr 18 2025, 7:09 PM

I have configured it this way and have seen this behavior, which now makes sense.
I was looking at https://kb.isc.org/docs/do-i-need-to-use-shared-networks-or-not-with-kea-dhcp and it seems to alude to a certain set up which wouldn't be common

What I suppose would be the solution is to introduce config option like

set service dhcp-server subnet
set service dhcpv6-server subnet

which would then go into subnet4 and subnet6 in the Kea config, which keeps the existing functionality as to not break anything, but then can have documentation to show that really people want the new functionality

As it stands now, a user would need a shared-network per subnet to avoid the described behavior

sarthurdev lowered the priority of this task from Normal to Wishlist.Apr 18 2025, 8:58 PM
sarthurdev subscribed.

This has been the same behaviour going back to vyatta and dhcpd. Documentation can indeed be improved here to mention how shared-networks work, please feel free to submit a PR for it.

I don't think introducing new CLI is the solution, it should be instead documented that subnets within shared networks are treated equally.