diff --git a/smoketest/scripts/cli/test_service_dhcp-server.py b/smoketest/scripts/cli/test_service_dhcp-server.py
index 46c4e25a1..f891bf295 100755
--- a/smoketest/scripts/cli/test_service_dhcp-server.py
+++ b/smoketest/scripts/cli/test_service_dhcp-server.py
@@ -1,830 +1,847 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 import unittest
 
 from json import loads
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSessionError
 from vyos.utils.process import process_named_running
 from vyos.utils.file import read_file
 from vyos.template import inc_ip
 from vyos.template import dec_ip
 
 PROCESS_NAME = 'kea-dhcp4'
 CTRL_PROCESS_NAME = 'kea-ctrl-agent'
 KEA4_CONF = '/run/kea/kea-dhcp4.conf'
 KEA4_CTRL = '/run/kea/dhcp4-ctrl-socket'
 base_path = ['service', 'dhcp-server']
 interface = 'dum8765'
 subnet = '192.0.2.0/25'
 router = inc_ip(subnet, 1)
 dns_1 = inc_ip(subnet, 2)
 dns_2 = inc_ip(subnet, 3)
 domain_name = 'vyos.net'
 
 class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestServiceDHCPServer, cls).setUpClass()
        # Clear out current configuration to allow running this test on a live system
         cls.cli_delete(cls, base_path)
 
         cidr_mask = subnet.split('/')[-1]
         cls.cli_set(cls, ['interfaces', 'dummy', interface, 'address', f'{router}/{cidr_mask}'])
 
     @classmethod
     def tearDownClass(cls):
         cls.cli_delete(cls, ['interfaces', 'dummy', interface])
         super(TestServiceDHCPServer, cls).tearDownClass()
 
     def tearDown(self):
         self.cli_delete(base_path)
         self.cli_commit()
 
     def walk_path(self, obj, path):
         current = obj
 
         for i, key in enumerate(path):
             if isinstance(key, str):
                 self.assertTrue(isinstance(current, dict), msg=f'Failed path: {path}')
                 self.assertTrue(key in current, msg=f'Failed path: {path}')
             elif isinstance(key, int):
                 self.assertTrue(isinstance(current, list), msg=f'Failed path: {path}')
                 self.assertTrue(0 <= key < len(current), msg=f'Failed path: {path}')
             else:
                 assert False, "Invalid type"
 
             current = current[key]
 
         return current
 
     def verify_config_object(self, obj, path, value):
         base_obj = self.walk_path(obj, path)
         self.assertTrue(isinstance(base_obj, list))
         self.assertTrue(any(True for v in base_obj if v == value))
 
     def verify_config_value(self, obj, path, key, value):
         base_obj = self.walk_path(obj, path)
         if isinstance(base_obj, list):
             self.assertTrue(any(True for v in base_obj if key in v and v[key] == value))
         elif isinstance(base_obj, dict):
             self.assertTrue(key in base_obj)
             self.assertEqual(base_obj[key], value)
 
     def test_dhcp_single_pool_range(self):
         shared_net_name = 'SMOKE-1'
 
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 20)
         range_1_start = inc_ip(subnet, 40)
         range_1_stop  = inc_ip(subnet, 50)
 
         self.cli_set(base_path + ['listen-interface', interface])
 
         pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         self.cli_set(pool + ['ignore-client-id'])
         # we use the first subnet IP address as default gateway
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['option', 'name-server', dns_1])
         self.cli_set(pool + ['option', 'name-server', dns_2])
         self.cli_set(pool + ['option', 'domain-name', domain_name])
 
         # check validate() - No DHCP address range or active static-mapping set
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
         self.cli_set(pool + ['range', '1', 'start', range_1_start])
         self.cli_set(pool + ['range', '1', 'stop', range_1_stop])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'interfaces-config'], 'interfaces', [interface])
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'id', 1)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'match-client-id', False)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'valid-lifetime', 86400)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'max-valid-lifetime', 86400)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name', 'data': domain_name})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name-servers', 'data': f'{dns_1}, {dns_2}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_0_start} - {range_0_stop}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_1_start} - {range_1_stop}'})
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_single_pool_options(self):
         shared_net_name = 'SMOKE-0815'
 
         range_0_start       = inc_ip(subnet, 10)
         range_0_stop        = inc_ip(subnet, 20)
         smtp_server         = '1.2.3.4'
         time_server         = '4.3.2.1'
         tftp_server         = 'tftp.vyos.io'
         search_domains      = ['foo.vyos.net', 'bar.vyos.net']
         bootfile_name       = 'vyos'
         bootfile_server     = '192.0.2.1'
         wpad                = 'http://wpad.vyos.io/foo/bar'
         server_identifier   = bootfile_server
         ipv6_only_preferred = '300'
 
         pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         # we use the first subnet IP address as default gateway
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['option', 'name-server', dns_1])
         self.cli_set(pool + ['option', 'name-server', dns_2])
         self.cli_set(pool + ['option', 'domain-name', domain_name])
         self.cli_set(pool + ['option', 'ip-forwarding'])
         self.cli_set(pool + ['option', 'smtp-server', smtp_server])
         self.cli_set(pool + ['option', 'pop-server', smtp_server])
         self.cli_set(pool + ['option', 'time-server', time_server])
         self.cli_set(pool + ['option', 'tftp-server-name', tftp_server])
         for search in search_domains:
             self.cli_set(pool + ['option', 'domain-search', search])
         self.cli_set(pool + ['option', 'bootfile-name', bootfile_name])
         self.cli_set(pool + ['option', 'bootfile-server', bootfile_server])
         self.cli_set(pool + ['option', 'wpad-url', wpad])
         self.cli_set(pool + ['option', 'server-identifier', server_identifier])
 
         self.cli_set(pool + ['option', 'static-route', '10.0.0.0/24', 'next-hop', '192.0.2.1'])
         self.cli_set(pool + ['option', 'ipv6-only-preferred', ipv6_only_preferred])
         self.cli_set(pool + ['option', 'time-zone', 'Europe/London'])
 
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'boot-file-name', bootfile_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'next-server', bootfile_server)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'valid-lifetime', 86400)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'max-valid-lifetime', 86400)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name', 'data': domain_name})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name-servers', 'data': f'{dns_1}, {dns_2}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-search', 'data': ', '.join(search_domains)})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'pop-server', 'data': smtp_server})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'smtp-server', 'data': smtp_server})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'time-servers', 'data': time_server})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'dhcp-server-identifier', 'data': server_identifier})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'tftp-server-name', 'data': tftp_server})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'wpad-url', 'data': wpad})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'rfc3442-static-route', 'data': '24,10,0,0,192,0,2,1, 0,192,0,2,1'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'windows-static-route', 'data': '24,10,0,0,192,0,2,1'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'v6-only-preferred', 'data': ipv6_only_preferred})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'ip-forwarding', 'data': "true"})
 
         # Time zone
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'pcode', 'data': 'GMT0BST,M3.5.0/1,M10.5.0'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'tcode', 'data': 'Europe/London'})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_0_start} - {range_0_stop}'})
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_single_pool_options_scoped(self):
         shared_net_name = 'SMOKE-2'
 
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 20)
 
         range_router = inc_ip(subnet, 5)
         range_dns_1 = inc_ip(subnet, 6)
         range_dns_2 = inc_ip(subnet, 7)
 
         shared_network = base_path + ['shared-network-name', shared_net_name]
         pool = shared_network + ['subnet', subnet]
 
         self.cli_set(pool + ['subnet-id', '1'])
 
         # we use the first subnet IP address as default gateway
         self.cli_set(shared_network + ['option', 'default-router', router])
         self.cli_set(shared_network + ['option', 'name-server', dns_1])
         self.cli_set(shared_network + ['option', 'name-server', dns_2])
         self.cli_set(shared_network + ['option', 'domain-name', domain_name])
 
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
         self.cli_set(pool + ['range', '0', 'option', 'default-router', range_router])
         self.cli_set(pool + ['range', '0', 'option', 'name-server', range_dns_1])
         self.cli_set(pool + ['range', '0', 'option', 'name-server', range_dns_2])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'valid-lifetime', 86400)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'max-valid-lifetime', 86400)
 
         # Verify shared-network options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'option-data'],
                 {'name': 'domain-name', 'data': domain_name})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'option-data'],
                 {'name': 'domain-name-servers', 'data': f'{dns_1}, {dns_2}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         # Verify range options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools', 0, 'option-data'],
                 {'name': 'domain-name-servers', 'data': f'{range_dns_1}, {range_dns_2}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools', 0, 'option-data'],
                 {'name': 'routers', 'data': range_router})
 
         # Verify pool
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'], 'pool', f'{range_0_start} - {range_0_stop}')
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_single_pool_static_mapping(self):
         shared_net_name = 'SMOKE-2'
         domain_name = 'private'
 
         pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         # we use the first subnet IP address as default gateway
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['option', 'name-server', dns_1])
         self.cli_set(pool + ['option', 'name-server', dns_2])
         self.cli_set(pool + ['option', 'domain-name', domain_name])
 
         # check validate() - No DHCP address range or active static-mapping set
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
 
         client_base = 10
         for client in ['client1', 'client2', 'client3']:
             mac = '00:50:00:00:00:{}'.format(client_base)
             self.cli_set(pool + ['static-mapping', client, 'mac', mac])
             self.cli_set(pool + ['static-mapping', client, 'ip-address', inc_ip(subnet, client_base)])
             client_base += 1
 
         # cannot have both mac-address and duid set
         with self.assertRaises(ConfigSessionError):
             self.cli_set(pool + ['static-mapping', 'client1', 'duid', '00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:11'])
             self.cli_commit()
         self.cli_delete(pool + ['static-mapping', 'client1', 'duid'])
 
         # cannot have mappings with duplicate IP addresses
         self.cli_set(pool + ['static-mapping', 'dupe1', 'mac', '00:50:00:00:fe:ff'])
         self.cli_set(pool + ['static-mapping', 'dupe1', 'ip-address', inc_ip(subnet, 10)])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         # Should allow disabled duplicate
         self.cli_set(pool + ['static-mapping', 'dupe1', 'disable'])
         self.cli_commit()
         self.cli_delete(pool + ['static-mapping', 'dupe1'])
 
         # cannot have mappings with duplicate MAC addresses
         self.cli_set(pool + ['static-mapping', 'dupe2', 'mac', '00:50:00:00:00:10'])
         self.cli_set(pool + ['static-mapping', 'dupe2', 'ip-address', inc_ip(subnet, 120)])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_delete(pool + ['static-mapping', 'dupe2'])
 
 
         # cannot have mappings with duplicate MAC addresses
         self.cli_set(pool + ['static-mapping', 'dupe3', 'duid', '00:01:02:03:04:05:06:07:aa:aa:aa:aa:aa:01'])
         self.cli_set(pool + ['static-mapping', 'dupe3', 'ip-address', inc_ip(subnet, 121)])
         self.cli_set(pool + ['static-mapping', 'dupe4', 'duid', '00:01:02:03:04:05:06:07:aa:aa:aa:aa:aa:01'])
         self.cli_set(pool + ['static-mapping', 'dupe4', 'ip-address', inc_ip(subnet, 121)])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_delete(pool + ['static-mapping', 'dupe3'])
         self.cli_delete(pool + ['static-mapping', 'dupe4'])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'id', 1)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'valid-lifetime', 86400)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'max-valid-lifetime', 86400)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name', 'data': domain_name})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'domain-name-servers', 'data': f'{dns_1}, {dns_2}'})
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         client_base = 10
         for client in ['client1', 'client2', 'client3']:
             mac = '00:50:00:00:00:{}'.format(client_base)
             ip = inc_ip(subnet, client_base)
 
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'reservations'],
                     {'hostname': client, 'hw-address': mac, 'ip-address': ip})
 
             client_base += 1
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_multiple_pools(self):
         lease_time = '14400'
 
         for network in ['0', '1', '2', '3']:
             shared_net_name = f'VyOS-SMOKETEST-{network}'
             subnet = f'192.0.{network}.0/24'
             router = inc_ip(subnet, 1)
             dns_1 = inc_ip(subnet, 2)
 
             range_0_start = inc_ip(subnet, 10)
             range_0_stop  = inc_ip(subnet, 20)
             range_1_start = inc_ip(subnet, 30)
             range_1_stop  = inc_ip(subnet, 40)
 
             pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
             self.cli_set(pool + ['subnet-id', str(int(network) + 1)])
             # we use the first subnet IP address as default gateway
             self.cli_set(pool + ['option', 'default-router', router])
             self.cli_set(pool + ['option', 'name-server', dns_1])
             self.cli_set(pool + ['option', 'domain-name', domain_name])
             self.cli_set(pool + ['lease', lease_time])
 
             self.cli_set(pool + ['range', '0', 'start', range_0_start])
             self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
             self.cli_set(pool + ['range', '1', 'start', range_1_start])
             self.cli_set(pool + ['range', '1', 'stop', range_1_stop])
 
             client_base = 60
             for client in ['client1', 'client2', 'client3', 'client4']:
                 mac = '02:50:00:00:00:{}'.format(client_base)
                 self.cli_set(pool + ['static-mapping', client, 'mac', mac])
                 self.cli_set(pool + ['static-mapping', client, 'ip-address', inc_ip(subnet, client_base)])
                 client_base += 1
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         for network in ['0', '1', '2', '3']:
             shared_net_name = f'VyOS-SMOKETEST-{network}'
             subnet = f'192.0.{network}.0/24'
             router = inc_ip(subnet, 1)
             dns_1 = inc_ip(subnet, 2)
 
             range_0_start = inc_ip(subnet, 10)
             range_0_stop  = inc_ip(subnet, 20)
             range_1_start = inc_ip(subnet, 30)
             range_1_stop  = inc_ip(subnet, 40)
 
             self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
             self.verify_config_value(obj, ['Dhcp4', 'shared-networks', int(network), 'subnet4'], 'subnet', subnet)
             self.verify_config_value(obj, ['Dhcp4', 'shared-networks', int(network), 'subnet4'], 'id', int(network) + 1)
             self.verify_config_value(obj, ['Dhcp4', 'shared-networks', int(network), 'subnet4'], 'valid-lifetime', int(lease_time))
             self.verify_config_value(obj, ['Dhcp4', 'shared-networks', int(network), 'subnet4'], 'max-valid-lifetime', int(lease_time))
 
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'option-data'],
                     {'name': 'domain-name', 'data': domain_name})
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'option-data'],
                     {'name': 'domain-name-servers', 'data': dns_1})
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'option-data'],
                     {'name': 'routers', 'data': router})
 
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'pools'],
                     {'pool': f'{range_0_start} - {range_0_stop}'})
             self.verify_config_object(
                     obj,
                     ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'pools'],
                     {'pool': f'{range_1_start} - {range_1_stop}'})
 
             client_base = 60
             for client in ['client1', 'client2', 'client3', 'client4']:
                 mac = '02:50:00:00:00:{}'.format(client_base)
                 ip = inc_ip(subnet, client_base)
 
                 self.verify_config_object(
                         obj,
                         ['Dhcp4', 'shared-networks', int(network), 'subnet4', 0, 'reservations'],
                         {'hostname': client, 'hw-address': mac, 'ip-address': ip})
 
                 client_base += 1
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_exclude_not_in_range(self):
         # T3180: verify else path when slicing DHCP ranges and exclude address
         # is not part of the DHCP range
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 20)
 
         pool = base_path + ['shared-network-name', 'EXCLUDE-TEST', 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['exclude', router])
+        self.cli_set(pool + ['range', '0', 'option', 'default-router', router])
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', 'EXCLUDE-TEST')
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
 
+        pool_obj = {
+            'pool': f'{range_0_start} - {range_0_stop}',
+            'option-data': [{'name': 'routers', 'data': router}]
+        }
+
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
-                {'pool': f'{range_0_start} - {range_0_stop}'})
+                pool_obj)
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_exclude_in_range(self):
         # T3180: verify else path when slicing DHCP ranges and exclude address
         # is not part of the DHCP range
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 100)
 
         # the DHCP exclude addresse is blanked out of the range which is done
         # by slicing one range into two ranges
         exclude_addr  = inc_ip(range_0_start, 20)
         range_0_stop_excl = dec_ip(exclude_addr, 1)
         range_0_start_excl = inc_ip(exclude_addr, 1)
 
         pool = base_path + ['shared-network-name', 'EXCLUDE-TEST-2', 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['exclude', exclude_addr])
+        self.cli_set(pool + ['range', '0', 'option', 'default-router', router])
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', 'EXCLUDE-TEST-2')
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
 
+        pool_obj = {
+            'pool': f'{range_0_start} - {range_0_stop_excl}',
+            'option-data': [{'name': 'routers', 'data': router}]
+        }
+
+        pool_exclude_obj = {
+            'pool': f'{range_0_start_excl} - {range_0_stop}',
+            'option-data': [{'name': 'routers', 'data': router}]
+        }
+
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
-                {'pool': f'{range_0_start} - {range_0_stop_excl}'})
+                pool_obj)
 
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
-                {'pool': f'{range_0_start_excl} - {range_0_stop}'})
+                pool_exclude_obj)
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_relay_server(self):
         # Listen on specific address and return DHCP leases from a non
         # directly connected pool
         self.cli_set(base_path + ['listen-address', router])
 
         relay_subnet = '10.0.0.0/16'
         relay_router = inc_ip(relay_subnet, 1)
 
         range_0_start = '10.0.1.0'
         range_0_stop  = '10.0.250.255'
 
         pool = base_path + ['shared-network-name', 'RELAY', 'subnet', relay_subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         self.cli_set(pool + ['option', 'default-router', relay_router])
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'interfaces-config'], 'interfaces', [f'{interface}/{router}'])
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', 'RELAY')
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', relay_subnet)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': relay_router})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_0_start} - {range_0_stop}'})
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
     def test_dhcp_high_availability(self):
         shared_net_name = 'FAILOVER'
         failover_name = 'VyOS-Failover'
 
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 20)
 
         pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         # we use the first subnet IP address as default gateway
         self.cli_set(pool + ['option', 'default-router', router])
 
         # check validate() - No DHCP address range or active static-mapping set
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # failover
         failover_local = router
         failover_remote = inc_ip(router, 1)
 
         self.cli_set(base_path + ['high-availability', 'source-address', failover_local])
         self.cli_set(base_path + ['high-availability', 'name', failover_name])
         self.cli_set(base_path + ['high-availability', 'remote', failover_remote])
         self.cli_set(base_path + ['high-availability', 'status', 'primary'])
         ## No mode defined -> its active-active mode by default
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         # Verify failover
         self.verify_config_value(obj, ['Dhcp4', 'control-socket'], 'socket-name', KEA4_CTRL)
 
         self.verify_config_object(
             obj,
             ['Dhcp4', 'hooks-libraries', 0, 'parameters', 'high-availability', 0, 'peers'],
             {'name': os.uname()[1], 'url': f'http://{failover_local}:647/', 'role': 'primary', 'auto-failover': True})
 
         self.verify_config_object(
             obj,
             ['Dhcp4', 'hooks-libraries', 0, 'parameters', 'high-availability', 0, 'peers'],
             {'name': failover_name, 'url': f'http://{failover_remote}:647/', 'role': 'secondary', 'auto-failover': True})
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_0_start} - {range_0_stop}'})
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
         self.assertTrue(process_named_running(CTRL_PROCESS_NAME))
 
     def test_dhcp_high_availability_standby(self):
         shared_net_name = 'FAILOVER'
         failover_name = 'VyOS-Failover'
 
         range_0_start = inc_ip(subnet, 10)
         range_0_stop  = inc_ip(subnet, 20)
 
         pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
         self.cli_set(pool + ['subnet-id', '1'])
         # we use the first subnet IP address as default gateway
         self.cli_set(pool + ['option', 'default-router', router])
         self.cli_set(pool + ['range', '0', 'start', range_0_start])
         self.cli_set(pool + ['range', '0', 'stop', range_0_stop])
 
         # failover
         failover_local = router
         failover_remote = inc_ip(router, 1)
 
         self.cli_set(base_path + ['high-availability', 'source-address', failover_local])
         self.cli_set(base_path + ['high-availability', 'name', failover_name])
         self.cli_set(base_path + ['high-availability', 'remote', failover_remote])
         self.cli_set(base_path + ['high-availability', 'status', 'secondary'])
         self.cli_set(base_path + ['high-availability', 'mode', 'active-passive'])
 
         # commit changes
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         # Verify failover
         self.verify_config_value(obj, ['Dhcp4', 'control-socket'], 'socket-name', KEA4_CTRL)
 
         self.verify_config_object(
             obj,
             ['Dhcp4', 'hooks-libraries', 0, 'parameters', 'high-availability', 0, 'peers'],
             {'name': os.uname()[1], 'url': f'http://{failover_local}:647/', 'role': 'standby', 'auto-failover': True})
 
         self.verify_config_object(
             obj,
             ['Dhcp4', 'hooks-libraries', 0, 'parameters', 'high-availability', 0, 'peers'],
             {'name': failover_name, 'url': f'http://{failover_remote}:647/', 'role': 'primary', 'auto-failover': True})
 
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks'], 'name', shared_net_name)
         self.verify_config_value(obj, ['Dhcp4', 'shared-networks', 0, 'subnet4'], 'subnet', subnet)
 
         # Verify options
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'option-data'],
                 {'name': 'routers', 'data': router})
 
         # Verify pools
         self.verify_config_object(
                 obj,
                 ['Dhcp4', 'shared-networks', 0, 'subnet4', 0, 'pools'],
                 {'pool': f'{range_0_start} - {range_0_stop}'})
 
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
         self.assertTrue(process_named_running(CTRL_PROCESS_NAME))
 
     def test_dhcp_on_interface_with_vrf(self):
         self.cli_set(['interfaces', 'ethernet', 'eth1', 'address', '10.1.1.1/30'])
         self.cli_set(['interfaces', 'ethernet', 'eth1', 'vrf', 'SMOKE-DHCP'])
         self.cli_set(['protocols', 'static', 'route', '10.1.10.0/24', 'interface', 'eth1', 'vrf', 'SMOKE-DHCP'])
         self.cli_set(['vrf', 'name', 'SMOKE-DHCP', 'protocols', 'static', 'route', '10.1.10.0/24', 'next-hop', '10.1.1.2'])
         self.cli_set(['vrf', 'name', 'SMOKE-DHCP', 'table', '1000'])
         self.cli_set(base_path + ['shared-network-name', 'SMOKE-DHCP-NETWORK', 'subnet', '10.1.10.0/24', 'subnet-id', '1'])
         self.cli_set(base_path + ['shared-network-name', 'SMOKE-DHCP-NETWORK', 'subnet', '10.1.10.0/24', 'option', 'default-router', '10.1.10.1'])
         self.cli_set(base_path + ['shared-network-name', 'SMOKE-DHCP-NETWORK', 'subnet', '10.1.10.0/24', 'option', 'name-server', '1.1.1.1'])
         self.cli_set(base_path + ['shared-network-name', 'SMOKE-DHCP-NETWORK', 'subnet', '10.1.10.0/24', 'range', '1', 'start', '10.1.10.10'])
         self.cli_set(base_path + ['shared-network-name', 'SMOKE-DHCP-NETWORK', 'subnet', '10.1.10.0/24', 'range', '1', 'stop', '10.1.10.20'])
         self.cli_set(base_path + ['listen-address', '10.1.1.1'])
         self.cli_commit()
 
         config = read_file(KEA4_CONF)
         obj = loads(config)
 
         self.verify_config_value(obj, ['Dhcp4', 'interfaces-config'], 'interfaces', ['eth1/10.1.1.1'])
 
         self.cli_delete(['interfaces', 'ethernet', 'eth1', 'vrf', 'SMOKE-DHCP'])
         self.cli_delete(['protocols', 'static', 'route', '10.1.10.0/24', 'interface', 'eth1', 'vrf'])
         self.cli_delete(['vrf', 'name', 'SMOKE-DHCP'])
         self.cli_commit()
 
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py
index e89448e2d..9c59aa63d 100755
--- a/src/conf_mode/service_dhcp-server.py
+++ b/src/conf_mode/service_dhcp-server.py
@@ -1,430 +1,438 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 
 from glob import glob
 from ipaddress import ip_address
 from ipaddress import ip_network
 from netaddr import IPRange
 from sys import exit
 
 from vyos.config import Config
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
 from vyos.template import render
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
 from vyos.utils.file import chmod_775
 from vyos.utils.file import chown
 from vyos.utils.file import makedir
 from vyos.utils.file import write_file
 from vyos.utils.process import call
 from vyos.utils.network import interface_exists
 from vyos.utils.network import is_subnet_connected
 from vyos.utils.network import is_addr_assigned
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
 ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
 ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
 config_file = '/run/kea/kea-dhcp4.conf'
 lease_file = '/config/dhcp/dhcp4-leases.csv'
 lease_file_glob = '/config/dhcp/dhcp4-leases*'
 systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf'
 user_group = '_kea'
 
 ca_cert_file = '/run/kea/kea-failover-ca.pem'
 cert_file = '/run/kea/kea-failover.pem'
 cert_key_file = '/run/kea/kea-failover-key.pem'
 
 def dhcp_slice_range(exclude_list, range_dict):
     """
     This function is intended to slice a DHCP range. What does it mean?
 
     Lets assume we have a DHCP range from '192.0.2.1' to '192.0.2.100'
     but want to exclude address '192.0.2.74' and '192.0.2.75'. We will
     pass an input 'range_dict' in the format:
       {'start' : '192.0.2.1', 'stop' : '192.0.2.100' }
     and we will receive an output list of:
       [{'start' : '192.0.2.1' , 'stop' : '192.0.2.73'  },
        {'start' : '192.0.2.76', 'stop' : '192.0.2.100' }]
     The resulting list can then be used in turn to build the proper dhcpd
     configuration file.
     """
     output = []
     # exclude list must be sorted for this to work
     exclude_list = sorted(exclude_list)
     range_start = range_dict['start']
     range_stop = range_dict['stop']
     range_last_exclude = ''
 
     for e in exclude_list:
         if (ip_address(e) >= ip_address(range_start)) and \
            (ip_address(e) <= ip_address(range_stop)):
             range_last_exclude = e
 
     for e in exclude_list:
         if (ip_address(e) >= ip_address(range_start)) and \
            (ip_address(e) <= ip_address(range_stop)):
 
             # Build new address range ending one address before exclude address
             r = {
                 'start' : range_start,
                 'stop' : str(ip_address(e) -1)
             }
+
+            if 'option' in range_dict:
+                r['option'] = range_dict['option']
+
             # On the next run our address range will start one address after
             # the exclude address
             range_start = str(ip_address(e) + 1)
 
             # on subsequent exclude addresses we can not
             # append them to our output
             if not (ip_address(r['start']) > ip_address(r['stop'])):
                 # Everything is fine, add range to result
                 output.append(r)
 
             # Take care of last IP address range spanning from the last exclude
             # address (+1) to the end of the initial configured range
             if ip_address(e) == ip_address(range_last_exclude):
                 r = {
                   'start': str(ip_address(e) + 1),
                   'stop': str(range_stop)
                 }
+
+                if 'option' in range_dict:
+                    r['option'] = range_dict['option']
+
                 if not (ip_address(r['start']) > ip_address(r['stop'])):
                     output.append(r)
         else:
           # if the excluded address was not part of the range, we simply return
           # the entire ranga again
           if not range_last_exclude:
               if range_dict not in output:
                   output.append(range_dict)
 
     return output
 
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
     base = ['service', 'dhcp-server']
     if not conf.exists(base):
         return None
 
     dhcp = conf.get_config_dict(base, key_mangling=('-', '_'),
                                 no_tag_node_value_mangle=True,
                                 get_first_key=True,
                                 with_recursive_defaults=True)
 
     if 'shared_network_name' in dhcp:
         for network, network_config in dhcp['shared_network_name'].items():
             if 'subnet' in network_config:
                 for subnet, subnet_config in network_config['subnet'].items():
                     # If exclude IP addresses are defined we need to slice them out of
                     # the defined ranges
                     if {'exclude', 'range'} <= set(subnet_config):
                         new_range_id = 0
                         new_range_dict = {}
                         for r, r_config in subnet_config['range'].items():
                             for slice in dhcp_slice_range(subnet_config['exclude'], r_config):
                                 new_range_dict.update({new_range_id : slice})
                                 new_range_id +=1
 
                         dhcp['shared_network_name'][network]['subnet'][subnet].update(
                                 {'range' : new_range_dict})
 
     if len(dhcp['high_availability']) == 1:
         ## only default value for mode is set, need to remove ha node
         del dhcp['high_availability']
     else:
         if dict_search('high_availability.certificate', dhcp):
             dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
 
     return dhcp
 
 def verify(dhcp):
     # bail out early - looks like removal from running config
     if not dhcp or 'disable' in dhcp:
         return None
 
     # If DHCP is enabled we need one share-network
     if 'shared_network_name' not in dhcp:
         raise ConfigError('No DHCP shared networks configured.\n' \
                           'At least one DHCP shared network must be configured.')
 
     # Inspect shared-network/subnet
     listen_ok = False
     subnets = []
     shared_networks =  len(dhcp['shared_network_name'])
     disabled_shared_networks = 0
 
     subnet_ids = []
 
     # A shared-network requires a subnet definition
     for network, network_config in dhcp['shared_network_name'].items():
         if 'disable' in network_config:
             disabled_shared_networks += 1
 
         if 'subnet' not in network_config:
             raise ConfigError(f'No subnets defined for {network}. At least one\n' \
                               'lease subnet must be configured.')
 
         for subnet, subnet_config in network_config['subnet'].items():
             if 'subnet_id' not in subnet_config:
                 raise ConfigError(f'Unique subnet ID not specified for subnet "{subnet}"')
 
             if subnet_config['subnet_id'] in subnet_ids:
                 raise ConfigError(f'Subnet ID for subnet "{subnet}" is not unique')
 
             subnet_ids.append(subnet_config['subnet_id'])
 
             # All delivered static routes require a next-hop to be set
             if 'static_route' in subnet_config:
                 for route, route_option in subnet_config['static_route'].items():
                     if 'next_hop' not in route_option:
                         raise ConfigError(f'DHCP static-route "{route}" requires router to be defined!')
 
             # Check if DHCP address range is inside configured subnet declaration
             if 'range' in subnet_config:
                 networks = []
                 for range, range_config in subnet_config['range'].items():
                     if not {'start', 'stop'} <= set(range_config):
                         raise ConfigError(f'DHCP range "{range}" start and stop address must be defined!')
 
                     # Start/Stop address must be inside network
                     for key in ['start', 'stop']:
                         if ip_address(range_config[key]) not in ip_network(subnet):
                             raise ConfigError(f'DHCP range "{range}" {key} address not within shared-network "{network}, {subnet}"!')
 
                     # Stop address must be greater or equal to start address
                     if ip_address(range_config['stop']) < ip_address(range_config['start']):
                         raise ConfigError(f'DHCP range "{range}" stop address must be greater or equal\n' \
                                           'to the ranges start address!')
 
                     for network in networks:
                         start = range_config['start']
                         stop = range_config['stop']
                         if start in network:
                             raise ConfigError(f'Range "{range}" start address "{start}" already part of another range!')
                         if stop in network:
                             raise ConfigError(f'Range "{range}" stop address "{stop}" already part of another range!')
 
                     tmp = IPRange(range_config['start'], range_config['stop'])
                     networks.append(tmp)
 
             # Exclude addresses must be in bound
             if 'exclude' in subnet_config:
                 for exclude in subnet_config['exclude']:
                     if ip_address(exclude) not in ip_network(subnet):
                         raise ConfigError(f'Excluded IP address "{exclude}" not within shared-network "{network}, {subnet}"!')
 
             # At least one DHCP address range or static-mapping required
             if 'range' not in subnet_config and 'static_mapping' not in subnet_config:
                 raise ConfigError(f'No DHCP address range or active static-mapping configured\n' \
                                   f'within shared-network "{network}, {subnet}"!')
 
             if 'static_mapping' in subnet_config:
                 # Static mappings require just a MAC address (will use an IP from the dynamic pool if IP is not set)
                 used_ips = []
                 used_mac = []
                 used_duid = []
                 for mapping, mapping_config in subnet_config['static_mapping'].items():
                     if 'ip_address' in mapping_config:
                         if ip_address(mapping_config['ip_address']) not in ip_network(subnet):
                             raise ConfigError(f'Configured static lease address for mapping "{mapping}" is\n' \
                                               f'not within shared-network "{network}, {subnet}"!')
 
                         if ('mac' not in mapping_config and 'duid' not in mapping_config) or \
                             ('mac' in mapping_config and 'duid' in mapping_config):
                             raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for '
                                               f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!')
 
                         if 'disable' not in mapping_config:
                             if mapping_config['ip_address'] in used_ips:
                                 raise ConfigError(f'Configured IP address for static mapping "{mapping}" already exists on another static mapping')
                             used_ips.append(mapping_config['ip_address'])
 
                     if 'disable' not in mapping_config:
                         if 'mac' in mapping_config:
                             if mapping_config['mac'] in used_mac:
                                 raise ConfigError(f'Configured MAC address for static mapping "{mapping}" already exists on another static mapping')
                             used_mac.append(mapping_config['mac'])
 
                         if 'duid' in mapping_config:
                             if mapping_config['duid'] in used_duid:
                                 raise ConfigError(f'Configured DUID for static mapping "{mapping}" already exists on another static mapping')
                             used_duid.append(mapping_config['duid'])
 
             # There must be one subnet connected to a listen interface.
             # This only counts if the network itself is not disabled!
             if 'disable' not in network_config:
                 if is_subnet_connected(subnet, primary=False):
                     listen_ok = True
 
             # Subnets must be non overlapping
             if subnet in subnets:
                 raise ConfigError(f'Configured subnets must be unique! Subnet "{subnet}"\n'
                                    'defined multiple times!')
             subnets.append(subnet)
 
             # Check for overlapping subnets
             net = ip_network(subnet)
             for n in subnets:
                 net2 = ip_network(n)
                 if (net != net2):
                     if net.overlaps(net2):
                         raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!')
 
     # Prevent 'disable' for shared-network if only one network is configured
     if (shared_networks - disabled_shared_networks) < 1:
         raise ConfigError(f'At least one shared network must be active!')
 
     if 'high_availability' in dhcp:
         for key in ['name', 'remote', 'source_address', 'status']:
             if key not in dhcp['high_availability']:
                 tmp = key.replace('_', '-')
                 raise ConfigError(f'DHCP high-availability requires "{tmp}" to be specified!')
 
         if len({'certificate', 'ca_certificate'} & set(dhcp['high_availability'])) == 1:
             raise ConfigError(f'DHCP secured high-availability requires both certificate and CA certificate')
 
         if 'certificate' in dhcp['high_availability']:
             cert_name = dhcp['high_availability']['certificate']
 
             if cert_name not in dhcp['pki']['certificate']:
                 raise ConfigError(f'Invalid certificate specified for DHCP high-availability')
 
             if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'certificate'):
                 raise ConfigError(f'Invalid certificate specified for DHCP high-availability')
 
             if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'private', 'key'):
                 raise ConfigError(f'Missing private key on certificate specified for DHCP high-availability')
 
         if 'ca_certificate' in dhcp['high_availability']:
             ca_cert_name = dhcp['high_availability']['ca_certificate']
             if ca_cert_name not in dhcp['pki']['ca']:
                 raise ConfigError(f'Invalid CA certificate specified for DHCP high-availability')
 
             if not dict_search_args(dhcp['pki']['ca'], ca_cert_name, 'certificate'):
                 raise ConfigError(f'Invalid CA certificate specified for DHCP high-availability')
 
     for address in (dict_search('listen_address', dhcp) or []):
         if is_addr_assigned(address, include_vrf=True):
             listen_ok = True
             # no need to probe further networks, we have one that is valid
             continue
         else:
             raise ConfigError(f'listen-address "{address}" not configured on any interface')
 
     if not listen_ok:
         raise ConfigError('None of the configured subnets have an appropriate primary IP address on any\n'
                           'broadcast interface configured, nor was there an explicit listen-address\n'
                           'configured for serving DHCP relay packets!')
 
     if 'listen_address' in dhcp and 'listen_interface' in dhcp:
         raise ConfigError(f'Cannot define listen-address and listen-interface at the same time')
 
     for interface in (dict_search('listen_interface', dhcp) or []):
         if not interface_exists(interface):
             raise ConfigError(f'listen-interface "{interface}" does not exist')
 
     return None
 
 def generate(dhcp):
     # bail out early - looks like removal from running config
     if not dhcp or 'disable' in dhcp:
         return None
 
     dhcp['lease_file'] = lease_file
     dhcp['machine'] = os.uname().machine
 
     # Create directory for lease file if necessary
     lease_dir = os.path.dirname(lease_file)
     if not os.path.isdir(lease_dir):
         makedir(lease_dir, group='vyattacfg')
         chmod_775(lease_dir)
 
     # Ensure correct permissions on lease files + backups
     for file in glob(lease_file_glob):
         chown(file, user=user_group, group='vyattacfg')
 
     # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way
     if not os.path.exists(lease_file):
         write_file(lease_file, '', user=user_group, group=user_group, mode=0o644)
 
     for f in [cert_file, cert_key_file, ca_cert_file]:
         if os.path.exists(f):
             os.unlink(f)
 
     if 'high_availability' in dhcp:
         if 'certificate' in dhcp['high_availability']:
             cert_name = dhcp['high_availability']['certificate']
             cert_data = dhcp['pki']['certificate'][cert_name]['certificate']
             key_data = dhcp['pki']['certificate'][cert_name]['private']['key']
             write_file(cert_file, wrap_certificate(cert_data), user=user_group, mode=0o600)
             write_file(cert_key_file, wrap_private_key(key_data), user=user_group, mode=0o600)
 
             dhcp['high_availability']['cert_file'] = cert_file
             dhcp['high_availability']['cert_key_file'] = cert_key_file
 
         if 'ca_certificate' in dhcp['high_availability']:
             ca_cert_name = dhcp['high_availability']['ca_certificate']
             ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate']
             write_file(ca_cert_file, wrap_certificate(ca_cert_data), user=user_group, mode=0o600)
 
             dhcp['high_availability']['ca_cert_file'] = ca_cert_file
 
         render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp)
 
     render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group)
     render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp, user=user_group, group=user_group)
 
     return None
 
 def apply(dhcp):
     services = ['kea-ctrl-agent', 'kea-dhcp4-server', 'kea-dhcp-ddns-server']
 
     if not dhcp or 'disable' in dhcp:
         for service in services:
             call(f'systemctl stop {service}.service')
 
         if os.path.exists(config_file):
             os.unlink(config_file)
 
         return None
 
     for service in services:
         action = 'restart'
 
         if service == 'kea-dhcp-ddns-server' and 'dynamic_dns_update' not in dhcp:
             action = 'stop'
 
         if service == 'kea-ctrl-agent' and 'high_availability' not in dhcp:
             action = 'stop'
 
         call(f'systemctl {action} {service}.service')
 
     return None
 
 if __name__ == '__main__':
     try:
         c = get_config()
         verify(c)
         generate(c)
         apply(c)
     except ConfigError as e:
         print(e)
         exit(1)
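Review bot: In `dhcp_slice_range`, `exclude_list = sorted(exclude_list)` orders the addresses as strings rather than by value, so the slicing that the newly added `option` copying builds on can hand excluded addresses back to the pool. As a constructed example, excluding `192.0.2.9` and `192.0.2.10` from the range `192.0.2.1`–`192.0.2.100` sorts `.10` before `.9` and yields the slices `.1`–`.9` and `.10`–`.100`, which still contain both excluded addresses and now also carry the range's options. Sorting numerically avoids this: `exclude_list = sorted(exclude_list, key=ip_address)` (`ip_address` is already imported in this file). Separately, both added `r['option'] = range_dict['option']` assignments give every slice the same object rather than a copy, which is safe only while nothing downstream modifies options per slice. A smoketest whose excludes cross a digit-count boundary would pin the ordering case.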