What is DHCP?

DHCP Reservation

Since FreshTomato version 2020.8, what was previously called Static DHCP is now called DHCP Reservation. Please see “Inconsistent Terminology” in this section for further clarification and differentiation of terminology.

DHCP Reservation is a simple way to ensure that FreshTomato offers certain client devices the same IP address each time they request a lease. Simply enter the MAC address for a client device (which you can find on the Device List), into the MAC Address field, enter the IP Address (and optionally, Hostname) you want to assign to this device into those respective fields and click Save. NOTE that you don't need to check the Bound to button. Only check the Bound to button if you want to enable Static ARP binding. FreshTomato then offers that IP address (and hostname) to the MAC address you specified every time it offers a lease. This means that, in general, the client device will always get that IP address whenever it requests one. That last part, “whenever it requests one” is the key part here. See the explanation of the term Hostname later on this page.

Configuring Static DHCP

When assigning Static DHCP leases, you should use an IP address within FreshTomato's main subnet, but outside the normal DHCP pool scope (assignment range). This avoids potential IP address conflicts. For example, if you have the DHCP server set to assign addresses in the range of 10.0.1.1 – 10.0.1.100, then choosing Static DHCP assignments of 10.0.1.101 – 10.0.1.254 might work well.

If you want to assign multiple hostnames to the same IP address (for example, you want the server 10.0.1.3 to be known as both “galaxy” and “mail”), you must separate them in the hostname field with a space. A space isn't a valid DHCP Hostname character, so you must use a hyphen for a single, multi-word hostname like “My-PC”. If a client device has multiple network interfaces (for example, Ethernet and Wi-Fi) with different MAC addresses, it might not have the hostname properly assigned to both interfaces, and you could get a “Duplicate name” error.

If FreshTomato can't find a match for the device's Hostname (first priority) or MAC address (second priority), the server may fall back to either Dynamic or Automatic allocation. For an explanation of the term Hostname, see later on this page.

Security Limitations

As mentioned earlier, Static DHCP offers the mapped IP address (and Hostname) to the MAC address you specified every time it offers a lease. Static DHCP does not prevent a different client from being configured with the same IP address, because Static DHCP only offers a static mapping to client devices which request a lease. If another device were configured with a Static IP, or if the router or its DHCP server were disabled, that other device could take the IP address for itself. Similarly, if the first client (the one for which Static DHCP was configured) were itself configured with a Static IP, it could claim a different IP address than the one in FreshTomato's Static DHCP mapping.

Even if everything else were working properly, only DHCP lease offers are made static. The router's IP→MAC neighbour cache (aka ARP cache) is still filled in dynamically using ARP broadcasts. That means that unless we add something else, FreshTomato is relying on client devices to be honest about their MAC addresses. The source of ARP mapping information is assumed to be “honest” and accurate, even though that source is often the network clients themselves. In these circumstances, there's not much stopping unauthorized or malicious clients from pretending to have a different MAC address (ARP spoofing), which could even include the router or gateway's MAC address. All this could have serious consequences. This is where Static ARP becomes useful.
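The gap described above (a reservation only controls what the DHCP server offers; the neighbour cache is filled from whatever clients claim) can at least be detected by comparing the two tables. The following is an added example, not FreshTomato code: it cross-checks a constructed reservation table against constructed `ip neigh show` output from the router and reports reserved IPs answered by a different MAC, or reserved MACs turning up on an unexpected IP. All addresses are made up for illustration.

```python
import re

# Constructed sample: FreshTomato-style DHCP reservations, MAC -> (IP, hostname).
RESERVATIONS = {
    "aa:bb:cc:00:00:01": ("10.0.1.101", "galaxy"),
    "aa:bb:cc:00:00:02": ("10.0.1.102", "printer"),
    "aa:bb:cc:00:00:03": ("10.0.1.103", "nas"),
}

# Constructed sample in `ip neigh show` format as seen on the router's LAN bridge.
NEIGH_TABLE = """\
10.0.1.101 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.102 dev br0 lladdr de:ad:be:ef:00:99 STALE
10.0.1.150 dev br0 lladdr aa:bb:cc:00:00:03 REACHABLE
10.0.1.1 dev br0 lladdr aa:bb:cc:ff:ff:01 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)

def parse_neigh(text):
    """Parse `ip neigh` lines into {ip: mac}; entries without lladdr (e.g. FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_mismatches(reservations, neigh):
    """Return findings where the live neighbour cache disagrees with the reservation table.

    'ip_taken'  - a reserved IP is answered by a different MAC (static-IP collision or ARP spoofing)
    'mac_moved' - a reserved MAC is using an IP other than the one reserved for it
    """
    findings = []
    ip_to_mac = {ip: mac for mac, (ip, _) in reservations.items()}
    for ip, mac in neigh.items():
        reserved_mac = ip_to_mac.get(ip)
        if reserved_mac and reserved_mac != mac:
            findings.append(("ip_taken", ip, reserved_mac, mac))
        if mac in reservations and reservations[mac][0] != ip:
            findings.append(("mac_moved", ip, reservations[mac][0], mac))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_mismatches(RESERVATIONS, parse_neigh(NEIGH_TABLE)):
        print(finding)
```

Run periodically on the router (or on exported tables), a non-empty result is the cue to investigate, and enabling Static ARP for the affected entries is the mitigation the page goes on to describe.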

Inconsistent Terminology

Technically, FreshTomato's Static DHCP function is a form of DHCP Reservation or DHCP Manual Allocation. Confusion sometimes occurs because of imprecise or inconsistent terminology. First, it is sometimes confused with Static IP. It is not that. Static IP is the setting of an IP address manually from the client device itself. By contrast, Static DHCP involves configuring an assigned IP address for the client device within (FreshTomato's) DHCP server (for when client devices request a DHCP lease).

Second, Static DHCP is also given different names by different hardware vendors. To make things more confusing, this feature is called static DHCP assignment in DD-WRT, fixed-address in the Linux dhcp daemon (dhcpd) documentation, Address Reservation by Netgear, DHCP Reservation or Static DHCP by Cisco and Linksys and IP address reservation or MAC/IP address binding by other router vendors. Hence, one should be precise here, to reduce confusion.

FreshTomato will use input for 2 MAC addresses per IP/hostname, if the advice here is followed:

Managing DHCP failover with IPAM

DHCP failover is fully integrated with IPAM in Windows Server 2012 R2. Failover-enabled DHCP scopes are also compatible with IPAM in Windows Server 2012, but these scopes appear as duplicates and no failover relationship data is available in the IPAM console. You cannot display or modify DHCP failover related settings using IPAM in Windows Server 2012.

On an IPAM server running Windows Server 2012 R2, the following enhancements are available for managed DHCP servers that are configured with DHCP failover-enabled scopes:

  1. Changes made to failover-enabled scopes using the IPAM console are automatically replicated to the failover partner. This is a significant difference in the way that DHCP failover works compared to when you configure settings using the DHCP console or Windows PowerShell. For a step-by-step example of DHCP failover replication with and without using the IPAM console, see Failover replication example.

  2. A Failover Relationships view is available when the Server Type selected is DHCP.

    • DHCP failover relationships can be edited, deleted, and replicated using the Failover Relationships view.

    • The Failover Relationships view displays the DHCP failover Relationship Name, Mode, Primary Server, Secondary Server, Primary Server Status, and Secondary Server Status. The

    • The DHCP failover relationship can be set to Partner Down state using the Failover Relationships view.

  3. The Scope Properties view enables several DHCP failover related actions.

    • DHCP scopes can be added to existing DHCP failover relationships or new DHCP failover relationships can be created using the Scope Properties view.

    • The Failover Config Sync Status and Failover Relationship Name are displayed in the Scope Properties view.

      Note: The Failover Config Sync Status column will be blank if no problems occurred during an IPAM automatic failover replication process. Otherwise, an error is displayed.

    • If replication is run outside of IPAM to resolve a failover configuration synchronization error, you can manually clear the error in IPAM by right-clicking the scope in Scope Properties view and clicking Clear Config Sync Error.

  4. If changes are made to failover-enabled scopes using the DHCP console or Windows PowerShell, you can still replicate these changes from one DHCP server to its failover partner using IPAM. Because these changes are not made using the IPAM console, they are not automatically detected and replicated.

    • Server-level replication is available using the Server Properties view.

    • Relationship-level replication is available using the Failover Relationships view.

    • Scope-level replication is available using the Scope Properties view.

  5. DHCP failover can be configured or removed from a scope by right-clicking the scope in DHCP Scopes view. Removing the DHCP failover configuration from a scope does not delete the DHCP failover relationship. When configuring DHCP failover on a scope, you can add the scope to an existing failover relationship on that DHCP server, or you can choose to create a new DHCP failover relationship.

How Does DHCP Work?

Now that all the terminology is out of the way, let’s get into how DHCP works. This protocol gives you full control over the usable amount of IP addresses in your network. The way this works is by assigning IP ranges. Think of this like a block of rooms reserved at a hotel for an event. You’re just reserving a block of IPs for devices (guests) that connect to your network (hotel). The number of IPs available will depend on your network’s router.

Each time a device connects to a DHCP-enabled network, it sends a DHCPDiscover packet to the server. This is the device’s way into a network. After receiving the signal, the server returns a DHCPOffer. Once the client receives the offer, it sends back an official request to connect to the IP. The DHCP server then sends an ACK or “signs off” on the request, and the client is now connected to the network. If the requesting device doesn’t meet the criteria for the network, the DHCP server will return a NACK. 

Devices That Can Be on a DHCP Network

Here are some common devices that connect to DHCP networks.

Defining host reservations

Kea supports defining host reservations (HRs) in the main Kea configuration file, as described above, or in a separate database. If you are establishing only a few host reservations, the overhead of setting up an external database is probably not worth the effort; if you have hundreds of host reservations, they can be easier to maintain in a database.

Using BOTH file and database configurations

It is possible to specify HRs in BOTH the configuration file and an external database. In this case, HRs in the configuration file always have precedence over database HRs, regardless of where in the config file they are specified.

Host Reservations in the Configuration file

Host reservations in the Kea configuration file are read at server start and kept in memory. There are three places (specified here in jq filter notation) in the configuration file where reservations can be defined:

  • Global: .Dhcp[46].reservations
  • Subnet-level: .Dhcp[46].subnet[46][].reservations
  • Shared-network subnet-level: .Dhcp[46]["shared-networks"][].subnet[46][].reservations

Where in the file to put the host reservation configuration is an important decision. The location determines what portion of the network topology is served.

A global reservation can be used to assign certain parameters, such as a hostname or other dedicated, host-specific options, to any client, regardless of that client’s location in the network. This is specifically useful for mobile or roaming clients.

It is also possible to assign addresses in a global reservation. This is enabled for corner cases, but it is generally a bad idea, because the address assigned may be unsuitable for the place in the network that the client has roamed to. (For example, the default gateway may be unreachable for that client.) Be aware that the global setting is a server-level configuration setting that excludes in-subnet reservations. You must choose either global or non-global reservations. This is the purpose of the reservation-mode setting.

Reservation mode

Just as reservations can be defined in different places, the reservation-mode setting can be specified in multiple locations in the configuration:

  • Global: .Dhcp[46]["reservation-mode"]
  • Shared-network-level: .Dhcp[46]["shared-networks"][]["reservation-mode"]
  • Subnet-level: .Dhcp[46].subnet[46][]["reservation-mode"]
  • Shared-network subnet-level: .Dhcp[46]["shared-networks"][].subnet[46][]["reservation-mode"]

The effect is local to the specific configuration portion, so a subnet-level reservation-mode only affects the subnet. When there are multiple reservation-modes specified, the one most specific to the matched subnet is taken into account. Thus, the global reservation-mode has the least precedence.

Here are the possible values for reservation-mode:

  • disabled – this is a simple, straightforward switch to disable host reservations altogether. As Kea skips checking for reservations, the server may operate faster in this mode.
  • all – this enables both in-pool and out-of-pool host reservation types. This setting is the default value, and is the safest and most flexible. However, since Kea does the maximum number of checks for reservations, it is also the slowest. It does not check against global reservations.
  • out-of-pool – this allows only out-of-pool host reservations. With this setting in place, the server assumes that all host reservations are for addresses that do not belong to the dynamic pool. Therefore, it can skip the reservation checks when dealing with in-pool addresses, thus improving performance. Do not use this mode if any reservations use in-pool addresses. Caution is advised when using this setting; Kea does not sanity-check the reservations against reservation-mode and misconfiguration may cause problems.
  • global – this allows only global host reservations. With this setting in place, the server searches for reservations for a client only among the defined global reservations. If an address is specified, the server skips additional reservation checks, thus improving performance. Caution is advised when using this setting; Kea does not sanity-check global reservations and it is possible to specify an address in a global reservation that is unreachable or unsuitable for the client.

If not specified in the configuration file, reservation-mode defaults to all.

When set to out-of-pool or all, global reservations are ignored. all causes the allocation engine to search for subnet reservations while verifying that the reserved address or prefix is not leased by another client. out-of-pool optimizes performance by leaving out the verification and should only be used if you are certain that reserved addresses/prefixes don’t overlap with defined pools.
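Because Kea does not sanity-check reservations against reservation-mode, a small audit of the configuration before loading it is worthwhile. The following is an added example, not part of Kea or its documentation: it walks the three reservation locations listed above, resolves the most specific reservation-mode for each subnet (subnet, then shared network, then global, defaulting to all), and flags reservations that the mode rules say will be ignored or that contradict out-of-pool. The Dhcp4 config is constructed for illustration, contains deliberate mistakes, and assumes reservations are keyed by hw-address only.

```python
import ipaddress, json

# Constructed Kea DHCPv4 config (not from any real deployment) with deliberate mistakes.
KEA_CONFIG = json.loads("""{
 "Dhcp4": {
  "reservations": [{"hw-address": "aa:bb:cc:00:00:01", "hostname": "roamer"}],
  "subnet4": [{
    "subnet": "10.0.1.0/24", "reservation-mode": "out-of-pool",
    "pools": [{"pool": "10.0.1.10 - 10.0.1.100"}],
    "reservations": [{"hw-address": "aa:bb:cc:00:00:01", "ip-address": "10.0.1.50"},
                     {"hw-address": "aa:bb:cc:00:00:02", "ip-address": "10.0.1.200"}]}],
  "shared-networks": [{"name": "office", "reservation-mode": "global",
    "subnet4": [{"subnet": "10.0.2.0/24", "pools": [{"pool": "10.0.2.0/25"}],
      "reservations": [{"hw-address": "aa:bb:cc:00:00:03", "ip-address": "10.0.2.130"}]}]}]
 }}""")

def in_pool(ip, pool_spec):
    """True if ip falls inside a Kea pool written as 'first - last' or as a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    if "-" in pool_spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pool_spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(pool_spec, strict=False)

def audit(cfg):
    """Return (subnet, message) findings based on the reservation-mode rules described above."""
    d = cfg["Dhcp4"]
    findings = []
    global_mode = d.get("reservation-mode", "all")
    global_ids = {r["hw-address"] for r in d.get("reservations", [])}
    # Plain subnets inherit the global mode; shared-network subnets inherit the network's mode.
    subnets = [(s, global_mode) for s in d.get("subnet4", [])]
    for net in d.get("shared-networks", []):
        subnets += [(s, net.get("reservation-mode", global_mode)) for s in net.get("subnet4", [])]
    for s, inherited in subnets:
        mode = s.get("reservation-mode", inherited)   # most specific setting wins
        pools = [p["pool"] for p in s.get("pools", [])]
        for r in s.get("reservations", []):
            hw, ip = r["hw-address"], r.get("ip-address")
            if mode == "global":   # only global reservations are consulted in this mode
                findings.append((s["subnet"], f"reservation for {hw} ignored: mode is global"))
            if mode == "out-of-pool" and ip and any(in_pool(ip, p) for p in pools):
                findings.append((s["subnet"], f"{ip} is inside a pool but mode is out-of-pool"))
            if hw in global_ids and mode in ("all", "out-of-pool"):
                findings.append((s["subnet"], f"{hw} also reserved globally; global entry ignored in mode {mode}"))
    return findings

if __name__ == "__main__":
    for subnet, msg in audit(KEA_CONFIG):
        print(subnet, msg)
```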

Why does pre-1.9 Kea not allow both global and in-subnet reservations?

Kea doesn’t allow both global and in-subnet reservations in order to simplify the logic for parsing the configuration file, which reduces the processing required. Kea warns you at configure time if you have overlapping subnets or shared-networks, to prevent conflicts, and reservations are also checked for overlap with pools in their subnet. But there could theoretically be two reservations for the same host between global reservations and shared-network/subnet-level reservations. To check this would require evaluating the entire configuration twice for every client request, which would be very inefficient. Since Kea versions 1.9.1 and 2.0.0, the new flags named “reservations-global”, “reservations-in-subnet” and “reservations-out-of-pool” can be configured independently, allowing both global and in-subnet reservations to coexist.

Notice that for global, the client does not need to match a pool.

The following diagram may assist you in determining which reservation-mode setting is right for you:

Configuring databases

When configuring database credentials in the hosts-database or hosts-databases fields in the file configuration, reservations are dynamically searched at allocation time in the databases. The tables that administrators need to populate are hosts, ipv6_reservations, dhcp4_options, and dhcp6_options.

An easy way to populate them consistently is by using the host_cmds hook. Refer to the Kea ARM for instructions.

IPT

IPT stands for IP Traffic Monitoring. Every client device not marked as 'Disconnected' on the Status/Device List menu will be on the IP Traffic Monitoring list. Enabling this checkbox puts client devices on the IP Traffic Monitoring list even if they are inactive or disconnected.
