===================
Legacy DHCP server
===================

.. note::
    This document is kept for reference purposes and describes DHCP servers
    in versions prior to 2016.2. In 2016.2 `a new and improved way to
    configure DHCP servers <../bonds/services/dhcp.html>`__ was introduced.
    Legacy DHCP server setups will continue to work in SD-WAN
    2016.1, but this feature is deprecated in 2016.2.

Bonders can host a DHCP server. This eliminates the need for a
customer-supplied gateway at the customer premises.

Checking for manually installed DHCP servers
---------------------------------------------

To check which nodes have a DHCP server manually installed, SSH into
your management server and run the following command:

::

    salt -G 'type:bonder' cmd.run 'case "$(readlink /proc/$(netstat -lnup | grep :67 | awk '"'"'{ print $6 }'"'"' | cut -d '"'"'/'"'"' -f1)/exe)" in "/usr/lib/bonding/bin/dnsmasq" ) echo "Bonding DHCP" ;; "" ) echo "No DHCP" ;; * ) echo "Other DHCP - remove prior to enabling DHCP on any connected IPs" ;; esac'

The result should identify nodes as having "Bonding DHCP", "Other DHCP"
or "No DHCP". The nodes of interest are those which report "Other DHCP".
In this case, steps to remove this manually installed DHCP server should
be taken. Nodes that report "Bonding DHCP" are up-to-date and running
the correct version. For example,

::

    node-44:
        Bonding DHCP
    node-101:
        Other DHCP - remove prior to enabling DHCP on any connected IPs
    node-115:
        No DHCP
    node-740:
        Minion did not return. [Not connected]

This means that the bonder with ID 44 is running the `newest version of
Bonding DHCP <../bonds/services/dhcp.html>`__, bonder 101 is running a
manually installed DHCP server, bonder 115 isn't running DHCP at all,
and bonder 740 is not responding to the salt call.

Removal
--------

To remove the legacy DHCP server, run the following commands. If you
installed a DHCP server other than dnsmasq, please remove the service
according to their documentation and re-run the above salt command to
verify the removal succeeded.

::

    service dnsmasq stop
    apt-get remove dnsmasq
    rm /etc/dnsmasq.conf.orig
    service firewall stop
    rm /etc/firewall.d/40_dhcp
    service firewall start

Scenario
---------

The result of DHCP setup instructions will be:

#. CPE will have a private connected IP, 10.10.0.1/24 on eth0.
#. Outgoing customer traffic will be translated through a single IP set
   up using a CPE NAT IP. The IP in our examples will
   be 203.0.113.1. Incoming traffic from that IP will be sent to the
   bonder itself. See CPE NAT IP documentation for how to change this if
   incoming traffic should be sent to one of the the customer's hosts.
#. Customer hosts will be assigned IPs from 10.10.0.100 to
   10.10.100.199 by `dnsmasq <http://www.thekelleys.org.uk/dnsmasq/doc.html>`__, a
   popular, small DNS forwarder and DHCP server.
#. Customer hosts will use `Google public
   DNS <https://developers.google.com/speed/public-dns/>`__.

Configure bond
---------------

Configure the bond as follows:

#. Create a private connected IP 10.10.0.1, netmask 255.255.255.0,
   interface eth0, and automatic aggregator routing. Save the form
   before adding the CPE NAT IP.

#. Create a CPE NAT IP, address 203.0.113.1, destination NAT IP
   10.10.0.1. (Replace 203.0.113.1 with an IP from your own datacenter.)

Configure DHCP server
----------------------

Install dnsmasq.

::

    apt-get install dnsmasq

Move the original dnsmasq configuration file to a new location. You will
create a new configuration file.

::

    mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

Configure dnsmasq by editing the file ``/etc/dnsmasq.conf``:


**/etc/dnsmasq.conf**

::

    interface=eth0 # eth0 is the network DHCP will listen on
    dhcp-range=10.10.0.100,10.10.0.199,12h # DHCP start of range, end of range, and lease length in hours
    dhcp-option=3,10.10.0.1 # Network gateway (the bonder)
    dhcp-option=6,8.8.8.8,8.8.4.4 # DNS servers
    port=0 # Disable DNS forwarding

Restart dnsmasq:

::

    service dnsmasq restart

Add a firewall hook to allow DHCP requests from eth0. If the DHCP
network is not eth0, specify the interface in the file
``/etc/default/firewall.d/40_dhcp``:

**/etc/default/firewall.d/40_dhcp**

 ``INTERFACE="eth2" # This file is only necessary if the DHCP network is not eth0``

A default hook is distributed in the bonding package. Enable it with the
following commands:

::

    service firewall stop
    ln -s /etc/firewall.d/40_dhcp.disabled /etc/firewall.d/40_dhcp
    service firewall start

Test
-----

#. Connect a PC to eth0 of bonder, either directly or through a switch.
#. Configure the PC for DHCP.
#. Refresh the DHCP lease. On a Windows PC, open a command prompt and
   type:
   ipconfig /release
   ipconfig /renew
#. Wait for DHCP to complete. Verify the settings are correct:

   a. IP: some IP from 10.10.0.100 to 10.10.0.199
   #. Netmask: 255.255.255.0
   #. Gateway: 10.10.0.1
   #. DNS servers: 8.8.8.8 and 8.8.4.4

#. Verify the network address translation works properly: open a browser
   to icanhazip.com. The contents of the page should be the CPE NAT IP
   (i.e. 203.0.113.1).
