{{indexmenu_n>3}} ======DHCP Dual Proxy====== ===== General information ===== **DHCP Dual Proxy** (hereinafter referred to as Dual DHCP) is a mode in which fastDPI acts as a single authorization point, requesting all parameters from the RADIUS server through fastPCRF in a single request. The mode is optimized for Dual Stack (IPv4/IPv6) subscribers, while also fully supporting IPv4-only and IPv6-only subscribers. Activation: bras_dhcp_mode=3 Dual DHCP is designed for networks where authorization and session management need to be simplified. Unlike DHCP proxy mode (''[[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy|bras_dhcp_mode=2]]''), a single accounting session is created for Dual Stack subscribers, and the RADIUS server returns addresses and settings for both protocols in a single Access-Accept response. If only one address type (IPv4 only or IPv6 only) is received in the authorization response, it means that only that protocol is available to the subscriber, and a DHCP NAK will be returned in response to DHCPv4 or DHCPv6 requests for the unavailable protocol. The mode uses the existing configuration options from ''[[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy|bras_dhcp_mode=2]]'', such as ''bras_dhcp_check_secondary_keys'', ''bras_dhcp_ratelimit'', ''bras_dhcp_ratelimit_ban'', and ''bras_dhcp_qinq_only''. ===== Session-Timeout and Lease-Time ===== In Dual DHCP mode, the session lifetime (''session-timeout'') and the address lease time (''lease-time'') are clearly separated. ''Session-timeout'', specified by the RADIUS Session-Timeout attribute, defines the validity period of the authorization parameters and cannot be less than 600 seconds (1 day by default). ''Lease-time'' defines how long the subscriber is allowed to use the assigned IP address, that is, how long before the subscriber must send a DHCP request to renew the lease. In Dual DHCP mode, it is critical that ''Session-timeout'' is at least four times greater than ''Lease-time''. If this condition is not met, ''Lease-time'' is automatically set to 1/4 of ''Session-timeout''. ''Lease-time'' is determined using the following priority order: * ''DHCP-IP-Address-Lease-Time'' attribute; * ''VasExperts-DHCP-Option-Num'' attribute specifying DHCP option 51; * DHCP option 51 if the address is allocated from a ''Framed-Pool''. If ''Lease-time'' is not specified by any of the methods above, it is assumed to be equal to 1/16 of ''Session-timeout''. Minimum values: * ''Session-timeout'' — 600 seconds; * ''Lease-time'' — 60 seconds. ===== Reauthorization ===== The subscriber periodically sends lease renewal requests (DHCP Renew). During the ''session-timeout'' period, SSG automatically confirms these requests without contacting the RADIUS server. CoA Disconnect is used for forced reauthorization: after it is received, the next DHCP Renew triggers a new authorization request to the RADIUS server. If a new IP address is assigned to the subscriber, SSG responds to the Renew request with a NAK packet, triggering the standard address acquisition procedure without additional authorization: the subscriber sends DHCP Discover → SSG responds with DHCP Offer (offering a new address) → the subscriber sends DHCP Request → SSG responds with DHCP ACK. No additional authorization request is performed during this process because SSG has already received all subscriber properties and responds to DHCP requests on its own throughout the ''session-timeout'' period. ===== IPv6 address assignment ===== In the authorization response, the RADIUS server provides IPv6 addresses using the ''Framed-IPv6-Address'', ''Framed-IPv6-Prefix'', and ''Delegated-IPv6-Prefix'' attributes. ''Delegated-IPv6-Prefix'' is communicated to the subscriber, while ''Framed-IPv6-Address'' and ''Framed-IPv6-Prefix'' are mutually exclusive: either a single address (''Framed-IPv6-Address'') or an entire subnet (''Framed-IPv6-Prefix'') is assigned. SSG allocates subnet addresses independently in response to subscriber requests as follows: * If the ''Framed-IPv6-Address'' attribute is present in the response, only the specified IPv6 address is assigned to the subscriber. If the ''Framed-IPv6-Prefix'' attribute is also present, it is ignored. All subsequent subscriber requests for additional IPv6 addresses will be rejected. * If the ''Framed-IPv6-Prefix'' attribute is present and ''Framed-IPv6-Address'' is absent, SSG will satisfy subscriber requests for multiple addresses from that pool. ===== Address pool operation ===== To obtain addresses, SSG supports pools specified by the ''Framed-Pool'' (IPv4) and ''Framed-IPv6-Pool'' (IPv6) attributes. Mixed configurations are supported; for example, an explicit IPv4 address can be assigned using ''Framed-Address'' while an IPv6 address is obtained from a pool. If both a specific address and a pool are specified in the RADIUS response, the address takes precedence and the pool is ignored. When working with pools, fastPCRF requests addresses from local or external DHCP servers and must comply with the lease protocol. For this purpose, SSG distinguishes between two lease times: ''lease-time'' for the **subscriber** and ''lease-time'' for the **pool**, which is defined by the DHCP server and should be comparable to ''session-timeout''. This makes it possible to renew pool leases less frequently and avoid unnecessary load.