{{indexmenu_n>3}}
======DHCP Dual Proxy======

**DHCP Dual Proxy** (hereinafter — Dual DHCP) — in this mode, fastDPI operates as a single authorization point, requesting all parameters from the RADIUS server via fastPCRF in a single request. The mode is optimized for Dual Stack (IPv4/IPv6) subscribers, but also fully supports IPv4-only and IPv6-only subscribers.

Activation:
<code>bras_dhcp_mode=3</code>

Dual DHCP is intended for networks where authorization and session management need to be simplified. Unlike the DHCP proxy mode (''[[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy|bras_dhcp_mode=2]]''), a single accounting session is created for Dual Stack subscribers, and the RADIUS server returns addresses and settings for both protocols in one Access-Accept. If the authorization response contains only one type of address (IPv4 or IPv6 only), it means that only this protocol is available for the subscriber, and the subscriber will receive DHCP NAK for any DHCPv4 or DHCPv6 request attempts.

This mode uses existing configuration options from ''[[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_dhcp:bras_l2_vlan_dhcp_proxy|bras_dhcp_mode=2]]'', such as ''bras_dhcp_check_secondary_keys'', ''bras_dhcp_ratelimit'', ''bras_dhcp_ratelimit_ban'' and ''bras_dhcp_qinq_only''.

In Dual DHCP mode, session lifetime (''session-timeout'') and address lease time (''lease-time'') are strictly separated. ''Session-timeout'', defined via the RADIUS attribute Session-Timeout, determines the period during which authorization parameters are valid and cannot be less than 600 seconds (default is 1 day). ''Lease-time'' defines how long an IP address is leased to the subscriber — i.e., after what time the subscriber must send a DHCP Renew to extend the lease. ''Lease-time'' is calculated automatically, cannot be set in the RADIUS reply, and normally equals 300 seconds (5 minutes), but not less than 60 seconds.

The subscriber regularly sends lease renewal requests (DHCP Renew). During the ''session-timeout'' period, SSG automatically acknowledges them without contacting the RADIUS server. CoA Disconnect is used for forced re-authorization: after it is received, the next DHCP Renew triggers a new RADIUS authorization request. If the subscriber receives a new IP address during this process, SSG replies with DHCP NAK to the Renew, which triggers the standard DHCP address acquisition process without additional authorization: subscriber sends DHCP-Discover → SSG replies with DHCP-Offer → subscriber sends DHCP-Request → SSG replies with DHCP-ACK. No additional authorization will occur — SSG already received the subscriber properties and continues to serve DHCP requests during the ''session-timeout''.

In the authorization reply, RADIUS returns IPv6 addresses in the ''Framed-IPv6-Address'', ''Framed-IPv6-Prefix'', and ''Delegated-IPv6-Prefix'' attributes. ''Delegated-IPv6-Prefix'' is passed to the subscriber, while ''Framed-IPv6-Address'' and ''Framed-IPv6-Prefix'' are mutually exclusive — either a single address (''Framed-IPv6-Address'') or an entire prefix (''Framed-IPv6-Prefix'') is returned. Subnet addresses are allocated by SSG as follows:
  * If ''Framed-IPv6-Address'' is present, the subscriber receives exactly this IPv6 address. If ''Framed-IPv6-Prefix'' is also present, it is ignored. Any further requests for additional IPv6 addresses will be rejected.
  * If ''Framed-IPv6-Prefix'' is present and ''Framed-IPv6-Address'' is absent, SSG will allocate multiple IPv6 addresses from this prefix upon subscriber requests.

SSG supports pools defined by ''Framed-Pool'' (IPv4) and ''Framed-IPv6-Pool'' (IPv6). A mixed configuration is possible — for example, a static IPv4 address via ''Framed-Address'' and an IPv6 address from a pool. If both a specific address and a pool are present in the RADIUS reply, the address has priority and the pool is ignored.

When using pools, fastPCRF requests addresses from internal or external DHCP servers and must follow the lease protocol. For this reason, SSG differentiates two lease times: ''lease-time'' for the **subscriber** (fixed 300 seconds) and ''lease-time'' for the **pool**, which is provided by the DHCP server and should correspond to ''session-timeout''. This helps reduce load by avoiding excessive pool renewals.