DHCP Dual Proxy (hereinafter — Dual DHCP) — in this mode, fastDPI operates as a single authorization point, requesting all parameters from the RADIUS server via fastPCRF in a single request. The mode is optimized for Dual Stack (IPv4/IPv6) subscribers, but also fully supports IPv4-only and IPv6-only subscribers.

Activation:

bras_dhcp_mode=3

Dual DHCP is intended for networks where authorization and session management need to be simplified. Unlike the DHCP proxy mode (bras_dhcp_mode=2), a single accounting session is created for Dual Stack subscribers, and the RADIUS server returns addresses and settings for both protocols in one Access-Accept. If the authorization response contains only one type of address (IPv4 or IPv6 only), it means that only this protocol is available for the subscriber, and the subscriber will receive DHCP NAK for any DHCPv4 or DHCPv6 request attempts.

This mode uses existing configuration options from bras_dhcp_mode=2, such as bras_dhcp_check_secondary_keys, bras_dhcp_ratelimit, bras_dhcp_ratelimit_ban and bras_dhcp_qinq_only.

In Dual DHCP mode, session lifetime (session-timeout) and address lease time (lease-time) are strictly separated. Session-timeout, defined via the RADIUS attribute Session-Timeout, determines the period during which authorization parameters are valid and cannot be less than 600 seconds (default is 1 day). Lease-time defines how long an IP address is leased to the subscriber — i.e., after what time the subscriber must send a DHCP Renew to extend the lease. Lease-time is calculated automatically, cannot be set in the RADIUS reply, and normally equals 300 seconds (5 minutes), but not less than 60 seconds.

The subscriber regularly sends lease renewal requests (DHCP Renew). During the session-timeout period, SSG automatically acknowledges them without contacting the RADIUS server. CoA Disconnect is used for forced re-authorization: after it is received, the next DHCP Renew triggers a new RADIUS authorization request. If the subscriber receives a new IP address during this process, SSG replies with DHCP NAK to the Renew, which triggers the standard DHCP address acquisition process without additional authorization: subscriber sends DHCP-Discover → SSG replies with DHCP-Offer → subscriber sends DHCP-Request → SSG replies with DHCP-ACK. No additional authorization will occur — SSG already received the subscriber properties and continues to serve DHCP requests during the session-timeout.

In the authorization reply, RADIUS returns IPv6 addresses in the Framed-IPv6-Address, Framed-IPv6-Prefix, and Delegated-IPv6-Prefix attributes. Delegated-IPv6-Prefix is passed to the subscriber, while Framed-IPv6-Address and Framed-IPv6-Prefix are mutually exclusive — either a single address (Framed-IPv6-Address) or an entire prefix (Framed-IPv6-Prefix) is returned. Subnet addresses are allocated by SSG as follows:

• If Framed-IPv6-Address is present, the subscriber receives exactly this IPv6 address. If Framed-IPv6-Prefix is also present, it is ignored. Any further requests for additional IPv6 addresses will be rejected.
• If Framed-IPv6-Prefix is present and Framed-IPv6-Address is absent, SSG will allocate multiple IPv6 addresses from this prefix upon subscriber requests.

SSG supports pools defined by Framed-Pool (IPv4) and Framed-IPv6-Pool (IPv6). A mixed configuration is possible — for example, a static IPv4 address via Framed-Address and an IPv6 address from a pool. If both a specific address and a pool are present in the RADIUS reply, the address has priority and the pool is ignored.

When using pools, fastPCRF requests addresses from internal or external DHCP servers and must follow the lease protocol. For this reason, SSG differentiates two lease times: lease-time for the subscriber (fixed 300 seconds) and lease-time for the pool, which is provided by the DHCP server and should correspond to session-timeout. This helps reduce load by avoiding excessive pool renewals.