Netgate Discussion Forum

DHCP relay over IPSEC VPN?

DHCP and DNS
Quent-Un
last edited by Apr 18, 2018, 1:41 PM

I tried to add a fake route to the LAN interface as written here: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN but it doesn't work…

jimp Rebel Alliance Developer Netgate
last edited by Apr 18, 2018, 1:43 PM

      That's about all you can do at the OS level to nudge it the right way. IPsec, as it is at the moment, just can't deal well with that kind of traffic at the OS level. OpenVPN should work better, or move the relay job to an external device.

      Eventually when IPsec virtual tunnel interfaces come around that might help, but it's still possible that something in the relay daemon might hold it back.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

Quent-Un
last edited by Apr 18, 2018, 1:48 PM

I don't understand why some firewalls can do that and it's not possible on FreeBSD; it's the only thing that doesn't work, everything else works perfectly…
        In this case I can't use OpenVPN.

jimp Rebel Alliance Developer Netgate
last edited by Apr 18, 2018, 3:03 PM

          Different operating systems, different IP stacks, different relay implementations, different IPsec implementations. You're comparing apples and oranges and wondering why the apple doesn't taste like an orange.

It doesn't work, so find an alternate solution (non-IPsec VPN, move the relay to a managed switch where it belongs, don't use relay, don't use pfSense for that specific VPN/relay, etc.).

jlw52761
last edited by Jan 17, 2020, 3:45 AM

I came across this while trying to set up a DHCP relay across my VTI IPsec tunnel, and I don't agree with jimp's answer. The reason is that basically what you are saying is that pfSense cannot pass a unicast packet across the IPsec tunnel. It does this regularly, so why wouldn't the DHCP relay work, since all it does is intercept the multicast broadcast from the client and convert it to a unicast packet?

            I've been struggling with this and had some thought sessions with some network engineers who agree, there's no good reason pfSense cannot forward the unicast packet over the IPSec tunnel, just like any unicast packet that traverses all the time.

One thing that jimp says is to move the DHCP relay to a managed switch, which is what I will do once I have the final config for that done, but that's the same broadcast-to-unicast conversion, so why would one think that works from the managed switch unless the problem came from the way pfSense forms the packet and tries to route it into the IPsec itself?

            I'm really curious to understand this limitation more as just about every major firewall vendor out there, Cisco, Palo Alto, even VMware is able to do this, but pfSense can't? I mean how can I approach my management and tell them we should switch from Palo Alto to Netgate when we can't even perform this simple task that Palo Alto today does for us very well.

jimp Rebel Alliance Developer Netgate
last edited by Jan 20, 2020, 2:55 PM

              The limitation before was mostly due to IPsec in tunnel mode. In theory, VTI mode should handle it better, since you'd have proper OS routes to the destination. I haven't tried it, though. It might work, it might not, but if it doesn't work then it may be an issue in the DHCP relay daemon not wanting to latch onto the VTI interface itself. It's also possible that it's hitting an issue like https://redmine.pfsense.org/issues/9466 which may be solved on 2.4.5 which will be out soon.

              Beyond that, it isn't necessarily about the type of packet but how it gets treated. Coming from the operating system on the firewall, it has different rules to follow vs a packet coming from the LAN. The OS has to follow its routing table when choosing not only where to deliver the packet but which source address to use. Because of that, the packets generated by the relay daemon may not match tunnel policies (in tunnel mode) thus would never be delivered to the far side.

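A toy model of the egress decision jimp describes in the post above, written as an added example for this thread; it is not code from the thread, from pfSense or from FreeBSD. It puts the two halves of the discussion side by side: jlw52761's point that a relay only turns a broadcast into a unicast, and jimp's point that the relay's unicast is a packet the firewall itself originates, so the kernel picks its source address from the routing table and only then does a tunnel-mode SPD get to compare selectors. It also shows what the "fake route" from the linked pfSense doc changes and why a route-based VTI does not have the selector problem (whether the relay daemon will bind to the VTI is a separate question the model does not cover). All interfaces, addresses (RFC 5737 documentation ranges), routes and policies are constructed for illustration.

```python
"""Why a forwarded LAN packet enters a tunnel-mode IPsec SA while the DHCP
relay daemon's own unicast to the same server may not (constructed model)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Iface:
    name: str
    addr: Addr


@dataclass
class Route:
    prefix: Net
    iface: str  # egress interface; a locally originated packet takes its address


@dataclass
class Policy:
    """Tunnel-mode SPD entry: only traffic matching local->remote is encrypted."""
    local: Net
    remote: Net


@dataclass
class Stack:
    ifaces: Dict[str, Iface]
    routes: List[Route]
    spd: List[Policy]
    vti: Set[str] = field(default_factory=set)  # route-based tunnel interfaces

    def lookup(self, dst: Addr) -> Route:
        """Longest-prefix match, as the kernel routing table does."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def egress(self, dst: Addr, src: Optional[Addr]) -> Tuple[Addr, str]:
        """A forwarded packet keeps its source; a packet the firewall itself
        generates (src=None) is given the egress interface's address."""
        route = self.lookup(dst)
        if src is None:
            src = self.ifaces[route.iface].addr
        return src, route.iface

    def protected(self, dst: Addr, src: Optional[Addr] = None) -> bool:
        """VTI: encrypted whenever the route points into the tunnel interface.
        Tunnel mode: encrypted only if (src, dst) matches an SPD selector pair;
        otherwise the packet leaves WAN in the clear and never reaches the peer."""
        src, iface = self.egress(dst, src)
        if iface in self.vti:
            return True
        return any(src in p.local and dst in p.remote for p in self.spd)


@dataclass
class Dhcp:
    """The few BOOTP/DHCP fields a relay touches (RFC 1542 section 4)."""
    giaddr: Addr
    hops: int
    ip_src: Optional[Addr]  # None = "kernel chooses"
    ip_dst: Addr


def relay(pkt: Dhcp, ingress: Iface, server: Addr) -> Dhcp:
    """Broadcast-to-unicast step: stamp giaddr with the receiving interface's
    address unless already set, bump hops, re-address to the server. The relay
    builds a new IP packet, so its source address is the kernel's choice."""
    giaddr = pkt.giaddr if int(pkt.giaddr) else ingress.addr
    return Dhcp(giaddr=giaddr, hops=pkt.hops + 1, ip_src=None, ip_dst=server)


LAN, REMOTE, SERVER = Net("192.0.2.0/24"), Net("203.0.113.0/24"), Addr("203.0.113.10")


def site(extra_routes=(), vti=()) -> Stack:
    """Constructed spoke: LAN on 'lan', default route out 'wan', one tunnel-mode
    policy LAN -> REMOTE. Extra routes model the two workarounds."""
    ifaces = {"lan": Iface("lan", Addr("192.0.2.1")),
              "wan": Iface("wan", Addr("198.51.100.2")),
              "ipsec1000": Iface("ipsec1000", Addr("10.255.0.1"))}
    routes = [Route(LAN, "lan"), Route(Net("0.0.0.0/0"), "wan"), *extra_routes]
    return Stack(ifaces, routes, [Policy(LAN, REMOTE)], set(vti))


def scenarios() -> Dict[str, bool]:
    discover = Dhcp(Addr("0.0.0.0"), 0, Addr("192.0.2.50"), Addr("255.255.255.255"))
    plain = site()
    relayed = relay(discover, plain.ifaces["lan"], SERVER)
    # Doc workaround: interface route to the remote subnet via LAN, so source
    # selection yields the LAN address and the SPD selector matches.
    nudged = site(extra_routes=[Route(REMOTE, "lan")])
    # Route-based VTI: a real route into the tunnel interface, no selector match.
    routed = site(extra_routes=[Route(REMOTE, "ipsec1000")], vti={"ipsec1000"})
    return {
        "forwarded": plain.protected(SERVER, Addr("192.0.2.50")),   # True
        "relay": plain.protected(SERVER, relayed.ip_src),           # False: src is WAN
        "relay_fake_route": nudged.protected(SERVER, relayed.ip_src),  # True
        "relay_vti": routed.protected(SERVER, relayed.ip_src),         # True
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'via IPsec' if ok else 'bypasses tunnel':>16}  {name}")
```

The relayed DHCPDISCOVER carries giaddr 192.0.2.1 in its payload either way; what differs is the IP header source the kernel picks, which is all a tunnel-mode selector ever sees.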
jlw52761 @jimp
last edited by Jan 23, 2020, 3:31 AM

                @jimp That makes much more sense, thank you for the expanded answer. I'm going to keep my eyes open for 2.4.5 and try the setup again, maybe they have it licked.

A Former User @jimp
last edited by A Former User Mar 21, 2020, 8:52 AM (posted Mar 21, 2020, 7:43 AM)

@jimp: DHCP Relay doesn't like VTIs as upstream interfaces:

    Unsupported device type 131 for "ipsec1000"

                  Edit: Tested on 2.4.4-RELEASE-p3

rvoosterhout
last edited by Sep 14, 2022, 3:08 PM

                    We are 2 years further, is there any progress on relaying dhcp requests through an ipsec vpn tunnel?

maestrx
last edited by May 15, 2023, 8:25 PM

One year later and still hitting the same wall... any ideas with the 2.6.0 release?

jlw52761 @maestrx
last edited by May 23, 2023, 8:47 PM

@maestrx I get the feeling you will need to use your switch to do the DHCP relay functionality. I haven't done this on the pfSense platform, but I do this on my work's Palo Alto platform that uses IPsec tunnels from remote sites to the main datacenter, and DHCP is located centrally for the smaller sites. This is done using the Cisco ip-helper configuration on the SVI, but I bet other switches have this as well.

maestrx @jlw52761
last edited by May 23, 2023, 8:50 PM

@jlw52761 Thanks for your note. Our switches have an L2 license only, and the ones with L3 do not work with our use case (PXE install) anyway. So we need to have it done at the FW level.

jlw52761 @maestrx
last edited by May 23, 2023, 8:55 PM

@maestrx I don't understand your comment about L3 and PXE install. The ip-helper/DHCP relay is all the switch has to do, which is essentially reflect the packets. The PXE is still handled by your DHCP server and the TFTP server.

maestrx @jlw52761
last edited by May 23, 2023, 8:59 PM

@jlw52761 Well, reality is showing that the ip-helper implementation in the switches is not perfect and the PXE boot use case is not working for us. An L2 switch means that the switch sees only up to the MAC address and does not see the content of the packets (it is not able to distinguish whether the packet is DHCP or any other type of traffic).

jlw52761 @maestrx
last edited by May 23, 2023, 9:02 PM

@maestrx I do know what the difference between an L2 and an L3 switch is. The L3 switch would perform the relay function, which depending on the manufacturer may or may not work well. I know on the Cisco Catalyst switches it worked without any issues.

Ethereal @jlw52761
last edited by Jun 29, 2023, 11:37 AM

@jlw52761 IP helper would work only on the SVI / Layer 3 interface for the network.
DHCP is L2. The IP helper must be configured on the Layer 3 interface/SVI, which would also be the gateway/router for that network. That SVI must be able to "talk" to / reach the DHCP server.

jlw52761 @Ethereal
last edited by Jul 6, 2023, 1:56 PM

                                    @Ethereal Yes, absolutely correct. Are you magically wanting pfSense to do this without any L2 connectivity?

Ethereal @jlw52761
last edited by Jul 6, 2023, 2:04 PM

@jlw52761 I clicked on the wrong user. I was replying to the reply one above.

jlw52761 @Ethereal
last edited by Jul 6, 2023, 2:51 PM

                                        @Ethereal understandable, sorry for the snarky response.

othomas @jlw52761
last edited by Oct 26, 2023, 2:23 PM

Just another hand up here for this to be a feature in pfSense. Our use case is also iPXE bootstrapping. I was assuming in my original planning that this would work, and now I find it doesn't. Having to rethink 😠

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.