Quickstart guide for DHCP Relay
-
I'm new to pfSense Firewalls, I'm exploring it as a replacement for a Sophos UTM firewall, as they aren't getting any further development. I'm running both firewalls side by side at the moment, each having an interface into the subnets with different IP Addresses.
I'm coming unstuck trying to get DHCP Relaying set up in what I thought would be a pretty simple configuration.
I have a DHCP Server cluster already on my LAN, which is working as expected, I want to use it to configure IP Addresses for clients on my Guest WiFi network. I have DHCP Relay enabled under Services/DHCP Relay, with the two IP Addresses of my DHCP Servers entered.
I've set up the following rules on the LAN interface (the same subnet as the DHCP Servers):
(where "DHCP Servers" is an alias containing the two IP Addresses of the DHCP Servers) and these ones on the Guest WiFi interface:
but I don't seem to be getting any traffic hitting any of the rules, and clients aren't getting IP Addresses. When I turn on DHCP relay on my old firewall, clients are able to connect again.
I'm also not seeing any blocked traffic on UDP ports 67 or 68 on Status/System Logs/Firewall/Dynamic View. Is that the best place to look for blocked traffic? Have I missed something obvious, or is this a case of me not quite being used to how this firewall works compared to others I've used?
Any help would be greatly appreciated.
-
@ODY-GB
There is no need to add rules for this. pfSense allows the DHCP traffic automatically on the respective interfaces if the DHCP relay is enabled. But don't enable the DHCP relay on the interface where the DHCP servers reside! DHCP requests are broadcast, so any host within the subnet receives the request anyway.
For the Guest Wifi, did you assign a proper IP to pfSense?
You can sniff the DHCP traffic on all involved interfaces using Diagnostic > Packet Capture. Enter port 67 and 68, so you can see the whole related traffic.
-
@viragomann Thanks for getting back to me.
I'd have expected it to make the rules automatically, even if it doesn't show them in the interface. However, it doesn't seem to be doing anything. I have DHCP relay configured under Services/DHCP Relay. It's only enabled for my Guest WiFi interface so far though.
DHCP Relay is only active on the Guest WiFi Interface for now (although I'll probably want to add more later), it's not active on the WAN or LAN interfaces. I'm not sure what you mean by 'proper IP', but I have a static IP set on the Guest WiFi interface.
I can see broadcast traffic hitting the Guest WiFi interface, but nothing beyond that:
I can see that the dhcrelay service is running?
-
@ODY-GB said in Quickstart guide for DHCP Relay:
I can see broadcast traffic hitting the Guest WiFi interface, but nothing beyond that:
If you sniff the traffic on the LAN, where the DHCP servers are connected to, you don't see any DHCP related traffic?
I would expect that the DHCP requests are forwarded to the stated servers.
-
@viragomann Quite right, that would be the obvious next step (that's what you get for troubleshooting at 1am!)
So, I can see that the DHCP request is leaving the LAN interface for the two configured DHCP Servers. I can also see from the logs on one of the DHCP servers that it's receiving the request, but doesn't respond to it, instead logging "Packet dropped because of Client ID hash mismatch or standby server." which indicates that it is ignoring the request because the other DHCP server is responding. I get the same thing logged when the same client requests an IP Address from the LAN subnet (same subnet as the DHCP Server, so no relaying required), except that in this case the other server does respond with a lease offer.
If I turn off the DHCP Server Service on the other server, I get a renew request logged, but still no IP Address received by the client on Guest WiFi. Yet, when I turn on DHCP relay on my old firewall, the request goes through straight away, and I see what I expect to in both DHCP Server logs.
I don't think there are too many settings to configure for DHCP Relay in pfSense; is there anything (either there or somewhere like firewall settings) that could cause incompatibility with Load Balanced DHCP Servers?
I know that's a bit of a long shot(!), but I'm struggling to think of what else the issue could be. Does it make a difference which DHCP backend I'm using on the pfSense? I see a lot of people on this forum reporting issues with Kea DHCP.
-
@ODY-GB
Did you enable "Append circuit ID and agent ID to requests"? To find out if there are issues with the DHCP cluster, just configure the relay for only one server.
I don't know if this works with KEA, but it should at least work with ISC.
-
@viragomann Aha - I've got to the bottom of the issue. It's due to the fact that I'm testing the new firewall and have two firewalls, each one having an interface in LAN and Guest WiFi subnets.
I'm testing a client on my LAN and a Guest WiFi device by setting their Default Gateway to the pfSense IP address on that subnet, allowing other devices to continue using the old firewall without disruption.
The traffic flow for DHCP from Guest WiFi is:
- Client broadcasts for DHCP Server
- pfSense picks up and forwards request to both LAN DHCP Servers
- DHCP1 processes the renewal and offers an IP Address. The response goes to the pfSense's IP Address on the GuestWiFi Interface, but via the DHCP Server's Default Gateway, which is still the old firewall. The old firewall was blocking the traffic at this point, but I've put a rule in place to allow it through.
- DHCP2 doesn't offer an address, as it knows DHCP1 is handling it.
The traffic seems to stop dead at this point. I'm not sure if it's because the pfSense isn't able to match up the DHCP OFFER with the original request it received as it isn't on the expected interface, or if I do need to put a firewall rule in place here.
However, when I change the Default Gateway of DHCP1 to the LAN interface of pfSense, the DHCP relay works exactly as expected.
As it stands, I'm happy to leave DHCP Relay enabled on both Firewalls for now, because I know that when I decommission the old one, it will work correctly on pfSense.
Many thanks for your help with this troubleshooting.
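The flow described in this post, as an added example that is not part of the original thread and is not pfSense or dhcrelay code: a minimal BOOTP/DHCP builder and parser, a relay step that stamps giaddr with the relay's own address on the client-facing interface and unicasts to both servers, a server step that answers to giaddr, and a delivery step on the relay that matches the OFFER back to the pending request. All addresses, the interface names and the xid are constructed, and the ingress check in relay_deliver is a simplified model of a stateful firewall expecting the server's reply on the interface that faces the server (the asymmetric-route case above); it is an assumption for illustration, not a statement of how pfSense implements it.

```python
"""DHCP relay walk-through (constructed example, not pfSense/dhcrelay code):
a client DISCOVER is relayed to two servers by filling in giaddr, the server
answers to giaddr, and the relay matches the OFFER back to the pending request.
A simplified ingress check models the asymmetric-route problem from the thread."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"             # DHCP option-field magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header

def build_dhcp(op, xid, chaddr, msg_type, *, yiaddr="0.0.0.0", siaddr="0.0.0.0",
               giaddr="0.0.0.0", hops=0, extra_opts=b""):
    """Assemble a minimal BOOTP/DHCP message (Ethernet hw type, broadcast flag set)."""
    pack_ip = lambda a: IPv4Address(a).packed
    hdr = struct.pack(HDR_FMT, op, 1, 6, hops, xid, 0, 0x8000,
                      pack_ip("0.0.0.0"), pack_ip(yiaddr), pack_ip(siaddr), pack_ip(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_opts + bytes([OPT_END])

def parse_dhcp(pkt):
    """Return header fields and a {code: value} dict of DHCP options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR_FMT, pkt[:236])
    msg = {"op": f[0], "hops": f[3], "xid": f[4],
           "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
           "siaddr": str(IPv4Address(f[9])), "giaddr": str(IPv4Address(f[10])),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                  # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def relay_request(pkt, relay_iface_ip, servers):
    """Relay, client-facing interface: stamp giaddr with the relay's own IP on that
    interface, bump hops, unicast a copy to every configured server.
    Returns (pending_key, [(server_ip, packet), ...])."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("relay only forwards BOOTREQUEST on client interfaces")
    if msg["hops"] >= 16:
        return None, []                  # RFC 1542: discard over-relayed requests
    out = bytearray(pkt)
    out[3] = msg["hops"] + 1
    if msg["giaddr"] == "0.0.0.0":       # only the first relay on the path sets giaddr
        out[24:28] = IPv4Address(relay_iface_ip).packed
    return (msg["xid"], msg["chaddr"]), [(s, bytes(out)) for s in servers]

def server_offer(pkt, server_ip, lease_ip):
    """Server: answer a relayed DISCOVER with an OFFER addressed to giaddr."""
    req = parse_dhcp(pkt)
    sid = bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    offer = build_dhcp(BOOTREPLY, req["xid"], bytes.fromhex(req["chaddr"].replace(":", "")),
                       DHCPOFFER, yiaddr=lease_ip, siaddr=server_ip, giaddr=req["giaddr"],
                       hops=req["hops"], extra_opts=sid)
    return req["giaddr"], offer          # unicast destination is the relay, not the client

def relay_deliver(pkt, ingress_iface, iface_ips, server_iface, pending):
    """Relay, reply path: return the client-facing interface to hand the OFFER out on,
    or a string saying why it is dropped. The ingress check is an assumed, simplified
    stateful-firewall model (reply expected on the interface facing the server)."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY:
        return "ignored: not a BOOTREPLY"
    client_iface = next((n for n, ip in iface_ips.items() if ip == msg["giaddr"]), None)
    if client_iface is None:
        return "dropped: giaddr is not one of my interface addresses"
    if (msg["xid"], msg["chaddr"]) not in pending:
        return "dropped: no pending request with this xid/chaddr"
    if ingress_iface != server_iface:
        return f"dropped: reply arrived on {ingress_iface}, expected {server_iface} (asymmetric route)"
    pending.discard((msg["xid"], msg["chaddr"]))
    return client_iface

def walk_through(server_reply_ingress="LAN"):
    """Run the thread's exchange: client on Guest WiFi, two servers on LAN (constructed IPs)."""
    iface_ips = {"LAN": "192.0.2.1", "GUEST": "198.51.100.1"}
    servers = ["192.0.2.10", "192.0.2.11"]
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, bytes.fromhex("0a1b2c3d4e5f"), DHCPDISCOVER)
    key, forwarded = relay_request(discover, iface_ips["GUEST"], servers)
    pending = {key}
    # DHCP1 answers; DHCP2 (the failover peer) stays silent, as in the thread.
    dst, offer = server_offer(forwarded[0][1], servers[0], "198.51.100.50")
    verdict = relay_deliver(offer, server_reply_ingress, iface_ips, "LAN", pending)
    return {"forwarded_to": [d for d, _ in forwarded], "offer_sent_to": dst,
            "giaddr": parse_dhcp(offer)["giaddr"], "verdict": verdict}

if __name__ == "__main__":
    print(walk_through())          # reply comes back on LAN: delivered on GUEST
    print(walk_through("GUEST"))   # reply routed via the other firewall: dropped
```

Calling walk_through() with the default shows the healthy case (OFFER returns on LAN, handed to the client on GUEST); walk_through("GUEST") reproduces the symptom in the post, where the server's reply reaches the relay's Guest WiFi address through the old firewall instead of the LAN interface, and the relay's pending request is never completed. Fixing the server's default gateway, as the post describes, is what makes the reply take the expected path.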
-
@ODY-GB
Yeah, both server and client should use the same default gateway to communicate properly.
The traffic seems to stop dead at this point. I'm not sure if it's because the pfSense isn't able to match up the DHCP OFFER with the original request it received as it isn't on the expected interface, or if I do need to put a firewall rule in place here.
The response from the DHCP server never reaches the client. So the client continues sending requests, as the packet capture on the guest wifi shows.