Dhcprelay: Why are DHCP requests on WAN also relayed?
-
Hello all. Did a quick search in the forums but I did not find any answer so here it is.
I've got a FreeBSD as a firewall and DHCP server for my 192.168.0.0/24 lan. Recently I wanted to install another LAN. pfSense version 1.2.2 was installed with two interfaces:
-
pfsense LAN 192.168.2.0/24 (interface rl0). This is the new lan, 192.168.2.0/24 and
-
pfsense WAN address 192.168.0.40 (interface xl0)
The pfsense is basically installed as a simple, non-filtering router between the two networks, 192.168.2.0/24 and 192.168.0.0/24
Since I did not want to setup a new DHCP server, I've enabled the DHCP relay on the pfsense box, with the following settings:
-
Enable DHCP relay on LAN interface : enabled
-
Append circuit ID and agent ID to requests : disabled
-
Proxy requests to DHCP server on WAN subnet : unchecked and
-
I've entered the ip address of my FreeBSD-based DHCP server.
Of course, I modified the DHCP server dhcpd.conf file to work for the new network.
Everything seemes to work fine, BUT in the FreeBSD log I can see that DHCP requests from clients on the 192.168.0.0/24 subnet (ie, in the WAN side of pfsense) are also relayed by pfsense! From my FreeBSD-based DHCP server log, where the bold lines indicate the problem:
Oct 21 08:49:22 gw dhcpd: DHCPREQUEST for 192.168.0.128 from 00:19:db:a7:dc:be via fxp2 (<- normal request on 192.168.0 which is answered directly by the DHCP server)
Oct 21 08:49:22 gw dhcpd: DHCPACK on 192.168.0.128 to 00:19:db:a7:dc:be via fxp2 (<- normal reply on 192.168.0 which is answered directly to the client)
Oct 21 08:49:22 gw dhcpd: DHCPREQUEST for 192.168.0.128 from 00:19:db:a7:dc:be via pfSenseWANipAddress (<- problem here! pf sense box listens on the WAN interface the DHCPREQUEST and forwards it to the DHCP server)
Oct 21 08:49:22 gw dhcpd: DHCPACK on 192.168.0.128 to 00:19:db:a7:dc:be via pfSenseWANipAddress (same story as above)I expected that pfsense would relay only requests coming from the LAN interface towards the server. This does not seem to be the case. Indeed, SSH'ing to pfsense shows dhcprelay listening to all interfaces:
root 1466 0.0 1.0 3132 1164 ?? Is 8:27AM 0:00.05 /usr/local/sbin/dhcrelay -i rl0 -i xl0 192.168.0.1
Is this a feature or a bug? Any help will be appreciated
SSH'ing to the pfsense box it
-