Netgate Discussion Forum

    IPSEC DHCP Relay = Brick Wall

    IPsec | 2 Posts | 1 Posters | 1.1k Views

    • FrostByghte
      Over the years there have been several posts on IPSEC and passing DHCP Relay traffic.  Specifically, you must follow these instructions:

      https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
      

      However, after doing this, the dhcp reply will not exit the ipsec tunnel.  For instance:

      Site A -> Site B connected via ipsec.  Site A requires dhcp address, Site B hosts dhcp server.  dhcp relay enabled at Site A.  Routing added and pings working perfectly from the pfsense box at Site A.

      Packets clearly show dhcp requests being accepted at Site A, then being pushed through the ipsec tunnel to Site B.  Site B then answers the request and sends a packet back to Site A.  The packet hits the ipsec tunnel and simply never goes anywhere else.  The DHCP reply is never pushed back out on the Site A subnet.

      Can anyone offer some suggestions here as to what else I may be able to try to get this to function?  This has come up multiple times in several threads but has never been answered that I can see.  Thank you.

      • FrostByghte

        I wanted to come back and share what I have found.  I have been looking at this issue for the last few days and I have easily come across 20 posts sharing the link I provided above.  Each of these posts discusses getting the DHCP Relay to work with PFsense while using an IPSec tunnel.  One thread referenced here:

        https://forum.pfsense.org/index.php?topic=6932.0

        states that ssheikh back in 2008 actually got this to work by providing a dummy route back toward the DHCP relay machine from the other end of the IPSec link, but I have not been able to reproduce this.

        Finally, in an effort to solve this, I submitted a support ticket, to which I received the reply:

        "I have discussed your case with our engineers and what you are trying to do here simply does not work within pfSense alone. To achieve this you need to use the IP Helper and DHCP Relay on the switches, not on pfSense, as it does not manage to send the reply back to the client; however, you can still use the IPSec tunnel on pfSense."

        So unless someone has something to add here, this simply won't work at all.  HOWEVER….

        I also found this thread:

        https://forum.pfsense.org/index.php?topic=57769.0

        which apparently allows you to pull in another DHCP relay package.  This package will allow you to bind to an IP address on the local pfsense box.  I found another thread referencing this and saying it functions well.  So this might deserve some follow-up if you are really interested in making this work.

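The relay mechanics that both posts turn on, as an added example that is not part of the thread and is not pfSense or dhcrelay code: a client BOOTREQUEST is forwarded with the relay's own LAN address written into giaddr and the hop count incremented, and the server answers by unicasting the BOOTREPLY to that giaddr. In the Site A scenario the reply therefore arrives addressed to the pfSense LAN address but enters through the IPsec tunnel; a relay that receives replies per interface (rather than on a socket bound to the address) can miss it, which is consistent with the second post's note that a package able to bind to a local IP address works. The addresses 192.0.2.1 (Site A relay LAN IP), 192.0.2.50 (offered lease) and 198.51.100.10 (Site B server) are constructed placeholders.

```python
import ipaddress
import struct

# Constructed sample values, not taken from the thread.
RELAY_LAN_IP = "192.0.2.1"        # stands in for the Site A LAN interface address
DHCP_SERVER_IP = "198.51.100.10"  # stands in for the Site B DHCP server
CLIENT_MAC = bytes.fromhex("001122334455")

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"
CLIENT_PORT = 68


def build_dhcp_header(op, xid, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                      siaddr="0.0.0.0", giaddr="0.0.0.0", hops=0,
                      flags=BROADCAST_FLAG, chaddr=CLIENT_MAC):
    """Build the fixed 240-byte BOOTP/DHCP header (RFC 2131 section 2) plus magic cookie."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, flags)  # op, htype, hlen, hops, xid, secs, flags
    for addr in (ciaddr, yiaddr, siaddr, giaddr):
        hdr += ipaddress.IPv4Address(addr).packed
    hdr += chaddr.ljust(16, b"\x00")   # chaddr
    hdr += b"\x00" * 64                # sname
    hdr += b"\x00" * 128               # file
    return hdr + MAGIC_COOKIE


def parse_dhcp_header(pkt):
    """Decode the fields a relay needs: op, hops, xid, flags and the four address fields."""
    if len(pkt) < 240:
        raise ValueError("short DHCP packet")
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, hlen, hops, xid, _secs, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(pkt[off:off + 4])) for off in (12, 16, 20, 24))
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "giaddr": giaddr, "chaddr": pkt[28:28 + hlen]}


def relay_client_to_server(pkt, relay_ip, max_hops=4):
    """Client -> server direction: stamp giaddr with the relay's interface address and bump hops.

    Returns the packet to unicast to the server; raises if the request is malformed or looped.
    """
    fields = parse_dhcp_header(pkt)
    if fields["op"] != BOOTREQUEST:
        raise ValueError("relay only forwards BOOTREQUEST toward the server")
    if fields["hops"] >= max_hops:
        raise ValueError("hop limit reached, dropping to break relay loops")
    out = bytearray(pkt)
    out[3] = fields["hops"] + 1
    if fields["giaddr"] == "0.0.0.0":           # only the first relay sets giaddr
        out[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out)


def relay_server_to_client(pkt, relay_ip):
    """Server -> client direction: decide where the reply goes on the client subnet.

    The server addressed the UDP datagram to giaddr, so the relay must actually receive a
    datagram destined to relay_ip, whichever interface it came in on. Returns None when the
    reply is not for this relay.
    """
    fields = parse_dhcp_header(pkt)
    if fields["op"] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    if fields["giaddr"] != relay_ip:
        return None
    # RFC 2131 section 4.1 delivery rules for the relay.
    if fields["ciaddr"] != "0.0.0.0":
        return (fields["ciaddr"], CLIENT_PORT)
    if fields["flags"] & BROADCAST_FLAG:
        return ("255.255.255.255", CLIENT_PORT)
    return (fields["yiaddr"], CLIENT_PORT)


def demo():
    """Walk one exchange through the relay and return the observable results."""
    request = build_dhcp_header(BOOTREQUEST, 0x1234)
    forwarded = relay_client_to_server(request, RELAY_LAN_IP)
    fwd = parse_dhcp_header(forwarded)
    reply = build_dhcp_header(BOOTREPLY, 0x1234, yiaddr="192.0.2.50",
                              siaddr=DHCP_SERVER_IP, giaddr=fwd["giaddr"], hops=fwd["hops"])
    return fwd["giaddr"], fwd["hops"], relay_server_to_client(reply, RELAY_LAN_IP)


if __name__ == "__main__":
    giaddr, hops, delivery = demo()
    print(f"server sees giaddr={giaddr} hops={hops}; relay delivers reply to {delivery}")
```

The `giaddr` check in `relay_server_to_client` is the crux of the thread: the reply is a unicast datagram for the relay's LAN address, and whether the relay process ever sees it depends on how it listens, not on the firewall rules or static routes that make the outbound leg work.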
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.