IPSEC DHCP Relay = Brick Wall
-
Over the years there have been several posts on IPsec and passing DHCP Relay traffic. Specifically, you must follow these instructions:
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
However, after doing this, the DHCP reply will not exit the IPsec tunnel. For instance:
Site A -> Site B connected via IPsec. Site A requires a DHCP address, Site B hosts the DHCP server. DHCP relay is enabled at Site A. Routing added and pings working perfectly from the pfSense box at Site A.
Packets clearly show DHCP requests being accepted at Site A, then being pushed through the IPsec tunnel to Site B. Site B then answers the request and sends a packet back to Site A. The packet hits the IPsec tunnel and simply never goes anywhere else. The DHCP reply is never pushed back out on the Site A subnet.
Can anyone offer some suggestions here as to what else I may be able to try to get this to function? This has come up multiple times in several threads but has never been answered that I can see. Thank you.
-
I wanted to come back and share what I have found. I have been looking at this issue for the last few days and I have easily come across 20 posts sharing the link I provided above. Each of these posts discusses getting the DHCP Relay to work with pfSense while using an IPsec tunnel. One thread referenced here:
https://forum.pfsense.org/index.php?topic=6932.0
states that ssheikh back in 2008 actually got this to work by providing a dummy route back toward the DHCP relay machine from the other end of the IPsec link, but I have not been able to reproduce this.
Finally, in an effort to solve this, I submitted a support ticket, to which I received the reply:
I have discussed your case with our engineers and what you are trying to do here simply does not work within pfSense alone. To achieve this you need to use the IP Helper and DHCP Relay on the switches, not on pfSense, as it does not manage to send the reply back to the client; however, you can still use the IPSec tunnel on pfSense.
So unless someone has something to add here, this simply won't work at all. HOWEVER….
I also found this thread:
https://forum.pfsense.org/index.php?topic=57769.0
that apparently allows you to pull in another DHCP relay package. This package will allow you to bind to an IP address on the local pfSense box. I found another thread referencing this and saying it functions well. So this might deserve some follow-up if you are really interested in making this work.
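The exchange described in this thread, as an added example that is not part of the original posts or of pfSense: a pure-Python simulation of the relay step, the DHCP server's reply, and the route lookup at the far end. All addresses are constructed for illustration (Site A LAN 192.168.1.0/24 with the relay on 192.168.1.1, Site B LAN 10.0.0.0/24 with the DHCP server on 10.0.0.10, a tunnel between the two LANs), and the Site B routing tables, including the "no route back" case the dummy-route trick addresses, are assumptions. The point it makes concrete is that the server unicasts its reply to giaddr, i.e. to the relay's own LAN address (RFC 2131 section 4.1), not to the client, so the return packet must be routed into the tunnel at Site B and then picked up by a relay process listening on that address at Site A before it can be re-broadcast to the client.

```python
"""Simulate a DHCP relay exchange across a site-to-site link (RFC 2131 / RFC 1542).

Added example, not code from the forum thread or from pfSense. Every address,
MAC and route below is constructed for illustration.
"""
import struct
import ipaddress

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header


def build_dhcp(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               siaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, flags=0x8000):
    """Fixed BOOTP header + magic cookie + option 53 (message type) + end."""
    fixed = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, flags,
                        ipaddress.ip_address(ciaddr).packed,
                        ipaddress.ip_address(yiaddr).packed,
                        ipaddress.ip_address(siaddr).packed,
                        ipaddress.ip_address(giaddr).packed,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode the fields a relay and a server actually look at."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # walk TLV options until END
        if pkt[i] == 0:                        # PAD
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "ciaddr": str(ipaddress.ip_address(f[7])),
            "yiaddr": str(ipaddress.ip_address(f[8])),
            "siaddr": str(ipaddress.ip_address(f[9])),
            "giaddr": str(ipaddress.ip_address(f[10])),
            "chaddr": f[11][:f[2]], "msg_type": opts.get(53, b"\x00")[0]}


def relay_forward(client_pkt, relay_if_ip, server_ip):
    """Relay step (RFC 1542 4.1.1): stamp giaddr with the receiving interface
    address if it is still zero, bump hops, unicast to the server on port 67."""
    p = parse_dhcp(client_pkt)
    giaddr = p["giaddr"] if p["giaddr"] != "0.0.0.0" else relay_if_ip
    fwd = build_dhcp(BOOTREQUEST, p["xid"], p["chaddr"], p["msg_type"],
                     ciaddr=p["ciaddr"], giaddr=giaddr, hops=p["hops"] + 1)
    return {"dst": server_ip, "dport": SERVER_PORT, "pkt": fwd}


def server_reply(request_pkt, server_ip, offered_ip):
    """Server step (RFC 2131 4.1): with giaddr set, the OFFER is unicast to
    giaddr on port 67, i.e. back to the relay, never directly to the client."""
    p = parse_dhcp(request_pkt)
    reply = build_dhcp(BOOTREPLY, p["xid"], p["chaddr"], DHCPOFFER,
                       yiaddr=offered_ip, siaddr=server_ip,
                       giaddr=p["giaddr"], hops=p["hops"])
    if p["giaddr"] != "0.0.0.0":
        return {"dst": p["giaddr"], "dport": SERVER_PORT, "pkt": reply}
    return {"dst": "255.255.255.255", "dport": CLIENT_PORT, "pkt": reply}


def route_lookup(table, dst):
    """Longest-prefix match over [(prefix, egress)] for the reply's destination."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def relay_deliver(reply_pkt, relay_if_ip):
    """Relay step on the way back: the reply is only handled if giaddr is an
    address the relay is listening on; it is then re-broadcast to the client."""
    p = parse_dhcp(reply_pkt)
    if p["giaddr"] != relay_if_ip:
        return None
    return {"iface_ip": relay_if_ip, "dst": "255.255.255.255",
            "dport": CLIENT_PORT, "yiaddr": p["yiaddr"]}


def run_exchange(site_b_routes=None):
    """Full DISCOVER/OFFER round trip with constructed addresses (assumptions)."""
    relay_ip, server_ip = "192.168.1.1", "10.0.0.10"
    client_mac = bytes.fromhex("001122334455")           # constructed
    if site_b_routes is None:                            # assumed Site B table
        site_b_routes = [("10.0.0.0/24", "lan"), ("192.168.1.0/24", "ipsec"),
                         ("0.0.0.0/0", "wan")]
    discover = build_dhcp(BOOTREQUEST, 0x1234, client_mac, DHCPDISCOVER)
    fwd = relay_forward(discover, relay_ip, server_ip)
    reply = server_reply(fwd["pkt"], server_ip, "192.168.1.50")
    delivered = relay_deliver(reply["pkt"], relay_ip)
    return {"giaddr": parse_dhcp(fwd["pkt"])["giaddr"],
            "reply_dst": reply["dst"], "reply_dport": reply["dport"],
            "site_b_egress": route_lookup(site_b_routes, reply["dst"]),
            "client_gets": delivered["yiaddr"] if delivered else None}


if __name__ == "__main__":
    print(run_exchange())
```

Two things fall out of the simulation that match the symptoms in the thread. First, the reply is a unicast UDP packet to port 67 on the relay's LAN address, so on the Site B side it only enters the tunnel if a route (or the IPsec phase 2 selector) covers that address; calling `run_exchange([("0.0.0.0/0", "wan")])` returns `site_b_egress == "wan"`, which is the situation the dummy-route trick is meant to fix. Second, on the Site A side a reply that arrives through the tunnel is useless unless the relay daemon is actually bound to the giaddr address, which is what the alternative package's "bind to an IP address" option is about. When capturing on the Site A pfSense box, the packet to look for is UDP port 67 destined to the LAN interface address arriving on the IPsec interface.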