DHCP relay over IPSEC VPN?
-
@jlw52761 Thanks for your note. Our switches have an L2 license only, and the ones with L3 do not work with our use case (PXE install) anyway. So we need to have it done on the FW level.
-
@maestrx I don't understand your comment about L3 and PXE install. The ip-helper/DHCP relay is all the switch has to do, which is essentially reflect the packets. The PXE is still handled by your DHCP server and the TFTP server.
-
@jlw52761 Well, reality is showing that the ip-helper implementation in the switches is not perfect and the PXE boot use case is not working for us. L2 switch means that the switch sees only up to the MAC address and does not see the content of the packets (not able to distinguish if the packet is DHCP or any other type of traffic).
-
@maestrx I do know what the difference between an L2 and L3 switch is. The L3 switch would perform the relay function, which depending on the manufacturer may or may not work well. I know on the Cisco Catalyst switches, it worked without any issues.
-
@jlw52761 IP helper would work only on the SVI / Layer 3 Interface for the network.
DHCP is L2. The IP helper must be configured on the Layer 3 interface/SVI, which would also be the gateway/router for that network. That SVI must be able to "talk" to / reach the DHCP server.
-
@Ethereal Yes, absolutely correct. Are you magically wanting pfSense to do this without any L2 connectivity?
-
@jlw52761 I clicked on the wrong user. I was replying to one reply above.
-
@Ethereal understandable, sorry for the snarky response.
-
Just another hand up here for this to be a feature in pfSense - our use case is also iPXE bootstrapping. I was assuming in my original planning that this would work, and now I find it doesn't. Having to rethink.
-
Hello together.
Seems almost 2 years later still an issue.
I tried out the fix with the route, only change is, that I can now ping the remote-side from the diagnostic menu.
DHCP Relay still not working.
On the remote side there is no switch, it is a virtualized network without any further setting possible.
The issue might also be:
You can have only one setting for DHCP-Relay.
So if you have VLANs on the remote-side that need to communicate with the same DHCP-Server on the central side, the packets won't come from the respective VLAN-interface, and will be routed into the wrong scope of the DHCP.
What also is weird, the local DHCP in the pfSense also isn't working, or so to speak only serving the LAN interface, not the VLAN interfaces, although activated on every interface.
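The scope problem described in the last post follows from how a DHCP server picks a scope for a relayed request: it matches the relay's giaddr field (RFC 2131 section 4.3.1), so a relay that stamps every VLAN's requests with one interface address lands them all in that one scope. The following is an added illustration, not code from the thread or from pfSense; the subnets, client MAC and xid are constructed.

```python
import ipaddress
import struct

# Constructed sample scopes: a central DHCP server with one scope per remote subnet.
SCOPES = {
    ipaddress.ip_network("10.10.0.0/24"): "LAN scope",
    ipaddress.ip_network("10.10.20.0/24"): "VLAN20 scope",
    ipaddress.ip_network("10.10.30.0/24"): "VLAN30 scope",
}

def build_bootp_request(client_mac: bytes, giaddr: str) -> bytes:
    """Minimal BOOTP/DHCP fixed header (RFC 2131) as a relay forwards it:
    op=1 (BOOTREQUEST), hops=1, giaddr set to the relay interface address."""
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        1, 1, 6, 1,                        # op, htype (Ethernet), hlen, hops
        0x3903F326,                        # xid (constructed)
        0, 0x8000,                         # secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,
        client_mac.ljust(16, b"\0"),       # chaddr
    )

def select_scope(packet: bytes) -> str:
    """Server-side scope selection: a relayed request (giaddr != 0) is matched
    on giaddr; a directly received one would use the receiving interface."""
    giaddr = ipaddress.ip_address(packet[24:28])   # giaddr sits at offset 24
    if int(giaddr) == 0:
        return "local interface scope"
    for net, name in SCOPES.items():
        if giaddr in net:
            return name
    return "no matching scope (request dropped)"

def relay_outcomes(single_giaddr: str, vlan_giaddrs: list) -> dict:
    """Compare one relay address for all VLANs against a per-VLAN relay address."""
    mac = bytes.fromhex("0a1b2c3d4e5f")   # constructed client MAC
    return {
        "single": [select_scope(build_bootp_request(mac, single_giaddr))
                   for _ in vlan_giaddrs],
        "per_vlan": [select_scope(build_bootp_request(mac, g))
                     for g in vlan_giaddrs],
    }

if __name__ == "__main__":
    print(relay_outcomes("10.10.0.1", ["10.10.20.1", "10.10.30.1"]))
```

With a single relay address both VLAN clients receive "LAN scope" leases, while per-VLAN giaddr values land them in their own scopes; checking giaddr in a capture on the server side is the quickest way to confirm which case a relay is producing.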