DHCP relay over IPSEC VPN?
I'm a long-time user of pfSense (mostly on a virtual machine host), and have the following question:
I need to replace a hardware router (Netgear ProSafe) that's missing a feature required for its purpose: Sending DHCP relay packets through an IPSEC VPN tunnel while using VLANs.
The router is operating directly behind a DSL modem as primary router of two VLAN networks. One VLAN is a "classical on-site" network, router plays DHCP server, as Internet gateway for a number of PCs.
The router also establishes an IPSEC VPN to a remote site. A number of thin clients is connected to a second VLAN. That VLAN needs to operate in DHCP Relay mode. The DHCP server to forward requests to is reachable over the VPN (has a VPN IP).
The Netgear router does not support the latter: DHCP relay always gets forwarded through the public interface, and not through the VPN.
Can pfSense do better here? Does it forward DHCP relay packets through an IPSEC VPN tunnel if the relay target IP has an IP from the tunnel range?
No, it won't be able to properly relay DHCP across IPsec at this time.
The correct solution in either case is to configure DHCP relay on your switch instead. If it's a managed switch, it should support that either by the name DHCP Relay or perhaps "ip helper". If the switch performs the relay, the traffic can properly traverse the tunnel in either direction.
I'm currently use a pfsense to establish an IPSEC tunnel between A and B. The tunnel is established and all traffic from A go through this tunnel (the remote network B is declared as 0.0.0.0/0). My DHCP Server is at B site but when I try to use DHCP relay on the A site, the DHCP request isn't send inside the tunnel. How can I do that ?
Read my last reply just above yours.
So without another device it's impossible to do that ? Because before used pfSense I used a Cisco ASA and it worked fine.
Why the DHCP Discover isn't push inside the tunnel by pfSense ?
Because of the way the relay daemon works and how the packets are formed by the OS, it does not match the IPsec SA. It's probably trying to send it out a different interface.
You can try nudging it with a route but it's not likely to help for relay.
I tryed to add a fake route to the LAN interface as written here : https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN but it doesn't work…
That's about all you can do at the OS level to nudge it the right way. IPsec, as it is at the moment, just can't deal well with that kind of traffic at the OS level. OpenVPN should work better, or move the relay job to an external device.
Eventually when IPsec virtual tunnel interfaces come around that might help, but it's still possible that something in the relay daemon might hold it back.
I don't understand why some firewalls can do that and it's not possible on FreeBSD, it's the only thing which doesn't work, everything else works perfectly…
In this case I can't use OpenVPN.
Different operating systems, different IP stacks, different relay implementations, different IPsec implementations. You're comparing apples and oranges and wondering why the apple doesn't taste like an orange.
It doesn't work, so find an alternate solution (non-IPsec VPN, move the relay to a managed switch where it belongs, don't use relay, don't use pfSense for that specific VPN/relay, etc)
I came across this while trying to setup a DHCP relay across my VTI IPSec tunnel, and I don't agree with jimp's answer. The reason is that basically what you are saying is that pfSense cannot pass a unicast packet across the IPSec tunnel. It does this regularly, so why wouldn't the DHCP Relay work since all it does is intercept the multicast broadcast from the client and convert it to a unicast packet.
I've been struggling with this and had some thought sessions with some network engineers who agree, there's no good reason pfSense cannot forward the unicast packet over the IPSec tunnel, just like any unicast packet that traverses all the time.
One thing that jimp says is to move the DHCP relay to a managed switch, which is what I will do once I have the final config for that done, but that's the same broadcast to unicast conversion, so why would one think that works from the managed switch unless the problem came from the way pfSense forms the packet and tries to route into the IPSec itself.
I'm really curious to understand this limitation more as just about every major firewall vendor out there, Cisco, Palo Alto, even VMware is able to do this, but pfSense can't? I mean how can I approach my management and tell them we should switch from Palo Alto to Netgate when we can't even perform this simple task that Palo Alto today does for us very well.
The limitation before was mostly due to IPsec in tunnel mode. In theory, VTI mode should handle it better, since you'd have proper OS routes to the destination. I haven't tried it, though. It might work, it might not, but if it doesn't work then it may be an issue in the DHCP relay daemon not wanting to latch onto the VTI interface itself. It's also possible that it's hitting an issue like https://redmine.pfsense.org/issues/9466 which may be solved on 2.4.5 which will be out soon.
Beyond that, it isn't necessarily about the type of packet but how it gets treated. Coming from the operating system on the firewall, it has different rules to follow vs a packet coming from the LAN. The OS has to follow its routing table when choosing not only where to deliver the packet but which source address to use. Because of that, the packets generated by the relay daemon may not match tunnel policies (in tunnel mode) thus would never be delivered to the far side.
@jimp That makes much more sense, thank you for the expanded answer. I'm going to keep my eyes open for 2.4.5 and try the setup again, maybe they have it licked.
@jimp : DHCP Relay doesn't like VTIs as Upstream Interfaces:
Unsupported device type 131 for "ipsec1000"
Edit: Tested on 2.4.4-RELEASE-p3