DHCP Relay Issue
I'm trying to setup a DHCP relay and seem to be running into some issues. Here's my config:
pfSense box with 4 nics -WAN IP obtained by DHCP from ISP
-LAN IP 192.168.0.254/24 Using DCHP reservation
-OPT1 IP 192.168.23.254/24
-OPT2 IP 192.168.94.254/24
I'm running Windows 2003 DHCP and have all 3 scopes configured correctly. The server IP is 192.168.0.20. Clients on 192.168.0/24 subnet can get DHCP addresses.
Firewall is configured to pass all traffic running between LAN and OPT1. A client on the OPT1 192.168.23/24 subnet configured with a static IP address is able to ping my DHCP server, connect to file shares on the LAN subnet, and to the internet.
I configure DHCP relay to forward all requests from the OPT1 subnet to 192.168.0.20. I've tried with and without appending circuit and agent IDs. I connect a client to my 192.168.23/24 OPT1 subnet and attempt to get a DHCP address. The client fails to contact the server and doesn't receive an IP address.
I then decided to add a firewall rule to pass traffic from source 0.0.0.0 on UDP 68 to destination 255.255.255.255 on UDP 67 attached to both OPT1 and LAN interfaces.
I've checked the firewall logs and it appears as though nothing was blocked. I put a packet capture on the LAN side looking for packets going to my DHCP IP port 67. Nothing is picked up. I run packet capture on my OPT1 interface and it picks up each DHCP discover request sent from the client.
Is there any special config I have to setup in pfSense to make this work? I'd really like to use this firewall for my routing but don't want to have to manage DHCP on multiple machines. I'm also running Active Directory.
Nothing to it, just check "enable DHCP relay" and plug in the IP. I've been doing this to a Windows DHCP server for years with no issues.
Check your system logs for anything related to dhcrelay.
Go to Diagnostics -> Command and run 'ps ax|grep dhcrelay', does it show anything?
That was the first thing I did, to configure the agent. But should it be setup for just my OPT1 interface or do I have to enable it on my LAN interface too?
5489 ?? Is 0:00.08 /usr/local/sbin/dhcrelay -i le2 -i le1 -i le3 192.168.0.20
8430 p0 R+ 0:00.00 grep dhcrelay
It seems that no matter how I try configuring this it still won't work.
I'm thinking it might be something small I'm over looking.
Can the firewall ping 192.168.0.20? It's possible there is some sort of communication issue between the firewall and the server, if ARP didn't respond for example, it would never attempt to send DHCP requests.
dhcrelay is running fine. Is it logging anything?
You don't enable it on the interface containing the DHCP server.
pfSense can ping the DHCP server. It is also able to route traffic, as a client on my 192.168.23.x subnet with a static IP can also ping my DHCP, and a machine on my 192.168.0.x subnet can ping the client.
anything in logs for dhcrelay?
Feb 15 23:31:50 dhcrelay: Internet Systems Consortium DHCP Relay Agent V3.0.5
Feb 15 23:31:50 dhcrelay: Copyright 2004-2006 Internet Systems Consortium.
Feb 15 23:31:50 dhcrelay: All rights reserved.
Feb 15 23:31:50 dhcrelay: For info, please visit http://www.isc.org/sw/dhcp/
Feb 15 23:31:50 dhcrelay: Listening on BPF/le0/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Sending on BPF/le0/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Listening on BPF/le2/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Sending on BPF/le2/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Listening on BPF/le1/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Sending on BPF/le1/xx:xx:xx:xx:xx:xx
Feb 15 23:31:50 dhcrelay: Sending on Socket/fallback
Looks like the relay's responding. Packet capture picked up the DHCP requests on the LAN port.
00:12:44.748057 xx:xx:xx:xx:xx:x > xx:xx:xx:xx:xx:x, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 53232, offset 0, flags [none], proto UDP (17), length 328) 192.168.0.254.67 > 192.168.0.20.67: [udp sum ok] BOOTP/DHCP, Request from xx:xx:xx:xx:xx:x, length 300, hops 1, xid 0xb57ecd9a, secs 1024, Flags [none] (0x0000)
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
NOAUTO Option 116, length 1: Y
Client-ID Option 61, length 7: ether xx:xx:xx:xx:xx:x
Requested-IP Option 50, length 4: 169.254.112.20
Hostname Option 12, length 7: "hostname"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 11:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
Vendor-Option Option 43, length 2: 220.0
No requests logged and rejected in DHCP server logs for OPT1 subnet. Firewall logs show no dropped packets.
Yeah that looks good.
Next I'd get a capture from the DHCP server to ensure the relayed requests are getting there, and if they are then enable audit logging on the Windows server and see what it's showing.