Netgate Discussion Forum
    dhcprelay not forwarding on local interfaces if IPSec is connected

    DHCP and DNS
    2 Posts 1 Posters 158 Views
    nwildner

      Hi folks. I'm having the following problem: whenever the IPSec tunnel is up, dhcprelay stops forwarding through the local VLAN interfaces on a remote pfSense VM.

      My scenario:

      • vlan117 and vlan110 are configured with Remote Networks 0.0.0.0/0 on IPSec. Tunnel is working great and forwarding all traffic to my main site
      • A Pair of AD servers are configured inside vlan117 (10.Y.117.11 and 10.Y.117.12)
      • Desktops, Notebooks and Thinclients are connected on vlan110
      • DHCP Relay is configured to listen on both interfaces
      • Firewall rules are permissive between those interfaces (all protocols, all sources/destinations)
      • Any host inside vlan110 will get link-local addresses (169.254.0.0/16) instead of 10.Y.110.0/24

      Additional troubleshooting:

      • If I shut down IPSec, nearly instantly stations inside vlan110 will get IPs from the ranges/scopes/pools configured on the AD servers as soon as I type "ipconfig /renew".
      • If I create a simple DHCP scope on pfSense's DHCP server for vlan110 with IPSec ON, it works.

      My guess is that, as soon as pfSense tries to forward its unicast version of this request to the AD servers, it gets routed through IPSec.

      Any clues on what I can do to make DHCP relay work? Maybe this is a known bug?

      nwildner

        Just to add more details: "Enable bypass for LAN interface IP" would not work, since vlan110 was not the first interface I had created, and this other interface is the "hardcoded" LAN now (the first LAN was an administrative IP, just to deploy the VM).

        Another issue here is that I technically have more than one LAN, and all of them will need to use dhcp-relay (desktops VLAN, VoIP VLAN, guest VLAN, Wi-Fi VLAN, Wi-Fi collectors VLAN...).

        If I could create a bypasslan rule inside ipsec.conf with 10.x.0.0/16 (a broader scope), maybe this would do the trick, but I'm afraid ipsec.conf will be overwritten by config.xml, and that one uses the lan XML tag to define this behavior.

        Any tips on how I can achieve this?

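The bypass policy the second post speculates about, written out as an added example by the editor (it is not from the thread and not Netgate's generated configuration): a strongSwan ipsec.conf stanza of the same shape that pfSense's "Enable bypass for LAN interface IP" option produces, but widened to the whole 10.Y.0.0/16 so that every local VLAN, including the DHCP relay's unicast to 10.Y.117.11 and 10.Y.117.12, is excluded from the 0.0.0.0/0 phase 2 policy. The prefix 10.Y.0.0/16 is a placeholder taken from the thread (substitute the real second octet), and the file path /var/etc/ipsec/ipsec.conf is assumed.

```conf
# Added example (not pfSense's own output): a strongSwan "shunt" connection.
# type = pass installs a PASS policy in the kernel SPD, so packets between
# local 10.Y.0.0/16 subnets bypass IPsec even though 0.0.0.0/0 is a remote
# network on the tunnel. authby = never because nothing is negotiated, and
# auto = route installs the policy when strongSwan (re)loads the config.
# 10.Y.0.0/16 is a placeholder from the thread; replace Y with the real octet.
conn bypasslan
    leftsubnet = 10.Y.0.0/16
    rightsubnet = 10.Y.0.0/16
    authby = never
    type = pass
    auto = route
```

Two caveats for anyone trying this. First, pfSense regenerates ipsec.conf from config.xml whenever the IPsec configuration is saved or applied, so a hand edit to /var/etc/ipsec/ipsec.conf only lasts until the next apply; it is a way to test the hypothesis in the thread, not a persistent fix. Second, to check that the policy is actually in place after `ipsec reload`, `ipsec statusall` should list bypasslan as a routed pass-through connection; with it installed, an `ipconfig /renew` on a vlan110 station should receive a 10.Y.110.0/24 lease from the AD servers instead of a 169.254.0.0/16 address if the relayed unicast was indeed being pulled into the tunnel. If a /16 is broader than wanted, the same stanza with leftsubnet set to the relay-facing VLANs and rightsubnet to the two DHCP server addresses (/32) limits the bypass to the DHCP path only.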
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.