dhcprelay not forwarding on local interfaces if IPSec is connected

  • Hi folks. I'm having the following problem: Whenever IPSec tunnel is up, dhcprelay stops forwarding through local vlan interfaces on a remote pfSense vm.

    My scenario:

    • vlan117 and vlan110 are configured with Remote Networks on IPSec. Tunnel is working great and forwarding all traffic to my main site
    • A Pair of AD servers are configured inside vlan117 (10.Y.117.11 and 10.Y.117.12)
    • Desktops, Notebooks and Thinclients are connected on vlan110
    • DHCP Relay is configured to listen on both interfaces
    • Firewall rules are permissive between those interfaces (all protocols, all sources/destinations)
    • Any host inside vlan110 will get link-local addresses( instead of 10.Y.110.0/24

    Additional troubleshooting:

    • If I shutdown IPSec, nearly instantly stations inside vlan110 will get IPs from the ranges/scopes/oools configured on AD servers as soon as i type "ipconfig /renew".
    • If i create a simple DHCP scope on pfSense's DHCP server to vlan110 with the IPSec ON, it works.

    My guess is that, as soon as pfSense tries to forward it's unicast version of this request to AD servers, it gets routed through IPSec.

    Any clues here what i can do to make dhcp relay work? Maybe this is a known bug?

  • Just to add more details: "Enable bypass for LAN interface IP" would not work since, vlan110 was not the first interface i had created, and this other interface is the "Hardcoded" LAN now(first LAN was an administrative IP, just to deploy the VM).

    Another issue here is that I have technically more than one LAN, and all of them will need to use dhcp-relay(desktops vlan, voip vlan, guest vlan, wifi vlan, wifi-collectors vlan...)

    If i could create a bypasslan rule inside ipsec.conf with 10.x.0.0/16(a broader scope) maybe this would do the trick, but i'm afraid ipsec.conf will be overwritten by config.xml, and that one uses the lan xml tag to define this behavior.

    Any tips how can i achieve this here?

Log in to reply