dhcp through openvpn (tap) stopped working, packets don't reach correct interface

jp.otto · Aug 5, 2020, 8:05 AM

Hi,
among others, I administer a school that has buildings in two locations. Those are connected via a vpn (tap). There are several vlans at each site that can communicate according to the firewall rules, mainly with a server on the main site. To faciliate dhcp we use dhcprelay on the pfSense boxes.
This worked fine until I had to power down the pfsense on the main site because of maintenance works.
After it was online again I verified the vpn and was able to reach the server from the remote site.
However, dhcp does not work anymore :-(
I can see that the clients send an DHCPDISCOVER which reaches the server. On the remote firewall I see the DHCPOFFER on interface ovpnc2, those packets however don't get routed to the correct interface and therefore never reach a client...
Here are two samples:

(tcpdump -i ovpnc2)

11:34:54.537249 IP (tos 0x0, ttl 64, id 60795, offset 0, flags [none], proto UDP (17), length 328)
    192.168.250.2.bootps > 10.175.0.10.bootps: BOOTP/DHCP, Request from 00:11:22:33:44:55 (oui Unknown), length 300, hops 1, xid 0xc821c667, secs 45339, Flags [none]
	  Gateway-IP 10.178.2.1
	  Client-Ethernet-Address 00:11:22:33:44:55 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether 00:11:22:33:44:55
	    Requested-IP Option 50, length 4: 10.178.2.44
	    MSZ Option 57, length 2: 576
	    Parameter-Request Option 55, length 8: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
	      Domain-Name, BR, NTP, Vendor-Option
	    Vendor-Class Option 60, length 4: "something"
	    Hostname Option 12, length 7: "name"
11:34:54.561524 IP (tos 0x0, ttl 63, id 52995, offset 0, flags [DF], proto UDP (17), length 328)
    10.175.0.10.bootps > 10.178.2.1.bootps: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xc821c667, secs 45339, Flags [none]
	  Your-IP 10.178.2.44
	  Server-IP 10.175.0.10
	  Gateway-IP 10.178.2.1
	  Client-Ethernet-Address 00:11:22:33:44:55 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Offer
	    Server-ID Option 54, length 4: 10.175.0.10
	    Lease-Time Option 51, length 4: 43200
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    Default-Gateway Option 3, length 4: 10.178.2.1
	    Domain-Name-Server Option 6, length 4: 10.175.0.10
	    Domain-Name Option 15, length 14: "something.de"

vs.

(tcpdump -i bxe0.1002)

11:34:54.537183 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:11:22:33:44:55 (oui Unknown), length 300, xid 0xc821c667, secs 45339, Flags [none]
	  Client-Ethernet-Address 00:11:22:33:44:55 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether 00:11:22:33:44:55
	    Requested-IP Option 50, length 4: 10.178.2.44
	    MSZ Option 57, length 2: 576
	    Parameter-Request Option 55, length 8: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
	      Domain-Name, BR, NTP, Vendor-Option
	    Vendor-Class Option 60, length 4: "something"
	    Hostname Option 12, length 7: "name"

You can see the reply reaching the firewall, addressed to 10.178.2.1, which is the ip of bxe0.1002, but it does not reach that interface.

Both boxes have the current pfsense version (2.4.5-p1) and the vpn interface has an "allow all" firewall rule.

Has anyone an idea where the error could be?