DHCP Relay allowed to traverse into Wireguard site to site
-
Hi, Everyone.
I have set up a lab where I configured 2 pfSense boxes to be connected via a WireGuard site-to-site tunnel. In Site A I have set up a Windows DC as the DHCP server and set both Site A and Site B to relay to this DHCP server. I have checked the Site B pfSense DHCP logs and found the following entries:
Aug 18 20:20:51 dhcrelay 52105 Internet Systems Consortium DHCP Relay Agent 4.4.3-P1
Aug 18 20:20:51 dhcrelay 52105 Copyright 2004-2022 Internet Systems Consortium.
Aug 18 20:20:51 dhcrelay 52105 All rights reserved.
Aug 18 20:20:51 dhcrelay 52105 For info, please visit https://www.isc.org/software/dhcp/
Aug 18 20:20:51 dhcrelay 52105 Listening on BPF/xn1/4e:4b:b1:08:e4:6f
Aug 18 20:20:51 dhcrelay 52105 Sending on BPF/xn1/4e:4b:b1:08:e4:6f
Aug 18 20:20:51 dhcrelay 52105 **Unsupported device type 248 for "tun_wg0"**
Aug 18 20:20:51 dhcrelay 52105 If you think you have received this message due to a bug rather
Aug 18 20:20:51 dhcrelay 52105 than a configuration issue please read the section on submitting
Aug 18 20:20:51 dhcrelay 52105 bugs on either our web page at www.isc.org or in the README file
Aug 18 20:20:51 dhcrelay 52105 before submitting a bug. These pages explain the proper
Aug 18 20:20:51 dhcrelay 52105 process and the information we find helpful for debugging.
Just confirming with you guys whether this is a bug or a limitation of WireGuard?
-
@adelaide_guy I don't know about a WireGuard tunnel, but it has always been a constraint of pfSense that you cannot have the firewall running as a DHCP relay using a DHCP server on the other side of a firewall-established IPsec tunnel.
In fact, the DHCP relay agent in pfSense is really a pain in the beh****. It cannot be used if you also have the DHCP server running (regardless of whether you make sure there are no service interface overlaps). It cannot forward over IPsec tunnels, and it also changes the DHCP server identity in relayed frames, so you need to whitelist the relay server instead of the DHCP server when running DHCP snooping on switches. (PITA if you have a lot of VLANs, because you have to whitelist every pfSense interface IP instead of the DHCP server on the switches.)
-
Thanks for the info. If that is the case, I won't bother trying to make this work then.
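Added illustration, not part of any post in this thread and not pfSense or ISC dhcrelay code: a minimal BOOTP/DHCP builder and parser that performs the two rewrites a relay agent does, so the behaviour the second reply describes (the client-facing reply is sourced from the relay's own interface address even though option 54 still names the real server) can be seen on real bytes. The addresses, MAC and transaction id are constructed sample values; the 16-hop discard rule follows RFC 1542. It does not model the interface-type check that produced the "Unsupported device type 248" line in the first post (that dhcrelay binds via BPF to Ethernet-type interfaces, and that FreeBSD's if_types.h lists 0xf8 = 248 as IFT_WIREGUARD, are my assumptions about the error's origin, not statements from the thread).

```python
import socket
import struct

# Every address, MAC and xid in this file is a constructed sample value.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header
BROADCAST_FLAG = 0x8000
MAX_HOPS = 16  # RFC 1542 4.1.1: discard BOOTREQUESTs whose hops exceed 16


def build_bootp(op, hops, xid, ciaddr, yiaddr, siaddr, giaddr, chaddr, options):
    """Assemble a BOOTP/DHCP message: fixed header + magic cookie + TLV options."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, hops, xid, 0, BROADCAST_FLAG,
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                      socket.inet_aton(siaddr), socket.inet_aton(giaddr),
                      chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse_bootp(data):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HDR_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:        # pad option has no length byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
            "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
            "chaddr": f[11][:f[2]], "options": opts}


def relay_to_server(pkt, relay_if_ip, server_ip):
    """Client -> server leg. Returns (src_ip, dst_ip, bytes) of the unicast the relay
    sends to the server, or None when the message must be dropped."""
    m = parse_bootp(pkt)
    if m["op"] != BOOTREQUEST or m["hops"] > MAX_HOPS:
        return None
    out = bytearray(pkt)
    out[3] = m["hops"] + 1                      # bump hop count
    if m["giaddr"] == "0.0.0.0":                # only the first relay fills giaddr
        out[24:28] = socket.inet_aton(relay_if_ip)
    return relay_if_ip, server_ip, bytes(out)


def relay_to_client(pkt, relay_if_ip):
    """Server -> client leg. The server unicasts to giaddr; the relay re-emits the reply
    on that interface, so the client sees the relay's address as the IP source."""
    m = parse_bootp(pkt)
    if m["op"] != BOOTREPLY or m["giaddr"] != relay_if_ip:
        return None                             # not for this relay: discard
    dst = "255.255.255.255" if m["flags"] & BROADCAST_FLAG else m["yiaddr"]
    return relay_if_ip, dst, pkt


def demo():
    """Run one DISCOVER/OFFER exchange through the relay and report what each side sees."""
    mac = bytes.fromhex("020000aabbcc")        # constructed client MAC
    relay_ip, server_ip, xid = "10.2.0.1", "10.1.0.10", 0x3903F326
    discover = build_bootp(BOOTREQUEST, 0, xid, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                           "0.0.0.0", mac, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    _, _, relayed = relay_to_server(discover, relay_ip, server_ip)
    seen_by_server = parse_bootp(relayed)
    # The server answers to giaddr, copying hops/xid/giaddr and naming itself in option 54.
    offer = build_bootp(BOOTREPLY, seen_by_server["hops"], xid, "0.0.0.0", "10.2.0.50",
                        "0.0.0.0", seen_by_server["giaddr"], mac,
                        [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                         (OPT_SERVER_ID, socket.inet_aton(server_ip))])
    client_src, client_dst, _ = relay_to_client(offer, relay_ip)
    return {"giaddr_seen_by_server": seen_by_server["giaddr"],
            "hops_seen_by_server": seen_by_server["hops"],
            "offer_src_ip_seen_by_client": client_src,
            "offer_dst_seen_by_client": client_dst,
            "server_identifier_in_offer": socket.inet_ntoa(
                parse_bootp(offer)["options"][OPT_SERVER_ID])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two keys of `demo()` are the point for DHCP snooping: the OFFER arrives at the client with IP source 10.2.0.1 (the relay interface) while option 54 says 10.1.0.10, so a switch feature keyed on the sender address sees the relay, not the server. This is also why a relay must own an address on the client-facing interface: a WireGuard tunnel interface has no Ethernet link layer to broadcast the reply onto.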