DHCP relay not starting via GUI & not working properly when started manually via CLI. (2.7.2-RELEASE amd64)
-
TLDR: dhcrelay is not starting when configured via GUI. I can manually start it on the CLI. It then relays requests and gets offers back, but pfSense does not forward these offers from the interface where they are arriving to the interface where dhcp-clients are residing. All UDP traffic is allowed for testing.
Full version:
DHCP Relay (dhcrelay) is not starting when configured from the GUI. Error message in the system log:
No suitable upstream interfaces found for running dhcrelay!
I can start the process manually and it does relay dhcp-requests then:
# dhcrelay –i vmx1 –iu ipsec3 10.149.69.10
–i: host unknown
vmx1: host unknown
–iu: host unknown
ipsec3: host unknown
Internet Systems Consortium DHCP Relay Agent 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on BPF/vmx1/00:50:56:a4:5d:25
Sending on   BPF/vmx1/00:50:56:a4:5d:25
Listening on BPF/vmx0/00:50:56:a4:ab:37
Sending on   BPF/vmx0/00:50:56:a4:ab:37
Sending on   Socket/fallback
The DHCP server address is behind a routed (VTI) IPSEC tunnel and reachable.
Capturing on the tunnel interface of the pfSense where my dhcp clients are, I can see that traffic between the relaying pfSense and the dhcp-server is exchanged bi-directionally. Offers from the dhcp server are arriving on the tunnel interface from the dhcp-relay-pfSense. But these offers do not appear on the LAN interface (where my dhcp-clients are) on that same pfSense.
Looking at the captures, I can see that the requests are relayed with SRC address from the tunnel interface (10.149.72.2). The dhcp-server however sends them back to the LAN address (10.106.36.254) as DST. I guess the server just uses the address from the field "Relay Agent IP Address" from the dhcp-request packet as DST.
I allowed all UDP traffic on the LAN and ipsec interface via floating rules to rule out there's a problem with stateful filtering and the changing SRC/DST combination.
Capture on the ipsec interface of the pfSense with the dhcprelay configured:
13:29:17.330078 IP 10.149.72.2.67 > 10.149.69.10.67: UDP, length 300
13:29:17.331563 IP 10.149.69.10.67 > 10.106.36.254.67: UDP, length 307
The relayed request in detail:
Internet Protocol Version 4, Src: 10.149.72.2, Dst: 10.149.69.10
User Datagram Protocol, Src Port: 67, Dst Port: 67
Dynamic Host Configuration Protocol (Discover)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 1
    Transaction ID: 0x64e15f41
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 10.106.36.254
    Client MAC address: VMware_a4:6a:63 (00:50:56:a4:6a:63)
The relayed offer in detail:
Internet Protocol Version 4, Src: 10.149.69.10, Dst: 10.106.36.254
User Datagram Protocol, Src Port: 67, Dst Port: 67
Dynamic Host Configuration Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x64e15f41
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0
    Your (client) IP address: 10.106.36.100
    Next server IP address: 10.149.69.10
    Relay agent IP address: 10.106.36.254
    Client MAC address: VMware_a4:6a:63 (00:50:56:a4:6a:63)
Topology:
Branch
[PFS3-BRANCH]--.254@vmx1---(10.106.36.0/24) CLIENTS
      |
      |.2@ipsec3
      |
  Internet (10.149.72.0/30) VTI-TRSF
      |
      |.1@ipsec3
      |
________________[PFS2-EXT]________________________________________
      |
 HQ   |.9@vmx1
      |
  (10.149.68.0/28) TRSF
      |
      |.6@vmx0
      |
[PFS1-INT]--.126@vmx1---(10.149.69.0/25) SERVER
CE 2.7.2-RELEASE amd64
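The post's guess about the return path is the documented behaviour: a DHCP server answering a relayed request ignores the IP source of the relayed datagram and unicasts the reply to the Relay Agent IP Address (giaddr) on port 67, and the relay is then expected to hand that reply to whichever of its interfaces carries the giaddr address. The following script is an added example (not code from the post, the forum, or pfSense/ISC) that decodes the fixed BOOTP header and works through that logic on packets constructed to match the capture above (transaction ID, giaddr, yiaddr, client MAC). The interface-to-address map (vmx1 and ipsec3) is an assumption taken from the topology; nothing here talks to a network.

```python
"""Decode the fixed BOOTP/DHCP header and derive where a relayed reply goes.

Added example, not code from the forum post. Packet bytes are constructed to
match the field values in the captures; the RELAY_ADDRS map is assumed from
the post's topology.
"""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT = 67
HEADER_LEN = 236                       # fixed header, options follow at 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # RFC 2132 DHCP options cookie


def build_bootp(op, hops, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                siaddr="0.0.0.0", giaddr="0.0.0.0", secs=0, flags=0):
    """Serialise a minimal BOOTP/DHCP message: fixed header, cookie, END tag."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), hops, xid, secs, flags)
    hdr += b"".join(IPv4Address(a).packed for a in (ciaddr, yiaddr, siaddr, giaddr))
    hdr += chaddr.ljust(16, b"\x00")   # chaddr is a fixed 16-byte field
    hdr += bytes(64) + bytes(128)      # sname and file, unused here
    return hdr + MAGIC_COOKIE + b"\xff"


def parse_bootp(pkt):
    """Return the header fields a relay or server actually decides on."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(pkt[o:o + 4]) for o in (12, 16, 20, 24))
    return {"op": op, "hops": hops, "xid": xid, "secs": secs, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "chaddr": pkt[28:28 + hlen].hex(":")}


def server_reply_destination(req):
    """RFC 2131 section 4.1: with a non-zero giaddr the server unicasts the reply
    to giaddr:67, regardless of the IP source address of the relayed request."""
    if req["op"] != BOOTREQUEST:
        raise ValueError("not a BOOTREQUEST")
    if int(req["giaddr"]) != 0:
        return str(req["giaddr"]), DHCP_SERVER_PORT
    return None  # no relay in the path; the server answers the client directly


def relay_client_interface(reply, relay_addrs):
    """A relay delivers a BOOTREPLY on the interface whose address equals giaddr.
    relay_addrs maps interface name -> address configured on that interface."""
    if reply["op"] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    for ifname, addr in relay_addrs.items():
        if IPv4Address(addr) == reply["giaddr"]:
            return ifname
    return None  # giaddr is not one of ours: the reply must be dropped


# Constructed packets mirroring the captured Discover/Offer pair.
CLIENT_MAC = bytes.fromhex("005056a46a63")
XID = 0x64E15F41
RELAY_ADDRS = {"vmx1": "10.106.36.254", "ipsec3": "10.149.72.2"}  # assumed from topology

RELAYED_DISCOVER = build_bootp(BOOTREQUEST, hops=1, xid=XID, chaddr=CLIENT_MAC,
                               giaddr="10.106.36.254")
OFFER = build_bootp(BOOTREPLY, hops=0, xid=XID, chaddr=CLIENT_MAC,
                    yiaddr="10.106.36.100", siaddr="10.149.69.10",
                    giaddr="10.106.36.254")


def walk_exchange():
    """Follow one Discover/Offer through the relay and report the decisions."""
    req = parse_bootp(RELAYED_DISCOVER)
    rep = parse_bootp(OFFER)
    return {"reply_dst": server_reply_destination(req),
            "client_iface": relay_client_interface(rep, RELAY_ADDRS),
            "xid_match": req["xid"] == rep["xid"]}


if __name__ == "__main__":
    print(walk_exchange())
```

Running it reports the reply destination as 10.106.36.254:67 and the delivery interface as vmx1, which is exactly the path in the captures: the offer arriving on ipsec3 addressed to the LAN address is correct protocol behaviour, so the relay process must be listening on both the upstream and the client-facing interface and the firewall must let a UDP/67 datagram destined to the LAN address in on the tunnel interface. A relay that does not own the giaddr address (try the function with only ipsec3 in the map) correctly returns no interface, which is the case to check when a relay is started with a different set of interfaces than the GUI intended.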