Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DHCP v. DHCP Relay: given different interfaces (for each), why not?

    Scheduled Pinned Locked Moved DHCP and DNS
    3 Posts 3 Posters 265 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      justme2
      last edited by

      All,

      Trying to understand what [technical] reason is behind not allowing both DHCP and DHCP relay to operate at the same time. Suspect it was to "avoid" someone mistakenly trying to run both on the same interface, but.....

      As it's simply that a given interface can only be used for one (or the other) - not both. Plenty of examples where there might be a localized site network (or two provided by the firewall) vs. all other networks going to the data center (cloud/on-prem) for this service. This would seem to align more correctly with modern mantras.

      eg:
      DHCP Server:
      - LAN1
      - LAN2
      DHCP Relay:
      - LAN3-6
      - LAN7/VPN interface
      Thus a given interface is either DHCP relay or DHCP Server.

      keyserK GertjanG 2 Replies Last reply Reply Quote 1
      • keyserK Offline
        keyser Rebel Alliance @justme2
        last edited by

        @justme2 I STRONGLY agree. This is one of the really limiting features of pfSense in corporate VPN based location networks. It’s a real pain in the *** every time you have to bring a L3 switch just to get a DHCP relay for the corporate controlled VLANs

        Love the no fuss of using the official appliances :-)

        1 Reply Last reply Reply Quote 0
        • GertjanG Offline
          Gertjan @justme2
          last edited by Gertjan

          @justme2

          Get your SFTP browser, open /usr/local/www/services_dhcp_relay.php
          Or use the console or SSH, and edit /usr/local/www/services_dhcp_relay.php

          Locate :

          if ($dhcpd_enabled) {
	print_info_box(gettext('DHCP Relay cannot be enabled while DHCP Server is enabled on any interface.'), 'danger', false);
}

          Chance for :

          if ($dhcpd_enabled) {
	print_info_box(gettext('DHCP Relay cannot be enabled while DHCP Server is enabled on any interface. !! OVERRIDDEN !!'), 'danger', false);
	$dhcpd_enabled = false;
}

          Note : the "!! OVERRIDEN !!" is my personal choice, and not needed.

          Save.

          Now, for example : I disabled the DHCP server (kea) for this interface :

          1208eea8-273b-4632-aa28-447a19ca7d92-image.png

          Save and Apply.

          Back to DHCP relay, select IDRAC - add a DHCP Relay server :

          4a1df8ab-bc3b-41ce-9da3-edd2d04bfacc-image.png

          and Save.

          Check :

          [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep 'dhc'
root    26880  10.2  0.6  43768  23968  -  S    11:18       0:00.10 /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
root    27281   9.9  0.6  43728  23532  -  S    11:18       0:00.09 /usr/local/sbin/kea-dhcp6 -c /usr/local/etc/kea/kea-dhcp6.conf
root    24435   0.0  0.1  14404   2980  -  Is   20Aug25     0:00.02 dhclient: system.syslog (dhclient)
root    41257   0.0  0.1  14404   3100  -  Is   20Aug25     0:00.05 dhclient: ix3 [priv] (dhclient)
root    51257   0.0  0.1  14308   3460  -  SCs  20Aug25     0:39.41 /usr/sbin/syslogd -O rfc5424 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 192.168.1.1
_dhcp   51487   0.0  0.1  14408   3268  -  SCs  20Aug25     0:05.22 dhclient: ix3 (dhclient)
root    52757   0.0  0.1  14128   2900  -  Is   20Aug25     0:06.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid ix3
root    56422   0.0  0.1  16812   4776  -  Is   11:10       0:00.00 /usr/local/sbin/dhcrelay -id igc2 -iu ix3 192.168.10.1

          The kea DHCPv4 is still running. If all goes well, it doesn't touch/use the igc2 - my "IDRAC" - interface.
          As you can see, dhcrelay is running also - using 'igc2' - my IDRAC interface.

          You'll notice that on the DHCPv4 (kea, as that's what I'm using) there are also red messages showing.

          c8d71175-a0b8-4fd6-b081-18138c5027b5-image.png

          Also for the LAN, and other interfaces.
          I guess you know now how to make these GUI pages more "smart", and don't show messages if they are not needed.

          On the DHCP Relay GUI page you could even modify the list with shown network, by excluding the networks that have the DHCPv4 active on them.
          In my case : this list should only shown "IDRAC" instead of :

          fe81bc41-f103-4a54-be83-890688b52a39-image.png

          Btw : I did not test this dhcrelay service. I don't have a network where this is needed / don't know how to use it.
          Also : I presume you cant' save DHCOPv4 ((kea) settings and network pages anymore, as on this pages the test 'is dhcp relay' running also exist (Generaol settings page : just the test, on the interface(s) page - the same PHP file is used for all interfaces the test also exist, and name some love).
          I'll leave it up to you a make something nice, safe and fool proof out of it.
          Like : If you select an interface, like my IDRAC, that has a dhcp relay activated on it, show the red message and don't allow the user to Enable it with an active DHCP server. This is now already the case. Make the code a bit smarter by testing the (this) interface is used by dhcp relay, and only allow the DHCP server (kea) to be activated on that interface if it is not used by dhcp relay.

          See /usr/local/www/services_dhcp.php- here :

          4812bf5d-0bca-4afb-a4f0-8e0173cd984f-image.png

          how to make these decisions.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.