DHCP relay problem



  • Hi!
    I'm having trouble with DHCP relay on my VLANed network. The setup is like this:

    
                +- vlan0 (LAN) -> 192.168.1.0/24
    WAN -> em0 -|
                +- vlan1 (OPT1) -> 172.16.5.0/24
    
    

    The vlan-interfaces are on pfSense's em1 interface. The DHCP server (Windows SBS 2011) is situated at 192.168.1.15. It has scopes set up for 192.168.1.0/24 and 172.16.5.0/24. The switch is a HP ProCurve 1810G-24.

    I've tried both with and without "Circuit append"-mode.
    With circuit append enabled, and even added a pass-all rule between the networks, clients on vlan1 aren't getting addresses. I can ping hosts across vlans (because of the pass all), and access internet.  Running tcpdump on the pfsense box on vlan0 and vlan1, The vlan1 interface sees them, but not vlan0. I also tried adding an explicit, logged, DHCP firewall rule on vlan0 and vlan1. Looking in the logs, the only entry is "OPT1 0.0.0.0:68 255.255.255.255:67 UDP".

    Disabling circuit append, I can see the packets arriving at vlan0, but a laptop running tcpdump on the 192.168.1.0 net can't see them. The server doesn't seem to recieve them either.

    Any ideas?



  • @carlpett:

    With circuit append enabled, and even added a pass-all rule between the networks,

    On which interface did you add the rule?

    @carlpett:

    Running tcpdump on the pfsense box on vlan0 and vlan1, The vlan1 interface sees them, but not vlan0.

    "them" means pings? DHCP requests?

    @carlpett:

    Looking in the logs, the only entry is "OPT1 0.0.0.0:68 255.255.255.255:67 UDP".

    Which log?
    If the firewall log, then you need a firewall rule on OPT1 to allow these through. "pass all rule between the networks" is not a very helpful description because it leaves too many rule parameters unspecified.



  • Sorry about being unclear. Clarifications:

    • LAN is vlan0, OPT1 is vlan1
    • I added pass all rules, meaning pass on any proto, any destination, on both LAN and OPT1 interfaces.
    • The tcpdump was looking for DHCP protocol packets, I used this command: tcpdump -i <if>port 67 or port 68
    • The log excerpt was from the firewall log, forgot to say there was a green pass icon too. Sorry.

    The DHCP-specific rules that I added (on both LAN and OPT1) was "PASS UDP from anywhere, to anywhere, port 67-68".

    Again, excuse me for being vague, and thanks for your time.</if>


Log in to reply