DHCP Relay Configuration Issue
-
My pfSense 2.0 configuration includes 5 interfaces (WAN, LAN, DMZ, SAN, WFN). At present I am running a DNS and DHCP server on the DMZ. Firewall rules allow access to the DNS server from all interfaces. I would like to use pfSense's DHCP Relay service to connect the LAN, SAN, and WFN to the DHCP server in the DMZ. I cannot get it to work. I have tried opening port 67 from the DMZ to all interface addresses on the pfSense machine to no effect.
As a stopgap, I placed a DHCP Relay box on my LAN and connected it to the DHCP server on the DMZ (opened port 67 so that the DHCP server on the DMZ could reply to the DHCP Relay on the LAN). This works fine, but requires a separate machine on the LAN – I would very much prefer to use the DHCP Relay services in pfSense.
What am I missing? Perhaps a rule in the DMZ or in the net to be connected (LAN, SAN, or WFN) to allow the DHCP server on the DMZ to service requests from one or more of the other networks?
Thanks for your help.
I tried entering some firewall rules:
pass UDP 0.0.0.0:68 to 255.255.255.255:67 on the network to be served by pfSense's DHCP Relay
and
pass UDP <dhcp server="">to <network being="" served="" by="" pfsense's="" dhcp="" relay=""> (all ports)This did not help. So, I need more info on the DHCP transaction OR there is a bug in pfSense.
On the bug issue, I doubt that it hasn't been discovered by others (I had the same trouble when using pfSense ver 1.2.3). But, I am using the i386, that is the 32-bit version rather than the 64-bit version. Perhaps my problem is unique to the 32-bit version?
Has anyone successfully used the pfSense DHCP Relay on the 32-bit version?</network></dhcp>
-
I don't have experience with DHCP relay on pfSense. Here's how I would attempt to address the problem. I assume you have DHCP relay correctly configured.
I would start with a system on LAN requesting DHCP. Does the firewall log these requests blocked? (See Status -> System Logs and click on _Firewal_l tab). Does the DHCP server on the DMZ network log any requests? Does the firewall log as blocked any responses from the DHCP server?
The DHCP conversation is a little unusual because it begins with a request from 0.0.0.0 to 255.255.255.255 and a reply from the server's IP address. The firewall probably doesn't see the DHCP reply as a reply to an already established conversation so you will probably need a firewall rule to allow that reply.
You might need to engage in some cunning to configure your DHCP server to allocate IP addresses from different subnets to the requests relayed from different pfSense interfaces.
-
I modified my initial question slightly. Does anyone have experience using DHCP Relay using the 32-bit version of pfSense?
-
I modified my initial question slightly. Does anyone have experience using DHCP Relay using the 32-bit version of pfSense?
Yes. Extensively. And 64 bit. It works. Not really much you can do wrong, the rules to permit traffic to it are automatically added, just a matter of putting the correct IP in and having your DHCP server configured appropriately. Time for packet captures, and possibly a bit of dhcrelay hacking to increase its verbosity if that isn't helpful.
-
Thank you for your reply. I am using the 32-bit version, but it should work on either version. You mention rules that are automatically added: Would you please tell me the rule set for the interface being served by dhcp relay and the ruleset needed by the interface where the actual dhcp server is located. My system doesn't seem to be generating any rules for me.
Thanks.