Relay DHCP to server across IPSec VPN tunnel

  • I have an IPsec tunnel established between two pfSense firewalls at two different sites. I am trying to get the firewall at one site to relay DHCP requests to the DHCP server at the other site.

    Packet traces show the DHCP request being seen by the firewall but they are not being forwarded through the IPSec tunnel to the other site.

    I know on the Cisco PIX I have to define a tunnel policy between the DHCP server and the outside interface of the relaying PIX. Do I have to do something similar here? If so, what is the correct config for it?

    Thanks,

    Shahid

  • I have verified that DNS relay to a server on the other side of the VPN starts working after setting up the static route discussed in that article. But DHCP relay still doesn't work. Packet captures show no DHCP relay packets reaching the other side or hitting the DHCP server.

  • Ok, I got it to work. I didn't read the article mentioned above carefully enough.

    From the article:

    … You can fake it out by adding a bogus static route to the remote end of the tunnel…

    In my scenario "the remote end" is really the firewall with the DHCP server behind it (i.e. the main site firewall.)

    So I added a static route on the main site pfSense and machines in the remote site started picking up IPs right away. The static route says:

    Interface: LAN | Network: <LAN IP of far pfSense>/32 | Gateway: LAN IP of this pfSense | Desc: Dummy static route to fix DHCP Relay

    What clued me in that I was creating the static route on the wrong firewall was these messages in the main site firewall:

    Jan 5 22:49:50 last message repeated 2 times
    Jan 5 22:49:50 dhcrelay: packet to bogus giaddr <LAN IP of far pfSense>.
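The fix in the post above hinges on the DHCP giaddr field: the relaying firewall stamps its own interface address into giaddr, the server unicasts its reply to that address, and the relay on the server side only forwards a reply whose giaddr it can reach. The following is an added example written for this page, not code from the thread or from pfSense's dhcrelay. It models a BOOTP/DHCP relay per RFC 2131 and RFC 1542, and it models the relay's reply check as a route lookup for giaddr (an assumption; the thread only shows the resulting log line). All addresses are constructed RFC 5737 documentation values, not the poster's networks.

```python
"""
Added example (not from the forum thread or pfSense): a small model of a
BOOTP/DHCP relay agent showing what giaddr does and why the site holding the
DHCP server needs a route back to the relaying firewall's giaddr (the /32
"dummy" static route described in the post).
"""
import ipaddress
import re
import struct
from dataclasses import dataclass, replace
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"          # DHCP option-field cookie (RFC 2132)
# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr
# siaddr giaddr chaddr(16) sname(64) file(128), all big-endian; 236 bytes.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)


@dataclass(frozen=True)
class Dhcp:
    op: int
    hops: int
    xid: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: bytes
    options: bytes


def encode(p: Dhcp) -> bytes:
    a = ipaddress.IPv4Address
    hdr = struct.pack(HDR, p.op, 1, 6, p.hops, p.xid, 0, 0,
                      a(p.ciaddr).packed, a(p.yiaddr).packed,
                      a(p.siaddr).packed, a(p.giaddr).packed,
                      p.chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + p.options


def decode(data: bytes) -> Dhcp:
    if len(data) < HDR_LEN + 4 or data[HDR_LEN:HDR_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, hlen, hops, xid, _, _, ci, yi, si, gi, ch, _, _ = struct.unpack(HDR, data[:HDR_LEN])
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return Dhcp(op, hops, xid, ip(ci), ip(yi), ip(si), ip(gi), ch[:hlen], data[HDR_LEN + 4:])


def relay_request(data: bytes, relay_if_ip: str, max_hops: int = 4) -> Optional[bytes]:
    """Client -> server direction (RFC 1542 s4.1.1): put our interface address
    in giaddr if no relay has done so yet, bump hops, drop loops. The server
    will unicast its reply to giaddr:67, so giaddr must be routable from there."""
    p = decode(data)
    if p.op != BOOTREQUEST or p.hops >= max_hops:
        return None
    giaddr = relay_if_ip if p.giaddr == "0.0.0.0" else p.giaddr
    return encode(replace(p, hops=p.hops + 1, giaddr=giaddr))


def egress_for(routes: list, dst: str) -> Optional[str]:
    """Longest-prefix match over (network, interface) pairs; None if unroutable."""
    best = None
    for net, iface in routes:
        n = ipaddress.IPv4Network(net)
        if ipaddress.IPv4Address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface)
    return best[1] if best else None


def relay_reply(data: bytes, routes: list) -> tuple:
    """Server -> client direction. Modelled check (assumption, see lead-in):
    forward only if giaddr is reachable via a known interface; otherwise log
    the way the post's dhcrelay message reads and drop."""
    p = decode(data)
    if p.op != BOOTREPLY:
        return ("drop", "not a BOOTREPLY")
    iface = egress_for(routes, p.giaddr)
    if iface is None:
        return ("drop", f"dhcrelay: packet to bogus giaddr {p.giaddr}.")
    return ("forward", f"{iface} -> {p.giaddr}:67")


def bogus_giaddr_in_log(line: str) -> Optional[str]:
    """Pull the offending giaddr out of a dhcrelay log line (None if absent)."""
    m = re.search(r"packet to bogus giaddr (\d+\.\d+\.\d+\.\d+)", line)
    return m.group(1) if m else None


# Constructed scenario: far pfSense LAN 192.0.2.1 relays a DISCOVER over the
# tunnel; main-site pfSense knows only its LAN and DMZ until the /32 is added.
FAR_PFSENSE_LAN = "192.0.2.1"
MAIN_ROUTES = [("198.51.100.0/24", "LAN"), ("203.0.113.0/24", "DMZ")]
DUMMY_ROUTE = ("192.0.2.1/32", "LAN")   # the post's "dummy static route"


def demo() -> dict:
    discover = encode(Dhcp(BOOTREQUEST, 0, 0x3903F326, "0.0.0.0", "0.0.0.0",
                           "0.0.0.0", "0.0.0.0", bytes.fromhex("001122334455"),
                           b"\x35\x01\x01\xff"))          # opt 53 = DISCOVER, end
    req = decode(relay_request(discover, FAR_PFSENSE_LAN))
    offer = encode(replace(req, op=BOOTREPLY, yiaddr="192.0.2.50",
                           siaddr="203.0.113.10", options=b"\x35\x01\x02\xff"))
    return {"giaddr": req.giaddr, "hops": req.hops,
            "before": relay_reply(offer, MAIN_ROUTES),
            "after": relay_reply(offer, MAIN_ROUTES + [DUMMY_ROUTE])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` reproduces the thread's symptom and fix: without the /32 route the reply is dropped with the same "packet to bogus giaddr" wording, and with the route pointing at the LAN interface the OFFER is forwarded to the far firewall's LAN address on port 67. `bogus_giaddr_in_log` is the practical check: whichever address it returns is the one that needs a route on the firewall that logged it.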


  • I am trying to set up DHCP relay over IPsec.
    A simple sketch of my situation can be found here

    I have configured two subnets on the main-pfsense (PfSense1), one for LAN (172.16.2.0/24) and one for DMZ (172.16.1.0/24).
    PfSense1 and PfSense2 are linked together with an IPsec tunnel over the internet, which is working properly. Clients from PfSense2 can connect to clients/servers in LAN/DMZ of PfSense1 and vice versa.

    My DHCP-server runs on DMZ and relays requests to clients in LAN (PfSense1).
    Now I want my DHCP-server to relay requests over the IPSec-tunnel to clients of PfSense2.

    My questions:
    1. I am not sure how to configure a static route from PfSense1 to PfSense2 while running two different subnets. Which of the subnets has to be configured in the static route?
    2. My DHCP server runs in the DMZ, but the TS wants me to configure the LAN interface in the static route… which of the interfaces do I have to use?
    3. Do I have to use the DHCP-relay option under "Services->DHCP relay" and if so, on which PfSense-box do I have to configure this?

    At this moment I have configured the following static route (which isn't working) on PfSense1:
    Interface: DMZ
    Network: 172.16.3.100/32 (IP of remote PfSense2)
    Gateway: 172.16.1.100 (IP of PfSense1)

