Netgate Discussion Forum

    Relay DHCP to server across IPSec VPN tunnel

    Category: DHCP and DNS
    5 Posts 3 Posters 17.0k Views
    ssheikh

      Have an IPSec tunnel established between two pfSense firewalls at two different sites. Trying to get the firewall at one site to relay DHCP requests to the DHCP server at the other site.

      Packet traces show the DHCP request being seen by the firewall but they are not being forwarded through the IPSec tunnel to the other site.

      I know on the Cisco PIX I have to define a tunnel policy between the DHCP server and the outside interface of the relaying PIX. Do I have to do something similar here? If so, what is the correct config for it?

      Thanks,

      Shahid

      cmb

        I haven't tried it, but I think with a static route for the VPN subnet it will work. See http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

        ssheikh

          I have verified that DNS relay to a server on the other side of the VPN starts working after setting up static route discussed in that article. But DHCP relay still doesn't work. Packet captures show no DHCP relay packets reaching the other side or hitting the DHCP server.

          ssheikh

            Ok, I got it to work. I didn't read the article mentioned above carefully enough.

            From the article:

            … You can fake it out by adding a bogus static route to the remote end of the tunnel...

            In my scenario "the remote end" is really the firewall with the DHCP server behind it (i.e. the main site firewall.)

            So I added a static route on the main site pfSense and machines in the remote site started picking up IPs right away. The static route says:

            Interface: LAN | Network: <LAN IP of far pfSense>/32 | Gateway: LAN IP of this pfSense | Desc: Dummy static route to fix DHCP Relay

            What clued me in that I was creating the static route on the wrong firewall was these messages in the main site firewall:

            ```
            Jan 5 22:49:50 last message repeated 2 times
            Jan 5 22:49:50 dhcrelay: packet to bogus giaddr <LAN IP of far pfSense>.
            ```
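            A small model of why the dummy route matters, added here as an illustration and not code from the thread or from pfSense: it assumes (as the linked article describes) that the kernel picks the source address of a firewall-originated packet from the interface its longest-matching route leaves by, and that IPsec only encrypts a packet whose source and destination fall inside a phase 2 selector pair. All addresses are constructed.

```python
import ipaddress

# Constructed addresses for the main-site firewall (not from the thread).
INTERFACES = {"wan": ipaddress.ip_address("203.0.113.10"),
              "lan": ipaddress.ip_address("192.168.1.1")}
# Phase 2 selectors: main-site LAN <-> remote-site LAN (constructed).
PHASE2 = [(ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("192.168.2.0/24"))]
# giaddr stamped on forwarded requests by the remote relay: its LAN IP.
REMOTE_FW_LAN_IP = ipaddress.ip_address("192.168.2.1")

BASE_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "wan"),
               (ipaddress.ip_network("192.168.1.0/24"), "lan")]
# The "bogus" /32 route out the LAN interface from the post above.
FIXED_ROUTES = BASE_ROUTES + [(ipaddress.ip_network("192.168.2.1/32"), "lan")]

def pick_route(routes, dst):
    """Longest-prefix match over (network, interface) pairs."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def source_for(routes, dst):
    """Source address = address of the interface the chosen route leaves by."""
    _net, iface = pick_route(routes, dst)
    return INTERFACES[iface]

def ipsec_matches(src, dst):
    """True if some phase 2 selector pair covers (src, dst)."""
    return any(src in local and dst in remote for local, remote in PHASE2)

def will_be_tunneled(routes, dst):
    """(encrypted?, chosen source) for a packet the firewall itself sends."""
    src = source_for(routes, dst)
    return ipsec_matches(src, dst), str(src)

if __name__ == "__main__":
    # Default route only: WAN IP as source, no selector matches -> plaintext.
    print(will_be_tunneled(BASE_ROUTES, REMOTE_FW_LAN_IP))   # (False, '203.0.113.10')
    # Dummy route present: LAN IP as source, selector matches -> tunneled.
    print(will_be_tunneled(FIXED_ROUTES, REMOTE_FW_LAN_IP))  # (True, '192.168.1.1')
```

            The same check explains the "bogus giaddr" log line: the reply must be able to reach the relay's LAN address through the tunnel, which only happens once the source address lands inside the phase 2 selector.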
            pingelmonster

              I am trying to setup DHCP-relay over IPSec.
              A simple sketch of my situation can be found here

              I have configured two subnets on the main-pfsense (PfSense1), one for LAN (172.16.2.0/24) and one for DMZ (172.16.1.0/24).
              PfSense1 and PfSense2 are linked together with an IPSec-tunnel over internet which is working properly. Clients from PfSense2 can connect to clients/servers in LAN/DMZ of PfSense1 and vice versa.

              My DHCP-server runs on DMZ and relays requests to clients in LAN (PfSense1).
              Now I want my DHCP-server to relay requests over the IPSec-tunnel to clients of PfSense2.

              My questions:
              1. I am not sure how to config a static route from PfSense1 to PfSense2 while running two different subnets. Which of the subnets have to be configured in the static route?
              2. My DHCP-server runs in DMZ but the TS wants me to configure the LAN-interface in the static route…which of the interfaces do I have to use?
              3. Do I have to use the DHCP-relay option under "Services->DHCP relay" and if so, on which PfSense-box do I have to configure this?

              At this moment I have configured the following static route (which isn't working) on PfSense1:
              Interface: DMZ
              Network: 172.16.3.100/32 (ip of remote PfSense2)
              Gateway: 172.16.1.100 (ip of PfSense1)

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.