DHCP Relay over IPSEC?

  • So rather stumped trying to get DHCP relay to work over an IPSec Tunnel.

    We are running Microsoft DHCP servers that use various scopes to deal with many of our branch offices, and right now we are expanding a new office and trialing PFsense as the router.

    To give a rough idea, the current setup we are trying is this:

    "Branch Office" -> PFsense 2.1.3-Release (Running IPSec Tunnel) -> Internet -> Pfsense 2.1.2-Release (Running IPSec tunnel) -> "Main Office" -> MS DHCP server

    From our testing, we have found that the IPSEC Tunnel is up and functional. Devices on both sides of the tunnel can see each other and some services work (we can ping devices on both sides, serve pages over HTTP, and DNS forwarding works (we run DNS servers on the main office side)).

    The next step is to get DHCP forwarding working. I've enabled "DHCP Relay" on the LAN interface of the remote PFsense box and set the destination server as the MS DHCP box. But it doesn't appear to work.
    I've setup packet captures on both pfsense boxes, but the only DHCP traffic I can see is on the LAN interface of the remote pfsense box, it never seems to move beyond that.

    I've tried the following guide: https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN? But that seems to be more related to if you are running the DHCP server on the pfsense box itself (which I'm not doing in this case). We've tried it anyway and it doesn't seem to have made any difference.

    However, just to ensure that I'm not doing something silly, in order to achieve the "fix" above I've added the following gateway/route to the "Main Office" pfsense box only:

    Interface : LAN
    GatewayIP : Pfsense LAN IP address (e.g.
    Monitor IP : blank

    Destination Network: Remote Pfsense LAN Subnet (e.g. /32)
    Gateway: PFsense LAN IP address (e.g.

    Anyone have any idea?

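When a relayed DHCP request does make it across the tunnel, the thing to check in the main-office capture is the BOOTP `giaddr` field: the relay agent writes its own LAN address there, and a DHCP server (Microsoft's included) uses it to pick the branch scope. A request that arrives with `giaddr` still 0.0.0.0, or with a `giaddr` no scope covers, will simply be ignored even though the tunnel is up. The script below is an added example, not anything from the original post or from pfSense; it builds a constructed DHCPDISCOVER with a hypothetical relay address (192.0.2.1, a documentation range), decodes the fixed header per RFC 2131, and shows which scope such a request would be matched to.

```python
"""Decode the fixed BOOTP/DHCP header (RFC 2131) of a captured message and
report the relay-agent gateway address (giaddr), which a DHCP server uses to
choose the scope for a relayed request.

Added example for troubleshooting DHCP relay; not part of the forum post or
of pfSense. All addresses and MACs below are constructed sample values."""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field


def build_sample_discover(giaddr="192.0.2.1"):
    """Construct a DHCPDISCOVER as a relay agent would forward it
    (hops=1, giaddr set to the relay's LAN address, hypothetical values)."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=1, xid, secs=0, flags=broadcast
    msg = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)
    msg += bytes(4) * 3                                    # ciaddr, yiaddr, siaddr = 0.0.0.0
    msg += ipaddress.IPv4Address(giaddr).packed            # giaddr = relay LAN IP
    msg += bytes.fromhex("001122334455") + bytes(10)       # chaddr: 6-byte MAC padded to 16
    msg += bytes(64) + bytes(128)                          # sname and file, unused here
    msg += DHCP_MAGIC_COOKIE + bytes([53, 1, 1, 255])      # option 53 = DHCPDISCOVER, end
    return msg


def parse_dhcp_header(pkt):
    """Return the fixed-header fields of a DHCP message as a dict."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(pkt[off:off + 4])) for off in (12, 16, 20, 24)
    )
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "chaddr": pkt[28:28 + hlen].hex(":"),
    }


def select_scope(giaddr, scopes):
    """Mimic relay-aware scope selection: the scope whose network contains
    giaddr. A zero giaddr means the request was not relayed (or the relay
    never rewrote it), so no branch scope can match."""
    if giaddr == "0.0.0.0":
        return None
    addr = ipaddress.IPv4Address(giaddr)
    for name, net in scopes.items():
        if addr in ipaddress.IPv4Network(net):
            return name
    return None


if __name__ == "__main__":
    # Constructed scopes: hypothetical branch and main-office subnets.
    scopes = {"branch-office": "192.0.2.0/24", "main-office": "198.51.100.0/24"}
    hdr = parse_dhcp_header(build_sample_discover())
    print("giaddr =", hdr["giaddr"], "hops =", hdr["hops"], "chaddr =", hdr["chaddr"])
    print("scope =", select_scope(hdr["giaddr"], scopes))
```

In practice the bytes come from the UDP payload of a port 67 packet captured on the main-office pfSense LAN (or the IPsec interface); if no such packet appears there at all, the capture on the branch side already shows the relay never forwarded the request, which is where the original poster is stuck.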