Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DHCP Relay over IPSEC?

    IPsec
    1
    1
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Slyboots
      last edited by

      So rather stumped trying to get DHCP relay to work over a IPSec Tunnel.

      We are running Microsoft DHCP servers that use various scopes to deal with many of our branch offices, and right now we are expanding a new office and trialing PFsense as the router.

      To give a rough idea, the current setup we are trying is this:

      "Branch Office" -> PFsense 2.1.3-Release (Running IPSec Tunnel) -> Internet -> Pfsense 2.1.2-Release (Running IPSec tunnel -> "Main Office" -> MS DHCP server

      From our testing, we have found that the IPSEC Tunnel is up, and functional.  Devices on both sides of the tunnel can see each other and some services work (We can ping devices on both sides, serve pages over HTTP, DNS forwarding works (we run DNSservers on the main office side)

      The next step is to get DHCP forwarding working,  I've enabled "DHCP Relay" on the LAN interface of the remote PFsense box and set the destination server as the MS DHCP box.  But it doesnt appear to work.
      I've setup packet captures on both pfsense boxes, but the only DHCP traffic I can see is on the LAN interface of the remote pfsense box, it never seems to move beyond that.

      I've tired the following guide: https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN?  But that seems to be more related to if you are running the DHCP server on the pfsense box itself (Which Im not doing in this case)  But we've tried it anyway and it doesnt seem to have made any difference.

      However, just to ensure that Im not doing something silly,  in order to achieve the "fix" above I've added the following gateway/route to the "Main Office" pfsense box only

      Gateway
      Interface : LAN
      GatewayIP : Pfsense LAN IP address (e.g. 192.168.1.254)
      Monitor IP : blank

      Route
      Destination Network: Remote Pfsense LAN Subnet (e.g. 192.168.2.0 /32)
      Gateway: PFsense LAN IP address (e.g. 192.168.1.254)

      Anyone any idea?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.