DHCP issues after VPN setup



  • I have quite a noobish question.  I inherited 4 networks that were already set up.  Each is at a different physical location with a pfSense device acting as the firewall and DHCP server.  The problem is I also have to administer the systems at each site.  Instead of having 4 sets of server hardware I would like to set up 1 domain and use IPsec to connect each site.

    They do not have overlapping subnets and I was able to establish a tunnel between Site A and B with no issue.  I set a firewall rule that allowed all traffic between the sites.  I think this was my issue.

    For a minute or two everything was working fine, then I lost connectivity at Site A.  The strange thing was I could still access Site B from Site A but not the internet etc.  I quickly disabled IPsec and everything came back up.  I believe the issue came from the pfSense boxes at each site hosting DHCP.  I would like to keep that functionality for redundancy and for limiting traffic between the sites.  Has anyone done this?  I was thinking of using a firewall rule to block UDP ports 67 and 68 but haven't had a chance to test that yet.  Has this method worked for anyone else?

    Any tips would be appreciated as I am a networking novice.  Thanks!


  • LAYER 8 Global Moderator

    How would DHCP go across your tunnel?  DHCP would be limited to the layer 2 it's on, unless you're doing a DHCP relay.

    Please draw up how you have these sites connected..



  • That is where I am confused.  Basically each site currently is switch --- pfSense --- modem --- ISP.  The pfSense box runs a DHCP server and firewall.

    I connected 2 via an IPsec tunnel following a walkthrough and a couple of tutorials.

    Site A                                                                       Site B
    client --- switch --- pfSense --- modem --- IPsec tunnel across internet --- modem --- pfSense --- switch --- client

    Once the tunnel established, everything at Site A lost internet connectivity.  I couldn't even ping the gateway, which was the pfSense box.  I could however access Site B's gateway, which was the pfSense box.  As soon as I disabled the tunnel, new addresses at Site A repopulated and everything was working again.  Maybe I am wrong and it wasn't a DHCP issue, but that's what it looked like to me.  I did add a rule to allow all traffic across the tunnel like the walkthrough I used stated.

    I hope this is what you were looking for.  Again, I am a networking novice so I appreciate any help you can offer.


  • LAYER 8 Global Moderator

    So what is the network you have at each site?  What did you put in for your route to the remote side?  You didn't put in 0.0.0.0/0 did you?

    Where is this walkthrough?  There is some really bad info on the net on how to set up pfSense in different ways, some of it just plain WRONG… And others are dated as all hell...  There have been lots of changes in how pfSense does stuff from version, say, 2.0 and 2.1 to the current 2.2.6.

    What version of pfSense are these sites running?  Since you say you took it over, is it current or is it like version 1.2.3?

    This is the guide you should be looking at..  But it's routing all traffic to Site B, which is probably not what you want..
    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

    did you read through this?
    https://doc.pfsense.org/index.php/VPN_Capability_IPsec#Configuring_the_VPN_Tunnel



  • Site A is 192.168.1.0/24.  Site B is 192.168.3.0/24.  pfSense Version 2.2.5.

    Ok I think I am finally getting things and am feeling pretty stupid here. :)

    I used that guide you linked and http://meandmymac.net/2014/08/pfsense-ipsec-site-to-site-with-dns-resolving/.  I didn't set up anything but the IPsec tunnel.  Apparently while trying to wrap my head around this stuff I did use 0.0.0.0/0.  That would explain why Site A was no longer accessible and I could access Site B assets.  I am feeling pretty foolish here.

    I am assuming if I removed the 0.0.0.0/0 and changed the remote network to 192.168.3.0/24 in phase 2 on Site A, and set up Site B the same way but using 192.168.1.0/24, things would then work properly?  Would the rules still be needed in the guide I linked, or should I just not trust that?

    I appreciate all your assistance with this.  Unfortunately this is one of the first things I need to get going before countless other projects and I was hoping for a simple set it and not touch it again until I have time to learn it solution.  Rushing it definitely bit me in the rear.


  • LAYER 8 Global Moderator

    Well 0.0.0.0/0 would route everything through the tunnel ;)

    Yes setting the remote networks to what they are and you should be good to go.
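
The thread's root cause is a phase 2 traffic selector of 0.0.0.0/0 on the Site A side, which matches every packet leaving 192.168.1.0/24, internet-bound traffic included. The following is an added example, not code from the thread or from the pfSense project: it models phase 2 selector matching with Python's standard `ipaddress` module and lints a pair of site-to-site entries for the mistakes discussed above (a catch-all remote network, a local network that overlaps the remote one, and entries that are not mirror images of each other). The subnets are the ones posted in the thread; the packet addresses and the `Phase2`/`lint`/`selector_match` names are assumptions for illustration. It is a simplified model of selector matching, not a reproduction of pfSense's exact policy handling.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Catch-all selector: "send everything to the remote side".
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 entry as seen from one site (hypothetical model)."""
    site: str
    local: IPv4Network    # "Local Network" in the phase 2 entry
    remote: IPv4Network   # "Remote Network" in the phase 2 entry


def phase2(site: str, local: str, remote: str) -> Phase2:
    return Phase2(site, ip_network(local), ip_network(remote))


def lint(a: Phase2, b: Phase2) -> list:
    """Return the list of problems found in a pair of site-to-site phase 2 entries."""
    problems = []
    for p in (a, b):
        if p.remote == ANY:
            problems.append(
                f"{p.site}: remote network 0.0.0.0/0 routes all traffic, "
                f"internet included, into the tunnel")
        if p.local.overlaps(p.remote):
            problems.append(
                f"{p.site}: local {p.local} overlaps remote {p.remote}")
    # Each side's remote network must be the other side's local network.
    if a.remote != b.local or b.remote != a.local:
        problems.append(
            f"{a.site}/{b.site}: phase 2 entries are not mirror images of each other")
    return problems


def selector_match(p: Phase2, src: str, dst: str) -> bool:
    """True if a packet src -> dst falls inside this phase 2 traffic selector."""
    return ip_address(src) in p.local and ip_address(dst) in p.remote


# Constructed configs: the broken Site A entry from the thread, and the fix.
SITE_A_BROKEN = phase2("Site A", "192.168.1.0/24", "0.0.0.0/0")
SITE_A_FIXED = phase2("Site A", "192.168.1.0/24", "192.168.3.0/24")
SITE_B = phase2("Site B", "192.168.3.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    for label, a in (("broken", SITE_A_BROKEN), ("fixed", SITE_A_FIXED)):
        print(f"[{label}] lint: {lint(a, SITE_B) or 'no problems'}")
        # Hypothetical packets: a Site A client going to the internet and to Site B.
        for dst in ("8.8.8.8", "192.168.3.20"):
            print(f"[{label}] 192.168.1.50 -> {dst}: "
                  f"{'tunnel' if selector_match(a, '192.168.1.50', dst) else 'not tunnelled'}")
```

With the broken entry, the internet-bound packet matches the selector and is pulled into the tunnel; with the remote network set to 192.168.3.0/24 only traffic for Site B matches, and the linter reports nothing.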

