Topic: DHCP Relay over IPSec VPN...  (Read 5680 times)
« on: September 03, 2009, 00:18:23 »
joespower *
Posts: 11

Hey all,

I've seen this question about dhcp relay come up before, but there hasn't ever been a clear yes or no answer.  Can this be done?

I have a remote office that I'm supporting which will only have a few client machines, and all services/applications will be routed back to the HQ.  The HQ has 2 Linux DHCP servers setup as failover peers, and they issue out dynamic IPs to all of our sites from a central location.  We have a 6 meg DSL business class pipe at the remote office, and we've established an IPSec VPN back to the HQ which is working beautifully.  The only exception is DHCP relay.  If I turn it on and point it to one of the servers at the HQ, I can't get the DHCP requests to go over the VPN connection.

I've seen the post about setting up the bogus static route, and I've tried that, but so far nothing has worked...

I know I can just run DHCP at the remote office from the m0n0wall, but I'd like to be consistent with the rest of my sites, and I'm trying to find a less costly alternative to the Cisco routers we have at the other sites.  With those, you can use the ip-helper command to route DHCP requests.  Plus, we are changing out hardware at the HQ pretty often right now, and I'd like to only have to make the DHCP changes that reflect this in one place rather than several.

Surely there has got to be a way to do it!!!
« Reply #1 on: September 16, 2009, 17:34:26 »
joespower *
Posts: 11

Wow, approaching 200 views and no replies.  Seriously?  This doesn't seem like it would be hard to accomplish.  Can someone just explain to me why it's so hard?
« Reply #2 on: September 17, 2009, 10:15:00 »
markb ****
Posts: 331

Not sure if it's related, but I had problems with DHCP relay when I had DHCP enabled on another interface.  I had to relay all DHCP for all subnets; I couldn't do it for just one.
« Reply #3 on: September 17, 2009, 14:26:14 »
p0rkjello *
Posts: 12

Someone posted the same issue over on the pfSense board. As you mentioned, a static route was the fix. You might want to look into that again.

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

http://doc.m0n0.ch/handbook/faq-snmpovervpn.html



~~~~~~ snip ~~~~~~

Ok, I got it to work. I didn't read the article mentioned above carefully enough.


From the article:
Quote
... You can fake it out by adding a bogus static route :to the remote end of the tunnel...
In my scenario "the remote end" is really the firewall with the DHCP server behind it (i.e. the main site firewall.)

So I added a static route on the main site pfSense and machines in the remote site started picking up IPs right away. The static route says:

Code:
Interface: LAN | Network: <LAN IP of far pfSense>/32 | Gateway: LAN IP of this pfSense | Desc: Dummy static route to fix DHCP Relay

What clued me in that I was creating the static route on the wrong firewall was these messages in the main site firewall:

Code:
Jan 5 22:49:50 last message repeated 2 times
Jan 5 22:49:50 dhcrelay: packet to bogus giaddr <LAN IP of far pfSense>.
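The dummy static route quoted above works for the reason the linked FAQ pages give: a policy-based IPsec tunnel only encapsulates packets whose source is in the local subnet and whose destination is in the remote one, and traffic the firewall itself originates (the relayed DHCP packet, or the server's reply being forwarded back to giaddr) normally follows the default route and is sourced from the WAN address, so it never matches the policy. A /32 route for the far firewall via the LAN interface makes the firewall pick its LAN address as source, and the policy then matches. The following is an added worked example, not code from this thread, m0n0wall or pfSense. It builds a relayed DHCPDISCOVER, pulls the giaddr field out of it, and runs the firewall's route/source selection before and after the dummy route is added. All addresses (HQ LAN 10.0.0.0/24, firewall LAN 10.0.0.1 and WAN 203.0.113.1, far LAN 10.1.0.0/24, far firewall LAN 10.1.0.1) and the client MAC are constructed for the example.

```python
import ipaddress
import struct

# Constructed addressing for the scenario in the thread (an assumption for the
# example, not taken from the posts): HQ LAN 10.0.0.0/24 behind a firewall with
# LAN 10.0.0.1 / WAN 203.0.113.1, remote LAN 10.1.0.0/24 behind a firewall whose
# LAN address 10.1.0.1 is what the far relay writes into giaddr.
HQ_LAN, HQ_FW_LAN, HQ_FW_WAN = "10.0.0.0/24", "10.0.0.1", "203.0.113.1"
FAR_LAN, FAR_FW_LAN = "10.1.0.0/24", "10.1.0.1"
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_relayed_discover(xid: int, client_mac: bytes, giaddr: str) -> bytes:
    """DHCPDISCOVER as a relay agent forwards it: the fixed 236-byte BOOTP
    header (RFC 2131) with hops=1 and giaddr set to the relay's address."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                                 # BOOTREQUEST, Ethernet, hlen 6, hops 1
        xid, 0, 0x8000,                             # secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,            # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,       # giaddr: the server replies here
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = b"\x35\x01\x01" + b"\xff"             # option 53 = DHCPDISCOVER, then END
    return header + MAGIC_COOKIE + options


def parse_giaddr(packet: bytes) -> str:
    """Return the giaddr field (bytes 24..27) that the server will reply to."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.IPv4Address(packet[24:28]))


class RoutingTable:
    """Longest-prefix-match table; each route records the interface and the
    address the firewall uses as source for traffic it originates itself."""

    def __init__(self):
        self.routes = []

    def add(self, prefix: str, interface: str, source_ip: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), interface, source_ip))

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            raise LookupError(f"no route to {dst}")
        net, iface, src = max(matches, key=lambda r: r[0].prefixlen)
        return iface, src


def ipsec_policy_matches(src: str, dst: str, local_net: str, remote_net: str) -> bool:
    """A policy-based tunnel only encapsulates packets whose source is inside
    the local subnet and whose destination is inside the remote subnet."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net))


def reply_path(table: RoutingTable, packet: bytes):
    """Interface and source the firewall picks for its own packet towards
    giaddr, and whether the IPsec policy will then pick the packet up."""
    giaddr = parse_giaddr(packet)
    iface, src = table.lookup(giaddr)
    return iface, src, ipsec_policy_matches(src, giaddr, HQ_LAN, FAR_LAN)


def demo():
    pkt = build_relayed_discover(0x3903F326, bytes.fromhex("001122334455"), FAR_FW_LAN)
    table = RoutingTable()
    table.add("0.0.0.0/0", "WAN", HQ_FW_WAN)      # default route via the WAN side
    table.add(HQ_LAN, "LAN", HQ_FW_LAN)          # directly connected LAN
    before = reply_path(table, pkt)              # ('WAN', '203.0.113.1', False)
    # The dummy static route from the thread: far firewall /32 via the LAN
    # interface, with this firewall's own LAN IP as the gateway.
    table.add(FAR_FW_LAN + "/32", "LAN", HQ_FW_LAN)
    after = reply_path(table, pkt)               # ('LAN', '10.0.0.1', True)
    return pkt, before, after


if __name__ == "__main__":
    packet, before, after = demo()
    print("giaddr in relayed DISCOVER:", parse_giaddr(packet))
    print("without dummy route:", before)
    print("with dummy route:   ", after)
```

The model deliberately covers only the part that matters here: route selection for packets the firewall originates, and the source/destination check a policy-based SA applies. It does not model dhcrelay's own sanity check on giaddr that produced the "packet to bogus giaddr" line quoted above, and real kernels choose source addresses by slightly different rules, so treat the result as the reason the route helps, not as a substitute for looking at the SPD and a packet capture on the box that runs the relay. As the snipped post notes, the route has to go on whichever firewall is originating traffic towards the other end's LAN address.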
 