pfSense

Currently, DHCP Relay does not work with OpenVPN TAP nor IPsec VTI.

Since the VTI doesn't have a MAC, the interface is not available to dhcrelay to bind to. Selecting just the LAN interface leads to the following being executed:

    if (empty($srvifaces) && empty($srvrelayifs)) {
        log_error(gettext("No suitable upstream interfaces found for running dhcrelay!"));
        return; /* XXX */
    }

One can manually start dhcrelay instead like so:

/usr/local/sbin/dhcrelay -a -i vmx1 172.19.1.4

In this case, 172.19.1.4 is a DHCP Server on the other side of the VTI tunnel. The resulting behavior is as follows (verified by packet captures):

1. DHCP Discover broadcast is received on vmx1.
2. DHCP Discover unicast is sent over IPsec with the VTI IP as source IP (determined by routing table).
3. DHCP Server receives DHCP Discover message and sends an offer (* see note below).
4. DHCP Offer is sent back through VTI tunnel.
5. At this point, it seems as if dhcrelay ignores the response - possibly because it's not listening on the VTI.

Though it's questionable if this can be made to work over IPsec VTI, this worked previously with OpenVPN TAP.

NOTE: The DHCP Server will not respond with a DHCP Offer unless the configuration is manually modified. There was a pull request to add this functionality to the GUI here: https://github.com/pfsense/pfsense/pull/1406