Bug #16131
DHCP Relay not working when CARP Status VIP is other than None
Description
Hello,
I have an IPSec tunnel between a PFSense and another firewall. Behind the other firewall, there's a PXE server that handles DHCP and everything related.
I want to relay DHCP requests from behind the PFSense to the PXE server, 10.10.10.5. The thing is, if I select a CARP Status VIP in the DHCP Relay menu, the packets get forwarded to the PXE server, the PXE server issues a reply, the reply ends up in PFSense but doesn't go out to the LAN interface (behavior observed by running tcpdump -ni enc0 port 67 or port 68 -e -vv and tcpdump -ni vtnet1 port 67 or port 68 -e -vv).
When CARP Status VIP is set to None, everything works as expected.
P.S. using Kea as the DHCP server (don't know if the relay is also using Kea, but I guess so). Changed from the old isc-dhcp since that one wasn't working either :D
Thank you!
Updated by Kris Phillips 10 days ago
I'm going to guess this is due to IPSec, as DHCP Relay is unpredictable with IPSec (especially tunnel mode).
Are you running a VTI or tunnel mode between these two firewalls?
Updated by Silviu Bajenaru 6 days ago
Kris Phillips wrote in #note-1:
> I'm going to guess this is due to IPSec, as DHCP Relay is unpredictable with IPSec (especially tunnel mode).
> Are you running a VTI or tunnel mode between these two firewalls?
I'm running in tunnel mode (default, policy-based one).
I don't get why a CARP IP would mess this up.
Thank you!
Updated by Kris Phillips 3 days ago
Silviu Bajenaru wrote in #note-2:
> Kris Phillips wrote in #note-1:
>> I'm going to guess this is due to IPSec, as DHCP Relay is unpredictable with IPSec (especially tunnel mode).
>> Are you running a VTI or tunnel mode between these two firewalls?
> I'm running in tunnel mode (default, policy-based one).
> I don't get why a CARP IP would mess this up.
> Thank you!
What are you using for a downstream interface if you're using tunnel mode? Relaying DHCP across any kind of IPSec tunnel is unsupported in pfSense and can have unpredictable results.