OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: godfather007 on February 08, 2019, 12:13:38 pm

Title: dhcp relay on WAN
Post by: godfather007 on February 08, 2019, 12:13:38 pm
We have a problem with DHCP relay over our WAN interface of a branch office in our network.

Our setup is 2 OPNsense firewalls/routers on 2 sites, and site 1 is the upstream router for site 2. The internet breakout is on site 1. Between site 1 and site 2 is the 172.16.253.0/30 subnet and no NAT.

 INTERNET <--> OPNsense1 <--> OPNsense2

On both sites we have a DHCP server, but we would like to turn off the DHCP server on site 2 and relay DHCP requests to the DHCP server on site 1. This is not possible because the DHCP server is behind the WAN interface of OPNsense2...

WHY??
Title: Re: dhcp relay on WAN
Post by: godfather007 on February 19, 2019, 09:39:26 am
After some wiresharking, digging and searching we found the problem.

If you enable the DHCP Relay service on a (client) interface, the DHCP Relay service also starts on the interface behind which it will find the DHCP server. But in order to do that, the firewall needs to know beforehand where it can find the DHCP server.

OPNsense forwards DHCP Discover packets with the IP address of the outgoing interface as source IP.
If OPNsense does not also start the DHCP Relay service on its outgoing interface, it will forward DHCP Discover packets to the configured server. The DHCP server will respond with a DHCP Offer for the (client) network from which the packet originally came. But OPNsense will not process the DHCP Offer on its outside interface and relay it back to the original (client) network.

The problem was fixed with a static route to the DHCP server over the WAN interface. Now OPNsense starts the DHCP Relay service on the interface for which you would like to enable DHCP Relaying AND on the outside interface, to process DHCP Offers.
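The behaviour diagnosed above, modelled as an added example (not code from the thread or from OPNsense): the relay stamps `giaddr` with the client-facing interface address on the way out, and the Offer coming back on the WAN side is only handled if the relay is bound on that interface too. The addresses, interface names and DHCP server IP are assumptions for illustration.

```python
import ipaddress
import struct

# Constructed model of OPNsense2 from the thread: a LAN (client) interface and a WAN
# towards site 1, where the DHCP server lives. All addresses are assumed.
IFACES = {"lan": ipaddress.ip_interface("192.168.2.1/24"),
          "wan": ipaddress.ip_interface("172.16.253.2/30")}
DHCP_SERVER = ipaddress.ip_address("10.0.1.10")  # assumed server address at site 1
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"

def build(op, xid, chaddr, msgtype, giaddr=None):
    """Pack a minimal DHCP message: fixed header, magic cookie, message-type option, END."""
    zero = b"\0\0\0\0"
    gi = giaddr.packed if giaddr else zero
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, gi,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msgtype]) + b"\xff"

def parse(pkt):
    """Unpack the fields the relay decision depends on."""
    f = struct.unpack_from(HDR, pkt)
    return {"op": f[0], "xid": f[4], "giaddr": ipaddress.ip_address(f[10])}

def relay_request(pkt, ingress):
    """Client -> server: set giaddr to the address of the interface the request arrived on
    (if still zero) so the server offers a lease from that network; return (pkt, server)."""
    hdr = parse(pkt)
    if hdr["op"] != BOOTREQUEST:
        return None
    if int(hdr["giaddr"]) == 0:
        pkt = pkt[:24] + IFACES[ingress].ip.packed + pkt[28:]  # giaddr sits at offset 24
    return pkt, DHCP_SERVER

def relay_reply(pkt, ingress, listening):
    """Server -> client: the Offer arrives on the server-facing interface. If the relay is not
    bound there it is never seen; otherwise giaddr picks the client network to return it to."""
    if ingress not in listening:
        return None  # the failure from the thread: Offer lands on WAN, relay not listening
    hdr = parse(pkt)
    if hdr["op"] != BOOTREPLY:
        return None
    for name, iface in IFACES.items():
        if hdr["giaddr"] == iface.ip:
            return name
    return None
```

With the relay bound only on `lan`, `relay_reply(offer, "wan", {"lan"})` drops the Offer; binding on both interfaces returns `"lan"` as the network to relay it back to.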