Hardware: Protectli VP6650 running OPNsense 26.1.2_5 (FreeBSD 14, amd64)
Network topology:
VP6650 SFP+1 (ixl0) connected via fiber (TP-Link SM5110-SR transceivers, LC-LC OM3 cable) to UniFi USW-Aggregation core switch SFP+1
Core switch SFP+2 connected via DAC to UniFi USW-Pro-Max-24-PoE access switch SFP+1
ixl0 is configured as SwitchTrunk in OPNsense with static IP 192.168.200.2/24
igc1 is LAN interface, 192.168.76.1/24
igc2 is MGMT2 interface, 192.168.200.1/24
The problem:
Both UniFi switches are sending DHCP broadcasts on ixl0 (confirmed via tcpdump — we can see BOOTP/DHCP Request from their MAC addresses). DHCRelay is configured and running:
/usr/local/sbin/dhcrelay -d -i ixl0 192.168.76.1
sockstat shows:
_dhcp dhcrelay udp4 192.168.200.2:67 → 192.168.76.1:67
Kea is bound and listening on 192.168.76.1:67 on igc1 and has a working DHCP pool for 192.168.76.0/24.
The symptom:
tcpdump on ixl0 shows the DHCP broadcast packets arriving. However tcpdump on igc1 filtering port 67/68 shows nothing — DHCRelay is not forwarding the packets to Kea on igc1.
What we have tried:
Adding ixl0 directly to Kea listening interfaces — Kea reports "no usable IPv4 addresses" when ixl0 has no IP, and when we assign an IP on the same subnet (192.168.76.x) it conflicts with igc1
DHCRelay with ixl0 having 192.168.76.254 — DHCRelay started but sockstat showed it as a connected socket and it didn't forward broadcasts
DHCRelay with ixl0 having 192.168.200.2 (different subnet from destination 192.168.76.1) — DHCRelay starts, is running, but still does not forward packets to igc1
Switching Kea socket type between raw and udp — no change in behavior
Removing competing Kea bindings on the same subnet
Key observation:
tcpdump -i ixl0 port 67 shows NO traffic even though tcpdump -i ixl0 (without port filter) clearly shows BOOTP/DHCP Request packets. This suggests the DHCP broadcasts may not be arriving on the standard port 67 in a way that DHCRelay can capture them on this interface.
Question:
How do I correctly configure DHCRelay (or an alternative) to forward DHCP requests arriving as broadcasts on a trunk interface (ixl0/SwitchTrunk) with no native VLAN IP to Kea running on a different physical interface?
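Added example, not part of the original post and not code from OPNsense, dhcrelay or Kea. One explanation consistent with the key observation above (an unfiltered tcpdump on ixl0 shows BOOTP/DHCP, but `port 67` shows nothing) is that the frames arrive 802.1Q-tagged on the trunk: a plain `port 67` BPF filter inspects the IPv4 header at offset 14, so a tagged frame never matches, and `tcpdump -e -i ixl0 vlan and port 67` would have to be used instead. Whether the frames are actually tagged is an assumption here, not something the post confirms. The script below builds constructed DHCPDISCOVER-shaped frames (locally administered MACs, VLAN IDs 76 and 200 chosen for illustration, checksums left zero) and parses them the way a capture filter would, so you can see why an untagged-only match misses the tagged ones.

```python
"""
Added example (not from the original post): parse raw Ethernet frames, peel
802.1Q/802.1ad tags, and report whether the inner packet is IPv4/UDP on the
BOOTP/DHCP ports. The sample frames are constructed, not captured.
"""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}


def parse_frame(frame: bytes) -> dict:
    """Summarise one frame: MACs, VLAN tag stack, UDP ports, DHCP flag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlans = []
    # Each VLAN tag is 4 bytes: TCI (PCP/DEI/VID) followed by the inner ethertype.
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)
        offset += 4
    info = {
        "src_mac": src.hex(":"),
        "dst_mac": dst.hex(":"),
        "vlans": vlans,
        "ethertype": ethertype,
        "udp_ports": None,
        "is_dhcp": False,
    }
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != IPPROTO_UDP:
        return info
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    info["udp_ports"] = (sport, dport)
    info["is_dhcp"] = sport in DHCP_PORTS or dport in DHCP_PORTS
    return info


def matches_untagged_port67(frame: bytes) -> bool:
    """Model of a plain tcpdump 'port 67' filter: it assumes the IPv4 header
    starts at offset 14, so any VLAN-tagged frame fails to match."""
    info = parse_frame(frame)
    return not info["vlans"] and info["is_dhcp"]


def build_dhcp_discover(src_mac: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed DHCPDISCOVER-shaped frame (assumed test data, checksums zero):
    broadcast dst MAC, IPv4 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67."""
    payload = b"\x01" + b"\x00" * 239        # op=BOOTREQUEST, rest zeroed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    tci = vlan & 0x0FFF                      # PCP 0, DEI 0
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip


def summarize(frames) -> dict:
    """Compare what an unfiltered capture sees with a naive 'port 67' match."""
    parsed = [parse_frame(f) for f in frames]
    tagged = [i for i in parsed if i["vlans"] and i["is_dhcp"]]
    return {
        "total": len(frames),
        "naive_port67": sum(matches_untagged_port67(f) for f in frames),
        "tagged_dhcp_vlans": sorted({v for i in tagged for v in i["vlans"]}),
    }


# Constructed sample: one untagged request and two tagged ones (assumed VLANs).
SAMPLE_FRAMES = [
    build_dhcp_discover(bytes.fromhex("020000000001"), vlan=None),
    build_dhcp_discover(bytes.fromhex("020000000002"), vlan=200),
    build_dhcp_discover(bytes.fromhex("020000000003"), vlan=76),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        i = parse_frame(f)
        print(f"src={i['src_mac']} vlans={i['vlans']} "
              f"udp={i['udp_ports']} dhcp={i['is_dhcp']}")
    print(summarize(SAMPLE_FRAMES))
```

If the real frames turn out to be tagged, a relay bound to the untagged parent interface will not receive them either; it would have to listen on the matching VLAN sub-interface, which needs an address of its own. If `tcpdump -e -i ixl0 vlan` shows nothing, this hypothesis is wrong and the problem lies elsewhere.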