CARP + BSD dhcrelay causes duplicate ACKs – Suggest replacing with ISC dhcrelay

Started by Rookie24, July 25, 2025, 02:00:49 PM

Hi OPNsense Team and Community,

After extensive testing and analysis in a production-like environment, I would like to raise awareness of a critical issue involving `dhcrelay` in combination with CARP.

==========================
🧩 Problem Description
==========================

When running OPNsense in HA with CARP and enabling the built-in `dhcrelay` service (BSD-based), the system exhibits unstable DHCP relay behavior:

- Both CARP nodes forward DHCPDISCOVER messages simultaneously
- Clients receive multiple DHCPOFFERs and DHCPACKs
- Race conditions: leases are refused or misconfigured
- Backup nodes forward traffic they shouldn't – even in BACKUP state

The issue stems from the fact that the current `dhcrelay` is not CARP-aware and cannot suppress itself when not the active node.

==========================
🧪 Workaround
==========================

Running `isc-dhcrelay` on a dedicated Linux VM eliminates the problem entirely:

- Only one instance is active
- Clean forwarding of DHCP across VLANs
- No duplicate traffic or race conditions

==========================
⚙️ Feature Request
==========================

I would like to propose:

1. Integrate `isc-dhcrelay` as an alternative in OPNsense (optional via GUI or plugin)
2. Allow selection between BSD-based and ISC-based relay
3. Eventually deprecate the BSD relay if it can't be made CARP-aware

Alternatively:

- Allow relay suppression on BACKUP via CARP hooks or devd triggers
- Document safe HA relay strategies within OPNsense

==========================
🧪 Test Environment
==========================

- OPNsense 24.1 / 24.7 (RC)
- CARP HA setup with shared VIP
- Central DHCP server (Windows / Kea)
- Relay on VLANs, reproducible issues with `tcpdump`

I'm happy to assist with logs, traces or help test future solutions.
Thank you for your great work on OPNsense!

Best regards,
Rookie24
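An added example, not code from the post or from OPNsense, of the "relay suppression on BACKUP via CARP hooks or devd triggers" idea above: it parses CARP state from `ifconfig` output and only lets the relay run when every vhid is MASTER. It assumes the relay is controlled by a stock `service dhcrelay start|stop` rc script and that the script is wired to CARP transitions by a devd rule; the script path in the comment is an assumption, and the `ifconfig` excerpts are constructed.

```shell
#!/bin/sh
# Added example: keep the local DHCP relay quiet unless this node is CARP MASTER.
# Assumption: the relay is started/stopped via "service dhcrelay ...".
# Wire to CARP transitions with a devd rule such as (script path is an assumption):
#   notify 0 { match "system" "CARP"; match "type" "(MASTER|BACKUP)";
#              action "/usr/local/sbin/dhcrelay-carp.sh apply"; };

# Print the CARP state (MASTER/BACKUP/INIT) of every vhid in an ifconfig dump.
carp_states() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ { print $2 }'
}

# Relay only when every vhid is MASTER; BACKUP, INIT or no CARP at all means stop.
# A node that is BACKUP on any relay-facing VLAN must not forward, otherwise both
# nodes relay the same DHCPDISCOVER and the client sees duplicate OFFERs/ACKs.
relay_action() {
    states=$(carp_states "$1")
    [ -n "$states" ] || { echo stop; return 0; }
    for s in $states; do
        [ "$s" = MASTER ] || { echo stop; return 0; }
    done
    echo start
}

# Apply the decision to the running service (only reached via "apply").
apply_relay_action() {
    case "$1" in
        start) service dhcrelay start ;;
        stop)  service dhcrelay stop ;;
    esac
}

# Constructed ifconfig excerpts for offline checks (not captured from a real box).
SAMPLE_MASTER='vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 vhid 10
        carp: MASTER vhid 10 advbase 1 advskew 0'
SAMPLE_BACKUP='vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: BACKUP vhid 10 advbase 1 advskew 100'
SAMPLE_MIXED="$SAMPLE_MASTER
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: BACKUP vhid 20 advbase 1 advskew 100"

# Real run: "dhcrelay-carp.sh apply" reads the live ifconfig output.
if [ "${1:-}" = apply ]; then
    apply_relay_action "$(relay_action "$(ifconfig)")"
fi
```

Without arguments the script only defines the functions and samples, so it can be sourced or checked without touching the service.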