Boyce, thanks for your well-intentioned response. I will be more
specific with what I am asking.
- I have a remote location at which we will not support any servers,
has no backup facilities, etc. I.e., no standalone server.
- We are currently using m0n0wall as a dhcp server there. We would
prefer to use the remote DHCP server at the other end of a VPN tunnel,
for various reasons which are, for the purpose of this question,
- I am aware that I have many options (e.g., by mac address or
captive portal ) to limit who gets valid DHCP.
Please note: DHCP relay works by creating a _unicast_ forward to the
DHCP server containing the DHCP request, so the routing limitations of
broadcast does not play into this at all.
- Can the m0n0wall route its DHCP relay unicasts to a host at the
other end of a DHCP tunnel?
Evidence for yes:
- The DHCP server, at the far end of the tunnel, can ping the LAN IP
of the m0n0wall
Evidence against yes:
-Pings from the m0n0wall to the DHCP server are (incorrectly, to my
mind) routed out the WAN interface instead of into the IPSEC tunnel
I would be grateful to anyone who can shed some light on this, or
anyone with an explanation for the seeming contraindications of this
> Original Message:
> From: D. Ubevidste <detubevidste at gmail dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Thursday, February 3 2005 07:06 PM
> Subject: [m0n0wall] DHCP Relay across an IPSEC VPN
> Esteemed comrades,
> Before I find out this doesn't work on my own -- is anyone using the
> DHCP relay to reach a DHCP server across a tunnel?
> Basic Architecture (apologies to proportion fonts users):
> DHCP server | |m0n0-A | IPSEC | m0n0-B | | DHCP |
> |--|10.0.0.1 |----VPN------|10.9.0.1 |--| Client |
> 10.0.0.25 | |<extip A>| TUNNEL |<extip B>| |Workstation|
> The dhcp server sits on a home network with a 10.0.0/24 address, the
> client on a remote 10.9.0/24 network, with two m0n0walls between and
> an IPSEC tunnel
> A The DHCP server can ping the LAN IP of the m0n0wall (10.9.0.1),
> and receive returns.
> B Pings from the m0n0wall gui to hosts on the 10.0.0/24 return
> redirects indicating that m0n0wall is pushing them onto the WAN
> (Noooo!), and they are reaching my provider's router.
> - Item A lulled me into thinking that this would work without a hitch
> - Item B seems to indicate that it may not work
> - The "block private networks" option on the WAN interface screen is
> assiduously correct in that it blocks traffic _from_ these networks,
> but not traffic _to_ these networks.
> Primary questions:
> - Has anyone done it? Would share your method with me?
> - Alternatively, if it's impossible, (would you shoot me down now?
> - If neither, i'm a bit baffled why the ping returns would use the
> correct route, but the m0n0wall-initiated pings would choose a
> different (i.e., default) route.
> Any help to offer?
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch