[ previous ] [ next ] [ threads ]
 From:  "D. Ubevidste" <detubevidste at gmail dot com>
 To:  Boyce Ezell <boyceezell at yahoo dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP Relay across an IPSEC VPN
 Date:  Fri, 4 Feb 2005 12:07:29 -0500
Boyce, thanks for your well-intentioned response.  I will be more
specific with what I am asking.


 - I have a remote location at which we will not support any servers,
has no backup facilities, etc. I.e., no standalone server.
 - We are currently using m0n0wall as a dhcp server there. We would
prefer to use the remote DHCP server at the other end of a VPN tunnel,
for various reasons which are, for the purpose of this question,
 - I am aware that I have many options (e.g., by  mac address or
captive portal ) to limit who gets valid DHCP.
Please note: DHCP relay works by creating a _unicast_ forward to the
DHCP server containing the DHCP request, so the routing limitations of
broadcast does not play into this at all.

Core question: 
 - Can the m0n0wall route its DHCP relay unicasts to a host at the
other end of a DHCP tunnel?

Evidence for yes:
 - The DHCP server, at the far end of the tunnel, can ping the LAN IP
of the m0n0wall

Evidence against yes:
-Pings from the m0n0wall to the DHCP server are (incorrectly, to my
mind) routed out the WAN interface instead of into the IPSEC tunnel

I would be grateful to anyone who can shed some light on this, or
anyone with an explanation for the seeming contraindications of this



> Original Message:
> From: D. Ubevidste <detubevidste at gmail dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Date: Thursday, February 3 2005 07:06 PM
> Subject: [m0n0wall] DHCP Relay across an IPSEC VPN
> Esteemed comrades,
> Before I find out this doesn't work on my own -- is anyone using the
> DHCP relay to reach a DHCP server across a tunnel?
> Basic Architecture (apologies to proportion fonts users):
> DHCP server |  |m0n0-A   |   IPSEC     | m0n0-B  |  |   DHCP    |
>             |--| |----VPN------| |--|  Client   |
>   |  |<extip A>|   TUNNEL    |<extip B>|  |Workstation|
> The dhcp server sits on a home network with a 10.0.0/24 address, the
> client on a remote 10.9.0/24 network, with two m0n0walls between and
> an IPSEC tunnel
> Data:
>  A  The DHCP server can ping the LAN IP of the m0n0wall (,
> and receive returns.
>  B Pings from the m0n0wall gui to hosts on the 10.0.0/24 return
> redirects indicating that m0n0wall is pushing them onto the WAN
> (Noooo!), and they are reaching my provider's router.
> Observations:
>  - Item A lulled me into thinking that this would work without a hitch
>  - Item B seems to indicate that it may not work
>  - The "block private networks" option on the WAN interface screen is
> assiduously correct in that it blocks traffic _from_ these networks,
> but not traffic _to_ these networks.
> Primary questions:
>  - Has anyone done it? Would share your method with me?
>  -  Alternatively, if it's impossible, (would you shoot me down now?
>  - If neither, i'm a bit baffled why the ping returns would use the
> correct route, but the m0n0wall-initiated pings would choose a
> different (i.e., default) route.
> Any help to offer?
> Thanks,
> du
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch