Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

DHCP IP HELPER over SDWAN VPN

Hi everyone,

I have remote sites connecting to the Head Quarter over SDWAN VPN IPSEC

Tunnel interfaces are up and Data connections (ping, smb, Terminal Services) are working fine

I enabled DHCP Server on Windows Server and IPBX Mitel in the HQ Site

DHCP IP Helper is enabled on the remote site, I can see the requests forwarded, but there is no IP released, the DHCP server ca see the request arriving, responds but we can have nothing on the remote site.

I opened a case with MSW Support, but until now no solution since Thursday

Any idea?

thank you

Category: Entry Level Firewalls
Reply

Answers

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭
    edited November 2023

    Yes, this can work. We have it set up with gen6 and gen7 at remote sites and gen6 at central site. I looked over the configuration and don't see anything obviously "special" that we've done to get this working.

    I suggest you do a packet capture on the firewalls and see if you can work out how far the responses from the DHCP server are getting.

    I don't see any IP Helper-specific logging category, unfortunately.

  • PierreHPierreH Newbie ✭

    Hi Arkwright, support said : Noticed some dropped packets and check this KB https://www.sonicwall.com/support/knowledge-base/dhcp-server-packet-dropped-rpf-check-failed/170505829682992/

    I have all the firewalls Gen7, NSA 2700 in HQ, TZ270 on remote site

    I enabled the DHCP IP Helper policy on the remote site FW, DHCP policy from the VOIP Subnet to the DHCP Server (object in VPN Zone)

    I have the SDWAN Route policies present

  • PierreHPierreH Newbie ✭

    And I verified my configuration in this KB (without the WAN and NAT because every remote site has its own internet connection)

    everything is the same



  • PierreHPierreH Newbie ✭

    Do we have to configure DHCP over VPN?

    I use this option for GVC connections

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    Just for you, I checked the firewall again. No, this is not enabled, so this isn't required.

    I do remember having to disable/enable the IP Helper service in the past when it didn't work as expected but I think this was a gen6 thing, that was probably fixed by now.

  • PierreHPierreH Newbie ✭

    it is weird, I am waiting to have SW support on the phone to see and will make tests with another remote site, so You have only the IP Helper enabled on the remote site FW? over SDWAN VPN Tunnel interface or VPN Site to site configuration?

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    This is SDWAN with un-numbered VPN tunnels as members.

    Helper is on remote site firewalls. DHCP Helper is not on main office firewall.

  • PierreHPierreH Newbie ✭

    @ARKWIGHT :

    Do you think the subnet mask of a VPN Tunnel interface may be a problem if it is equal to /24 instead of /30 ?

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    I am using un-numbered tunnels, so there is no netmask.

    I cannot see why the netmask would make any difference, unless it overlaps with one of the networks you are trying to communicate with. But then nothing would work, right?

  • PierreHPierreH Newbie ✭

    @Arkwright I have heard about un-numbered tunnels but I don't know how it is in Sonicwall FW

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    Using un-numbered tunnels on SonicOS is easy, you simply skip the step where you create a numbered tunnel :D

    Create tunnel-mode VPN policy, assign to SD-WAN group. Done.

    The documentation originally said you had to use numbered tunnels, but then this changed:

    https://community.sonicwall.com/technology-and-support/discussion/3647/sd-wan-with-un-numbered-vpn-tunnels

  • PierreHPierreH Newbie ✭

    After some tests and packet monitoring with the support, We found a dropped packet, so I have to add a specific route (destination DHCP Server), then the DHCP relay worked. I don't know why it is not working since we have a SDWAN route policy for the whole LAN.

    it is weird since the device - Network path found the DHCP Server behind X1 and after the specific route behind the VPN Tunnel Interface.

    https://www.sonicwall.com/support/knowledge-base/dhcp-server-packet-dropped-rpf-check-failed/170505829682992/

  • PierreHPierreH Newbie ✭

    Hi everybody, my SDWAN configuration is ok but DHCP IPHELPER is not working

    I tried to configure the DHCP over VPN on central and remote gateway, but it doesnt work with IKE only with main mode

    We can see the DHCP requests forwarding and going back but no DHCP is delivered on remote site

    Everything is stuck now

    Case created on MSW, but I don't know if they have a solution

    I don't understand how a new configuration SDWAN with new firewalls is not working as expected.

  • PierreHPierreH Newbie ✭

    Solution for DHCP IP Helper was found by a girl from Sonicwall support (Sadiya)

    In "Advanced Settings" - Disable IPSec Anti-Replay

    Finally after one week


  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    Well.....it would have taken me a long time to find that because it seems like it would be completely unrelated. But on the other hand I don't work for Sonicwall support!

Sign In or Register to comment.