DHCP IP HELPER over SDWAN VPN
PierreH
Newbie ✭
Hi everyone,
I have remote sites connecting to the headquarters over SDWAN VPN IPSEC.
Tunnel interfaces are up and data connections (ping, SMB, Terminal Services) are working fine.
I enabled the DHCP server on Windows Server and on the Mitel IPBX at the HQ site.
DHCP IP Helper is enabled on the remote site. I can see the requests being forwarded, but no IP is released: the DHCP server can see the request arriving and responds, but we get nothing on the remote site.
I opened a case with MSW Support, but no solution so far since Thursday.
Any idea?
Thank you
Category: Entry Level Firewalls
Answers
Yes, this can work. We have it set up with gen6 and gen7 at remote sites and gen6 at central site. I looked over the configuration and don't see anything obviously "special" that we've done to get this working.
I suggest you do a packet capture on the firewalls and see if you can work out how far the responses from the DHCP server are getting.
I don't see any IP Helper-specific logging category, unfortunately.
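To act on the packet-capture suggestion above, here is an added example (not from this thread and not SonicWall code) that parses the DHCP payload of captured UDP packets and checks whether the server's reply is addressed back to the relay (giaddr) that forwarded the request. The helper address 10.20.0.1, the server 10.1.0.10 and the sample packets are constructed for the example.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP option-field cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ip = lambda off: socket.inet_ntoa(payload[off:off + 4])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
            "ciaddr": ip(12), "yiaddr": ip(16), "giaddr": ip(24),
            "chaddr": payload[28:28 + hlen].hex(":"),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
            "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None}


def relay_check(request: dict, reply: dict, helper_ip: str) -> list:
    """Return the reasons a server reply would not reach the client via the relay."""
    issues = []
    if request["xid"] != reply["xid"]:
        issues.append("xid mismatch: reply belongs to another transaction")
    if request["giaddr"] != helper_ip:
        issues.append(f"request giaddr {request['giaddr']} is not the helper {helper_ip}")
    if reply["giaddr"] != helper_ip:
        issues.append(f"reply giaddr {reply['giaddr']} is not the helper; server cannot unicast it back")
    if reply["type"] == "OFFER" and reply["yiaddr"] == "0.0.0.0":
        issues.append("OFFER carries no address")
    return issues


def build_dhcp(op, msg_type, xid, giaddr, yiaddr="0.0.0.0", hops=1, server_id=None):
    """Build a constructed DHCP packet (sample input only, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(giaddr)
    hdr += b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0") + b"\0" * 192   # chaddr, sname, file
    opts = MAGIC + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    return hdr + opts + b"\xff"
```

Feed it the UDP payloads from a capture on the remote firewall (port 67/68): a DISCOVER with hops > 0 and giaddr set shows the helper relayed it, and an OFFER whose giaddr is not the helper explains why nothing reaches the client.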
Hi Arkwright, support said: noticed some dropped packets, and check this KB https://www.sonicwall.com/support/knowledge-base/dhcp-server-packet-dropped-rpf-check-failed/170505829682992/
I have all Gen7 firewalls: NSA 2700 in HQ, TZ270 on the remote site.
I enabled the DHCP IP Helper policy on the remote site FW, a DHCP policy from the VoIP subnet to the DHCP server (object in the VPN zone).
I have the SDWAN route policies present.
And I verified my configuration against this KB (without the WAN and NAT, because every remote site has its own internet connection).
Everything is the same.
Do we have to configure DHCP over VPN?
I use this option for GVC connections
Just for you, I checked the firewall again. No, this is not enabled, so this isn't required.
I do remember having to disable/enable the IP Helper service in the past when it didn't work as expected but I think this was a gen6 thing, that was probably fixed by now.
It is weird. I am waiting to get SW support on the phone to check, and will run tests with another remote site. So you have only the IP Helper enabled on the remote site FW? Over an SDWAN VPN tunnel interface or a VPN site-to-site configuration?
This is SDWAN with un-numbered VPN tunnels as members.
Helper is on remote site firewalls. DHCP Helper is not on main office firewall.
@Arkwright:
Do you think the subnet mask of a VPN tunnel interface may be a problem if it is /24 instead of /30?
I am using un-numbered tunnels, so there is no netmask.
I cannot see why the netmask would make any difference, unless it overlaps with one of the networks you are trying to communicate with. But then nothing would work, right?
@Arkwright I have heard about un-numbered tunnels, but I don't know how they work on SonicWall FWs.
Using un-numbered tunnels on SonicOS is easy, you simply skip the step where you create a numbered tunnel :D
Create tunnel-mode VPN policy, assign to SD-WAN group. Done.
The documentation originally said you had to use numbered tunnels, but then this changed:
https://community.sonicwall.com/technology-and-support/discussion/3647/sd-wan-with-un-numbered-vpn-tunnels
After some tests and packet monitoring with support, we found a dropped packet, so I had to add a specific route (destination: DHCP server); then the DHCP relay worked. I don't know why it was not working, since we have an SDWAN route policy for the whole LAN.
It is weird, since the device's Network Path lookup found the DHCP server behind X1 and, after the specific route, behind the VPN tunnel interface.
https://www.sonicwall.com/support/knowledge-base/dhcp-server-packet-dropped-rpf-check-failed/170505829682992/
Hi everybody, my SDWAN configuration is OK but DHCP IP Helper is not working.
I tried to configure DHCP over VPN on the central and remote gateways, but it doesn't work with IKE, only with main mode.
We can see the DHCP requests being forwarded and going back, but no DHCP lease is delivered on the remote site.
Everything is stuck now
Case created on MSW, but I don't know if they have a solution
I don't understand how a new configuration SDWAN with new firewalls is not working as expected.
The solution for DHCP IP Helper was found by a girl from SonicWall support (Sadiya):
In "Advanced Settings", disable IPSec Anti-Replay.
Finally after one week
Well... it would have taken me a long time to find that, because it seems like it would be completely unrelated. But on the other hand, I don't work for SonicWall support!
Hi
I'm stuck in the same place. Unfortunately the "anti-relay" option didn't bring any change. Have you made any other settings?
Hi HWK,
I only enabled this "anti-relay" option on both sides for this installation, and it has been working since October 2024.
Even two weeks ago, after a firmware upgrade on another client's infrastructure, we encountered the same problem with a DHCP IP Helper that had been working fine, and this "anti-relay" option fixed our problem.
No other settings. Check your access rules from VPN and to VPN. My access rules were created automatically by the SDWAN rules.