This article describes the issue of DHCP relay not working when the firewall is configured with multiple VRs.
- The client sends the DHCP request.
- The firewall receives it. Because the firewall is configured for DHCP relay, it treats the request as self traffic, which the firewall handles differently from flow traffic.
- Because it is self traffic, the firewall uses the default VR to perform the route lookup to reach the DHCP server. The interface IP address associated with that route becomes the source IP address of the DHCP relay packet, and the firewall relays the packet to the DHCP server with this new source IP address.
- The DHCP server replies with a DHCP response packet to the relay source IP address, and the firewall forwards it to the client. For example, if the DHCP server IP address is 1.1.1.1 and DHCP relay is enabled on the ethernet2/1 firewall interface, the configuration is as follows:
set zone trust vr trust-vr
set interface ethernet2/1 zone trust
set interface ethernet2/1 ip 172.19.50.2/24
set interface ethernet2/1 dhcp relay server-name "1.1.1.1"
set interface ethernet2/1 dhcp relay service
set interface ethernet1/1 zone untrust
set zone untrust vr untrust-vr
set interface ethernet1/1 ip 1.1.1.2/24
However, if the route to reach 1.1.1.1 in the default VR uses the ethernet2/1 interface, the firewall builds the DHCP request with the 172.19.50.2 source IP address. The desired behavior is for the DHCP request to be built with the 1.1.1.2 source IP address and then relayed to the 1.1.1.1 DHCP server.
Again, the default behavior is for the firewall to perform the route lookup to the DHCP server in the default VR and to select the interface found by that lookup as the source interface.
To resolve this issue, use either of the following methods:
In the default VR, add a specific route to the DHCP relay server that points to the correct VR. For the example above, where the default VR is named trust-vr, enter the following command:
set vr trust-vr route 1.1.1.1/32 vr untrust-vr
Or, enter the following command:
set int <int-name> dhcp relay vpn
This command works for both VPN and non-VPN cases. With it, the firewall performs the route lookup to reach the DHCP server in the VR associated with the interface, instead of using the default VR and selecting the source interface from that default VR.
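The following is an added model of the route-lookup behavior described above and of the first fix (the inter-VR route); it is not ScreenOS code and is not part of the original article. The VR names, interfaces and addresses are taken from the example configuration; the route tables are constructed so that the default VR's default route exits ethernet2/1, reproducing the failing case.

```python
import ipaddress

# Interfaces from the example configuration: which VR they belong to and their IP.
INTERFACES = {
    "ethernet2/1": {"vr": "trust-vr", "ip": "172.19.50.2"},
    "ethernet1/1": {"vr": "untrust-vr", "ip": "1.1.1.2"},
}

# Constructed route tables per VR. A next hop is either an egress interface
# or another VR (an inter-VR route, as created by "set vr ... route ... vr ...").
ROUTES = {
    "trust-vr": {
        "172.19.50.0/24": ("interface", "ethernet2/1"),
        "0.0.0.0/0": ("interface", "ethernet2/1"),   # default route via eth2/1
    },
    "untrust-vr": {
        "1.1.1.0/24": ("interface", "ethernet1/1"),
    },
}

DEFAULT_VR = "trust-vr"   # self traffic is looked up here, as the article explains


def lookup(vr, dst, routes):
    """Longest-prefix match in one VR, following inter-VR routes to the egress interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes[vr].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    kind, name = best[1]
    if kind == "vr":
        return lookup(name, dst, routes)   # continue the lookup in the other VR
    return name


def relay_source_ip(server, routes, default_vr=DEFAULT_VR):
    """Source IP the relayed DHCP packet carries: the IP of the egress interface found in the default VR."""
    egress = lookup(default_vr, server, routes)
    return INTERFACES[egress]["ip"] if egress else None


def with_fix_route(routes):
    """Apply the first fix: a /32 route to the DHCP server in the default VR pointing to untrust-vr."""
    fixed = {vr: dict(table) for vr, table in routes.items()}
    fixed["trust-vr"]["1.1.1.1/32"] = ("vr", "untrust-vr")
    return fixed
```

Without the fix the relayed request is sourced from 172.19.50.2; with the /32 inter-VR route the lookup continues in untrust-vr and the source becomes 1.1.1.2.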