Pfsense VPN and DHCP

Hello, I have a pfSense router with configured VLANs and DHCP.
I want to install a second pfSense router at another location and somehow connect the second router to the main one transparently, so that the computers at the second location are able to obtain IP addresses from the MAIN DHCP server and be part of the VLANs.

I have drawn a small schema, attached here, to be clear. Can you help me with how to do that?

Thank you.

Here is a resource that may help you.

DHCP is kind of tricky in this regard, in that it is technically an application layer protocol and as such is built on top of the network layer. However, clients in the process of obtaining an IP address through DHCP obviously don't have an IP address yet.

DHCP is a four step process:

  1. A client sends a DHCPDISCOVER packet. This is a broadcast message (destination 255.255.255.255). Since the client doesn't have an IP address yet, it sets the source address to 0.0.0.0.
  2. A DHCP server receiving the packet responds with a DHCPOFFER packet. The destination address will be set to the IP address the server offers the client, and the Ethernet frame this packet is contained in will be sent to the MAC address the DHCPDISCOVER originated from.

Steps three and four are DHCPREQUEST and DHCPACK by the client and server, respectively. They are not important here.

From step 2 alone it should be clear that DHCP is not routable, even though it is based on the network layer. That means a layer 3 VPN on its own will not work here. DHCP only works when the server and client are in the same broadcast domain (i.e. they can communicate on layer 2).

However, I can still see two options for how you can achieve your goal:

  1. pfSense has a DHCP relay function, otherwise known as 'ip-helper'. It is used to route DHCP packets across subnets. I've never worked with that and can't say whether it will work in your case.
  2. OpenVPN has a layer 2 mode. This might work when the two sides of the VPN should actually be in the same subnet. I've never used that either, though.
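The DISCOVER/OFFER exchange and the relay ('ip-helper') option described in the reply above, as an added example that is not part of the original post and is not pfSense code. It serialises and parses RFC 2131 messages with the standard library only, and tracks the UDP/IP envelope at each hop so you can see why a bare DISCOVER (0.0.0.0 to 255.255.255.255) cannot cross a router, while a relayed copy (giaddr set, unicast relay to server) can. All addresses (relay 10.20.0.1, server 10.10.0.5, lease 10.20.0.50) and the client MAC are constructed for the example.

```python
"""Added example: minimal DHCP (RFC 2131) encoder/decoder plus a relay-agent hop.
Hypothetical addresses: client MAC 02:00:00:00:00:01, relay 10.20.0.1, server 10.10.0.5."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MAX_HOPS = 16  # RFC 1542: a relay discards requests whose hops field already exceeds this


def ip2b(ip):
    return bytes(int(x) for x in ip.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build(op, xid, mac, hops=0, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise a BOOTP/DHCP message: 236-byte fixed header, magic cookie, TLV options, END."""
    # htype=1 (Ethernet), hlen=6, secs=0, flags=BROADCAST (client asks for broadcast replies)
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0x8000)
    hdr += ip2b("0.0.0.0") + ip2b(yiaddr) + ip2b("0.0.0.0") + ip2b(giaddr)  # ciaddr yiaddr siaddr giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * (64 + 128)  # chaddr (16), sname (64), file (128)
    body = MAGIC_COOKIE + b"".join(bytes([c, len(v)]) + v for c, v in options)
    return hdr + body + bytes([OPT_END])


def parse(pkt):
    op, _, hlen, hops, xid, _, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "yiaddr": b2ip(pkt[16:20]), "giaddr": b2ip(pkt[24:28]),
            "chaddr": pkt[28:28 + hlen], "options": opts}


def client_discover(xid, mac):
    """Step 1: the client has no address, so the datagram is 0.0.0.0:68 -> 255.255.255.255:67.
    A router will never forward that envelope; it stays on the client's broadcast domain."""
    pkt = build(BOOTREQUEST, xid, mac, options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    return {"src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}, pkt


def relay_to_server(env, pkt, relay_ip, server_ip):
    """What ip-helper / DHCP relay does: stamp giaddr with the relay's own interface address,
    increment hops, and forward the message as an ordinary routable unicast to the server."""
    m = parse(pkt)
    if m["hops"] >= MAX_HOPS:
        return None  # relay loop or misconfiguration: drop it
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else relay_ip  # first relay's giaddr wins
    fwd = build(m["op"], m["xid"], m["chaddr"], hops=m["hops"] + 1, giaddr=giaddr,
                options=list(m["options"].items()))
    return {"src": relay_ip, "dst": server_ip, "sport": 67, "dport": 67}, fwd


def server_offer(pkt, server_ip, lease_ip):
    """Step 2: DHCPOFFER. giaddr tells the server which segment to pick a lease from and,
    since it is non-zero, the server unicasts the reply to giaddr:67 instead of the client."""
    m = parse(pkt)
    reply = build(BOOTREPLY, m["xid"], m["chaddr"], yiaddr=lease_ip, giaddr=m["giaddr"],
                  options=[(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip2b(server_ip))])
    return {"src": server_ip, "dst": m["giaddr"], "sport": 67, "dport": 67}, reply


def relay_to_client(env, pkt):
    """The relay re-emits the reply on the client's segment; the client still has no address and
    set the BROADCAST flag, so it goes to 255.255.255.255:68 (unicast to yiaddr otherwise)."""
    m = parse(pkt)
    dst = "255.255.255.255" if m["flags"] & 0x8000 else m["yiaddr"]
    return {"src": env["dst"], "dst": dst, "sport": 67, "dport": 68}, pkt


def run_exchange(mac=b"\x02\x00\x00\x00\x00\x01", relay_ip="10.20.0.1",
                 server_ip="10.10.0.5", lease_ip="10.20.0.50"):
    """Drive DISCOVER -> relay -> OFFER -> relay; return the envelope of each hop and the final OFFER."""
    xid = 0x3903F326  # constructed transaction id
    env1, disc = client_discover(xid, mac)
    env2, fwd = relay_to_server(env1, disc, relay_ip, server_ip)
    env3, offer = server_offer(fwd, server_ip, lease_ip)
    env4, final = relay_to_client(env3, offer)
    return [env1, env2, env3, env4], parse(final)


if __name__ == "__main__":
    for hop in run_exchange()[0]:
        print(hop)
```

Only the second and third envelopes are ordinary unicast datagrams, which is exactly what a routed layer 3 tunnel (IPsec or site-to-site OpenVPN) can carry; the first and last never leave their segment. The relay keeps the original giaddr when one is already set, so a second relay in the path does not overwrite the segment the server must allocate from, and it drops anything with 16 or more hops rather than forwarding a looped request.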

I would look into VXLAN and running it over an IPsec tunnel. I haven't done this with pfSense, but it has worked fine with Cisco routers.

Thank you all for your kind answers. I'll try to establish an IPsec tunnel to see if this can help me.

It would be much easier to set up a site-to-site OpenVPN connection, then ensure you have established static routes for the two networks you want connected.