DHCP Relay Does Not Work with Windows DHCP Server and Source NAT Configured

54531
Created On 09/25/18 19:30 PM - Last Modified 06/06/23 19:50 PM


Resolution


Overview

When DHCP relay is configured on an L3 device, the device forwards DHCP requests to a Windows DHCP server as unicast packets. In this case the unicast traffic passes through a Palo Alto Networks firewall that applies source NAT, and the end clients do not receive IP addresses via DHCP.


Details

In this setup, the L3 device acts as the DHCP relay for the 172.30.14.0/24 subnet where the end hosts are located. The L3 device's IP address is 172.30.14.1, and it sends unicast DHCP messages to the Windows DHCP server at 10.145.0.200. These messages pass through the Palo Alto Networks firewall, which has two L3 interfaces in two different zones. One interface is in the 172.30.14.0/24 segment in the Trust zone, the same zone as the end hosts and the L3 device. The other, with IP address 10.145.0.106, is in the Untrust zone, where the DHCP server is located. The firewall permits all traffic (any zone to any zone, any-to-any communication) and has a static source NAT rule with bi-directional translation enabled for the L3 device's address 172.30.14.1, which is translated to 10.145.0.101.

End hosts are not able to receive a DHCP address from the DHCP server.


A packet capture was taken on the Windows DHCP server:

[Screenshot: Screen Shot 2014-08-04 at 4.24.13 PM.png, packet capture on the DHCP server with source NAT in place]


The DHCP Discover message, packet 13, is received on the server with the NATed source address 10.145.0.101, as expected. However, the server sends the DHCP Offer to destination address 172.30.14.1 instead of 10.145.0.101: 172.30.14.1 is the gateway IP address (GIADDR) that the relay inserted into the DHCP message, and the server addresses its reply to GIADDR rather than to the IP source of the request. The firewall dropped this flow, so the DHCP Offer never reached the DHCP relay device and the end hosts did not receive an IP address.


Resolution

To work around this Windows DHCP server behaviour, do not apply NAT to the IP address of the L3 device that acts as the DHCP relay (172.30.14.1 in this example). The following packets were captured on the Windows DHCP server after source NAT was removed for the 172.30.14.1 address on the Palo Alto Networks device:

[Screenshot: Screen Shot 2014-08-04 at 4.22.29 PM.png, packet capture on the DHCP server without source NAT for 172.30.14.1]


All messages above are exchanged directly between the L3 device (the DHCP relay, 172.30.14.1) and the Windows DHCP server (10.145.0.200).
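As an added example (not part of this article), the following Python script checks a capture for the symptom shown in both screenshots: it parses the fixed BOOTP/DHCP header, pairs each server reply with the relayed request carrying the same transaction ID, and flags replies addressed to GIADDR rather than to the request's IP source, which under source NAT is the translated address. The transaction ID, the offered lease address and the two packet lists are constructed sample data modelled on the captures above.

```python
import socket
import struct
from collections import namedtuple

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# then ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
def parse_dhcp(payload: bytes) -> dict:
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        socket.inet_ntoa(payload[off:off + 4]) for off in (12, 16, 20, 24))
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr}

def build_dhcp(op: int, xid: int, giaddr: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Constructed test payload: op=1 is a relayed request, op=2 a server reply."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 1, xid, 0, 0)  # hops=1: passed one relay
    addrs = b"".join(socket.inet_aton(a) for a in ("0.0.0.0", yiaddr, "0.0.0.0", giaddr))
    return head + addrs + bytes(16 + 64 + 128)  # chaddr, sname, file left zeroed

# One captured datagram as seen at the DHCP server: IP source, IP destination, UDP payload.
Packet = namedtuple("Packet", "src dst payload")

def find_giaddr_replies(packets):
    """Pair each server reply (op=2) with the relayed request (op=1) sharing its xid and
    report replies sent to GIADDR instead of to the request's IP source. Under source NAT
    that source is the translated address, so such a reply misses the NAT session."""
    requests, findings = {}, []
    for p in packets:
        msg = parse_dhcp(p.payload)
        if msg["op"] == 1:
            requests[msg["xid"]] = p
        elif msg["op"] == 2 and msg["xid"] in requests:
            req = requests[msg["xid"]]
            if p.dst != req.src and p.dst == msg["giaddr"]:
                findings.append((hex(msg["xid"]), req.src, p.dst))
    return findings

RELAY, NATED_RELAY, SERVER = "172.30.14.1", "10.145.0.101", "10.145.0.200"
XID, OFFERED = 0x3903F326, "172.30.14.50"  # constructed transaction ID and offered lease
# Capture 1: Discover arrives with the NATed source, Offer is sent to GIADDR (failing case).
CAPTURE_WITH_SNAT = [
    Packet(NATED_RELAY, SERVER, build_dhcp(1, XID, RELAY)),
    Packet(SERVER, RELAY, build_dhcp(2, XID, RELAY, OFFERED)),
]
# Capture 2: no NAT for the relay address, so IP source and GIADDR agree (working case).
CAPTURE_WITHOUT_SNAT = [
    Packet(RELAY, SERVER, build_dhcp(1, XID, RELAY)),
    Packet(SERVER, RELAY, build_dhcp(2, XID, RELAY, OFFERED)),
]
```

Calling find_giaddr_replies on the first list returns one finding (xid, NATed source, GIADDR destination); on the second it returns an empty list.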


owner: gbogojevic


