DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DHCP Relay Agent does not get response from Server 2012

09 Feb 2018 11:03 #1 by billatkins
I have a dial-in VPN on a Vigor2925 with "Enable Relay Agent" set to a Windows Server 2012 R2 with native DHCP. Over the VPN, clients (Windows, Android and iPad) are getting IPs issued by the 2925 in the range set in PPP General Setup - IP Address Assignment for Dial-In Users (When DHCP Disable set). Over local WiFi the same clients are getting IPs (and DNS, WINS settings etc.) from the WS2012 DHCP. There are no entries in the WS2012 DHCP log for the clients when on VPN.
On the 2925 I have "Multicast via VPN" set to Pass. I have tried disabling the firewall and Network Access Protection on the WS2012. No success. I put a third-party DHCP server on a Windows 10 box and set DHCP relay to that, and it issued IPs to VPN clients. Then I put the same third-party DHCP server on another WS2012 server with the firewall disabled, and VPN clients cannot reach it. Can anyone offer any advice?


09 Feb 2018 19:00 #2 by hornbyp

billatkins wrote: I put a third-party DHCP server on a Windows 10 box and set DHCP relay to that, and it issued IPs to VPN clients. Then I put the same third-party DHCP server on another WS2012 server with the firewall disabled, and VPN clients cannot reach it.

Was the Windows 10 DHCP Server on the same IP network as your Windows 2012 Server?


09 Feb 2018 21:08 #3 by billatkins
Thanks for your response. I have two subnets, 192.168.42.x and 192.168.2.x.
All of our systems have IPs of 192.168.42.x, while 192.168.2.x is used purely for Guest WiFi connections, with the router issuing the IP addresses.
I have made some progress and can now see that the WS2012 DHCP is receiving DHCPDiscover messages but is responding with DHCPNack.
I do not know what I changed that made this happen. I was testing and unexpectedly got an IP address of 192.168.42.78 on the client, which could only have come from the WS2012 DHCP. It has a scope of 192.168.42.50-192.168.42.150. The Vigor 2925 inbuilt DHCP server is only issuing IPs 192.168.42.200 and above. The next time I connected (without changing anything) the client received a 192.168.42.200 IP.

After that I can see entries in the WS2012 DHCP log every time I try and connect. The log looks like this:
15,02/09/18,18:53:55,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:56,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0

The MAC address is very similar to the Draytek router LAN MAC Address 00-1D-AA-55-EF-98.

The DHCP server in the router issuing 192.168.42.200+ is still active although I enabled the Relay Agent. I am questioning whether there are some timing issues. Is the Draytek DHCP server issuing IPs because it is the first to respond? Is there any way to switch it off or delay its response time?


09 Feb 2018 23:32 #4 by hornbyp

billatkins wrote: The DHCP server in the router issuing 192.168.42.200+ is still active although I enabled the Relay Agent. I am questioning whether there are some timing issues. Is the Draytek DHCP server issuing IPs because it is the first to respond? Is there any way to switch it off or delay its response time?

I think this could be the crux of the issue...

On receiving the DHCP 'offers', there's presumably nothing to choose between them, because they're both for the same subnet. Presumably the first offer to arrive is 'REQUEST'ed and all subsequent ones are NAK'd/ignored?

I'm not clear if you actually want/need two DHCP servers - can you just switch the Vigor's off?

Otherwise, this is a 'split scope' scenario and I'm not entirely sure how that's achieved with two discrete DHCP servers.

There's some Microsoft guidance on how to get a single DHCP server to do it, here: https://blogs.technet.microsoft.com/teamdhcp/2009/01/22/how-to-configure-split-scope-using-wizard/


10 Feb 2018 13:13 #5 by billatkins
I agree one DHCP server would be preferable.
For each LAN under General Setup there are three radio buttons for DHCP configuration: "Disable", "Enable Server" and "Enable Relay Agent". "Enable Relay Agent" does not seem to turn off the router DHCP server completely. Only one button can be pressed at a time.
When I select "Disable" the WS2012 DHCP server does not issue an IP or write anything to its log. That is what I would expect, as the DHCPDiscover message is coming in from the WAN and should not get through the router without the assistance of the Relay Agent. When I set "Enable Relay Agent" to the WS2012 address, NAKs appear in the log and the router DHCP server issues an IP from the scope set in VPN and Remote Settings / PPP General Setup headed "IP Address Assignment for Dial-In Users (When DHCP Disable set)".
I looked at the options available by telnet. They mirror the radio buttons. You do not seem to be able to have the DHCP relay agent running without the router DHCP server also available. There is reference to some custom options "srv dhcp option" in the manual which might help if I can find any documentation.


10 Feb 2018 18:04 #6 by hornbyp
Thinking about it some more...

I think the 2925's DHCP server is OFF, but it's retaining the right to spring back into action if all else has failed (i.e. "IP Address Assignment for Dial-In Users (When DHCP Disable set)").

I'd not realised it, but the Relay Agent doesn't just pass through the client's request - it seems to work more like a Proxy (or NAT), where it generates a whole new request and keeps track of which response to send to each client. That probably explains the fabricated MAC addresses showing up in the WS2012 DHCP log file.

I think you might have to look at the DHCP conversation in Wireshark to see why the WS2012 DHCP server feels unable to issue the requested IP address. Did it ever 'OFFER' that address, or did it just NAK immediately? "15" seems quite a catch-all error code. Some of the others "13=An IP address was found in use on the network" and "14=A lease request could not be satisfied because the address pool of the scope was exhausted" seem to account for the majority of things you might expect to go wrong.

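As an added example (not code from either poster), the following script parses the Windows DHCP server audit-log lines quoted in post #3, decodes the event IDs discussed in post #6, and checks the point about the "fabricated" MAC: a first octet of 02 has the locally-administered bit set, which marks a software-assigned address rather than a burned-in one. The column names follow the header Windows writes to the audit log (assumed to be the 2012 R2 layout); the sample lines are constructed from the post.

```python
"""Parse Windows DHCP audit-log CSV lines and summarise NACKs per client."""
import csv
import io
from collections import Counter

# Event IDs from the Windows DHCP audit log. 13, 14 and 15 are the ones the
# thread discusses; 10 and 11 are the success cases to contrast against.
EVENT_IDS = {
    10: "A new IP address was leased to a client",
    11: "A lease was renewed by a client",
    13: "An IP address was found in use on the network",
    14: "A lease request could not be satisfied because the scope's address pool was exhausted",
    15: "A lease was denied (NACK)",
}

# Column names per the audit-log header (assumption: Server 2012 R2 layout).
FIELDS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name",
          "MAC Address", "User Name", "TransactionID", "QResult", "Probationtime",
          "CorrelationID", "Dhcid", "VendorClass(Hex)", "VendorClass(ASCII)",
          "UserClass(Hex)", "UserClass(ASCII)", "RelayAgentInformation", "DnsRegError"]

# Constructed sample: the five NACK lines quoted in post #3.
SAMPLE_LOG = """15,02/09/18,18:53:55,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:56,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
15,02/09/18,18:53:57,NACK,192.168.42.78,,020AAA55EF98,,0,6,,,,,,,,,0
"""

def parse_audit_log(text):
    """Return one dict per event row; banner and header lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or not rec[0].isdigit():
            continue
        row = dict(zip(FIELDS, rec))
        row["ID"] = int(row["ID"])
        row["Meaning"] = EVENT_IDS.get(row["ID"], "unlisted event ID")
        rows.append(row)
    return rows

def is_locally_administered(mac_hex):
    """Bit 1 of the first octet set => locally administered (software-assigned) MAC."""
    return bool(int(mac_hex[:2], 16) & 0x02)

def nack_summary(rows):
    """Count NACKs (ID 15) per (MAC, IP) and flag software-assigned MACs."""
    counts = Counter((r["MAC Address"], r["IP Address"]) for r in rows if r["ID"] == 15)
    return {k: {"nacks": n, "locally_administered": is_locally_administered(k[0])}
            for k, n in counts.items()}
```

Running `nack_summary(parse_audit_log(SAMPLE_LOG))` shows five NACKs for one software-assigned MAC within three seconds, which is the pattern to look for before capturing the exchange in Wireshark.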