The trouble you are running into is that giaddr is overloaded to not
only mean where to send the reply packet, but also to what physical
broadcast domain the client system is attached.


Use ISC DHCP 3.1.0a1 server which (aside from being an alpha quality
release) supports the Relay Agent Link Selection sub-option.

Also, use a relay that forms such an option.  I have no hints for you
here, ISC's doesn't (but could be made to with some trivial coding).

In this case, the relay selects an address it may be reached at (which
may be permanently translated on your NAT device, or incorporated
within it, or whatever works for you) to place in the giaddr which is
not on the same broadcast domain as the client.  It does place such an
address (on the same broadcast domain as the client) in the link
selection option, which is used for the purposes of finding an address
to allocate.

There is also the subnet selection option, but as this is a normal
DHCP option (not an encapsulated relay agent sub-option), it would
mean teaching your clients to transmit it, or funky dhcp packet
rewriting.  Neither of those are usually very workable scenarios.

Best of luck.

