Solved

DHCP and Bridged network

Posted on 2003-11-24
7
498 Views
Last Modified: 2010-03-17
Hello

I have 2 networks connected to each other with bridged VPN. Both endpoints are acting as firewall/DHCP/VPN gateway. Problem is that when someone in one end makes DHCP request, wrong endpoint may answer it.. For example, if workstation in network #1 asks DHCP REQUEST, DHCP server in network #2 answers it. That way workstation in #1 gets the gateway and DNS's from network #2 and it is using #2 firewall/DHCP/VPN gateway as default GW.

I have tried to patch kernels with ebtables so that I could filter out DHCP requests coming from other network, but recognizing those (because of bridge) is difficult. I would be happy to hear if someone has some good ideas for this..

Cheers, Mikael
0
Comment
Question by:MikaelBB
  • 2
  • 2
7 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 225 total points
ID: 9815567
Have a read of the DHCP FAQ:
http://www.dhcp-handbook.com/dhcp_faq.html

which says that DHCP uses UDP ports 67 & 68, so if you block those two ports from going across your VPN, the DHCP requests shouldn't be able to.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9815574
sorry for two posts instead of one, another alternative is to block traffic with a source of "0.0.0.0" (which is what DHCP requests are supposed to use as their source IP) from going across your VPN tunnel.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 225 total points
ID: 9891168
since you deployed a bridged VPN, all broadcast span over the networks at both ends, so the a dhcp server at other end may (that means sometimes) response locall dhcp request. in fact, it is just like two dhcp server works together on same LAN. but as you mentioned, it looks you have different subnet at each side, so i am wondering how it works.

in fact, i think you need routing VPN for your scenario, if you are sure you need differnet subnet at each side. else, just keep your bridged VPN and use one subnet for both sides, if so, only one dhcp server is needed.

btw, i dont think td_miles's comment on blocking udps 67 & 68 will work, because what you want to block are inside the tunnel of VPN, common port blocking does not work on it.

hope it helps,
bbao
0
 
LVL 2

Expert Comment

by:Xtreme-X
ID: 9999272
I thought VPN required to be different subnets? otherwise you could end up with confilicts..
0
 
LVL 37

Expert Comment

by:bbao
ID: 9999334
sure, so routing VPN is needed at here.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

    Over the past few years, small business and home owners have become so dependent on internet that a need for redundancy has arisen.    What happens when your small business or home / home office loses its internet connection?  The results c…
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question