Solved

DHCP and Bridged network

Posted on 2003-11-24
7
506 Views
Last Modified: 2010-03-17
Hello

I have 2 networks connected to each other with bridged VPN. Both endpoints are acting as firewall/DHCP/VPN gateway. Problem is that when someone in one end makes DHCP request, wrong endpoint may answer it.. For example, if workstation in network #1 asks DHCP REQUEST, DHCP server in network #2 answers it. That way workstation in #1 gets the gateway and DNS's from network #2 and it is using #2 firewall/DHCP/VPN gateway as default GW.

I have tried to patch kernels with ebtables so that I could filter out DHCP requests coming from other network, but recognizing those (because of bridge) is difficult. I would be happy to hear if someone has some good ideas for this..

Cheers, Mikael
0
Comment
Question by:MikaelBB
  • 2
  • 2
7 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 225 total points
ID: 9815567
Have a read of the DHCP FAQ:
http://www.dhcp-handbook.com/dhcp_faq.html

which says that DHCP uses UDP ports 67 & 68, so if you block those two ports from going across your VPN, the DHCP requests shouldn't be able to.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9815574
sorry for two posts instead of one, another alternative is to block traffic with a source of "0.0.0.0" (which is what DHCP requests are supposed to use as their source IP) from going across your VPN tunnel.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 225 total points
ID: 9891168
since you deployed a bridged VPN, all broadcast span over the networks at both ends, so the a dhcp server at other end may (that means sometimes) response locall dhcp request. in fact, it is just like two dhcp server works together on same LAN. but as you mentioned, it looks you have different subnet at each side, so i am wondering how it works.

in fact, i think you need routing VPN for your scenario, if you are sure you need differnet subnet at each side. else, just keep your bridged VPN and use one subnet for both sides, if so, only one dhcp server is needed.

btw, i dont think td_miles's comment on blocking udps 67 & 68 will work, because what you want to block are inside the tunnel of VPN, common port blocking does not work on it.

hope it helps,
bbao
0
 
LVL 2

Expert Comment

by:Xtreme-X
ID: 9999272
I thought VPN required to be different subnets? otherwise you could end up with confilicts..
0
 
LVL 37

Expert Comment

by:bbao
ID: 9999334
sure, so routing VPN is needed at here.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Comparing Internet speeds via throughput 3 99
BTnet 100Mb Broadband Query 2 80
Cisco 1841 failed checking exit interface 5 79
internet traffic 2 119
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question