Solved

DHCP and Bridged network

Posted on 2003-11-24
Last Modified: 2010-03-17
Hello

I have 2 networks connected to each other with a bridged VPN. Both endpoints are acting as firewall/DHCP/VPN gateway. The problem is that when someone at one end makes a DHCP request, the wrong endpoint may answer it. For example, if a workstation in network #1 sends a DHCP REQUEST, the DHCP server in network #2 answers it. That way the workstation in #1 gets the gateway and DNS servers from network #2 and uses the #2 firewall/DHCP/VPN gateway as its default GW.

I have tried to patch kernels with ebtables so that I could filter out DHCP requests coming from the other network, but recognizing those (because of the bridge) is difficult. I would be happy to hear if someone has some good ideas for this.

Cheers, Mikael
Question by: MikaelBB

5 Comments

Accepted Solution by: td_miles (earned 900 total points)
ID: 9815567
Have a read of the DHCP FAQ:
http://www.dhcp-handbook.com/dhcp_faq.html

which says that DHCP uses UDP ports 67 & 68, so if you block those two ports from going across your VPN, the DHCP requests shouldn't be able to.

Expert Comment by: td_miles
ID: 9815574
sorry for two posts instead of one, another alternative is to block traffic with a source of "0.0.0.0" (which is what DHCP requests are supposed to use as their source IP) from going across your VPN tunnel.
0
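The per-frame check that td_miles's two comments describe (UDP ports 67/68, source 0.0.0.0), written up as an added example that is not from this thread: a Python model of a DHCP filter on the bridge port facing the VPN, where the decapsulated frames are visible, that drops DHCP in both directions and tags a reply from a server outside an assumed allow-list as rogue for logging. The frames and server addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
BOOTREQUEST, BOOTREPLY = 1, 2                      # BOOTP/DHCP 'op' field
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255

def make_frame(src_ip, dst_ip, sport, dport, op, msg_type, server_id=None):
    # Constructed Ethernet/IPv4/UDP/DHCP test frame (checksums left zero).
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed if server_id else b""
    dhcp = bytes([op]) + b"\x00" * 235 + b"\x63\x82\x53\x63" + opts + bytes([OPT_END])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip

def parse_dhcp(frame):
    """Return (src_ip, op, msg_type, server_id) for IPv4/UDP frames on port 67/68, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                 # not IPv4 carrying UDP
    udp = frame[14 + (frame[14] & 0x0F) * 4:]       # skip Ethernet + IP header (IHL)
    sport, dport = struct.unpack("!HH", udp[:4])
    dhcp = udp[8:]
    if (sport not in (67, 68) and dport not in (67, 68)) or len(dhcp) < 240:
        return None                                 # not DHCP, or too short to carry options
    msg_type = server_id = None
    opts, i = dhcp[240:], 0                         # 236-byte BOOTP header + 4-byte magic cookie
    while i + 1 < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:                            # pad option: single byte, no length
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == OPT_MSG_TYPE and length == 1 and i + 2 < len(opts):
            msg_type = opts[i + 2]
        elif code == OPT_SERVER_ID and length == 4 and i + 6 <= len(opts):
            server_id = str(IPv4Address(opts[i + 2:i + 6]))
        i += 2 + length
    return str(IPv4Address(frame[26:30])), dhcp[0], msg_type, server_id

def tunnel_port_verdict(frame, from_tunnel, local_servers):
    """Filter for the bridge port facing the VPN: DHCP never crosses the tunnel in either
    direction; a reply arriving from the tunnel is also tagged known/ROGUE for logging."""
    info = parse_dhcp(frame)
    if info is None:
        return "ACCEPT", "not DHCP"
    src_ip, op, msg_type, server_id = info
    if from_tunnel and op == BOOTREPLY:
        who = server_id or src_ip
        tag = "known" if who in local_servers else "ROGUE"
        return "DROP", f"{tag} server {who} answered over tunnel (DHCP type {msg_type})"
    return "DROP", f"DHCP op {op} from {src_ip} not allowed across tunnel"
```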

Assisted Solution by: bbao (earned 900 total points)
ID: 9891168
since you deployed a bridged VPN, all broadcasts span the networks at both ends, so a DHCP server at the other end may (that means sometimes) respond to a local DHCP request. in fact, it is just like two DHCP servers working together on the same LAN. but as you mentioned, it looks like you have a different subnet on each side, so i am wondering how it works.

in fact, i think you need a routing VPN for your scenario, if you are sure you need a different subnet on each side. else, just keep your bridged VPN and use one subnet for both sides; if so, only one DHCP server is needed.

btw, i don't think td_miles's comment on blocking UDP ports 67 & 68 will work, because what you want to block is inside the VPN tunnel, and common port blocking does not work on it.

hope it helps,
bbao

Expert Comment by: Xtreme-X
ID: 9999272
I thought a VPN required the sides to be different subnets? Otherwise you could end up with conflicts.

Expert Comment by: bbao
ID: 9999334
sure, so a routing VPN is needed here.