DHCP and Bridged network

Hello

I have 2 networks connected to each other with bridged VPN. Both endpoints are acting as firewall/DHCP/VPN gateway. Problem is that when someone in one end makes DHCP request, wrong endpoint may answer it.. For example, if workstation in network #1 asks DHCP REQUEST, DHCP server in network #2 answers it. That way workstation in #1 gets the gateway and DNS's from network #2 and it is using #2 firewall/DHCP/VPN gateway as default GW.

I have tried to patch kernels with ebtables so that I could filter out DHCP requests coming from other network, but recognizing those (because of bridge) is difficult. I would be happy to hear if someone has some good ideas for this..

Cheers, Mikael
MikaelBBAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

td_milesCommented:
Have a read of the DHCP FAQ:
http://www.dhcp-handbook.com/dhcp_faq.html

which says that DHCP uses UDP ports 67 & 68, so if you block those two ports from going across your VPN, the DHCP requests shouldn't be able to.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
td_milesCommented:
sorry for two posts instead of one, another alternative is to block traffic with a source of "0.0.0.0" (which is what DHCP requests are supposed to use as their source IP) from going across your VPN tunnel.
bbaoIT ConsultantCommented:
since you deployed a bridged VPN, all broadcast span over the networks at both ends, so the a dhcp server at other end may (that means sometimes) response locall dhcp request. in fact, it is just like two dhcp server works together on same LAN. but as you mentioned, it looks you have different subnet at each side, so i am wondering how it works.

in fact, i think you need routing VPN for your scenario, if you are sure you need differnet subnet at each side. else, just keep your bridged VPN and use one subnet for both sides, if so, only one dhcp server is needed.

btw, i dont think td_miles's comment on blocking udps 67 & 68 will work, because what you want to block are inside the tunnel of VPN, common port blocking does not work on it.

hope it helps,
bbao
Xtreme-XCommented:
I thought VPN required to be different subnets? otherwise you could end up with confilicts..
bbaoIT ConsultantCommented:
sure, so routing VPN is needed at here.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Broadband

From novice to tech pro — start learning today.