Solved

DHCP and Bridged network

Posted on 2003-11-24
Last Modified: 2010-03-17
Hello

I have 2 networks connected to each other with a bridged VPN. Both endpoints are acting as firewall/DHCP/VPN gateway. The problem is that when someone at one end makes a DHCP request, the wrong endpoint may answer it. For example, if a workstation in network #1 sends a DHCP REQUEST, the DHCP server in network #2 answers it. That way the workstation in #1 gets the gateway and DNS servers from network #2 and is using the #2 firewall/DHCP/VPN gateway as its default GW.

I have tried to patch kernels with ebtables so that I could filter out DHCP requests coming from the other network, but recognizing those (because of the bridge) is difficult. I would be happy to hear if someone has some good ideas for this.

Cheers, Mikael
Question by:MikaelBB
LVL 13

Accepted Solution

by:
td_miles earned 225 total points
ID: 9815567
Have a read of the DHCP FAQ:
http://www.dhcp-handbook.com/dhcp_faq.html

which says that DHCP uses UDP ports 67 & 68, so if you block those two ports from going across your VPN, the DHCP requests shouldn't be able to either.
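The port-based filter suggested above, applied where the question's ebtables attempt would see it: on a Linux gateway whose bridged VPN is a tap interface enslaved to the bridge, frames entering or leaving the tunnel traverse the ebtables FORWARD chain on that bridge port, already decrypted, so UDP 67/68 can be dropped there while each site's own DHCP server keeps serving its LAN. This is an added example, not code from the thread; the interface name tap0 and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Linux bridge gateway where the
# bridged VPN appears as a tap interface (tap0, assumed name) enslaved to the
# bridge. Rules are generated as text so the script can be checked without root
# or ebtables installed, then applied with an explicit "apply" argument.

# Print the ebtables rules that stop DHCP crossing the tunnel port given as $1.
dhcp_bridge_rules() {
    vpn_if="$1"
    # Requests (dport 67) and replies (dport 68) are dropped in both directions
    # on the VPN port only, so local DHCP on each LAN is unaffected.
    for dir in "-i" "-o"; do
        echo "ebtables -A FORWARD $dir $vpn_if -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    done
    # Unconfigured clients send with source 0.0.0.0; dropping those from the
    # tunnel as well catches a client that uses a non-standard DHCP port.
    echo "ebtables -A FORWARD -i $vpn_if -p IPv4 --ip-src 0.0.0.0 -j DROP"
}

# Number of rules emitted; a quick sanity check before applying.
dhcp_bridge_rule_count() {
    dhcp_bridge_rules "$1" | wc -l | tr -d ' '
}

# Apply for real (needs root and ebtables); echoes each command to stderr first.
apply_dhcp_bridge_rules() {
    dhcp_bridge_rules "$1" | tee /dev/stderr | sh
}

# Usage: ./dhcp-bridge-filter.sh tap0        (print the rules)
#        ./dhcp-bridge-filter.sh tap0 apply  (install them)
if [ "${2:-}" = "apply" ]; then
    apply_dhcp_bridge_rules "$1"
elif [ -n "${1:-}" ]; then
    dhcp_bridge_rules "$1"
fi
```

Plain iptables on the gateway only sees these frames if bridge netfilter is passing bridged traffic to iptables, which is why the rules are written for ebtables on the bridge port.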
 
LVL 13

Expert Comment

by:td_miles
ID: 9815574
Sorry for two posts instead of one. Another alternative is to block traffic with a source of "0.0.0.0" (which is what DHCP requests are supposed to use as their source IP) from going across your VPN tunnel.
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 225 total points
ID: 9891168
Since you deployed a bridged VPN, all broadcasts span the networks at both ends, so the DHCP server at the other end may (that means sometimes) respond to a local DHCP request. In fact, it is just like two DHCP servers working together on the same LAN. But as you mentioned, it looks like you have a different subnet on each side, so I am wondering how it works.

In fact, I think you need a routed VPN for your scenario, if you are sure you need a different subnet on each side. Otherwise, just keep your bridged VPN and use one subnet for both sides; if so, only one DHCP server is needed.

BTW, I don't think td_miles's comment on blocking UDP 67 & 68 will work, because what you want to block is inside the VPN tunnel, and common port blocking does not work on it.

hope it helps,
bbao
 
LVL 2

Expert Comment

by:Xtreme-X
ID: 9999272
I thought a VPN required the subnets to be different? Otherwise you could end up with conflicts.
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9999334
Sure, so a routed VPN is needed here.