Solved

Virtual Firewall to Filter DHCP Traffic?

Posted on 2016-08-25
Last Modified: 2016-09-04
I need to set up a virtual firewall to filter DHCP traffic, just DHCP traffic, on the same LAN.

I am connecting two offices with a wireless link, configuring the two offices with the same IP scheme and I need to block DHCP traffic between the two offices. The customer's network switches cannot block DHCP traffic without creating VLANs and I do not want VLANs.

I do not need routing (same IP scheme at both offices), I just need to block DHCP traffic. I only need the DHCP filter to be in place for 2 weeks, so new hardware purchases are not approved. I have a Windows 2012 R2 server with a number of unused NIC cards that I can use as a Hyper-V server.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-V environment to only block DHCP traffic without routing?
Question by:wmtrader
23 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41771320
Why are you doing the same "IP scheme" at two different sites? That flies in the face of all best practices and while someone may answer your question, it is also a setup for failure.

Realistically any packet filtering requires some level of routing. Splitting a broadcast domain but not having the participating machines aware of the split just isn't an architecture that TCP/IP or Ethernet were built on.
 
LVL 68

Expert Comment

by:Qlemo
ID: 41771349
The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. If you do not use mobile devices, having to change IP addresses all the time, that should work.

A filter can only work at the edge devices, i.e. at the wireless link. Just plugging in a VM somewhere doesn't help at all, because it would only work as a router - a bridged connection does not perform filtering.
 

Author Comment

by:wmtrader
ID: 41771762
Why are you doing the same "IP scheme" at two different sites? - The two offices will have one DHCP server in two weeks after the two domains are merged into one domain.

The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. - I would need to assign static IPs to a large number of PCs and visitors would not get an IP if the DHCP is turned off.

A filter can only work at the edge devices, i.e. at the wireless link. - my plan is to plug one of the Hyper-V NICs into the wireless link and the other NIC into the LAN switch and filter DHCP traffic between the two offices.
 
LVL 68

Expert Comment

by:Qlemo
ID: 41771787
Looks like you could do that with a Linux VM running ebtables, but I don't have any experience with that.
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41771792
Again this sounds like a poor architectural choice. Even after whatever merging you do in a few weeks, it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them. Then you'd either have a DHCP server at each site or one DHCP server with two scopes and the router performing DHCP relay.

You really shouldn't try to stretch a broadcast domain across multiple sites. While there are rare cases where this works and is appropriate, it is very uncommon.
 
LVL 45

Accepted Solution

by: Craig Beck (earned 500 total points)
ID: 41771830
Either block broadcast forwarding at the wireless devices, or block DHCP packets from passing over the link.

What wireless bridges do you have?
 

Author Comment

by:wmtrader
ID: 41771841
it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them - OK routing or no routing isn't the most important part of my question.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic?

Something like m0n0wall, OPNsense or another one that could be virtualized in a Hyper-V environment?
 

Author Comment

by:wmtrader
ID: 41771864
What wireless bridges do you have? - Alcoma, model version I don't know. These are enterprise licensed spectrum microwave links, not 802.11 a/b/g/n wi-fi links. I do not see any port filtering in the device management software.
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41771876
Routing or no routing is extremely significant to answering your question. Sophos, for example, has a great virtual UTM product. Would be great in a routed situation, but its transparent bridging is cumbersome and often doesn't work as expected. So whether I'd recommend Sophos would be a direct result of your chosen topology. The "important" part of your question is *directly* driven by your topology choices... which you seem intent on sweeping under the rug.

Almost all Linux firewalls are forks of the same two or three base open source projects, and all of those support transparent bridging, which is the feature you want. To the extent that it is easy to set up? None are. Again, it is a rarely used configuration so no vendor or project has streamlined it. Even non-virtual, such as Cisco ASA devices, require esoteric command line fiddles to get transparent bridging configured.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41771882
What switches do you have the bridges connected to?
 

Author Comment

by:wmtrader
ID: 41771884
What switches do you have the bridges connected to? - Cisco SG500-52P
 

Author Comment

by:wmtrader
ID: 41771919
Cliff Galiher - Sophos, for example, has a great virtual UTM product. - there is a Sophos UTM 320 at one location.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41771922
It's easy then.  Use DHCP snooping on the switches to block DHCP via the ports that the wireless bridges are connected to.
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41771942
And if you were using a routed topology, I'd say use the Sophos. But as I also said in that response, its transparent bridging is painful. Reinforcing that topology matters. If you really "need" some sort of recommendation, pfSense is as good as most other open source firewalls that support running virtual and support transparent bridging.
 

Author Comment

by:wmtrader
ID: 41772018
Craig Beck - Use DHCP snooping on the switches to block DHCP -

On my other Experts Exchange question I asked how I can do this (block DHCP traffic) without using VLANs and I was informed that it is not possible.

Exactly how do I do this on a SG500-52P firmware version 1.3.0.62?

Thanks
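An added configuration example for the DHCP snooping approach Craig Beck suggests; it is written for this thread and is not taken from any reply, and it has not been checked against firmware 1.3.0.62 specifically. It assumes the Sx500-family CLI (`ip dhcp snooping`, `ip dhcp snooping vlan`, `ip dhcp snooping trust`), that the LAN is the existing default VLAN 1 (snooping is enabled on the VLAN that is already there, so no new VLAN is created), that port gi1/1/49 faces the wireless bridge and port gi1/1/1 faces the site's own DHCP server. The port numbers are placeholders.

```text
! Added example, not from the thread. Port numbers are assumptions.
configure terminal
 ip dhcp snooping
 ip dhcp snooping vlan 1
 ! port to this site's DHCP server: the only port allowed to deliver
 ! OFFER/ACK/NAK into the switch
 interface gi1/1/49
  no ip dhcp snooping trust
 exit
 ! port to the wireless bridge: untrusted (the default, stated explicitly),
 ! so DHCP server replies arriving from the other site are dropped here
 interface gi1/1/1
  ip dhcp snooping trust
 exit
exit
show ip dhcp snooping
copy running-config startup-config
```

What this buys you: on an untrusted port the switch discards DHCP server messages (OFFER, ACK, NAK) but still forwards client DISCOVER/REQUEST, so a client can only take a lease from a server that sits behind a trusted port of its own switch. Because snooping filters on ingress only, the same configuration (with that site's own server port trusted) goes on the SG500 at the other office as well; otherwise that switch will happily accept replies coming back over the link. If the DHCP server hangs off a second switch, the uplink port toward it must be trusted too. `show ip dhcp snooping` confirms the trusted ports and `show ip dhcp snooping binding` lists the leases the switch has seen; once the domains are merged, `no ip dhcp snooping` removes the whole thing.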
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772608
What switch or router is being used to link the sites?  It may have an option to create an ACL (access control list) that can block DHCP traffic.  And rather than deal with trying to route traffic through a virtual firewall, you could install pfSense on a desktop with two NICs to sit between the networks and block the DHCP while allowing all other traffic.  An in-line physical firewall would be a better option, in my opinion.
 

Author Comment

by:wmtrader
ID: 41772615
"An in-line physical firewall would be a better option" - can pfSense/OPNsense filter traffic when both NICs are on the same IP LAN segment, say NIC #1 IP is 192.168.1.10/24 and NIC #2 IP is 192.168.1.11/24?
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772626
I doubt any firewall will be able to handle the same subnet on two different interfaces.
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41772641
Yes, pfSense can do this, both physical or virtual. That is why it is called transparent *bridging* ...it isn't routing traffic across the two NICs, it is a simple layer-2 bridge with minimal filtering. Note that if the two networks can reach each other outside of the bridging machine, this will do no good. The bridge must provide the only connectivity between the two desired isolated networks.
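The transparent bridge Qlemo (ebtables) and Cliff Galiher (layer-2 bridge with minimal filtering) describe, as an added example that is not code from any participant in this thread: a Linux VM on the Hyper-V host with two vNICs enslaved to one bridge, and ebtables rules in the bridge's FORWARD chain that drop only DHCP. The interface names `eth1`/`eth2`, the bridge name `br0` and the script name are assumptions, and the DHCPv6 rule goes beyond the IPv4 case discussed above.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant): a Linux VM
# with two NICs acting as a transparent layer-2 bridge that forwards everything
# except DHCP. Interface and bridge names are assumptions; adjust to the VM.
set -e

BR="${BR:-br0}"
LAN_IF="${LAN_IF:-eth1}"     # assumed: vNIC on the vSwitch bound to the LAN switch port
LINK_IF="${LINK_IF:-eth2}"   # assumed: vNIC on the vSwitch bound to the wireless bridge

# Print the filter rules one per line instead of running them, so they can be
# reviewed (or tested) before anything is applied. Every DHCPv4 message has a
# UDP destination port of 67 (client->server, relay->server) or 68
# (server->client), so one destination-port range catches both directions in
# the bridge's FORWARD chain; all other traffic is untouched because the
# chain's default policy stays ACCEPT.
dhcp_block_rules() {
    printf '%s\n' \
        "ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    # Beyond the thread's IPv4 case: DHCPv6 uses UDP 546 (client) / 547 (server).
    printf '%s\n' \
        "ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP"
}

# Create the bridge and enslave both NICs. The bridge needs no IP address to
# forward: it is a layer-2 device, which is why both sites keep the same IP scheme.
bridge_setup() {
    ip link add name "$BR" type bridge
    ip link set dev "$LAN_IF" master "$BR"
    ip link set dev "$LINK_IF" master "$BR"
    ip link set dev "$LAN_IF" up
    ip link set dev "$LINK_IF" up
    ip link set dev "$BR" up
}

# Load the rules into a freshly flushed FORWARD chain.
apply_rules() {
    ebtables -F FORWARD
    dhcp_block_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Per-rule packet counters: the DROP counters should climb while a client on
# the far side of the link is trying to obtain a lease.
show_counters() {
    ebtables -L FORWARD --Lc
}

case "${1:-}" in
    apply) bridge_setup; apply_rules; show_counters ;;
    show)  dhcp_block_rules ;;
esac
```

Saved as, say, `bridge-dhcp-filter.sh`, `sh bridge-dhcp-filter.sh show` prints the rules and, as root, `sh bridge-dhcp-filter.sh apply` builds the bridge and loads them. Two Hyper-V details decide whether this works at all: each of the two vNICs must sit on its own external virtual switch bound to one of the spare physical NICs (one cabled to the LAN switch, one to the wireless bridge), and MAC address spoofing must be enabled on both vNICs (`Set-VMNetworkAdapter -VMName <name> -MacAddressSpoofing On`), because otherwise the virtual switch discards bridged frames whose source MAC is not the vNIC's own. As Cliff points out, the VM must also be the only path between the two sites; any link around it carries DHCP unfiltered.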
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41772700
DHCP snooping is the right way.
 

Author Closing Comment

by:wmtrader
ID: 41783994
I tried DHCP Snooping and it has proven to be the best option for my restrictions, environment and desired results.
