Solved

Virtual Firewall to Filter DHCP Traffic?

Posted on 2016-08-25
Last Modified: 2016-09-04
I need to setup a virtual firewall to filter DHCP traffic, just DHCP traffic, on the same LAN.

I am connecting two offices with a wireless link, configuring the two offices with the same IP scheme and I need to block DHCP traffic between the two offices. The customer's network switches cannot block DHCP traffic without creating VLANS and I do not want VLANS.

I do not need routing (same IP scheme at both offices) I just need to block DHCP traffic. I only need the DHCP filter to be in place for 2 weeks so new hardware purchases are not approved. I have a Windows 2012 R2 server with a number of unused NIC cards that I can use a Hyper-v server.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic without routing?
Question by:wmtrader
23 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41771320
Why are you doing the same "IP scheme" at two different sites? That flies in the face of all best practices and while someone may answer your question, it is also a setup for failure.

Realistically any packet filtering requires some level of routing. Splitting a broadcast domain but not having the participating machines aware of the split just isn't an architecture that TCP/IP or Ethernet were built on.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 41771349
The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. If you do not use mobile devices, having to change IP addresses all the time, that should work.

A filter can only work at the edge devices, i.e. at the wireless link. Just plugging in a VM somewhere doesn't help at all, because it would only work as a router - a bridged connection does not perform filtering.
0
 

Author Comment

by:wmtrader
ID: 41771762
Why are you doing the same "IP scheme" at two different sites? - The two offices will have one DHCP server in two weeks after the two domains are merged into one domain.

The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. - I would need to assign static IPs to a large number of PCs and visitors would not get an IP if the DHCP is turned off.

A filter can only work at the edge devices, i.e. at the wireless link. - my plan is to plug one of the Hyper-V NICs into the wireless link and the other NIC into the LAN switch and filter DHCP traffic between the two offices.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 41771787
Looks like you could do that with a Linux VM running ebtables, but I don't have any experience with that.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41771792
Again this sounds like a poor architectural choice. Even after whatever merging you do in a few weeks, it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them. Then you'd either have a DHCP server at each site or one DHCP server with two scopes and the router performing DHCP relay.

You really shouldn't try to stretch a broadcast domain across multiple sites. While there are rare cases that this works and it appropriate, it is very uncommon.
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 41771830
Either block broadcast forwarding at the wireless devices, or block DHCP packets from passing over the link.

What wireless bridges do you have?
0
 

Author Comment

by:wmtrader
ID: 41771841
it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them - OK routing or no routing isn't the most important part of my question.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic?

Something like m0n0wall, OPNsense or another one that could be virtualized in a Hyper-V environment?
0
 
 

Author Comment

by:wmtrader
ID: 41771865
What wireless bridges do you have? - Alcoma model version I don't know. These are enterprise license spectrum microwave links not 802.11 a/b/g/n wi-fi links. I do not see any port filtering in the device management software.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41771876
Routing or no routing is extremely significant to answering your question. Sophos, for example, has a great virtual UTM product. Would be great in a routed situation, but its transparent bridging is cumbersome and often doesn't work as expected. So whether I'd recommend Sophos would be a direct result of your chosen topology. The "important" part of your question is *directly* driven by your topology choices... which you seem intent on sweeping under the rug.

Almost all Linux firewalls are forks of the same two or three base open source projects, and all of those support transparent bridging, which is the feature you want. To the extent that it is easy to set up? None are. Again, it is a rarely used configuration so no vendor or project has streamlined it. Even non-virtual, such as Cisco ASA devices, require esoteric command line fiddles to get transparent bridging configured.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41771882
What switches do you have the bridges connected to?
0
 

Author Comment

by:wmtrader
ID: 41771884
What switches do you have the bridges connected to? - Cisco SG500 52P
0
 

Author Comment

by:wmtrader
ID: 41771919
Cliff Galiher - Sophos, for example, has a great virtual UTM product. - there is a Sophos UTM 320 at one location.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41771922
It's easy then.  Use DHCP snooping on the switches to block DHCP via the ports that the wireless bridges are connected to.
0
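The per-frame decision that DHCP snooping makes on an untrusted switch port (the same match an ebtables or pfSense transparent-bridge filter would apply on the wireless link), as an added Python example that is not from this thread or from any switch vendor's implementation; the frames are constructed samples with checksums zeroed.

```python
import socket
import struct

ETH_IPV4, IP_UDP = 0x0800, 17
BOOTP_PORTS = {67, 68}                      # DHCP server port 67, client port 68
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK, DHCP_NAK = 1, 2, 5, 6     # RFC 2132 option 53 values
SERVER_MSG_TYPES = {DHCP_OFFER, DHCP_ACK, DHCP_NAK}           # only a DHCP server sends these
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options in BOOTP

def dhcp_message_type(frame: bytes):
    """Return DHCP option 53 (message type) of an Ethernet frame, or None if it is not DHCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    if len(ip) < ihl + 8 or ip[9] != IP_UDP:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport not in BOOTP_PORTS or dport not in BOOTP_PORTS:
        return None
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    i = 240                                 # walk the TLV options after the cookie
    while i + 1 < len(bootp) and bootp[i] != 255:
        code, length = bootp[i], bootp[i + 1]
        if code == 0:                       # pad option carries no length byte
            i += 1
            continue
        if code == 53 and length == 1 and i + 2 < len(bootp):
            return bootp[i + 2]
        i += 2 + length
    return None

def snoop_decision(frame: bytes, port_trusted: bool) -> str:
    """What a DHCP-snooping port (or a bridge filter) does with one incoming frame."""
    mtype = dhcp_message_type(frame)
    if mtype in SERVER_MSG_TYPES and not port_trusted:
        return "drop"       # server reply arriving on an untrusted port, e.g. the wireless link
    return "forward"        # non-DHCP traffic and client requests pass untouched

def build_dhcp_frame(msg_type: int, sport: int, dport: int) -> bytes:
    """Constructed sample: minimal broadcast Ethernet/IPv4/UDP/DHCP frame (checksums zeroed)."""
    bootp = bytes(236) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_UDP, 0,
                     socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255"))
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_IPV4) + ip + udp

ARP_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x06" + bytes(28)   # constructed, not DHCP
```

Marking only the port facing the wireless bridge as untrusted lets each office's clients keep using their own server while the other office's OFFER/ACK packets are dropped on arrival; all other traffic still crosses the link unchanged.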
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41771942
And if you were using a routed topology, I'd say use the Sophos. But as I also said in that response, its transparent bridging is painful. Reinforcing that topology matters. If you really "need" some sort of recommendation, pfsense is as good as most other open source firewalls that support running virtual and support transparent bridging.
0
 

Author Comment

by:wmtrader
ID: 41772018
Craig Beck -  Use DHCP snooping on the switches to block DHCP -

On my other Experts Exchange question I asked how I can do this (block DHCP traffic) without using VLANs and I was informed that it is not possible.

Exactly how do I do this on a SG500-52P firmware version 1.3.0.62?

Thanks
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772608
What switch or router is being used to link the sites?  It may have an option to create an ACL (access control list) that can block DHCP traffic.  And rather than deal with trying to route traffic through a virtual firewall, you could install PF sense on a desktop with two NICs to sit between the networks and block the DHCP while allowing all other traffic.  An in-line physical firewall would be a better option, in my opinion.
0
 

Author Comment

by:wmtrader
ID: 41772615
"An in-line physical firewall would be a better option" - can PF Sense/OPNsense filter traffic when both NICs are on the same IP LAN segment, say NIC #1 IP is 192.168.1.10/24 and NIC #2 IP is 192.168.1.11/24?
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772626
I doubt any firewall will be able to handle the same subnet on two different interfaces.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41772641
Yes, pfsense can do this, both physical or virtual. That is why it is called transparent *bridging* ...it isn't routing traffic across the two NICs, it is a simple layer-2 bridge with minimal filtering. Note that if the two networks can reach each other outside of the bridging machine, this will do no good. The bridge must provide the only connectivity between the two desired isolated networks.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41772700
DHCP snooping is the right way.
0
 

Author Closing Comment

by:wmtrader
ID: 41783994
I tried DHCP Snooping and it has proven to be the best option for my restrictions, environment and desired results.
0