Solved

Virtual Firewall to Filter DHCP Traffic?

Posted on 2016-08-25
98 Views
Last Modified: 2016-09-04
I need to set up a virtual firewall to filter DHCP traffic, just DHCP traffic, on the same LAN.

I am connecting two offices with a wireless link, configuring the two offices with the same IP scheme and I need to block DHCP traffic between the two offices. The customer's network switches cannot block DHCP traffic without creating VLANS and I do not want VLANS.

I do not need routing (same IP scheme at both offices); I just need to block DHCP traffic. I only need the DHCP filter to be in place for 2 weeks, so new hardware purchases will not be approved. I have a Windows 2012 R2 server with a number of unused NIC cards that I can use as a Hyper-v server.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic without routing?
0
Question by:wmtrader
23 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41771320
Why are you doing the same "IP scheme" at two different sites? That flies in the face of all best practices and while someone may answer your question, it is also a setup for failure.

Realistically any packet filtering requires some level of routing. Splitting a broadcast domain but not having the participating machines aware of the split just isn't an architecture that TCP/IP or Ethernet were built on.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 41771349
The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. If you do not use mobile devices, having to change IP addresses all time, that should work.

A filter can only work at the edge devices, i.e. at the wireless link. Just plugging in a VM somewhere doesn't help at all, because it would only work as a router - a bridged connection does not perform filtering.
0
 

Author Comment

by:wmtrader
ID: 41771762
Why are you doing the same "IP scheme" at two different sites? - The two offices will have one DHCP server in two weeks after the two domains are merged into one domain.

The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. - I would need to assign static IPs to a large number of PCs and visitors would not get an IP if the DHCP is turned off.

A filter can only work at the edge devices, i.e. at the wireless link. - my plan is to plug one of the Hyper-v NICs into the wireless link and the other NIC into the LAN switch and filter DHCP traffic between the two offices.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 41771787
Looks like you could do that with a Linux VM running ebtables, but I don't have any experience with that.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41771792
Again this sounds like a poor architectural choice. Even after whatever merging you do in a few weeks, it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them. Then you'd either have a DHCP server at each site or one DHCP server with two scopes and the router performing DHCP relay.

You really shouldn't try to stretch a broadcast domain across multiple sites. While there are rare cases where this works and is appropriate, it is very uncommon.
0
 
LVL 46

Accepted Solution

by:Craig Beck (earned 2000 total points)
ID: 41771830
Either block broadcast forwarding at the wireless devices, or block DHCP packets from passing over the link.

What wireless bridges do you have?
0
 

Author Comment

by:wmtrader
ID: 41771841
it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them - OK routing or no routing isn't the most important part of my question.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic?

Something like m0n0wall, opnsense or another one that could be virtualized in a Hyper-v environment?
0
 

Author Comment

by:wmtrader
ID: 41771864
What wireless bridges do you have? - Alcoma model version I don't know. These are enterprise license spectrum microwave links not 802.11 a/b/g/n wi-fi links. I do not see any port filtering in the device management software.
0
 

Author Comment

by:wmtrader
ID: 41771865
What wireless bridges do you have? - Alcoma model version I don't know. These are enterprise license spectrum microwave links not 802.11 a/b/g/n wi-fi links. I do not see any port filtering in the device management software.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41771876
Routing or no routing is extremely significant to answering your question. Sophos, for example, has a great virtual UTM product. Would be great in a routed situation, but its transparent bridging is cumbersome and often doesn't work as expected. So whether I'd recommend Sophos would be a direct result of your chosen topology. The "important" part of your question is *directly* driven by your topology choices... which you seem intent on sweeping under the rug.

Almost all Linux firewalls are forks of the same two or three base open source projects, and all of those support transparent bridging, which is the feature you want. To the extent that it is easy to set up? None are. Again, it is a rarely used configuration so no vendor or project has streamlined it. Even non-virtual, such as Cisco ASA devices, require esoteric command line fiddles to get transparent bridging configured.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41771882
What switches do you have the bridges connected to?
0
 

Author Comment

by:wmtrader
ID: 41771884
What switches do you have the bridges connected to? - Cisco SG500 52P
0
 

Author Comment

by:wmtrader
ID: 41771919
Cliff Galiher - Sophos, for example, has a great virtual UTM product. - there is a Sophos UTM 320 at one location.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41771922
It's easy then. Use DHCP snooping on the switches to block DHCP via the ports that the wireless bridges are connected to.
0
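An added example of the DHCP snooping approach suggested above; this is not configuration from the thread or from Cisco documentation, and the port numbers are placeholders. It assumes a Cisco SG500 running its standard CLI, with the wireless bridge on one port and the local DHCP server (or the uplink towards it) on another. DHCP snooping is enabled on the default VLAN 1, which every port already belongs to, so no VLAN design change is needed:

```cisco
! Added example, not from the thread. Port numbers are placeholders.
configure
! Turn on DHCP snooping globally and on the default VLAN (all ports are in VLAN 1 already).
ip dhcp snooping
ip dhcp snooping vlan 1
!
! The port facing the local DHCP server must be trusted, otherwise local
! clients stop receiving leases once snooping is enabled.
interface gigabitethernet1/1/1
 ip dhcp snooping trust
exit
!
! The port facing the wireless bridge stays untrusted (the default): any
! DHCP OFFER/ACK arriving from the other office over the link is dropped here.
interface gigabitethernet1/1/49
 no ip dhcp snooping trust
exit
end
```

Apply the same configuration on the switch at the other office, so each site drops the other site's server replies on its own bridge port. Two things to verify afterwards: first, that the only trusted port is the one towards the local DHCP server, since a trusted port towards the bridge would let the remote server's offers straight through; second, with a packet capture or the switch's DHCP snooping counters, that local clients still obtain leases. Client DISCOVER broadcasts still cross the link and reach the remote server, but its replies never make it past the untrusted port, which is what the question needed for the two-week window.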
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41771942
And if you were using a routed topology, I'd say use the Sophos. But as I also said in that response, its transparent bridging is painful. Reinforcing that topology matters. If you really "need" some sort of recommendation, pfsense is as good as most other open source firewalls that support running virtual and support transparent bridging.
0
 

Author Comment

by:wmtrader
ID: 41772018
Craig Beck - Use DHCP snooping on the switches to block DHCP -

On my other Experts Exchange question I asked how I can do this (block DHCP traffic) without using VLANs and I was informed that it is not possible.

Exactly how do I do this on a SG500-52P firmware version 1.3.0.62?

Thanks
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772608
What switch or router is being used to link the sites? It may have an option to create an ACL (access control list) that can block DHCP traffic. And rather than deal with trying to route traffic through a virtual firewall, you could install PF sense on a desktop with two NICs to sit between the networks and block the DHCP while allowing all other traffic. An in-line physical firewall would be a better option, in my opinion.
0
 

Author Comment

by:wmtrader
ID: 41772615
"An in-line physical firewall would be a better option" - can PF Sense/Open Sense filter traffic when both NICs are on the same IP LAN segment, say NIC #1 IP is 192.168.1.10/24 and NIC #2 IP is 192.168.1.11/24?
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 41772626
I doubt any firewall will be able to handle the same subnet on two different interfaces.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41772641
Yes, pfsense can do this, either physical or virtual. That is why it is called transparent *bridging*... it isn't routing traffic across the two NICs, it is a simple layer-2 bridge with minimal filtering. Note that if the two networks can reach each other outside of the bridging machine, this will do no good. The bridge must provide the only connectivity between the two desired isolated networks.
0
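The transparent bridge described in this comment, and the ebtables idea Qlemo raised earlier, as an added example that is not code from the thread or from any of the projects mentioned. It assumes a Linux VM with two NICs (`eth0` towards the LAN switch and `eth1` towards the wireless link, both names being assumptions), builds a layer-2 bridge with no IP address of its own, and drops DHCP in both directions in the bridge's FORWARD chain. By default it only prints the commands; set `DRY_RUN=0` and run it as root to apply them:

```shell
#!/bin/sh
# Added example, not from the thread. Transparent Linux bridge that filters
# only DHCP (UDP 67/68) between two NICs. Interface names are assumptions.
LAN_IF="${LAN_IF:-eth0}"     # NIC patched to the local LAN switch (assumed name)
LINK_IF="${LINK_IF:-eth1}"   # NIC patched to the wireless bridge (assumed name)
BRIDGE="${BRIDGE:-br0}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands only; 0 = execute (needs root)

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the bridge. br0 gets no IP address: frames are forwarded at layer 2
# and the VM is invisible to both offices, which is the "transparent" part.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$LAN_IF" master "$BRIDGE"
    run ip link set "$LINK_IF" master "$BRIDGE"
    run ip link set "$LAN_IF" up
    run ip link set "$LINK_IF" up
    run ip link set "$BRIDGE" up
}

# Filter only frames forwarded across the bridge (FORWARD chain), so the
# VM's own management traffic is untouched. DHCP client->server is UDP
# sport 68 / dport 67; server->client is sport 67 / dport 68. Dropping
# both directions means neither site's server sees the other site's
# DISCOVERs and no OFFER/ACK leaks across the link.
dhcp_filter_rules() {
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j DROP
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j DROP
}

# Number of DROP rules the filter installs; a quick self-check in dry-run mode.
dhcp_rule_count() {
    ( DRY_RUN=1; dhcp_filter_rules ) | grep -c -- '-j DROP'
}

setup_bridge
dhcp_filter_rules
```

Two caveats carry over from the comment above: the bridge VM must be the only path between the two offices (any second link, including a second wireless hop, bypasses the filter entirely), and on Hyper-v each NIC needs its own external virtual switch with the guest interface bridged between them. Confirm the filter is working by watching the ebtables counters (`ebtables -L --Lc`) while a client at the other office renews its lease; the DROP counters should increment and no foreign lease should appear on either side.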
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41772700
DHCP snooping is the right way.
0
 

Author Closing Comment

by:wmtrader
ID: 41783994
I tried DHCP Snooping and it has proven to be the best option for my restrictions, environment and desired results.
0
