wmtrader
Virtual Firewall to Filter DHCP Traffic?

I need to setup a virtual firewall to filter DHCP traffic, just DHCP traffic, on the same LAN.

I am connecting two offices with a wireless link, configuring the two offices with the same IP scheme and I need to block DHCP traffic between the two offices. The customer's network switches cannot block DHCP traffic without creating VLANS and I do not want VLANS.

I do not need routing (same IP scheme at both offices) I just need to block DHCP traffic. I only need the DHCP filter to be in place for 2 weeks so new hardware purchases are not approved. I have a Windows 2012 R2 server with a number of unused NIC cards that I can use a Hyper-v server.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic without routing?
Cliff Galiher
Why are you doing the same "IP scheme" at two different sites? That flies on the face of all best practices and while someone may answer your question, it is also a setup for failure.

Realistically any packet filtering requires some level of routing. Splitting a broadcast domain but not having the participating machines aware of the split just isn't an architecture that TCP/IP or Ethernet were built on.
The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. If you do not use mobile devices, having to change IP addresses all time, that should work.

A filter can only work at the edge devices, i.e. at the wireless link. Just plugging in a VM somewhere doesn't help at all, because it would only work as a router - a bridged connection does not perform filtering.
wmtrader (ASKER)
Why are you doing the same "IP scheme" at two different sites? - The two offices will have one DHCP server in two weeks after the two domains are merged into one domain.

The obvious way to block DHCP traffic (at least for responses) is to stop all DHCP servers. - I would need to assign static IPs to a large number of PCs and visitors would not get an IP if the DHCP is turned off.

A filter can only work at the edge devices, i.e. at the wireless link. - my plan is to plug one of the Hyper-V NICs into the wireless link and the other NIC into the LAN switch and filter DHCP traffic between the two offices.
Looks like you could do that with a Linux VM running ebtables, but I don't have any experience with that.
Again this sounds like a poor architectural choice. Even after whatever merging you do in a few weeks, it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them. Then you'd either have a DHCP server at each site or one DHCP server with two scopes and the router performing DHCP relay.

You really shouldn't try to stretch a broadcast domain across multiple sites. While there are rare cases that this works and it appropriate, it is very uncommon.
ASKER CERTIFIED SOLUTION
Craig Beck
it sounds like you'd be better served with maintaining two broadcast domains which your topology already lends itself to, with *routing* between them - OK routing or no routing isn't the most important part of my question.

Which free, or 30-day trial, virtual firewall should I use in a Windows 2012 R2 Hyper-v environment to only block DHCP traffic?

Something like m0n0wall, OPNsense or another one that could be virtualized in a Hyper-V environment?
What wireless bridges do you have? - Alcoma model version I don't know. These are enterprise license spectrum microwave links not 802.11 a/b/g/n wi-fi links. I do not see any port filtering in the device management software.
Routing or no routing is extremely significant to answering your question. Sophos, for example, has a great virtual UTM product. It would be great in a routed situation, but its transparent bridging is cumbersome and often doesn't work as expected. So whether I'd recommend Sophos would be a direct result of your chosen topology. The "important" part of your question is *directly* driven by your topology choices... which you seem intent on sweeping under the rug.

Almost all Linux firewalls are forks of the same two or three base open source projects, and all of those support transparent bridging, which is the feature you want. To the extent that it is easy to set up? None are. Again, it is a rarely used configuration so no vendor or project has streamlined it. Even non-virtual, such as Cisco ASA devices, require esoteric command line fiddles to get transparent bridging configured.
What switches do you have the bridges connected to?
What switches do you have the bridges connected to? - Cisco SG500 52P
Cliff Galiher - Sophos, for example, has a great virtual UTM product. - there is a Sophos UTM 320 at one location.
It's easy then.  Use DHCP snooping on the switches to block DHCP via the ports that the wireless bridges are connected to.
And if you were using a routed topology, I'd say use the Sophos. But as I also said in that response, its transparent bridging is painful. Reinforcing that topology matters. If you really "need" some sort of recommendation, pfSense is as good as most other open source firewalls that support running virtual and support transparent bridging.
Craig Beck -  Use DHCP snooping on the switches to block DHCP -

On my other Experts Exchange question I asked how I can do this (block DHCP traffic) without using VLANs and I was informed that it is not possible.

Exactly how do I do this on a SG500-52P firmware version 1.3.0.62?

Thanks
eeRoot
What switch or router is being used to link the sites? It may have an option to create an ACL (access control list) that can block DHCP traffic. And rather than deal with trying to route traffic through a virtual firewall, you could install pfSense on a desktop with two NICs to sit between the networks and block the DHCP while allowing all other traffic. An in-line physical firewall would be a better option, in my opinion.
"An in-line physical firewall would be a better option" - can pfSense/OPNsense filter traffic when both NICs are on the same IP LAN segment, say NIC #1 IP is 192.168.1.10/24 and NIC #2 IP is 192.168.1.11/24?
I doubt any firewall will be able to handle the same subnet on two different interfaces.
Yes, pfSense can do this, both physical or virtual. That is why it is called transparent *bridging* ...it isn't routing traffic across the two NICs, it is a simple layer-2 bridge with minimal filtering. Note that if the two networks can reach each other outside of the bridging machine, this will do no good. The bridge must provide the only connectivity between the two desired isolated networks.
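The Linux ebtables approach mentioned earlier in the thread and the transparent-bridge behaviour described just above can be shown concretely. The script below is an added example written for this page, not something posted by anyone in the thread and not pfSense's or any vendor's configuration: it builds a Linux bridge between two NICs of a VM (the interface names eth1, eth2 and the bridge name br0 are assumed placeholders, overridable through environment variables) and installs ebtables FORWARD rules that drop only DHCPv4 (UDP 67/68) and DHCPv6 (UDP 546/547) frames crossing the bridge while every other frame passes untouched. By default it only prints the commands; setting APPLY=1 executes them on the bridge VM.

```shell
#!/bin/sh
# Added example: Linux VM as a transparent Layer-2 bridge that drops only DHCP.
# eth1/eth2/br0 are assumed names; nothing runs unless APPLY=1 is set.

LINK_IF="${LINK_IF:-eth1}"   # NIC facing the wireless link (assumed name)
LAN_IF="${LAN_IF:-eth2}"     # NIC facing the LAN switch (assumed name)
BRIDGE="${BRIDGE:-br0}"      # bridge device (assumed name)

# Commands that create the bridge. The bridge gets no IP address, so the VM
# is invisible at Layer 3 and does no routing: both offices stay in one subnet.
bridge_cmds() {
    cat <<EOF
ip link add name $BRIDGE type bridge
ip link set $LINK_IF master $BRIDGE
ip link set $LAN_IF master $BRIDGE
ip link set $LINK_IF up
ip link set $LAN_IF up
ip link set $BRIDGE up
EOF
}

# ebtables rules for the FORWARD chain, which sees every frame relayed between
# bridge ports. Matching on destination port 67:68 catches client discovers
# and requests (to 67) as well as server offers and acks (to 68), so both
# directions are blocked; 546:547 does the same for DHCPv6.
dhcp_filter_cmds() {
    cat <<EOF
ebtables -F FORWARD
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
ebtables -P FORWARD ACCEPT
EOF
}

# Sanity check before applying: exactly the two DHCP DROP rules, nothing broader.
count_drop_rules() {
    dhcp_filter_cmds | grep -c -- '-j DROP'
}

run_plan() {
    if [ "${APPLY:-0}" = "1" ]; then
        { bridge_cmds; dhcp_filter_cmds; } | sh -e
    else
        echo "# dry run; set APPLY=1 to execute on the bridge VM"
        bridge_cmds
        dhcp_filter_cmds
    fi
}

run_plan
```

As the answer above stresses, this only helps when the bridge VM is the sole path between the two offices; any second link (a stray cable, a second radio) lets DHCP broadcasts around it. Because the bridge carries no address, it also does not answer ARP or ping, which makes it easy to forget but hard to troubleshoot remotely, so keep console access to the VM.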
DHCP snooping is the right way.
I tried DHCP Snooping and it has proven to be the best option for my restrictions, environment and desired results.