Hello,
Is it possible to enable DHCP relaying from one subnet to another through Securepoint?
Thank you, Andy.
How do you configure DHCP relay from one subnet to another?
Moderator: Securepoint
There are 10 types of people in the world... those who understand binary and those who don\'t.
Hello,
Thanks for this. I think dhcrelay is ok.
The DHCP servers are located on our LAN (eth7).
We want DHCP broadcasts originating in dmz1 (eth4), to be forwarded to the LAN DHCP servers.
'/usr/sbin/dhcrelay -q -i eth4 -m forward 192.168.200.1 192.168.200.2'
However, the broadcast packets are being dropped at the securepoints dmz1 interface.
I created two network objects;
255.255.255.255/32 in zone 'firewall-dmz1' = 'DMZ1_Interface'
0.0.0.0/0 in zone 'dmz1' = 'DMZ1_any'
I created a service group with one service object;
Name: 'DHCPRelay', protocol: UDP, Source: 67:68, Destination: 67:68
I then created a firewall rule;
From: DMZ_any, To: DMZ_Interface, Service: DHCPRelay
However the logs show my DHCP broadcasts are being dropped!!!
Log;
'Firewall DROP' IN=eth4 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:80:5d:b0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=16 PROTO=UDP SPT=68 DPT=67 LEN=308
Thanks for this. I think dhcrelay is ok.
The DHCP servers are located on our LAN (eth7).
We want DHCP broadcasts originating in dmz1 (eth4), to be forwarded to the LAN DHCP servers.
'/usr/sbin/dhcrelay -q -i eth4 -m forward 192.168.200.1 192.168.200.2'
However, the broadcast packets are being dropped at the securepoints dmz1 interface.
I created two network objects;
255.255.255.255/32 in zone 'firewall-dmz1' = 'DMZ1_Interface'
0.0.0.0/0 in zone 'dmz1' = 'DMZ1_any'
I created a service group with one service object;
Name: 'DHCPRelay', protocol: UDP, Source: 67:68, Destination: 67:68
I then created a firewall rule;
From: DMZ_any, To: DMZ_Interface, Service: DHCPRelay
However the logs show my DHCP broadcasts are being dropped!!!
Log;
'Firewall DROP' IN=eth4 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:80:5d:b0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=16 PROTO=UDP SPT=68 DPT=67 LEN=308
Hi,
if the zones on eth4 equal "dmz1;firewall-dmz1" I don't see any reason, why the (DHCP Request) packets are dropped.
For letting the DHCP Reply packets pass through the firewall, you need to create a rule:
[Your DHCP-Server](internal) -> 255.255.255.255/32(internal-interface) -> dhcp-relay
To ensure, that the rules are correctly written to iptables execute the following command in a root-shell:
The output should read similar to the following:
Note:
According to the dhcrelay-manpages you need to specify the outgoing interface of the relayed DHCP-request as well as the incoming.
Unfortunately, I wasn't able to completely test dhcrelay in my environment.
I saw the request-packet on the external interface, but my router didn't send an answer :roll:
if the zones on eth4 equal "dmz1;firewall-dmz1" I don't see any reason, why the (DHCP Request) packets are dropped.
For letting the DHCP Reply packets pass through the firewall, you need to create a rule:
[Your DHCP-Server](internal) -> 255.255.255.255/32(internal-interface) -> dhcp-relay
To ensure, that the rules are correctly written to iptables execute the following command in a root-shell:
Code: Alles auswählen
# iptables -L INPUT -t filter -n -v | grep "67:68"Code: Alles auswählen
82 26896 ACCEPT_LOG_ALL_8 udp -- eth4 * 0.0.0.0/0 255.255.255.255 udp spts:67:68 dpts:67:68 state NEW,ESTABLISHED
8 4608 ACCEPT_LOG_ALL_7 udp -- eth1 * 192.168.200.1 255.255.255.255 udp spts:67:68 dpts:67:68 state NEW,ESTABLISHEDAccording to the dhcrelay-manpages you need to specify the outgoing interface of the relayed DHCP-request as well as the incoming.
Unfortunately, I wasn't able to completely test dhcrelay in my environment.
I saw the request-packet on the external interface, but my router didn't send an answer :roll:
Zuletzt geändert von Erik am Sa 25.07.2009, 12:24, insgesamt 1-mal geändert.
