DHCP and Simple Hub ACL Discussion

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
dsadmin
Posts: 6
Joined: Tue Oct 08, 2019 2:34 pm

DHCP and Simple Hub ACL Discussion

Post by dsadmin » Tue Oct 08, 2019 2:57 pm

I have cascaded VPN for redundancy (with VMware SMP FT on the main controller).

I am trying to keep my clients from ever knowing about each other. I want them to talk to one IP and even then only on certain ports. I also only want that one IP to initiate communications to the clients only on specific ports.

The port restrictions will vary but this is not where I need help. Where I need help is at the end of my rules I need a deny all other traffic rule. This is causing me problems with DHCP.

I have tried allowing all 67/68 UDP and also from 0.0.0.0 to 255.255.255.255. This needs to specific to DHCP. I would love to deny that broadcast to the other clients, but that might not be possible; but if it is that is great too (it's denied with a client firewall now). It seems none of what I have tried works, it always causes DHCP process to fail. I am not sure what I am missing, also where can I find the log file with all the denials, that might help me classify the traffic being denied and allow it.

Thoughts?

dsadmin
Posts: 6
Joined: Tue Oct 08, 2019 2:34 pm

Re: DHCP and Simple Hub ACL Discussion

Post by dsadmin » Wed Oct 09, 2019 3:05 am

What I ended up doing was simply allowing Source Ports udp/67-68 to Destination Ports udp/67-68 and it seems to work. I tried to specify broadcast only but that did not seem to work.

ozone
Posts: 62
Joined: Thu Sep 19, 2019 7:18 pm

Re: DHCP and Simple Hub ACL Discussion

Post by ozone » Wed Oct 09, 2019 3:25 pm

I tried to specify broadcast only....
I was intrigued how you did the above in SE???

dsadmin
Posts: 6
Joined: Tue Oct 08, 2019 2:34 pm

Re: DHCP and Simple Hub ACL Discussion

Post by dsadmin » Mon Sep 28, 2020 10:14 pm

Maybe this will help

I finally sat down and diagramed the requests and responses for DHCP.

I have three rules, one is specific to 0.0.0.0/32 and 255.255.255.255/32, the second rule is my DHCP server network range as the source and my network address at port 68 as destination and the last rule is my DHCP servers network range with a destination of 255.255.255.255/32. All traffic is UDP.

==== 1 ====
Memo: DHCP DISCOVER/REQUEST
Action: Pass
Source is 0.0.0.0/32
Destination is 255.255.255.255/32

Protocol Type is UDP/17

Source Port range is 68/68 and Destination Port range is 67/67

==== 2 ====
Memo: DHCP OFFER/ACK
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is NetworkAddress/Mask (for example: 192.168.1.0/24)

Protocol Type is UDP/17

Source Port range is 67/67 and Destination Port range is 68/68

==== 3 ====
Memo: DHCP OFFER/ACK BROADCAST
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is 255.255.255.255/32

Protocol Type is UDP/17

Source Port range is 67/67 and Destination Port range is 68/68

This will allow for your Bridge interface to pass DHCP and this is far more granular so others cannot become a DHCP on that subnet.

The reason for the DHCPServerNetwork/Mask is you might have a cluster/VRRP'd device or a pair of DHCP servers responding. If you have two individual DHCP servers, you can do a /30 and really narrow the scope.

I have other rules for DNS and so forth and at the end I explicitly deny All IPv4/IPv6 Protocol Types.

Post Reply