I have cascaded VPN for redundancy (with VMware SMP FT on the main controller).
I am trying to keep my clients from ever knowing about each other.  I want them to talk to one IP and even then only on certain ports.  I also only want that one IP to initiate communications to the clients only on specific ports.
The port restrictions will vary but this is not where I need help.  Where I need help is at the end of my rules I need a deny all other traffic rule.  This is causing me problems with DHCP.
I have tried allowing all 67/68 UDP and also from 0.0.0.0 to 255.255.255.255.  This needs to specific to DHCP.  I would love to deny that broadcast to the other clients, but that might not be possible; but if it is that is great too (it's denied with a client firewall now).  It seems none of what I have tried works, it always causes DHCP process to fail.  I am not sure what I am missing, also where can I find the log file with all the denials, that might help me classify the traffic being denied and allow it.
Thoughts?
			
									
									
						DHCP and Simple Hub ACL Discussion
- 
				dsadmin
- Posts: 7
- Joined: Tue Oct 08, 2019 2:34 pm
Re: DHCP and Simple Hub ACL Discussion
What I ended up doing was simply allowing Source Ports udp/67-68 to Destination Ports udp/67-68 and it seems to work.  I tried to specify broadcast only but that did not seem to work.
			
									
									
						- 
				ozone
- Posts: 65
- Joined: Thu Sep 19, 2019 7:18 pm
Re: DHCP and Simple Hub ACL Discussion
I was intrigued how you did the above in SE???I tried to specify broadcast only....
- 
				dsadmin
- Posts: 7
- Joined: Tue Oct 08, 2019 2:34 pm
Re: DHCP and Simple Hub ACL Discussion
Maybe this will help
I finally sat down and diagramed the requests and responses for DHCP.
I have three rules, one is specific to 0.0.0.0/32 and 255.255.255.255/32, the second rule is my DHCP server network range as the source and my network address at port 68 as destination and the last rule is my DHCP servers network range with a destination of 255.255.255.255/32. All traffic is UDP.
==== 1 ====
Memo: DHCP DISCOVER/REQUEST
Action: Pass
Source is 0.0.0.0/32
Destination is 255.255.255.255/32
Protocol Type is UDP/17
Source Port range is 68/68 and Destination Port range is 67/67
==== 2 ====
Memo: DHCP OFFER/ACK
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is NetworkAddress/Mask (for example: 192.168.1.0/24)
Protocol Type is UDP/17
Source Port range is 67/67 and Destination Port range is 68/68
==== 3 ====
Memo: DHCP OFFER/ACK BROADCAST
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is 255.255.255.255/32
Protocol Type is UDP/17
Source Port range is 67/67 and Destination Port range is 68/68
This will allow for your Bridge interface to pass DHCP and this is far more granular so others cannot become a DHCP on that subnet.
The reason for the DHCPServerNetwork/Mask is you might have a cluster/VRRP'd device or a pair of DHCP servers responding. If you have two individual DHCP servers, you can do a /30 and really narrow the scope.
I have other rules for DNS and so forth and at the end I explicitly deny All IPv4/IPv6 Protocol Types.
			
									
									
						I finally sat down and diagramed the requests and responses for DHCP.
I have three rules, one is specific to 0.0.0.0/32 and 255.255.255.255/32, the second rule is my DHCP server network range as the source and my network address at port 68 as destination and the last rule is my DHCP servers network range with a destination of 255.255.255.255/32. All traffic is UDP.
==== 1 ====
Memo: DHCP DISCOVER/REQUEST
Action: Pass
Source is 0.0.0.0/32
Destination is 255.255.255.255/32
Protocol Type is UDP/17
Source Port range is 68/68 and Destination Port range is 67/67
==== 2 ====
Memo: DHCP OFFER/ACK
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is NetworkAddress/Mask (for example: 192.168.1.0/24)
Protocol Type is UDP/17
Source Port range is 67/67 and Destination Port range is 68/68
==== 3 ====
Memo: DHCP OFFER/ACK BROADCAST
Action: Pass
Source is DHCPServerNetwork/Mask (for example: 192.168.1.248/29, I have cluster routers with DHCP services)
Destination is 255.255.255.255/32
Protocol Type is UDP/17
Source Port range is 67/67 and Destination Port range is 68/68
This will allow for your Bridge interface to pass DHCP and this is far more granular so others cannot become a DHCP on that subnet.
The reason for the DHCPServerNetwork/Mask is you might have a cluster/VRRP'd device or a pair of DHCP servers responding. If you have two individual DHCP servers, you can do a /30 and really narrow the scope.
I have other rules for DNS and so forth and at the end I explicitly deny All IPv4/IPv6 Protocol Types.
