HPE Community
Switches, Hubs, and Modems
1753450 Members
5909 Online
108794 Solutions
New Discussion юеВ

Re: IP Helper address overrides firewall ?

 
SOLVED
Go to solution
Stephan G
Regular Advisor

тАО10-05-2009 03:35 AM

тАО10-05-2009 03:35 AM

IP Helper address overrides firewall ?

Hello,

i came across a strange problem (again ;) ). I've put my dhcp server into my VLAN with ip helper address.

On the firewall all requests to this server are blocked (except dhcp on port 67). I can get an ip address and everything works fine.

BUT i can also access shares on this server ?!? On all the other servers i can't (and thats the way i like it ;) ). It's the guest_VLAN and the client should only access the internet.

Can anyone tell me if i'm right and if yes .. what can i do about it ?

Greets
Stephan
0 Kudos
15 REPLIES 15
Tijl van der Steeg
Valued Contributor

тАО10-05-2009 03:41 AM

тАО10-05-2009 03:41 AM

Re: IP Helper address overrides firewall ?

It's true that IP helper enables all broadcasts.
What about denying SMB on the firewall? Seems like not everything is blocked.
Interesting case though.

As a workaround you could consider denying SMB access on the windows firewall from the guest VLAN/subnet.
0 Kudos
Stephan G
Regular Advisor

тАО10-05-2009 04:43 AM

тАО10-05-2009 04:43 AM

Re: IP Helper address overrides firewall ?

That would be a workaround. But at the moment i'm not sure if i can cover all the services. The server is also a DC and DNS server. So i have many ports to configure. I think i will do that when nobody tries to use this server.

But can someone prove this ? I mean port 445 is blocked and i can see that in my live log. So i don't understand why the access is possible.

Greets
Stephan
0 Kudos
Tijl van der Steeg
Valued Contributor

тАО10-05-2009 04:52 AM

тАО10-05-2009 04:52 AM

Re: IP Helper address overrides firewall ?

Because of the netbios forwardind i'd say. IP helper forwards all broadcast as far as i'm aware.
You can consider disabling netbios on the adapter of the server because it's legacy anyway. All servers should be DNS enabled.
0 Kudos
Pieter 't Hart
Honored Contributor

тАО10-07-2009 01:59 AM

тАО10-07-2009 01:59 AM

Re: IP Helper address overrides firewall ?

"IP helper forwards all broadcast"
is not completely true....
IP-Helper makes the recieving router on the vlan transform the DHCP-requests from broadcasts to unicasts to the DHCP-server. With source addres comming from the router and not the subnet where the dhcp-request came from!

How is this router connected, and how is the firewall connected?
If the router (routing switch) has an interface in the client vlan and the DHCP-server vlan, this traffic will not pass the firewall but goes directly to the dhcp server
Also check your firewall filters, the requests comes from the routers ip-address.

please specify you network config (diagram) in more detail.
0 Kudos
Tijl van der Steeg
Valued Contributor

тАО10-07-2009 02:11 AM

тАО10-07-2009 02:11 AM

Re: IP Helper address overrides firewall ?

OK that's clarified :)
Although I'm sure disabling netbios fixes this, I'm curious what the root cause is
0 Kudos
Stephan G
Regular Advisor

тАО10-07-2009 03:42 AM

тАО10-07-2009 03:42 AM

Re: IP Helper address overrides firewall ?

Hello,

i*ve made some visio drawing.

The Firewall has a port tagged with vlan 99 and no vlan 1.

The DHCP Server has a connection to an untagged VLAN1 port. With an 172.20.20.12 Ip address.

The unauthorized clients gets an 192.168.99.10-150 ip address from this server.

Authorized get 172.20.20.50-254.

I hope this helps in further analysis.

The switches doesn't have "ip routing" enabled. This should be the task of the firewall.

0 Kudos
Pieter 't Hart
Honored Contributor

тАО10-07-2009 04:15 AM

тАО10-07-2009 04:15 AM

Re: IP Helper address overrides firewall ?

>>> The Firewall has a port tagged with vlan 99 and no vlan 1.
<<<
I think you mean
The Firewall has only one port connected to the switch.
- tagged with vlan 99;
- untagged in vlan 1.
is this correct?
On the firewall you must have created a "subinterface" for vlan99 to process packets for this vlan.

The switches don't have ip routing enabled
=> so an ip-helper adress configured here has no function!
An ip-helper must be configured at the router!

Here the firewall must connect both networks at least for dhcp, so this must act as the router!
Here you must configure the dhcp-forwarding.
HowTo depends on the model.

The unauth client-port must be untagged in vlan99.
The authorized client-port must be untagged in vlan1.

The dhcp-server must have two dhcp-scopes, one for each subnet.
0 Kudos
Stephan G
Regular Advisor

тАО10-07-2009 04:21 AM

тАО10-07-2009 04:21 AM

Re: IP Helper address overrides firewall ?

The clients get their ip address right now without problems.

For the client port: I make the decision auth/unauth with an RADIUS Server. So the port is dynamically "configured"

I don't understand what you mean with:
The switches don't have ip routing enabled
=> so an ip-helper adress configured here has no function!
An ip-helper must be configured at the router!

Because it's working and when i disable the DHCP Rule on my firewall i also can see the blocked requests.

And you are right. My firewall is my router. It has an extra interface directly connected to the switch. And i thought without "ip routing" on the switch enabled every packet will pass the firewall.
0 Kudos
Stephan G
Regular Advisor

тАО10-07-2009 04:26 AM

тАО10-07-2009 04:26 AM

Re: IP Helper address overrides firewall ?

I mean extra VLAN connection and another one for the DEFAULT_VLAN
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.