Re: IP Helper address overrides firewall ?
10-05-2009 03:35 AM
I came across a strange problem (again ;) ). I've put my DHCP server into my VLAN with IP helper address.
On the firewall all requests to this server are blocked (except DHCP on port 67). I can get an IP address and everything works fine.
BUT I can also access shares on this server ?!? On all the other servers I can't (and that's the way I like it ;) ). It's the guest_VLAN and the client should only access the internet.
Can anyone tell me if I'm right and if yes .. what can I do about it ?
Greets
Stephan
10-05-2009 03:41 AM
Re: IP Helper address overrides firewall ?
What about denying SMB on the firewall? Seems like not everything is blocked.
Interesting case though.
As a workaround you could consider denying SMB access on the Windows firewall from the guest VLAN/subnet.
10-05-2009 04:43 AM
Re: IP Helper address overrides firewall ?
But can someone prove this ? I mean port 445 is blocked and I can see that in my live log. So I don't understand why the access is possible.
Greets
Stephan
10-05-2009 04:52 AM
Re: IP Helper address overrides firewall ?
You can consider disabling NetBIOS on the adapter of the server because it's legacy anyway. All servers should be DNS enabled.
10-07-2009 01:59 AM
Re: IP Helper address overrides firewall ?
is not completely true....
IP-Helper makes the receiving router on the VLAN transform the DHCP requests from broadcasts to unicasts to the DHCP server, with the source address coming from the router and not the subnet where the DHCP request came from!
How is this router connected, and how is the firewall connected?
If the router (routing switch) has an interface in the client VLAN and the DHCP server VLAN, this traffic will not pass the firewall but goes directly to the DHCP server.
Also check your firewall filters, the requests come from the router's IP address.
Please specify your network config (diagram) in more detail.
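
The relay step described in the reply above, as an added example that is not part of the original thread: it builds a constructed DHCPDISCOVER, applies what an IP helper does to it, and evaluates two firewall rules against the resulting flow. The relay addresses 192.168.99.1 and 172.20.20.1, the /24 masks and the choice of the server-facing address as IP source are assumptions (the source address a relay uses varies by implementation).

```python
import ipaddress
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # fixed 236-byte BOOTP header
COOKIE = bytes([99, 130, 83, 99])                    # DHCP magic cookie
GIADDR, HOPS = 10, 3                                 # field positions in BOOTP

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed client DHCPDISCOVER: broadcast flag set, giaddr 0.0.0.0."""
    z = bytes(4)
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, z, z, z, z,
                     mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + COOKIE + bytes([53, 1, 1, 255])     # option 53 = DISCOVER, end

def relay(pkt: bytes, giaddr: str, relay_src: str, server: str):
    """Relay step: stamp giaddr if unset, bump hops, unicast to the server."""
    f = list(BOOTP.unpack_from(pkt))
    if f[GIADDR] == bytes(4):
        f[GIADDR] = ipaddress.IPv4Address(giaddr).packed
    f[HOPS] += 1
    return (relay_src, server, 67), BOOTP.pack(*f) + pkt[BOOTP.size:]

def giaddr_of(pkt: bytes) -> str:
    return str(ipaddress.IPv4Address(BOOTP.unpack_from(pkt)[GIADDR]))

def pick_scope(pkt: bytes, scopes: dict):
    """Server side: the scope is chosen from giaddr, not from the IP source."""
    gi = ipaddress.ip_address(giaddr_of(pkt))
    return next((n for n, net in scopes.items()
                 if gi in ipaddress.ip_network(net)), None)

def rule_matches(rule: dict, flow: tuple) -> bool:
    src, dst, dport = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and dport == rule["dport"])

SERVER = "172.20.20.12"                    # DHCP server address from the thread
GUEST_GW, RELAY_SRC = "192.168.99.1", "172.20.20.1"   # assumed relay addresses
SCOPES = {"guest": "192.168.99.0/24", "authorized": "172.20.20.0/24"}  # masks assumed
BY_SUBNET = {"src": "192.168.99.0/24", "dst": SERVER, "dport": 67}
BY_RELAY = {"src": RELAY_SRC, "dst": SERVER, "dport": 67}

def demo():
    pkt = build_discover(bytes.fromhex("020000000001"), 0x1234)  # constructed MAC
    flow, relayed = relay(pkt, GUEST_GW, RELAY_SRC, SERVER)
    return (giaddr_of(pkt), giaddr_of(relayed), pick_scope(relayed, SCOPES),
            rule_matches(BY_SUBNET, flow), rule_matches(BY_RELAY, flow))

if __name__ == "__main__":
    print(demo())
```

Under these assumptions, a filter keyed on the guest subnet as source never sees the relayed request, while the DHCP server still hands out a guest-scope lease because it reads `giaddr`.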
10-07-2009 02:11 AM
Re: IP Helper address overrides firewall ?
Although I'm sure disabling NetBIOS fixes this, I'm curious what the root cause is.
10-07-2009 03:42 AM
Re: IP Helper address overrides firewall ?
I've made a Visio drawing.
The firewall has a port tagged with VLAN 99 and no VLAN 1.
The DHCP server has a connection to an untagged VLAN 1 port, with a 172.20.20.12 IP address.
The unauthorized clients get a 192.168.99.10-150 IP address from this server.
Authorized get 172.20.20.50-254.
I hope this helps in further analysis.
The switches don't have "ip routing" enabled. This should be the task of the firewall.
10-07-2009 04:15 AM
Re: IP Helper address overrides firewall ?
I think you mean
The Firewall has only one port connected to the switch.
- tagged with vlan 99;
- untagged in vlan 1.
Is this correct?
On the firewall you must have created a "subinterface" for vlan99 to process packets for this vlan.
The switches don't have ip routing enabled
=> so an ip-helper address configured here has no function!
An ip-helper must be configured at the router!
Here the firewall must connect both networks at least for dhcp, so this must act as the router!
Here you must configure the dhcp-forwarding.
HowTo depends on the model.
The unauth client-port must be untagged in vlan99.
The authorized client-port must be untagged in vlan1.
The dhcp-server must have two dhcp-scopes, one for each subnet.
10-07-2009 04:21 AM
Re: IP Helper address overrides firewall ?
For the client port: I make the decision auth/unauth with a RADIUS server. So the port is dynamically "configured".
I don't understand what you mean with:
The switches don't have ip routing enabled
=> so an ip-helper address configured here has no function!
An ip-helper must be configured at the router!
Because it's working, and when I disable the DHCP rule on my firewall I also can see the blocked requests.
And you are right. My firewall is my router. It has an extra interface directly connected to the switch. And I thought without "ip routing" on the switch enabled every packet will pass the firewall.
10-07-2009 04:26 AM