From: Colin R. <co...@ca...> - 2008-09-03 17:35:51
I may be way off base here, but I believe that in bridging mode you are essentially below the stack, so you may have to filter at the MAC level of the two DHCP servers. This can be done with iptables/netfilter but requires appropriate kernel support, which I believe is generally built into modern kernels.

C Aboubacar Drame wrote:
> Hi All,
>
> I used OpenVPN to connect two sites in bridged mode.
> For that purpose I used only one unique subnet for both ends;
> on the Ubuntu VPN server at each site I installed a DHCP server with one block of the IP addresses, which will be distributed to the local LAN.
> I am trying to use the following iptables rules on the server at the branch office only, in order to block DHCP broadcasts from passing through the tunnel. But it is not working; all broadcasts are sent and the DHCP server at the main office is answering without giving any address (information showing in /etc/log/syslog).
>
> iptables -A FORWARD -p tcp --dport 67:68 -j DROP
> iptables -A FORWARD -p udp --dport 67:68 -j DROP
> iptables -A INPUT -p tcp --dport 67:68 -j DROP
> iptables -A INPUT -p udp --dport 67:68 -j DROP
>
> I would like to have each DHCP server assigning only its given range to clients, but right now when a client requests a lease each of them is answering, and only one (located at the branch office) is assigning the IP address to the whole site.
> The other DHCP server can lease IP addresses only when the other one is not available.
> Here is the output of the current iptables rules in the tunnel:
>
> root@ubuntuvpn2:~# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc
> DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc
> DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Help from anyone is appreciated.
>
> Thank you.
>
> Aboubacar
>
> _______________________________________________
> Openvpn-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
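The symptom in the thread is that OFFERs from both sites reach the clients, while the iptables FORWARD rules never match because frames that a Linux bridge forwards between its ports are handled at layer 2 (iptables only sees them when the bridge-nf-call-iptables sysctl is enabled; otherwise a layer-2 filter such as ebtables on the tap interface is the place to drop them, which is Colin's point). Before and after changing the filtering it helps to check, from a capture on the tap interface, which server identifier is actually answering. The script below is an added example, not code from the thread or from the OpenVPN project: it parses raw DHCP UDP payloads (RFC 2131 layout), groups OFFER/ACK messages by the server-identifier option (54), and flags any server that is not expected to answer on the local segment. The MAC address, the transaction id and the 192.168.1.x server and lease addresses are constructed sample values, as is the assumption that the branch-office server is 192.168.1.2.

```python
"""Minimal DHCP parser plus an audit of which server answers a client."""
import struct
from typing import Dict, List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into a small dict.

    Fixed header is 236 bytes, then the 4-byte magic cookie, then TLV options
    terminated by code 255 (PAD code 0 has no length byte).
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op,
        "xid": xid,
        "yiaddr": ip_str(payload[16:20]),          # address being offered
        "chaddr": mac_str(payload[28:28 + hlen]),  # client hardware address
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        if code == 53 and length == 1:             # DHCP message type
            msg["msg_type"] = MSG_TYPES.get(data[0], f"type-{data[0]}")
        elif code == 54 and length == 4:           # server identifier
            msg["server_id"] = ip_str(data)
        i += 2 + length
    return msg


def build_dhcp(op: int, xid: int, mac: bytes, msg_type: int,
               server_id: Optional[str] = None, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a DHCP message for the sample data below (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # broadcast flag set
    hdr += bytes(4)                                              # ciaddr
    hdr += bytes(int(x) for x in yiaddr.split("."))              # yiaddr
    hdr += bytes(8)                                              # siaddr, giaddr
    hdr += mac + bytes(10) + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def audit_offers(payloads: List[bytes], local_servers: Set[str]) -> dict:
    """Count OFFER/ACK messages per server identifier and list the servers
    that are not expected to answer on this LAN segment."""
    per_server: Dict[str, int] = {}
    for p in payloads:
        m = parse_dhcp(p)
        if m["msg_type"] in ("OFFER", "ACK") and m["server_id"]:
            per_server[m["server_id"]] = per_server.get(m["server_id"], 0) + 1
    foreign = sorted(s for s in per_server if s not in local_servers)
    return {"per_server": per_server, "foreign": foreign}


# Constructed sample exchange: one DISCOVER, answered by the branch server
# (assumed 192.168.1.2) and, through the tunnel, by the main-office server
# (assumed 192.168.1.1). All values are made up for this example.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE = [
    build_dhcp(1, 0x1234, CLIENT_MAC, 1),
    build_dhcp(2, 0x1234, CLIENT_MAC, 2, "192.168.1.2", "192.168.1.50"),
    build_dhcp(2, 0x1234, CLIENT_MAC, 2, "192.168.1.1", "192.168.1.150"),
]
LOCAL_SERVERS = {"192.168.1.2"}

if __name__ == "__main__":
    print(audit_offers(SAMPLE, LOCAL_SERVERS))
```

Feed `audit_offers` the UDP payloads of port 67/68 packets captured on the tap interface; an entry in `foreign` means the remote site's server is still reaching clients across the tunnel, so the layer-2 filter is not yet in effect.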