Block DHCP in Local Bridge?

[ZackR1]

Hello,

I'm new to SoftEther and it looks great! Also still wrapping my head around ipv6.

How can I block DHCP across a Local Bridge / Virtual Hub?

I have a server and bridge connected and working. Each network is on a different subnet (10.0.0.x and 192.168.2.x). I can bind additional IP aliases to connect the machines I want. The problem is DHCP requests are passing and really screwing things up. ;)

I found other posts that suggested blocking 67 and 68 in the Virtual Hub Access List. This didn't work for me. I found ipv6 may use 546 and 547 and blocked those as well (both using Applies to All for source and dest).

Is there another way? Also, if using Access List, which values and for source or destination should I use?

Windows 10
SoftEther VPN 4.18, Build 9570
NAT (SOHO Router Inline)
Not using SecureNAT

Thanks in advance.

[kh_tsang]

Firstly, make sure the settings are blocking UDP ports 67 and 68, not TCP ports 67 and 68.

Can you draw the network map showing what you want to do?

[ZackR1]

Thanks kh_tsang - I think I got it.

I was mistaking "Protocol Type" for port number in Edit Access List for the Virtual Hub.

This config seems to be working (so far):
http://i.imgur.com/1ZgrJ2J.png

Crude, network diagram:
https://www.dropbox.com/s/jokll4woua3lz ... 4.pdf?dl=0
Using Cascade Connection

SoftEther rocks!

[kh_tsang]

The broadcast packets may consume your internet bandwidth. Why don't you use routing?

[ZackR1]

kh_tsang:

So this would be instead of the Cascade, correct? Still use the Virtual Hub and Access List. But what makes the connection? I think all my IP settings for the server are in the Cascade settings of the bridge install.

Your diagram shows another network.... 192.168.3.x. Where is this from? I assume related to the "tap device". In the original attached ipconfig /all, I have 2 extra adapters showing, but they don't show in Network Connections where I could configure an IP. If that's them, how do I configure them?

I assume I'm not suing the Layer 3 Switch Settings in SoftEther.

Do I need to setup both sides as Server?

[kh_tsang]

192.168.3.x is for the servers do routing.

It requires both sides to be SoftEther VPN Server.
In each server, you will need two virtual hubs, one for local bridge and one for the connection between your two servers. In each side, you will need to push the routing table to the clients using DHCP(RFC 3442), pointing the other subnet going through your Layer 3 Switch. It is a bit different from the picture I uploaded previously.

[ZackR1]

kh_tsang:

Thank you for the details.

It sounds like this might make the entire network dependent on the SoftEther server and I hate to add dependencies. I may continue to work as is for now. I can't measure what effect the broadcasts have on the bandwidth, but I can't imagine it being too much.

I'll try this sometime in the future. Sounds like I'd prefer it, if it didn't require that dependency.

Thanks again for your help.

[kh_tsang]

In my latest example, the internet connection is independent of the SoftEther VPN Server because internet traffic goes through the switch and then the router and then the internet, not the SoftEther VPN L3 Switch.

However, if you do not experience any performance problems, you don't need to chnage your setup.

[thisjun]

You can filter DHCP packets by Security policy.
http://www.softether.org/4-docs/1-manua ... y_Policies