DHCP over VPN

awatson
Posts: 3
Joined: Fri Oct 08, 2021 3:18 pm

DHCP over VPN

Post by awatson » Fri Oct 08, 2021 3:33 pm

I'm trying to apply some Access List rules to limit who can access what on our network while connected. We're currently using it on a flat network where the clients get DHCP from a networked DHCP server.
Here's what I've done:
Set up a deny all rule
Configured source/destination rules for each host to allow traffic to and from file servers, DNS, DHCP, etc.
Set up an allow all rule for IT so that our specific devices can still be used for offsite maintenance.

Everything is in the right order. But here's the catch: with these rules in place, DHCP no longer functions when a VPN connection is made (unless made from the IT group, which takes higher priority than the blocking).

I have a rule that's supposed to allow all traffic to and from the DHCP server with higher priority than the block. (settings for both source and destination to allow all traffic from all hosts based on the IP address of the server)

If I statically assign an IP, I can access content from the server and other resources based on the filtering rules I've applied, suggesting that not all traffic is being blocked from the server - just DHCP.
If I turn off the block-all rule (or connect from the IT group), DHCP works fine, which suggests it's not likely a problem with the DHCP configuration in SoftEther.

Any ideas?

awatson
Posts: 3
Joined: Fri Oct 08, 2021 3:18 pm

Re: DHCP over VPN

Post by awatson » Fri Oct 08, 2021 4:53 pm

I was able to figure it out with Wireshark.

DHCP uses broadcasts, so we had to set up a rule that allowed all connections to send UDP to 255.255.255.255 as a destination (both host and mask).
Once the DHCP server heard the request over broadcast, it was able to respond using the appropriate ports. All other rules continue to allow/block access as expected.

dsholm
Posts: 13
Joined: Mon Nov 22, 2021 4:54 pm

Re: DHCP over VPN

Post by dsholm » Thu Dec 02, 2021 4:13 pm

I will post the rules here for DHCP to help others. I have to recreate this; I hope they don't ban my account again for whatever unknown reason.

Once you Manage your Hub that you want to modify, click Manage Access Lists and add these rules.

1. DHCP DISCOVER/REQUEST
Action: Pass
Source 0.0.0.0 Mask 255.255.255.255
Destination 255.255.255.255 Mask 255.255.255.255
Protocol 17 (UDP)
Source port min: 68 max: 68
Destination port min: 67 max: 67

2. DHCP OFFER/ACK
Action: Pass
Source [DHCP Servers, you need to cover all DHCP servers if you have a cluster and any VIP] Mask [Mask big enough to cover the IP, if just one then 255.255.255.255, don't use network mask for that network]
Destination [Destination Subnet] Mask [Destination Mask]
Protocol 17 (UDP)
Source port min: 67 max: 67
Destination port min: 68 max: 68

3. DHCP OFFER/ACK-Broadcast
Action: Pass
Source [DHCP Servers, you need to cover all DHCP servers if you have a cluster and any VIP] Mask [Mask big enough to cover the IP, if just one then 255.255.255.255, don't use network mask for that network]
Destination 255.255.255.255 Mask 255.255.255.255
Protocol 17 (UDP)
Source port min: 67 max: 67
Destination port min: 68 max: 68

Let's assume some values to help with network masking. If we have 1 DHCP server with an IP of 192.168.1.10 and my VPN subnet is 192.168.2.0/24, the last two rules will look like this (the first rule is static):

2. DHCP OFFER/ACK
Action: Pass
Source 192.168.1.10 Mask 255.255.255.255
Destination 192.168.2.0 Mask 255.255.255.0
Protocol 17 (UDP)
Source port min: 67 max: 67
Destination port min: 68 max: 68

3. DHCP OFFER/ACK-Broadcast
Action: Pass
Source 192.168.1.10 Mask 255.255.255.255
Destination 255.255.255.255 Mask 255.255.255.255
Protocol 17 (UDP)
Source port min: 67 max: 67
Destination port min: 68 max: 68
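To make the first-match and address/mask semantics behind these rules concrete, here is a small constructed evaluator (added here; it is not SoftEther code and not part of dsholm's post). It assumes rules are tested in priority order with the first match deciding, and that a packet matching no rule passes; it shows why awatson's server-only rules discard a DISCOVER sent from 0.0.0.0 while dsholm's rule 1 lets it through.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def in_net(addr: str, base: str, mask: str) -> bool:
    """Address/mask match as the access list does it: (addr & mask) == (base & mask)."""
    a, b, m = (int(IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

@dataclass
class Rule:
    memo: str
    action: str                    # "pass" or "discard"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # mask 0.0.0.0 matches any source
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"      # mask 0.0.0.0 matches any destination
    proto: Optional[int] = None    # None matches any IP protocol
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)

    def matches(self, pkt: dict) -> bool:
        return (in_net(pkt["src"], self.src, self.src_mask)
                and in_net(pkt["dst"], self.dst, self.dst_mask)
                and (self.proto is None or pkt["proto"] == self.proto)
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

def evaluate(rules: list, pkt: dict) -> str:
    """First matching rule (list is in priority order) decides; no match is assumed to pass."""
    return next((r.action for r in rules if r.matches(pkt)), "pass")

DHCP_SERVER = "192.168.1.10"      # value from dsholm's worked example
HOST_MASK = "255.255.255.255"     # matches exactly one address
BROADCAST = "255.255.255.255"
# awatson's first attempt: allow the server by IP in both directions, then deny everything.
SERVER_ONLY = [
    Rule("from DHCP server", "pass", src=DHCP_SERVER, src_mask=HOST_MASK),
    Rule("to DHCP server", "pass", dst=DHCP_SERVER, dst_mask=HOST_MASK),
    Rule("deny all", "discard"),
]
# dsholm's rule 1: a client with no address yet, broadcasting from port 68 to port 67.
DISCOVER_RULE = Rule("DHCP DISCOVER/REQUEST", "pass", src="0.0.0.0", src_mask=HOST_MASK,
                     dst=BROADCAST, dst_mask=HOST_MASK, proto=17, sport=(68, 68), dport=(67, 67))
FIXED = [DISCOVER_RULE] + SERVER_ONLY

# Constructed packets: a DISCOVER, the server's unicast OFFER, and unrelated client traffic.
DISCOVER = {"src": "0.0.0.0", "dst": BROADCAST, "proto": 17, "sport": 68, "dport": 67}
OFFER = {"src": DHCP_SERVER, "dst": "192.168.2.57", "proto": 17, "sport": 67, "dport": 68}
OTHER = {"src": "192.168.2.57", "dst": "192.168.1.20", "proto": 6, "sport": 50000, "dport": 445}
```

The OFFER already passes under the server-only set because its source is the server's IP; only the client's broadcast, which carries neither the server's address as source nor destination, needs the extra rule.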
