Blocking DHCP on separate network

FabFab10 · July 14, 2008, 11:22am

Hi,
i’m using RB333 to interconnect 2 remote LANs in routing mode.
Both LAN have a separate DHCP leasing addresses for their own adress space.
My problem is that clients on LAN1 sometimes do get address from DHCP server on LAN2 and it seems i’m not able to prevent this.
What am I doing wrong?

LAN1
192.168.1.0/24
DHCP server 192.168.1.7
RB333 192.168.1.246

LAN2
192.168.0.0/24
DHCP server 192.168.0.2
RB333 192.168.0.3

hilton · July 14, 2008, 4:31pm

You could add a drop rule on the forward chain for ports 67 and 68.

gmsmstr · July 14, 2008, 4:33pm

Since they have both their own address space, why not route them instead of bridging them?

FabFab10 · July 14, 2008, 5:02pm

First of all thanks for answering.
In fact i’m routing between them (at least that’s what i want to do)
I’ve tried to setup a drop rule but it seems that it’s not working

hilton · July 14, 2008, 5:58pm

show us the rule you tried.

gmsmstr · July 14, 2008, 11:05pm

If you are routing, then these don’t pass the broadcast domain. Hence, they never go past your router. However, the only way they would be passed is if there is a bridge in place.

FabFab10 · July 15, 2008, 8:12am

I’ve set filter rules on IP-Firewall to drop UDP port 67 and 68 on chain forward.
Since i’ve not installed this unit (but the company who did it seems not so present…) how can i double check if this link has been setup as rounting?

thanks

hilton · July 15, 2008, 8:26am

Well do this;

/interface bridge print

Then see what it says and let us know.

/ip route print will also tell you what is setup

changeip · July 15, 2008, 8:28am

or you two lans are plugged into the same switch : )

FabFab10 · July 15, 2008, 8:40am

Here is the response, you will see a destination 192.168.98.xx because actually there is a rebound on a mountain site, since the 2 offices are not visible, and so there are 4 devices:

[admin@HIPERLINK-STA] > interface bridge print
Flags: X - disabled, R - running
0 R name="hiperlink-bridge" mtu=1500 arp=enabled
mac-address=00:0C:42:1C:FB:39 protocol-mode=stp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@HIPERLINK-STA] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE IN..

0 A S 192.168.0.0/24 r 192.168.98.3 1 hi..
1 ADC 192.168.1.0/24 192.168.1.246 0 hi..
2 ADC 192.168.98.0/24 192.168.98.4 0 hi..
[admin@HIPERLINK-STA] >

FabFab10 · July 15, 2008, 12:09pm

Just to be more clear i try to draw a scheme of our configuration

LAN1<->RB333-1 <-------------> RB333-2<->RB333-3<-------->RB333-4<->LAN2

RB333-2 and RB333-3 are physically in the same site and they are bridged.
RB333-1 and RB333-4 are located in the LANs premises and they are expected to act as routers.
So basically RB333-2 and RB333-3 are trasparent

hilton · July 15, 2008, 1:49pm

Confirm that all four RBs on at the same physical premises?

I’m not sure why you need 2 and 3? If they’re at the same LAN, why not just connect them up on the switch?

I’m sure I’m missing something. But as you’ve mentioned the bridge, that’s where the DHCP broadcasts are slipping across. As Dennis says, rather route then.