Reconfig of dhcp.conf
Chris Arnold
carnold at electrichendrix.com
Wed Nov 25 14:14:56 UTC 2009
On 11/25/09 9:04 AM, "Glenn Satchell" <Glenn.Satchell at uniq.com.au> wrote:
>
>> Date: Wed, 25 Nov 2009 08:32:48 -0500
>> From: Chris Arnold <carnold at electrichendrix.com>
>>
>> On 11/25/09 1:12 AM, "Glenn Satchell" <Glenn.Satchell at uniq.com.au> wrote:
>>
>>> Hi Chris
>>>
>>> Do you still have a shared network with 192.168.123.0 and 192.168.124.0
>>> on the same physical segment?
>>
>> No sir, they are not on the same physical segment
>>
>>> If not then your new config should be fine, and hosts on each of the
>>> physical networks will get addresses in that range.
>>
>> Nothing on any subnet is getting IPs. Is there a dhcp log I can take a look
>> at? I have opened dhcp-relay ports (67 and 68) from both the dmz to trust
>> and trust to dmz to no avail. The dhcp server is on the dmz network. This
>> server has dual NICs and each NIC has a different ip/subnet. Ex. eth0
>> 192.168.124.x with gateway of 192.168.124.x and eth1 192.168.123.x with
>> gateway of 192.168.123.x. I have also, on the juniper firewall, enabled
>> dhcp-relay on the interfaces (dmz and trust).
>
> So are the networks where the clients are different IP ranges to the
> server's networks?
Yes, sir
> Does that mean the firewall bridges between the
> different parts of the two subnets?
Yes, sir (I would assume so)
> Can you snoop traffic on the server to see if the discover packets are
> making it to the server? Getting dhcp through a firewall also requires
> allowing broadcast traffic from src ip 0.0.0.0 to destination
> 255.255.255.255. The dhcp logs should help a bit.
I only see 192.168.124 traffic in the dhcp logs. Nothing from 192.168.123
network; which makes sense, since 192.168.124 is dmz traffic and the dhcp
server is in the dmz = no need for a policy to allow dhcp traffic. When I
insert a policy for 255.255.255.255 broadcast traffic, the firewall errors
out and says something about VPN (I have not made it that far yet), so I
don't think this is needed in the firewall (I could be wrong)?
I would offer a "webex" meeting using mikogo if you like so you can see
exactly what is happening. Let me know.
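Glenn's suggestion to read the dhcp logs is the fastest way to tell whether the problem is the relay/firewall path or dhcpd.conf itself: ISC dhcpd logs every message with "via <interface>" for packets received directly and "via <relay-agent IP>" for packets that arrived through a relay (the giaddr field). The script below is an added example, not part of this thread or of ISC dhcp; it parses constructed dhcpd syslog lines and reports, per path, whether DISCOVERs arrived and whether OFFERs went back. The relay addresses 192.168.123.1 and 192.168.125.1 are assumed placeholder values, not addresses from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in ISC dhcpd's syslog format (not from the thread).
# "via eth0" = received directly on a server interface;
# "via 192.168.123.1" = relayed, the value is the relay agent's IP (giaddr).
SAMPLE_LOG = """\
Nov 25 08:30:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth0
Nov 25 08:30:01 dhcpsrv dhcpd: DHCPOFFER on 192.168.124.50 to 00:0c:29:aa:bb:01 via eth0
Nov 25 08:30:02 dhcpsrv dhcpd: DHCPREQUEST for 192.168.124.50 (192.168.124.1) from 00:0c:29:aa:bb:01 via eth0
Nov 25 08:30:02 dhcpsrv dhcpd: DHCPACK on 192.168.124.50 to 00:0c:29:aa:bb:01 via eth0
Nov 25 08:31:10 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via 192.168.123.1
Nov 25 08:31:10 dhcpsrv dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via 192.168.123.1: network 192.168.123.0/24: no free leases
"""

# Message type, then the first "via <token>"; the token stops at whitespace or
# the ':' that dhcpd appends before diagnostics such as "no free leases".
LINE_RE = re.compile(
    r"DHCP(?P<type>DISCOVER|OFFER|REQUEST|ACK|NAK|INFORM|RELEASE|DECLINE)\b"
    r".*?\bvia (?P<via>[^\s:]+)"
)


def parse_dhcpd_log(text):
    """Return a list of (message_type, via) pairs from dhcpd syslog lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("type"), m.group("via")))
    return events


def is_relay_agent(via):
    """True when the 'via' token is an IP address (relayed) rather than an interface name."""
    try:
        ipaddress.ip_address(via)
        return True
    except ValueError:
        return False


def summarize(text, expected_relays=()):
    """Count DHCP messages per receive path and flag two failure modes:
    - no_offer: DISCOVERs arrived via that path but no OFFER went back
      (the server saw the client; look at the subnet/pool declarations);
    - missing_relays: an expected relay never delivered a DISCOVER at all
      (the packets never reached dhcpd; look at the relay/firewall path)."""
    counts = defaultdict(lambda: defaultdict(int))
    for mtype, via in parse_dhcpd_log(text):
        counts[via][mtype] += 1

    report = {"paths": {}, "no_offer": [], "missing_relays": []}
    for via, c in counts.items():
        report["paths"][via] = {
            "relayed": is_relay_agent(via),
            "discover": c["DISCOVER"], "offer": c["OFFER"],
            "request": c["REQUEST"], "ack": c["ACK"], "nak": c["NAK"],
        }
        if c["DISCOVER"] and not c["OFFER"]:
            report["no_offer"].append(via)
    for relay in expected_relays:
        if relay not in counts:
            report["missing_relays"].append(relay)
    return report


if __name__ == "__main__":
    # Assumed relay agents: the firewall's trust-side interface plus a
    # placeholder that appears nowhere in the sample, to show the missing case.
    rep = summarize(SAMPLE_LOG, expected_relays=["192.168.123.1", "192.168.125.1"])
    for via, stats in rep["paths"].items():
        kind = "relayed via" if stats["relayed"] else "direct on"
        print(f"{kind} {via}: discover={stats['discover']} offer={stats['offer']} "
              f"request={stats['request']} ack={stats['ack']}")
    print("DISCOVER seen but no OFFER sent:", rep["no_offer"])
    print("expected relays with no DISCOVER:", rep["missing_relays"])
```

Read the output against the two symptoms in the thread: a relay listed under "expected relays with no DISCOVER" matches "I only see 192.168.124 traffic in the dhcp logs" and points at the relay or firewall policy rather than dhcpd.conf, while a path under "DISCOVER seen but no OFFER sent" means the packets do arrive and the subnet or pool declaration for that network needs checking.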