CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi evb,

I'm looking forward to making use of the NGX SPLAT DHCP Relay Agent option configurable through Sysconfig. I've got a DHCP/DNS server available in my DMZ (eth1) and would like to let my clients from Net1 (eth2) and Net2 (eth3) receive automatic IP configuration from that DMZ DHCP server.

Through Sysconfig I configured the DHCP Relay Agent option and specified eth2 & eth3 to operate as DHCP relay agents, and I also configured the DHCP server's address accessible through eth1 properly. Then I added a rule to allow the dhcp-req-localmodule, dhcp-rep-localmodule, and bootp services from Net1 & Net2 to the SPLAT Gateway.

However, it still doesn't work and I can see that dhcp-req-localmodule is being dropped by the SPLAT Gateway. Does anybody have any idea how to get it working?

Regards,
__________________
Ilmaz S. Kashkooli (Kory)
Which rule is dropping your request? Have you got any VLAN configured? Remember that "DHCP Relay must be enabled on both the VLAN interface and the physical interface that the VLAN interface is associated with".

Maurox
Configuring a firewall to pass configuration packets, for example DHCP, requires the opening of large security holes in your firewall. Firewalls were designed to sit at the exterior of the network and to protect the inside from the outside. FireWall-1 blocks or ignores packets with a source of 0.0.0.0, a reasonable decision given the original considerations. BootP, however, requires that packets be sent with a source of 0.0.0.0.

First, anti-spoofing must be turned off on the interface receiving the original request packets.

Second, you will need to create a rule which accepts packets going to the 255.255.255.255 address. A workstation object with IP address 255.255.255.255 will accomplish this. The source must be ANY, as specifically creating an object with the address 0.0.0.0 does not work.

The firewall must also have a rule which permits traffic coming from the DHCP server going to the firewall's interface. The rule which accepts this traffic must occur before the stealth rule.
You have to make sure you have SecurePlatform Pro installed in order for this to work.

IN SYSCONFIG

Add your network connection for the DHCP community: sysconfig option 5
    Add a new connection: option 1 under option 5
Add a new route: sysconfig option 6
    Add a new network route: option 1 under option 6
Set your DHCP Server configuration: sysconfig option 7
    Add a subnet: option 2 under option 7
Set your DHCP Relay configuration: sysconfig option 8
    Set your DHCP Server: option 1 under option 8
    Add a DHCP Server: option 2 under option 8

YOUR RULE

Source: Your-DHCP-Network, External-Network 0.0.0.0 mask (0.0.0.0)
Destination: Your-DHCP-Network, External-Network 0.0.0.0 mask (0.0.0.0)
Service: UDP dhcp-rep-localmodule, UDP dhcp-req-localmodule, UDP dhcp_relay

Also, if you are using your external DNS server (not recommended) as the DHCP server, you need that IP here as well, plus the service UDP domain-udp (look-up port).

Let me know if you have problems. Good luck!

Aloha,
hono222

Last edited by hono222; 2007-01-17 at 18:08. Reason: everything was bunched together
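The two replies above describe the same three conditions from the defender's side: anti-spoofing must not reject the 0.0.0.0 source on the client-facing interface, the rule for the client broadcast must use source ANY, and the rule letting the DHCP server reach the firewall's own interface must sit before the stealth rule. The following is an added example, not code from the thread or from Check Point: a small Python model of a first-match rulebase with per-interface anti-spoofing that reproduces each failure mode in turn. Interface names, addresses and the network behind each interface are constructed placeholders; UDP ports 67/68 stand in for the Check Point service objects (dhcp-req-localmodule, dhcp-rep-localmodule, bootp), and FireWall-1's special handling of a 0.0.0.0 host object is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology matching the thread: DHCP server in the DMZ behind
# eth1, DHCP clients on Net1 behind eth2. All addresses are placeholders.
FW_IFACES = {
    "eth1": ("10.1.0.1", "10.1.0.0/24"),   # (firewall address, network behind it)
    "eth2": ("10.2.0.1", "10.2.0.0/24"),
}
DHCP_SERVER = "10.1.0.10"
FW_ADDRS = tuple(addr for addr, _ in FW_IFACES.values())


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on
    src: str
    dst: str
    dport: int    # UDP destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple    # ("any",) or host/network strings
    dst: tuple
    ports: object # "any" or a tuple of UDP ports
    action: str   # "accept" or "drop"


def addr_matches(selectors, addr):
    a = ip_address(addr)
    return any(s == "any" or a in ip_network(s, strict=False) for s in selectors)


def port_matches(ports, dport):
    return ports == "any" or dport in ports


def antispoof_ok(pkt):
    """Anti-spoofing: the source must belong to the network behind the
    arrival interface. 0.0.0.0 belongs to no network, so a BOOTP/DHCP
    request always fails this check wherever it is enabled."""
    _, net = FW_IFACES[pkt.iface]
    return ip_address(pkt.src) in ip_network(net)


def evaluate(pkt, rules, antispoof_ifaces):
    """Anti-spoofing check first, then first-match rulebase, then implicit
    cleanup drop. Returns (verdict, reason)."""
    if pkt.iface in antispoof_ifaces and not antispoof_ok(pkt):
        return ("drop", "anti-spoofing on " + pkt.iface)
    for r in rules:
        if (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)
                and port_matches(r.ports, pkt.dport)):
            return (r.action, r.name)
    return ("drop", "cleanup")


# Stealth rule: nothing may talk to the firewall's own addresses.
STEALTH = Rule("stealth", ("any",), FW_ADDRS, "any", "drop")
# Client DHCP broadcast: source ANY (not a client network), destination the
# 255.255.255.255 workstation object, UDP 67 (bootp / dhcp-req-localmodule).
DHCP_BCAST = Rule("dhcp-broadcast", ("any",), ("255.255.255.255/32",), (67,), "accept")
# Same rule with a client-network source instead of ANY, to show why it fails.
DHCP_BCAST_NARROW = Rule("dhcp-broadcast-narrow", ("10.2.0.0/24",),
                         ("255.255.255.255/32",), (67,), "accept")
# DHCP server replying to the firewall's relay interface, UDP 67/68.
DHCP_SRV = Rule("dhcp-server-to-fw", (DHCP_SERVER + "/32",), FW_ADDRS, (67, 68), "accept")

# Constructed traffic: client DISCOVER on eth2, server OFFER back to the relay on eth1.
DISCOVER = Packet("eth2", "0.0.0.0", "255.255.255.255", 67)
OFFER_TO_RELAY = Packet("eth1", DHCP_SERVER, FW_IFACES["eth1"][0], 67)


def run_scenarios():
    """Each entry is (verdict for DISCOVER, verdict for OFFER_TO_RELAY)."""
    good_order = [DHCP_BCAST, DHCP_SRV, STEALTH]
    return {
        # Rules are right but anti-spoofing is still on for eth2 (the thread's symptom).
        "antispoof_on": (evaluate(DISCOVER, good_order, {"eth1", "eth2"}),
                         evaluate(OFFER_TO_RELAY, good_order, {"eth1", "eth2"})),
        # Anti-spoofing off on eth2, but the DHCP rules sit below the stealth rule.
        "stealth_first": (evaluate(DISCOVER, [STEALTH, DHCP_BCAST, DHCP_SRV], {"eth1"}),
                          evaluate(OFFER_TO_RELAY, [STEALTH, DHCP_BCAST, DHCP_SRV], {"eth1"})),
        # Source narrowed to the client network: 0.0.0.0 matches nothing, cleanup drops it.
        "src_not_any": (evaluate(DISCOVER, [DHCP_BCAST_NARROW, DHCP_SRV, STEALTH], {"eth1"}),
                        evaluate(OFFER_TO_RELAY, [DHCP_BCAST_NARROW, DHCP_SRV, STEALTH], {"eth1"})),
        # All three conditions met.
        "fixed": (evaluate(DISCOVER, good_order, {"eth1"}),
                  evaluate(OFFER_TO_RELAY, good_order, {"eth1"})),
    }


if __name__ == "__main__":
    for name, (disc, offer) in run_scenarios().items():
        print(f"{name:14s} DISCOVER -> {disc}   OFFER -> {offer}")
```

Run it and the "antispoof_on" row shows the request dropped before any rule is consulted, which is the drop the original poster sees on dhcp-req-localmodule; "stealth_first" shows the server's reply to the relay interface being eaten by the stealth rule even though the client broadcast gets through. Only the last row passes both packets, and it does so with anti-spoofing still enabled on the DMZ side, since the server's source address is legitimate there.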
No, you don't. DHCP relay works on regular SPLAT as well.
Nope, whoever told you that is flat wrong. Reopen the call and ask for it to be escalated. Tell them your resellers have told you that you don't need Pro.