PDA

View Full Version : DHCP Relay on a UTM-1 270 NXG R65



BrianHeston
2009-08-31, 13:37
I am attempting to setup DHCP relaying from one subnet to three others through my UTM-1 270 NGX R65.

Here is my topology:

Subnet - Interface - Name
172.16.128.0/24 - DMZ - Servers
172.16.129.0/24 - Internal - Parish
172.16.130.0/24 - LAN1 - School1
172.16.131.0/24 - LAN1.2 - School2

I have NAT enabled on all subnets.

I have Anti-Spoofing enabled on all subnets.

IP - Node Name
255.255.255.255 - DHCP-Broadcast
0.0.0.0 - DHCP-Request
172.16.128.21 - Server1 (DHCP Server)


I have setup the following rules for DHCP:

Source: Any
Destination: DHCP-Broadcast, Server1, fw
Service: dhcp-relay, dhcp-req-localmodule, dhcp-rep-localmodule, bootp
Action: Accept

Source: DHCP-Broadcast, Server1, fw
Destination: Any
Service: dhcp-relay, dhcp-req-localmodule, dhcp-rep-localmodule, bootp
Action: Accept

I have also tried including the node DHCP-Request as the source under the first rule, and destination under the second.

I have tried disabling SmartDefence.

I have tried placing a rule to accept Any:Any traffic as rule number 1.

Everything appears to be working fine if I statically assign IP addresses on any subnet. All of the other rules for handling traffic between subnets are doing what they are supposed to. I just can't get the DHCP to work.

If this doesn't work out, is there any reason why I shouldn't just let the fw do DHCP in a Windows domain environment? I know that it is preferable to have a domain controller doing DHCP, but is there any significant reason other than automatic DNS updates? I am using RAS, but that should still function just fine since it hands out addresses on the server subnet anyway.

If there's anything else that I've left out, just let me know.

Thanks,
Brian

melipla
2009-08-31, 13:47
You didn't mention your config in sysconfig. Have you gone in there to enable DHCP relay on all of the interfaces?

Also take a look at /var/log/messages as it will also give you dhcp information messages.

BrianHeston
2009-08-31, 13:50
Sorry.

Yes I've enabled DHCP relay on all internal interfaces via sysconfig.

One thing to note about that is that the LAN1.2 VLAN showed up twice in that list.

BrianHeston
2009-08-31, 14:39
I looked at /var/log/messages and could not see any messages about DHCP when I tried to obtain an address from the client.

I'm farily new to linux so it doesn't help that half of the administration on this is done through bash. Is there a quick way to check and see if the dhcrelay deamon is running and to make sure that it starts automatically?

Thanks,
Brian

sisu-up
2009-08-31, 16:39
Did you enable the relay function at the OS level? On SPLAT (I'm not familiar with UTM) you have to enable the dhcprelay process and configure interfaces that need to forward the discovers. This is true for VSX VPN-1 and I believe it is true for VPN-1/FW-1 products as well. Your rules look OK.

BrianHeston
2009-08-31, 16:47
I did enable the DHCP Relay via sysconfig. However, I'm still not certain how to verify that it is actually running.

Thanks

BrianHeston
2009-08-31, 20:12
I found that the dhcrelay service was not running. I started it and DHCP is now working. I even rebooted the appliance a couple of times to verify that it will start successfully on bootup.

Now I'm having trouble passing simple web traffic, but that's for another thread.

Thanks for the help guys.