Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall

Subject: Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall
From: David Landgren <david AT LANDGREN DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 28 Jan 2005 16:51:18 +0100
Scott Tobias wrote:
I have only seen this done on IPSO and on that platform it required a
bootp helper so my guess is you would have to install one on your
Linux box

Thanks for the info. So, I've installed dhcrelay on the firewall, and
I'm running

  dhcrelay -i eth0 -i eth5 172.17.0.21

where eth0 and eth5 are the interfaces on the firewall to the two
different segments.

eth0 : 172.17.0.0/19 (where the DHCP server lives)
eth5 : 172.17.220.0/22 (where the client lives)

In the FW-1 logs I see that packets from 0.0.0.0:68 to
255.255.255.255:67 are accepted. But tcpdump on the firewall reports:

[root@fw-live root]# tcpdump -ni eth5
tcpdump: listening on eth5
16:13:58.584582 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71
[|bootp] [tos 0x10]
16:13:58.584583 :: > ff02::1:ff91:838e: icmp6: neighbor sol: who has
fe80::2d0:59ff:fe91:838e
16:13:58.585173 arp who-has 172.17.0.21 tell 172.17.223.254
16:13:59.576611 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:00.576610 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:02.153500 fe80::2d0:59ff:fe91:838e > ff02::2:5281:94fb: HBH icmp6:
multicast listener report max resp delay: 0 addr: ff02::2:5281:94fb [hlim 1]
16:14:04.673728 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71
secs:8 [|bootp] [tos 0x10]
16:14:04.673842 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:05.666608 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:06.666611 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:07.353602 fe80::2d0:59ff:fe91:838e > ff02::1:ff91:838e: HBH icmp6:
multicast listener report max resp delay: 0 addr: ff02::1:ff91:838e [hlim 1]

followed by a repeating series of blocks:

16:14:11.683772 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71
secs:15 [|bootp] [tos 0x10]
16:14:11.683882 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:12.676609 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:13.676610 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:19.683794 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71
secs:23 [|bootp] [tos 0x10]

172.17.223.254 is the firewall's address on eth5. I also see accepted
ICMP packets from the firewall to the DHCP server.

With tcpdump on the DHCP server, however, I am not seeing any packets
arrive. So it looks like the discovery packet is getting to the firewall
but not going any further. What else should I be doing?

Thanks,
David


On Thu, 27 Jan 2005 21:36:47 +0100, David Landgren <david AT landgren DOT net> wrote:

Hello list,

I want to set up a new segment hanging off my firewall (FW-1 R55 running
on Linux), and to make things as simple as possible, I'd like to relay
the DHCP requests over to a server sitting in another segment and let it
manage the requests.

Do I have to install a dhcp relay daemon at the OS level, or can FW-1
handle this all by itself? I've drawn a blank in the documentation.
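The capture in the reply above contains two symptoms worth pulling out mechanically when troubleshooting a relay host: the same DHCPDISCOVER transaction id retransmitting (no offer ever reaches the client), and the firewall sending ARP requests on eth5 for 172.17.0.21, an address that belongs to the eth0 segment. A host only ARPs for an address it believes is on-link on that interface, so that second pattern says the kernel is sending something toward the DHCP server out the client-side interface, which makes the routing table the next thing to check. The script below is an added example, not code from the post, from the list, or from Check Point: it parses tcpdump text in the format shown above and reports both symptoms. The interface map and server address are taken from the post; the sample capture lines are copied from it with tcpdump's wrapped lines joined, and the regexes and the `analyse` function are my own.

```python
import ipaddress
import re
from collections import Counter

# Interface-to-subnet map as stated in the post.
INTERFACES = {
    "eth0": ipaddress.ip_network("172.17.0.0/19"),    # DHCP server segment
    "eth5": ipaddress.ip_network("172.17.220.0/22"),  # client segment
}
DHCP_SERVER = ipaddress.ip_address("172.17.0.21")

# Sample input: tcpdump lines copied from the post (capture taken on eth5),
# with the wrapped bootp lines joined back onto one line each.
SAMPLE_CAPTURE = """\
16:13:58.584582 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71 [|bootp] [tos 0x10]
16:13:58.585173 arp who-has 172.17.0.21 tell 172.17.223.254
16:13:59.576611 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:04.673728 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71 secs:8 [|bootp] [tos 0x10]
16:14:04.673842 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:11.683772 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71 secs:15 [|bootp] [tos 0x10]
"""

# Patterns for the two tcpdump line shapes we care about (old-style output).
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
BOOTP_RE = re.compile(r"bootpc > \S+\.bootps:\s+xid:(0x[0-9a-fA-F]+)")


def analyse(capture_text, iface):
    """Scan tcpdump text captured on `iface` and report relay symptoms.

    Returns a dict with the per-xid DHCPDISCOVER counts, the number of ARP
    requests for addresses that are not on-link for `iface`, and a list of
    human-readable findings.
    """
    net = INTERFACES[iface]
    xids = Counter()
    offlink_arps = []

    for line in capture_text.splitlines():
        m = BOOTP_RE.search(line)
        if m:
            xids[m.group(1)] += 1
            continue
        m = ARP_RE.search(line)
        if m:
            target = ipaddress.ip_address(m.group(1))
            sender = ipaddress.ip_address(m.group(2))
            # An ARP request on this interface means the host believes the
            # target is directly reachable here; flag it if it is not.
            if target not in net:
                offlink_arps.append((target, sender))

    findings = []
    for xid, n in xids.items():
        if n > 1:
            findings.append(
                f"client retransmitted DHCPDISCOVER xid {xid} {n} times on "
                f"{iface}: no DHCPOFFER is reaching it"
            )
    if offlink_arps:
        target = offlink_arps[0][0]
        home = next((name for name, n in INTERFACES.items() if target in n), None)
        msg = (f"{iface} sent {len(offlink_arps)} ARP request(s) for {target}, "
               f"which is not in {net}")
        if home:
            msg += f" (it belongs to the {home} segment)"
        if target == DHCP_SERVER:
            msg += "; traffic toward the DHCP server is leaving the wrong interface, check routes"
        findings.append(msg)

    return {
        "discover_retries": dict(xids),
        "offlink_arp_count": len(offlink_arps),
        "findings": findings,
    }


if __name__ == "__main__":
    for f in analyse(SAMPLE_CAPTURE, "eth5")["findings"]:
        print(f)
```

To use it on a live box, pipe `tcpdump -nli eth5` through a file and feed the text to `analyse` with the interface the capture was taken on; a clean relay shows a single DISCOVER per xid followed by a unicast toward the server on the server-side interface, and no off-link ARPs.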
