Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall

Subject:	Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall
From:	Crist Clark <crist.clark AT GLOBALSTAR DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Fri, 28 Jan 2005 09:49:04 -0800

David Landgren wrote:

Scott Tobias wrote:

I have only seen this done on IPSO and on that platform it required a
bootp helper so my guess is you would have to install one on your
Linux box



Thanks for the info. So, I've installed dhcrelay on the firewall, and
I'm running

  dhcrelay -i eth0 -i eth5 172.17.0.21

where eth0 and eth5 are the interfaces on the firewall to the two
different segements.

eth0 : 172.17.0.0/19 (where the DHCP server lives)
eth5 : 172.17.220.0/22 (where the client lives)

In the FW-1 logs I see that packets from 0.0.0.0:68 to
255.255.255.255:67 are accepted. But tcpdump on the firewall reports:

[root@fw-live root]# tcpdump -ni eth5
tcpdump: listening on eth5
16:13:58.584582 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9c954a71
[|bootp] [tos 0x10]
16:13:58.585173 arp who-has 172.17.0.21 tell 172.17.223.254
16:13:59.576611 arp who-has 172.17.0.21 tell 172.17.223.254
16:14:00.576610 arp who-has 172.17.0.21 tell 172.17.223.254

[snip]

172.17.223.254 is the firewall's address on eth5. I also see accepted
ICMP packets from the firewall to the DHCP server.

With tcpdump on the DHCP server, however, I am not seeing any packets
arrive. So it looks like the discovery packet is getting to the firewall
but not going any further. what else should I be doing?


The firewall should be looking for 172.17.0.21 on eth0, not on eth5.
Why is it sending the ARP requests on eth5? It looks like something with
your interface configurations or routing may be messed up. What do
'netstat -rn' and 'ifconfig -a' return?
--
Crist J. Clark                               crist.clark AT globalstar DOT com
Globalstar Communications                                (408) 933-4387

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Setting up a DHCP relay across an FW-1 R55 firewall, David Landgren Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall, Scott Tobias Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall, David Landgren Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall, Crist Clark <=

Previous by Date:	Re: [FW-1] Strange Behavior - JavaScript coming across VERY Slow on NGAI not 4.1 though, Thorsten Behrens
Next by Date:	Re: [FW-1] Tunnel test failure., Ray
Previous by Thread:	Re: [FW-1] Setting up a DHCP relay across an FW-1 R55 firewall, David Landgren
Next by Thread:	Re: [FW-1] NAT and VPN, Jeremy Lieb
Indexes:	[Date] [Thread] [Top] [All Lists]