Hi Eduardo,
We (still) have an R54 ClusterXL loadsharing cluster on Solaris, with DHCP relay
for 2 interfaces (out of 12). We've seen the same, only I figured it had to do
with the difference between the IP source on the packet (the cluster IP) and the
server IP in the DHCP info (the node interface IP) of the packet.
We also noticed that Windows seems to partially process the packet, because an
ipconfig /renew after a failed DHCP sequence usually works, because Windows
then tries to contact the DHCP server directly, based on the DHCP info from the
failed attempt... strange huh... We ended up adding a DHCP relay outside of the
FW cluster for the networks in question...
Dion
-----------------------------------------------------------------------
Dion-ben Hendriks, Network specialist
UMC St Radboud
Staf Informatievoorziening - ICT in balans
<http://www.umcn.nl/overhetumc/afdelingen/staf_informatievoorziening>
UMC St Radboud / UMC Nijmegen
Route 49 Stafdienst Informatievoorziening
Postbus 9101
6500 HB Nijmegen, The Netherlands
Tel:(+31)/(0) 24 36 19330
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Eduardo Bergasa
> Sent: Tuesday 23 January 2007 11:00
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] DHCP relay: annoying low port translation
>
> Hello,
>
> We are having a problem with our SecurePlatform FW1 NGX ClusterXL High
> Availability R62 dhcp-relay configuration.
>
> We have configured ethernet interfaces for DHCP-relay and added to our
> policy a couple of rules to allow dhcp relay packets back and forth.
>
> DHCP relay works correctly except for our Windows XP SP2 clients which
> have windows firewall activated.
>
> We found that the fw1 is doing a source port translation, and it seems
> that windows firewall doesn't like packets originating from a port
> other than the 'official' DHCP source port.
>
> Windows firewall has a fixed startup policy which drops these packets
> and can't be modified. This startup policy overrides any exception you
> could configure in windows firewall policy.
>
> - Has any of you seen this port translation problem before?
>
> - Is there any way I could tell fw1 not to translate dhcp source ports?
>
> It's doing this translation on rule 0 (implied NAT rule?), translating the
> source IP address from the working node address to the cluster address,
> as well as the source UDP port.
>
> We have tried exactly the same configuration in a non-cluster
> configuration, and it works smoothly. The problem arises when using a two
> node HA cluster.
>
> Any help, advice or idea would be greatly appreciated.
>
> 10.9.0.8 is the IP address of one of the nodes
> 10.9.0.1 is the Cluster XL IP address
>
> This is the problematic connection's log.
>
> Product: VPN-1 Power/UTM
> Action: Accept
> Protocol: udp
> Service: dhcp-rep-localmodule (68)
> Source: buzz (10.9.0.8)
> Destination: Broadcast (255.255.255.255)
> NAT rule number: 0
> NAT additional rule number: 0
> Source Port: bootp (67)
> XlateSrc: toy (10.9.0.1)
> XlateSPort: 11188
> SmartDefense Profile: Default_Protection
> Information: service_id: dhcp-rep-
> localmodule
>
>
>
> Thanks in advance.
>
> --
> _____________________________________________________
> Eduardo Bergasa Balda
> UNIVERSIDAD DE LA RIOJA
> Servicio Informático Seguridad Técnica Informática
>
> C/Avenida de La Paz, 93 Tf:+34-941-299560
> 26006 Logroño - SPAIN Fx:+34-941-299180
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
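The two symptoms discussed in this thread (a relayed DHCP reply leaving the cluster with a translated UDP source port, and an IP source address that no longer matches the relay address carried inside the DHCP payload) can be checked offline against a capture before changing firewall rules. The Python below is an added example written for this thread, not code from either poster or from Check Point: it constructs a sample IPv4/UDP/DHCPOFFER frame with the addresses from the log above (node 10.9.0.8, cluster 10.9.0.1, translated port 11188), parses it, and reports the two mismatches a Windows client would object to. The DHCP server identifier 10.9.0.200 and all function names are my own assumptions; the frame is built inline rather than read from a real capture.

```python
import struct
import ipaddress

BOOTPS_PORT = 67          # server-side port a DHCP reply must originate from
BOOTPC_PORT = 68          # client-side port
DHCP_MAGIC = b"\x63\x82\x53\x63"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_relayed_offer(ip_src, udp_sport, giaddr, server_id, xid=0x3903F326):
    """Construct a sample IPv4/UDP/DHCPOFFER frame (constructed data, not a capture).

    giaddr is the relay interface the reply was forwarded through; server_id is
    DHCP option 54, the real DHCP server behind the relay (hypothetical here).
    """
    options = (
        b"\x35\x01\x02"                                            # option 53: DHCPOFFER
        + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed   # option 54: server identifier
        + b"\xff"                                                  # end
    )
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 1, xid, 0, 0x8000,                     # BOOTREPLY, ethernet, hops=1, broadcast flag
        b"\x00" * 4,                                    # ciaddr
        ipaddress.IPv4Address("10.9.1.50").packed,      # yiaddr: constructed lease
        b"\x00" * 4,                                    # siaddr
        ipaddress.IPv4Address(giaddr).packed,           # giaddr: relay interface
        b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10,     # chaddr: constructed client MAC
        b"\x00" * 64, b"\x00" * 128,                    # sname, file
    )
    payload = bootp + DHCP_MAGIC + options
    # UDP checksum 0 means "not computed", which IPv4 permits; keeps the sample simple.
    udp = struct.pack("!HHHH", udp_sport, BOOTPC_PORT, 8 + len(payload), 0) + payload
    src = ipaddress.IPv4Address(ip_src).packed
    dst = ipaddress.IPv4Address("255.255.255.255").packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_dhcp_reply(pkt: bytes) -> dict:
    """Pull the fields relevant to the relay/NAT question out of a raw IPv4 frame."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not UDP")
    ip_src = str(ipaddress.IPv4Address(pkt[12:16]))
    udp = pkt[ihl:]
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    bootp = udp[8:]
    giaddr = str(ipaddress.IPv4Address(bootp[24:28]))
    opts = bootp[236:]
    if opts[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    fields, i = {}, 4
    while i < len(opts):                       # TLV walk; 0 is pad, 255 is end
        tag = opts[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            break
        length = opts[i + 1]
        fields[tag] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "ip_src": ip_src,
        "udp_sport": sport,
        "udp_dport": dport,
        "giaddr": giaddr,
        "msg_type": fields.get(53, b"\x00")[0],
        "server_id": str(ipaddress.IPv4Address(fields[54])) if 54 in fields else None,
    }


def check_reply(pkt: bytes) -> list:
    """Return the findings that explain a client-side drop; empty list means clean."""
    info = parse_dhcp_reply(pkt)
    findings = []
    if info["udp_sport"] != BOOTPS_PORT:
        findings.append("udp source port %d is not 67/bootps (hide-NAT on the cluster?)"
                        % info["udp_sport"])
    if info["giaddr"] != "0.0.0.0" and info["ip_src"] != info["giaddr"]:
        findings.append("ip source %s differs from giaddr %s (cluster IP vs node interface)"
                        % (info["ip_src"], info["giaddr"]))
    return findings


if __name__ == "__main__":
    # As logged in the thread: node 10.9.0.8 / port 67 rewritten to cluster 10.9.0.1 / port 11188.
    translated = build_relayed_offer("10.9.0.1", 11188, "10.9.0.8", "10.9.0.200")
    untranslated = build_relayed_offer("10.9.0.8", 67, "10.9.0.8", "10.9.0.200")
    for name, frame in (("translated", translated), ("untranslated", untranslated)):
        print(name, check_reply(frame) or ["ok"])
```

Run against real traffic, feed `check_reply` the raw IPv4 frames of replies seen on the client VLAN; a non-empty result on every OFFER/ACK while the same check is clean on a single-node gateway points at the cluster's implied NAT rather than at the DHCP server.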