Block DHCP to and from the Proxmox host, but allow DHCP between VMs/LXCs

HolgerZ

New Member
Jun 27, 2023
I'm trying to replace my router's DHCP server with the ISC Kea server in an LXC. As I'm new to this, I want to try it on a few client LXCs first. For this I want to block all DHCP requests that would go to the router, and all DHCP requests that could reach the new DHCP server from outside the Proxmox host.

I tried to block all traffic in/out on ports 67/68 in the firewall of the datacenter and the Proxmox host, but my test LXC always gets an IP from my router. I've read that others have difficulties with DHCP too, but I haven't found a solution yet and I don't have a clue where or what to search for further.

Is it possible at all to block DHCP traffic with the Proxmox firewall, and which would be the right location for the rules, datacenter or PVE host?
I'm not very experienced with networks or firewalls, so any advice on how to accomplish this would be appreciated and helpful.
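To find out which server is actually answering the test container, it helps to watch the DHCP exchange itself instead of guessing from the lease. The following is an added example and not code from this thread or from Proxmox: it builds a DHCPDISCOVER, broadcasts it on a bridge (assumed to be vmbr0 unless given on the command line) and decodes every DHCPOFFER that comes back, printing the server identifier (option 54) so the router's server and a Kea container can be told apart. The names probe(), build_discover(), build_offer() and parse_dhcp() are mine; build_offer() only produces a constructed reply so the decoder can be exercised offline. Sending needs root (UDP port 68) and Linux for SO_BINDTODEVICE.

```python
"""DHCP probe: broadcast a DISCOVER and decode the replies to see which
server answers (added example, not from the thread)."""
import random
import socket
import struct
import sys

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# BOOTP fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
ZERO4 = b"\0" * 4


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client -> broadcast: DHCPDISCOVER with the broadcast flag set."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, ZERO4, ZERO4, ZERO4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (DHCP_MAGIC
            + bytes([53, 1, 1])          # option 53: message type = DISCOVER
            + bytes([55, 2, 1, 54])      # option 55: request subnet mask, server id
            + b"\xff")                   # end
    return hdr + opts


def build_offer(mac: bytes, xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Server -> client: a DHCPOFFER; used here only as constructed test input."""
    hdr = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip), ZERO4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (DHCP_MAGIC
            + bytes([53, 1, 2])                                  # OFFER
            + bytes([54, 4]) + socket.inet_aton(server_ip)       # server identifier
            + bytes([51, 4]) + struct.pack("!I", 86400)          # lease time
            + b"\xff")
    return hdr + opts


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fields needed to tell servers apart; ValueError if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": socket.inet_ntoa(pkt[16:20]),
        "siaddr": socket.inet_ntoa(pkt[20:24]),
        "chaddr": pkt[28:28 + hlen].hex(":"),
        "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None,
    }


def probe(iface: str = "vmbr0", timeout: float = 3.0) -> list:
    """Broadcast one DISCOVER on iface and collect every reply to it within timeout.
    Needs root (UDP port 68) and Linux (SO_BINDTODEVICE); a DHCP client already
    bound to port 68 on the host will conflict with the bind."""
    mac = bytes([0x02, 0x00]) + bytes(random.getrandbits(8) for _ in range(4))  # locally administered
    xid = random.getrandbits(32)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, getattr(socket, "SO_BINDTODEVICE", 25), iface.encode())
    s.bind(("", 68))
    s.settimeout(timeout)
    replies = []
    try:
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        while True:
            data, (src, _port) = s.recvfrom(1500)
            try:
                info = parse_dhcp(data)
            except ValueError:
                continue
            if info["op"] == 2 and info["xid"] == xid:   # only replies to our own probe
                info["from"] = src
                replies.append(info)
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


if __name__ == "__main__":
    for r in probe(sys.argv[1] if len(sys.argv) > 1 else "vmbr0"):
        print(f"{r['msg_type']} from {r['from']} (server id {r['server_id']}) offers {r['yiaddr']}")
```

Run it as root on the Proxmox host with the bridge name as argument; every server that can see the bridge will answer, and the server identifier tells you which one it was. No DHCPREQUEST is sent, so the offers are never committed to a lease.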
 
I haven't played around with the firewalls enough to help you configure those, but if you're up for a couple of methods without firewalls, there are other ways:
Probably the "easiest" method would be to create a new Linux bridge (without any config) in Proxmox and put all your DHCP clients and the DHCP server on this bridge (losing internet access while testing, of course).
Alternatively, you could put them on a VLAN (so you'd have to use a different subnet as well) and then not enable DHCP for that VLAN on your router.
 
I've read further and found out that it is really not possible to block DHCP traffic. DHCP uses raw sockets because there is no IP address, and therefore it bypasses the IP stack, where the firewalls are located.

I had already thought about an additional Linux bridge, but this would make things difficult for several reasons. Still, it looks like I have to go with this option. The difficulties are that the DHCP server uses a database server that is also used for other things in my network; I want to use Stork to manage the DHCP, so I need access to its web interface; and the integration of DNS will not be any easier either, I guess.

Sadly, VLANs are not an option at all, as my router doesn't support VLANs.


Maybe it's possible to use a Linux bridge with its own subnet that is routed to my network. Is this possible with Proxmox, and are there any ideas on where to start? This is really new to me.
 
I solved my problem by creating another bridge with a NATed subnet and port-forwarding the needed ports. I no longer get DHCP traffic from my router, so I can test the new DHCP server.

I created the bridge with the following configuration and this German tutorial. In the end it was simpler than I thought.
Code (/etc/network/interfaces):
auto vmbr1
iface vmbr1 inet static
    address 10.11.0.1/16
    # no physical port: the bridge only connects the guests and the host
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # the host routes between vmbr1 and vmbr0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # masquerade the whole bridge subnet; the source must match the /16 above,
    # otherwise guests outside the masqueraded range get no NAT
    post-up iptables -t nat -A POSTROUTING -s '10.11.0.0/16' -o vmbr0 -j MASQUERADE
    # note: -F flushes every nat rule on the host, not only the ones added here
    post-down iptables -t nat -F
    # forward SSH (1022 -> 22) and the web interface (8080) from vmbr0 to the DHCP container
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1022 -j DNAT --to 10.11.0.101:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 10.11.0.101:8080
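A stanza like this is easy to get subtly wrong: the bridge address, the MASQUERADE source and the DNAT targets all have to agree on one subnet, and a post-down flush of the whole nat table removes more than this bridge's rules. The following lint is an added example, not Proxmox's or ifupdown's own tooling: it pulls those values out of one interfaces stanza with ipaddress and reports the mismatches. SAMPLE is a constructed copy of the stanza as posted, with its /16 bridge address next to a /24 masquerade source; parse_stanza() and check() are names I chose.

```python
"""Lint for a NAT bridge stanza in /etc/network/interfaces (added example,
not from the thread): checks that the MASQUERADE source covers the bridge
subnet, that DNAT targets lie inside it, and flags a post-down that flushes
the whole nat table."""
import ipaddress
import re

# Constructed sample: the stanza as posted, where the bridge is /16 but NAT
# only covers /24, and post-down flushes every nat rule on the host.
SAMPLE = """\
auto vmbr1
iface vmbr1 inet static
    address 10.11.0.1/16
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.11.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -F
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1022 -j DNAT --to 10.11.0.101:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 10.11.0.101:8080
"""


def parse_stanza(text: str) -> dict:
    """Pull bridge address, MASQUERADE sources, DNAT targets and flush lines out of one stanza."""
    found = {"address": None, "masq": [], "dnat": [], "flush": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"address\s+(\S+)", line)
        if m:
            found["address"] = ipaddress.ip_interface(m.group(1))
        if "-j MASQUERADE" in line:
            m = re.search(r"-s\s+'?([\d./]+)'?", line)
            if m:
                found["masq"].append(ipaddress.ip_network(m.group(1), strict=False))
        if "-j DNAT" in line:
            m = re.search(r"--to(?:-destination)?\s+([\d.]+)(?::(\d+))?", line)
            if m:
                found["dnat"].append((ipaddress.ip_address(m.group(1)), m.group(2)))
        if re.search(r"iptables\s+-t\s+nat\s+-F(\s|$)", line):
            found["flush"].append(line)
    return found


def check(text: str) -> list:
    """Return a list of problems; an empty list means the stanza is self-consistent."""
    f = parse_stanza(text)
    if f["address"] is None:
        return ["no address line: cannot determine the bridge subnet"]
    net = f["address"].network
    problems = []
    if not f["masq"]:
        problems.append("no MASQUERADE rule: the bridge has no NAT to the outside")
    for src in f["masq"]:
        # supernet_of() is also true for an identical network
        if not src.supernet_of(net):
            problems.append(f"MASQUERADE source {src} does not cover the bridge subnet {net}: "
                            f"hosts outside {src} get no NAT")
    for ip, _port in f["dnat"]:
        if ip not in net:
            problems.append(f"DNAT target {ip} is not inside the bridge subnet {net}")
        elif ip == f["address"].ip:
            problems.append(f"DNAT target {ip} is the bridge address itself, not a guest")
    for line in f["flush"]:
        problems.append(f"'{line}' flushes every nat rule on the host, not only this bridge's; "
                        "delete the specific rules with -D instead")
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE) or ["stanza is consistent"]:
        print(p)
```

On the posted stanza it reports the /24 versus /16 mismatch and the table-wide flush; change the masquerade source to 10.11.0.0/16 and replace the flush with matching -D rules and it reports nothing.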
 
