Block rogue dhcp servers

[Jazz7]

Hi, i have a cluster where there's a dhcp server VM used by the VM added into the whole cluster.
I need to block rogue dhcp servers inside the cluster (and preventing them offering to the external network too) but let the legit one working.
I tried the firewalling but i find hard to understand how to achieve this.

 

[guletz]

Hi,

dhcp protocol use udp port 67 and 68. But after your client will see that maybe they will use another tricks ... so dhcp is not the best solution. Mybe a pppoe server willl be a better choise.

 

[Jazz7]

Can't change this, the design is somewhat forced that way.

 

[Jazz7]

Maybe there's a way to isolate each vm network? that'll simplify my work enabling dhcp snooping on the switch and move the dhcp server outside the cluster.
Oh, btw the VM are working on a tagged vlan already, the problem is that all vm shares the same vlan.

 

[Jazz7]

Manually adding a rule like this in ebtables FORWARD does the job

ebtables -I FORWARD 1 -p IPv4 --ip-src ! $my-legit-dhcp-IP --ip-proto udp --ip-sport 67 -j DROP

How can i add such rule using the gui firewall?

 

[guletz]

Hi @Jazz7 again,

Your first task is to find where is this rouge dhcp. And you can find it like this:

Install in a vm a chr mikrotik ruteros (1 cpu, 256 Mb ram, 1 Gb vhdd) - you can download various formats (raw, vmdk, etc)

You can configure a dhcp server inside who can detect any rogue dhcp server, and can send an alarm (mail for example)

If such of rogue dhcp server will be detected, then you will see the mac address of the interface, so you can identify from what vm will come.

If you want I can send some links how to do it (it will take about 5 min to setup a dhcp in such a way).

A better option will be to use a dhcp-client for your vms who can use a radius server (chr can provide a very simple setup for a radius server ), but I do not know if this is possible on linux (shame on me).

Also I think that your ideea to use a dhcp server outside proxmox bridge could be useful, but the rogue dhcp could send traffic without problems for any vm that is on the same node and on the same bridge on this node.

good luck

 

[Jazz7]

Thanks but i need to block them not log.
Anyone knows how to add that rule that a reboot doesn't delete it?
Btw, the firewall UI is too limited to let users apply the right custom filters.

 

[guletz]

Anyone knows how to add that rule that a reboot doesn't delete it?

For any interface you have option iface up/down to run a script

but i need to block them not log

Yes for short term, is ok to block. But the smart way is to educate and advise your customers that they do wrong things. Now is dhcp, but tomorrow? Yes I know this is a time consuming but your clients will want to use your services, because they can get good advices, and other do not care ! Then you can make money from this (advices).

Good luck!

 

[Jazz7]

Omg almost forgot about the post-up, thanks for reminding me!
I agree with you that advise users is better than blocking and forget, but at this time i don't have enough time.
I'll consider monitoring in near future.
Thanks a lot guletz