Block DHCP Ports 67 and 68 via VyOS Crux Release

Hello Vyos Community,

I want to block DHCP ports 67 and 68. The TP-Link modem shown in the diagram has a DHCP server doling out IPs in the 10.10.10.22 - 10.10.10.32 range. I have a VM inside an ESXi host that has a DHCP server too. This VM is attached to a vSwitch on the ESXi host with a physical uplink to the TP-Link modem. What happens is that when the VM is running, it trumps over the TP-Link modem's DHCP and doles out IPs in the 192.168.1.0/24 range to WiFi clients. One way to block the VM from giving out IPs is to attach its vNIC to a different vSwitch without a physical uplink.

I created the following firewall rule inside the VyOS Crux release, but one of them seems to work and the VM continues to dole out IPs in the 192.168.1.0/24 range.

```
set firewall name BlockDHCP rule 100 action 'drop'
set firewall name BlockDHCP rule 100 source port '67'
set firewall name BlockDHCP rule 100 protocol 'udp'
set firewall name BlockDHCP rule 100 state new 'enable'

set interfaces ethernet eth4 firewall in name 'BlockDHCP'
```

eth4 is a vNIC on VyOS where the 192.168.1.25/24 address is set up. What am I missing to successfully block UDP port 67?

Change `set interface ethernet eth4 firewall in name 'BlockDHCP'` to `set interface ethernet eth4 firewall local name 'BlockDHCP'`

I tried to apply the firewall name to eth4 with the local directive. Still, WiFi clients get an IP from DHCP. Still, the DHCP server inside the VM behind the 192.168.25.1/24 interface trumps over the DHCP of the TP-Link modem. My mobile phone and smart TV are getting IPs from the 192.168.1.0/24 scope instead of the 10.10.10.1/26 range.

It sounds like you have everything in a single layer 2 domain. If that’s the case, a firewall rule on VyOS will not do anything for broadcast traffic, since it doesn’t need to traverse VyOS at all.

Right now, you just have a race condition between a DHCP server on your TP-Link router, and one on your server. It’s not a surprise that the server grade hardware returns a response to the Discover packet first.

You’ll need to segment your traffic into VLANs to prevent both DHCP servers from seeing the initial Discover packet. So 10.10.10.0/24 could be VLAN 10, and 192.168.1.0/24 could be VLAN 20.
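The VLAN split suggested in the reply above, written out as an added example (not from this thread and not VyOS project documentation); it assumes VyOS 1.2 (Crux) syntax, that eth4 is the link toward the ESXi vSwitch and the TP-Link, and that 10.10.10.2/24 is a free address on the VLAN 10 side. The ESXi port group holding the DHCP VM must be set to VLAN 20 and the vSwitch uplink must carry both tags; if the TP-Link cannot tag, VLAN 10 has to be the untagged side of that port, otherwise the Discover still reaches both servers.

```vyos
configure

# eth4 becomes a pure 802.1Q trunk: drop the untagged address that sat
# in the same broadcast domain as both DHCP servers.
delete interfaces ethernet eth4 address '192.168.1.25/24'

# VLAN 10: TP-Link side. The modem's DHCP server stays the only one here.
# 10.10.10.2/24 is an assumed free address on that subnet.
set interfaces ethernet eth4 vif 10 description 'VLAN10 TP-Link LAN'
set interfaces ethernet eth4 vif 10 address '10.10.10.2/24'

# VLAN 20: ESXi side. The VM's DHCP server only ever sees broadcasts
# from this VLAN, so it can no longer win the race for WiFi clients.
set interfaces ethernet eth4 vif 20 description 'VLAN20 ESXi DHCP VM'
set interfaces ethernet eth4 vif 20 address '192.168.1.25/24'

# VyOS routes between the two VLANs but never forwards the broadcast
# Discover itself (no dhcp-relay configured), so the original BlockDHCP
# ruleset is only a safeguard against unicast server replies crossing
# from VLAN 20 into VLAN 10. default-action is set explicitly because
# a named ruleset without it drops everything else on the interface.
set firewall name BlockDHCP default-action 'accept'
set firewall name BlockDHCP rule 100 action 'drop'
set firewall name BlockDHCP rule 100 protocol 'udp'
set firewall name BlockDHCP rule 100 source port '67'
set firewall name BlockDHCP rule 100 destination port '68'
set interfaces ethernet eth4 vif 20 firewall in name 'BlockDHCP'

commit
save
```

After the commit, a client on VLAN 10 should only ever see Offers with the TP-Link's server identifier; if 192.168.1.x leases still appear, the port group or uplink tagging on the ESXi side is not in place yet.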

Best answer. Single Layer 2 domain, indeed.
Thanks
