IP helper IP address blocked as spoofing


M370 running 12.10.1

I have enabled IP helper on a Cisco IOS VLAN where the IP helper address is on a remote BOVPN tunnel. The Cisco VLAN has the static IP address assigned in the same subnet as the WG VLAN. The WG VLAN interface is also configured to run as a DHCP server, which is working.

So my Cisco vlan settings are:
ip address static (same subnet)
ip helper ip address to WG vlan dhcp server
ip address ip address to Aruba Clearpass server

The problem is Fireware blocks the IP helper BOOTP/DHCP Server packets sent to the Clearpass server as spoofing.

Webshop-HA2 Deny SOURCE-IP DEST-IP bootps/udp 67 67 Internal network Firebox ip spoofing sites 328 255 (Internal Policy)

Why does Fireware do this, as the IP subnet is already configured on the WG VLAN interface?



    Seems to me that the source IP addr is expected to be coming from the WG VLAN and not the Cisco VLAN.
    Do the 2 VLANs have the same VLAN ID?
    Are they on different WG firewall interfaces?

    Same VLAN ID 3 and on the same physical interface.