
IP helper IP address blocked as spoofing

Hi

M370 running 12.10.1

I have enabled ip helper on a Cisco IOS VLAN where the ip helper address is on a remote BOVPN tunnel. The Cisco VLAN has a static IP address assigned in the same subnet as the WG VLAN. The WG VLAN interface is also configured to run as a DHCP server, which is working.

So my Cisco VLAN settings are:
ip address static (same subnet)
ip helper ip address to WG VLAN DHCP server
ip helper ip address to Aruba Clearpass server

The problem is Fireware blocks the ip helper BOOTP/DHCP server packets sent to the Clearpass server as spoofing.

Webshop-HA2 Deny SOURCE-IP DEST-IP bootps/udp 67 67 Internal network Firebox ip spoofing sites 328 255 (Internal Policy)

Why does Fireware do this, as the IP subnet is already configured on the WG VLAN interface?

Regards
Robert

Comments

  • Seems to me that the source IP addr is expected to be coming from the WG VLAN and not the Cisco VLAN.
    Do the 2 VLANs have the same VLAN ID?
    Are they on different WG firewall interfaces?

  • @Bruce_Briggs

    Same VLAN ID 3 and on the same physical interface.
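The check Bruce's comment describes, worked through as an added example (not code from this thread, WatchGuard or Cisco): the relayed DHCP packet is sourced from the Cisco SVI address, which sits in the subnet configured on the WG VLAN interface, so a firewall that ties each directly configured subnet to one ingress interface will only accept that source on that interface. The script parses the traffic-log line quoted in the post (leading fields only, since interface names and the deny reason contain spaces) and then applies that simplified anti-spoofing model to the source address. The field layout, the interface names and the RFC 5737 addresses are assumptions; the model is a teaching simplification, not Fireware's own algorithm, and under it the topology Robert reports (same VLAN ID, same physical interface) is not flagged, which is why it is the first thing to verify rather than the final answer.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the traffic-log line quoted in the post, with the real
# addresses replaced by documentation-range placeholders (RFC 5737).
LOG_LINE = ("Webshop-HA2 Deny 192.0.2.2 192.0.2.50 bootps/udp 67 67 "
            "Internal network Firebox ip spoofing sites 328 255 (Internal Policy)")

# Assumed leading-field layout: device, action, source, destination,
# service/protocol, source port, destination port. Everything after the ports
# (interfaces, reason, length, TTL, policy) is kept as free text because the
# interface names contain spaces; it is only searched for the spoofing marker.
LOG_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<service>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<detail>.*)$"
)


def parse_log_line(line: str) -> dict:
    """Split a traffic-log line into its leading fields and flag spoof denies."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised traffic-log line")
    rec = m.groupdict()
    rec["spoof_deny"] = rec["action"] == "Deny" and "ip spoofing" in rec["detail"]
    return rec


@dataclass(frozen=True)
class Iface:
    name: str                           # assumed Firebox interface name
    physical: str                       # assumed physical port carrying it
    vlan_id: Optional[int]              # None for an untagged interface
    subnet: ipaddress.IPv4Network       # subnet configured on the interface


# Assumed topology: VLAN 3 on eth1 runs the DHCP server and holds the Cisco SVI
# address; a separate untagged interface on eth2 has its own subnet.
WG_VLAN3 = Iface("WG VLAN 3", "eth1", 3, ipaddress.ip_network("192.0.2.0/24"))
TRUSTED_ETH2 = Iface("Trusted", "eth2", None, ipaddress.ip_network("198.51.100.0/24"))
INTERFACES = [WG_VLAN3, TRUSTED_ETH2]


def subnet_owner(src: str, ifaces: list) -> Optional[Iface]:
    """Return the interface whose configured subnet contains src, if any."""
    ip = ipaddress.ip_address(src)
    return next((i for i in ifaces if ip in i.subnet), None)


def spoof_verdict(src: str, ingress: Iface, ifaces: list) -> str:
    """Simplified anti-spoofing rule (assumption, not Fireware's algorithm):
    a source inside a subnet configured on one interface is only legitimate
    when the packet enters through that same interface."""
    owner = subnet_owner(src, ifaces)
    if owner is None:
        return "source not in any directly configured subnet"
    if owner == ingress:
        return f"ok: {src} arrived on {ingress.name}, which owns its subnet"
    return (f"spoof: {src} belongs to {owner.name} ({owner.physical}) "
            f"but arrived on {ingress.name} ({ingress.physical})")


def assess(line: str, ingress: Iface, ifaces: list) -> dict:
    """Parse one log line and, for a spoofing deny, explain it under the model."""
    rec = parse_log_line(line)
    rec["verdict"] = spoof_verdict(rec["src"], ingress, ifaces) if rec["spoof_deny"] else "n/a"
    return rec


if __name__ == "__main__":
    # Same VLAN and port, as Robert reports: the model does not flag it.
    print(assess(LOG_LINE, WG_VLAN3, INTERFACES)["verdict"])
    # Relay traffic entering via a different firewall interface: flagged.
    print(assess(LOG_LINE, TRUSTED_ETH2, INTERFACES)["verdict"])
```

Running the script prints an "ok" verdict for the relay packet entering on VLAN 3 and a "spoof" verdict when the same packet enters on eth2, which is exactly the distinction behind Bruce's two questions.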
