How to forward a DHCP request

  • How to forward a DHCP request

    Hello,

    I have this lab:

    DHCP SERVER <--ISA2-->DMZ<--ISA1--->CLIENT WIN 7

    The client asks for an ip and I have set up dhcp relay in ISA1, but it is unable to get that ip.

    How could ISA1 pass the traffic through ISA2 so that it reaches the DHCP Server?

    From what I am reading, the traffic is to 255.255.255.255, so it is broadcast and I really do not know how to forward that.

    The ports are UDP 68 and 67 (DHCP request and reply).

    Thanks in advance!
    -
    Madrid (Spain).

  • #2
    Re: How to forward a DHCP request

    You may need a DHCP relay on both ISAs (I'm guessing here, but it's worth a try)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: How to forward a DHCP request

      On ISA1, you've set up the relay so that it forwards the traffic to the DHCP server behind ISA2, correct?

      Once the DHCP request is picked up by the relay, it sends it unicast to the DHCP server, so ISA1 needs to be able to send traffic to the DHCP server.

      Broadcast (i.e. 255.255.255.255) is only on the local subnet for the client that doesn't have an IP address when it's doing the initial discovery.

      Can you show your relay configuration on ISA1?
      Also, does the DHCP server have a scope set up for the subnet the client is on?

      e.g.
      site 2 10.0.0.0/24 <-ISA2-> DMZ <-ISA1-> site 1 10.0.0.1/24

      DHCP server in site 2 needs a scope set up for 10.0.0.1/24.
      The subnet information gets added to the request by the relay agent so the DHCP server knows what IP address to hand out from the configured scopes. If there's no scope set up for the local subnet the relay agent specifies, no IP address will be leased.
      Last edited by JeremyW; 11th November 2014, 18:58.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com
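
The relay behaviour described in post #3, as an added example that is not part of the thread: the relay stamps its client-facing address into the `giaddr` field, forwards the request unicast to UDP 67, and the server picks a scope from `giaddr`. Addresses follow the network map given later in the thread; the DHCP server address 192.168.2.10, the client MAC and all function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie
HOPS, GIADDR = 3, 24               # byte offsets inside the header

def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr is still 0.0.0.0."""
    z = bytes(4)
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, z, z, z, z,
                     mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, then END

def relay(packet: bytes, relay_ip: str, server_ip: str):
    """Relay agent: stamp giaddr, bump hops, forward unicast to server UDP/67."""
    pkt = bytearray(packet)
    if bytes(pkt[GIADDR:GIADDR + 4]) == bytes(4):  # only the first relay sets it
        pkt[GIADDR:GIADDR + 4] = socket.inet_aton(relay_ip)
    pkt[HOPS] += 1
    return bytes(pkt), (server_ip, 67)

def select_scope(packet: bytes, scopes):
    """Server side: choose the scope containing giaddr; None means no lease."""
    giaddr = ipaddress.ip_address(packet[GIADDR:GIADDR + 4])
    for scope in scopes:
        if giaddr in ipaddress.ip_network(scope):
            return scope
    return None

def reply_destination(packet: bytes):
    """The server answers a relayed request unicast to giaddr on UDP/67."""
    return socket.inet_ntoa(packet[GIADDR:GIADDR + 4]), 67

if __name__ == "__main__":
    # Constructed client MAC and transaction id
    discover = build_discover(bytes.fromhex("020000000001"), xid=0x1234ABCD)
    relayed, dest = relay(discover, "192.168.1.2", "192.168.2.10")
    print("relay forwards to", dest, "reply goes to", reply_destination(relayed))
    print("LAN scope only:", select_scope(relayed, ["192.168.2.0/24"]))
    print("with client scope:",
          select_scope(relayed, ["192.168.2.0/24", "192.168.1.0/24"]))
```

The reply is addressed to `giaddr`, so the firewall in between has to pass UDP 67 in both directions and the server side needs a route back to the client subnet.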

      • #4
        Re: How to forward a DHCP request

        Is there an option for an IPHELPER address on the ISA server??

        • #5
          Re: How to forward a DHCP request

          Thanks all!

          1-Ossian, from Jeremy's reply I would say it is not necessary to set up another dhcp relay on isa2.

          2-Jeremy, the DHCP relay configuration in ISA1 is quite straightforward, just in Routing and remote access, there is an option, and you populate a blank space with the IP of the intended DHCP Server.

          If the traffic from ISA1 is unicast, that is really good news because then I only need to indicate in ISA2 to allow the traffic from ISA1 to DHCP-Server, if I got it right. But that is how things are now, so there must be something wrong in my configuration, but it is so simple if you say it is unicast...

          3-wullieb1, I am not really sure about what you say, I am not an expert on ISA Server, but I will look for it, although I do not know what an iphelper is.

          Thanks all !
          -
          Madrid (Spain).

          • #6
            Re: How to forward a DHCP request

            IPHELPER is another term for DHCP relay.

            Do you have the proper scopes set up on the DHCP server?
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            • #7
              Re: How to forward a DHCP request

              Is there a route from ISA2's subnet to ISA1? If there isn't, the request will get to the DHCP server, then will get lost at ISA2 as it doesn't know where to send it. This of course assumes they aren't on the same subnet, but getting 2 ISA Servers to work on the same subnet is a headache I don't wish to contemplate.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog

              • #8
                Re: How to forward a DHCP request

                Thanks a lot.

                1-Jeremy, I have set up a proper scope, thanks for the suggestion, and thanks for "iphelper".

                2-Cruachan, yes, there is a route, they are in the same subnet:

                Dhcp-Server (LAN) <--- ISA2---> Perimeter <-----ISA1------> internet

                In ISA2, there is a rule allowing all the traffic (back and forth) between dhcp-server and isa1.

                I am reading that if the relationship between the lan and the perimeter network in ISA2 is NAT, then the traffic from ISA1 to 255.255.255.255 requesting a dhcp discovery won't get through ISA2, and therefore, it won't reach dhcp-server host.
                EDIT: I HAVE JUST READ AGAIN JEREMY'S IDEA that the DHCP relay (ISA1) does not forward traffic to 255.255.255.255. Sorry!

                Thanks once more.
                Last edited by loureed4; 13th November 2014, 09:59.
                -
                Madrid (Spain).

                • #9
                  Re: How to forward a DHCP request

                  OK, I'm thoroughly confused here. It appears from the diagram you just posted that the ISA servers are in front/back configuration, but from the first diagram you posted it appears that you are trying to forward a DHCP request to a client on ISA1's external interface, i.e. the internet.

                  Can you give us a better idea of the network layout with the subnets involved? I'm pretty sure DHCP relay across NAT is a big no-no, anytime I've used DHCP relay through ISA Server it's been to a perimeter network which is a routed rather than NATed relationship.
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  Cruachan's Blog

                  • #10
                    Re: How to forward a DHCP request

                    Thanks Cruachan.

                    A network map:

                    dhcp-server (lan) 192.168.2.0/24<----192.168.2.1 (ISA2) 192.168.3.254 ----> perimeter 192.168.3.0/24 <---------192.168.3.1 (ISA1) 192.168.1.2-------> <---- dhcp client

                    I am reading that too, that the relationship between perimeter and isa2 must or should be route and not nat, because of the broadcast 255.255.255.255 traffic. The relation between perimeter and isa1 is already route.
                    But on the other hand, it is said too that the dhcp relay in ISA1 would not send broadcast traffic to discover the dhcp server, but unicast traffic, therefore there would not be apparently any problem to pass the traffic through ISA2.




                    -
                    Madrid (Spain).

                    • #11
                      Re: How to forward a DHCP request

                      I came across this article :

                      http://technet.microsoft.com/en-us/l.../cc302680.aspx

                      Where I read:

                      "... The destination of DHCP requests is a broadcast address. ISA Server does not perform name resolution for broadcast traffic, but rather denies it ..."

                      So, it seems to me there must be a route relationship and not nat between the perimeter and the lan in ISA2.
                      -
                      Madrid (Spain).

                      • #12
                        Re: How to forward a DHCP request

                        As far as I am aware, although you can choose whether it is NAT or Route, Route is better practice. The only relationship that HAS to be NAT is the one between External and all other networks.

                        Assuming that the relationships are all route, or changed to route, and you can ping the 192.168.1.0 subnet from the 192.168.2.0 subnet and vice versa it should work. How are your routes configured? Did you add static routes from the command line on the ISA Server, or associate the subnets within the ISA Server console?
                        Last edited by cruachan; 14th November 2014, 13:58.
                        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                        Cruachan's Blog

                        • #13
                          Re: How to forward a DHCP request

                          Thanks once more.

                          I double-checked it and the relation between lan and perimeter in ISA2 is route. Thanks a lot for the tip that the only NAT must be between the External and the others! I was not sure of that.

                          DHCP server can ping up to the 192.168.1.0/24, but the dhcp client takes an APIPA 169.... ip, so I am not sure if it can reach the dhcp server machine. I will not have access to the machines for some hours.

                          I added (not now, but since the beginning) a persistent static route in ISA1 so it reaches the 192.168.2.0/24 network, through the CMD command line: "route add....." command.
                          -
                          Madrid (Spain).

                          • #14
                            Re: How to forward a DHCP request

                            Originally posted by loureed4
                            Where I read:

                            "... The destination of DHCP requests is a broadcast address. ISA Server does not perform name resolution for broadcast traffic, but rather denies it ..."

                            So, it seems to me there must be a route relationship and not nat between the perimeter and the lan in ISA2.
                            The article is talking about the ISA server receiving the DHCP requests from the DHCP clients. Looks like you need to add a rule to allow broadcast traffic from the local subnet on ISA1.

                            Like I said before, the DHCP relay to the DHCP server is unicast, not broadcast.
                            Regards,
                            Jeremy

                            Network Consultant/Engineer
                            Baltimore - Washington area and beyond
                            www.gma-cpa.com

                            • #15
                              Re: How to forward a DHCP request

                              I have the real time monitor turned on in ISA1.

                              The strangest thing happens: I see traffic TCP 67 from ISA1 to DHCP Server, but I am looking into it and dhcp requests and replies occur on UDP protocol.

                              This petition from ISA1 to the DHCP Server occurs every two or three seconds, continuously, and ISA1 regards it as "unknown traffic".

                              JeremyW, when you say: "...Looks like you need to add a rule to allow broadcast traffic from the local subnet on ISA1....", is it too much to ask why I need such a rule? And how can I do that? I mean, what is the source of that rule and the destination?

                              I use ISA Server a lot but never came across such difficulties, I am not an expert.

                              MANY THANKS !!
                              -
                              Madrid (Spain).
