Block DHCP Broadcasts on LAN

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
raiN
Posts: 1
Joined: Thu Mar 26, 2020 7:58 am

Block DHCP Broadcasts on LAN

Post by raiN » Thu Mar 26, 2020 8:11 am

Hello Forum

I have a quick question regarding the Virtual DHCP feature. When enabled, everything works fine from an outside network such as the internet. I have configured 3 static routes to push and they all work correctly. The issue is this Virtual DHCP server is also acting as a DHCP server for the VPN LAN, so users in the office are getting DHCP offers from it. I want to stop this from happening.

Network Information:
Main LAN: 192.168.99.0/24
Server Network: 192.168.88.0/24
Other Network: 192.168.100.0/24
SecureNAT IP: 192.168.30.1/24
DHCP: 192.168.30.10-192.168.30.200/24

I have removed the default gateway and DNS entries as per documentation.

Even with the Virtual DHCP server disable I still see the following in a pcap:

No. Time Source Destination Protocol Length Info
173 3.177499 192.168.30.1 192.168.30.255 ECHO 80 Request
475 8.195240 192.168.30.1 192.168.30.255 ECHO 80 Request
821 13.105168 192.168.30.1 192.168.30.255 ECHO 80 Request
1111 18.230857 192.168.30.1 192.168.30.255 ECHO 80 Request
1373 23.248450 192.168.30.1 192.168.30.255 ECHO 80 Request
1608 28.163552 192.168.30.1 192.168.30.255 ECHO 80 Request
1935 33.283816 192.168.30.1 192.168.30.255 ECHO 80 Request
2211 38.199927 192.168.30.1 192.168.30.255 ECHO 80 Request
2499 43.216402 192.168.30.1 192.168.30.255 ECHO 80 Request
2788 48.234126 192.168.30.1 192.168.30.255 ECHO 80 Request
3088 53.252599 192.168.30.1 192.168.30.255 ECHO 80 Request
3398 58.269467 192.168.30.1 192.168.30.255 ECHO 80 Request
3658 63.184695 192.168.30.1 192.168.30.255 ECHO 80 Request
3925 68.203197 192.168.30.1 192.168.30.255 ECHO 80 Request
4219 73.220298 192.168.30.1 192.168.30.255 ECHO 80 Request
4505 78.237926 192.168.30.1 192.168.30.255 ECHO 80 Request
4777 83.255632 192.168.30.1 192.168.30.255 ECHO 80 Request
5028 88.273335 192.168.30.1 192.168.30.255 ECHO 80 Request
5320 93.291139 192.168.30.1 192.168.30.255 ECHO 80 Request
5457 95.235990 192.168.30.1 192.168.99.60 SSDP 579 HTTP/1.1 200 OK
5461 95.287712 192.168.30.1 192.168.99.60 SSDP 557 HTTP/1.1 200 OK
5502 96.010602 192.168.30.1 192.168.99.60 NBNS 271 Name query response NBSTAT
5503 96.010603 192.168.30.1 192.168.99.60 NBNS 235 Name query response NBSTAT
5504 96.010603 192.168.30.1 192.168.99.60 NBNS 195 Name query response NBSTAT
5519 96.234044 192.168.30.1 192.168.99.60 SSDP 579 HTTP/1.1 200 OK
5525 96.313964 192.168.30.1 192.168.99.60 SSDP 557 HTTP/1.1 200 OK
5592 97.234249 192.168.30.1 192.168.99.60 SSDP 579 HTTP/1.1 200 OK
5604 97.333417 192.168.30.1 192.168.99.60 SSDP 557 HTTP/1.1 200 OK
5613 97.510049 192.168.30.1 192.168.99.60 NBNS 271 Name query response NBSTAT
5614 97.510049 192.168.30.1 192.168.99.60 NBNS 235 Name query response NBSTAT
5615 97.510049 192.168.30.1 192.168.99.60 NBNS 195 Name query response NBSTAT
5666 98.238554 192.168.30.1 192.168.99.60 SSDP 579 HTTP/1.1 200 OK
5668 98.240218 192.168.30.1 192.168.99.60 SSDP 557 HTTP/1.1 200 OK
5673 98.311020 192.168.30.1 192.168.30.255 ECHO 80 Request
5724 99.010946 192.168.30.1 192.168.99.60 NBNS 271 Name query response NBSTAT
5725 99.010946 192.168.30.1 192.168.99.60 NBNS 235 Name query response NBSTAT
5726 99.010947 192.168.30.1 192.168.99.60 NBNS 195 Name query response NBSTAT
5821 100.515847 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
5822 100.515881 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
5910 102.015729 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
5911 102.015734 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
5983 103.326790 192.168.30.1 192.168.30.255 ECHO 80 Request
6000 103.516105 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
6001 103.516113 192.168.99.60 192.168.30.1 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
6272 108.344738 192.168.30.1 192.168.30.255 ECHO 80 Request
6550 113.362667 192.168.30.1 192.168.30.255 ECHO 80 Request

My local computer IP is 192.168.99.60.

The Cluster Configuration is set to Standalone Server.

Apologies if this is still not enough info, I appreciate the assistance!!

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Block DHCP Broadcasts on LAN

Post by centeredki69 » Mon Apr 06, 2020 11:02 pm

Do you also have "local Bridge" running on the same "virtual HUB" as " SecureNAT" ?

OliverTejada
Posts: 46
Joined: Mon Apr 13, 2020 8:08 pm

Re: Block DHCP Broadcasts on LAN

Post by OliverTejada » Mon Apr 13, 2020 8:46 pm

If your VirtualHub has a localbridge to your physical interface, this is supposed to happen. SoftEther even warns you about this when turning on SecureNAT... Remember, the virtualhub itself is literally a switch, and if you bind it to your physical network interface, it will be like connecting two switches together, making it one broadcast domain...

Broadcasts coming from your VirtualHub can not be blocked from passing on to your LAN, unless YOUR VPN server host is connected to Managed physical switch that you can configure to deny DHCP broadcasts coming from the port it is connected to, OR by creating a VLAN to isolate the broadcasts from the rest of the ports.

If THAT is not your case, you will need to either unbind your virtual Hub from your physical interface, OR, turn off SecureNAT's DHCP server function ONLY and allow remote clients to be assigned an IP address by whatever DHCP server is run

Post Reply