
Bridged Layer 2 VPN and DHCP Servers

Speedbird
Solved by Wombo

Hello.

I'm building a site-to-site VPN between 2 LANs, and I have a question about how DHCP would work on such a network. I will have 2 DHCP servers on the VPN and I want devices on one network to get an IP address from a DHCP server on the same physical LAN and use the router on the same LAN to connect to the Internet, and not the one on the other LAN. How would this work? Would a newly connected device get an IP from a local DHCP server? Would it even be able to contact a DHCP server on the other site?

This is the main reason why I'm skeptical about layer 2 bridging. I need devices to use the local router to connect to the internet, not the one on the other site. I know I wouldn't have such problems with layer 3 routing, but that seems more difficult to set up with the VPN software I'm using.


With everything in the same broadcast domain, there is no "pure" networking way to prevent a device at site A from getting an address from the server at site B - that's the point of a single broadcast domain. If a device is configured to accept the first address offered, then they should normally get addresses from their local server - but there won't be any guarantees of that, and it would be a troubleshooting nightmare. The only solution, if you had to keep everything in the same layer 2 broadcast domain, would be to specifically filter out DHCP traffic at both ends of the VPN - either in the VPN device itself, or possibly on the port the VPN device connects to (if the VPN device isn't also your main gateway router at each site). This wouldn't be "pure" networking, but it would work.


You would have to set up ACLs and block DHCP packets crossing the VPN; there are other things you should do also, so look up some best practices on stretching VLANs and Layer 2 VPNs.
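The two replies above both come down to the same control: DHCP (UDP 67/68) must not cross the tunnel, and you want to notice if it does. The following is an added example, not code from the thread or from SoftEther: a small Python DHCP parser that models the tunnel-edge drop decision and, as a detection check, flags any OFFER/ACK/NAK whose server identifier (option 54) is not one of the local site's DHCP servers. All addresses, MACs and packets are constructed; the real filter belongs in the VPN device or the switch-port ACL, this only shows the decision logic you would apply to captured traffic.

```python
"""
Added example (not from the forum thread): classify raw BOOTP/DHCP payloads
seen at the edge of a Layer 2 site-to-site VPN and flag replies that came
from a DHCP server on the other site. Sample data below is constructed.
"""
import socket
import struct
from typing import Optional

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options

# Option 53 (DHCP Message Type) values from RFC 2132
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus the TLV options after the magic cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = socket.inet_ntoa(payload[16:20])          # address being handed out
    chaddr = payload[28:28 + hlen].hex(":")             # client MAC
    result = {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
              "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            result["msg_type"] = MSG_TYPES.get(value[0], f"type{value[0]}")
        elif code == 54 and length == 4:
            result["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return result


def should_drop_at_tunnel(src_port: int, dst_port: int) -> bool:
    """Tunnel-edge policy: any DHCP traffic (UDP 67/68) stays on its own site."""
    return bool({src_port, dst_port} & {DHCP_SERVER_PORT, DHCP_CLIENT_PORT})


def check_offer(payload: bytes, local_servers: set) -> Optional[str]:
    """Detection: alert when a server reply comes from a server not on this site."""
    msg = parse_dhcp(payload)
    if msg["msg_type"] in ("OFFER", "ACK", "NAK") and msg["server_id"] not in local_servers:
        return (f"DHCP {msg['msg_type']} for {msg['chaddr']} from non-local server "
                f"{msg['server_id']} (lease {msg['yiaddr']})")
    return None


def build_dhcp(op: int, msg_type: int, xid: int, yiaddr: str,
               chaddr: str, server_id: Optional[str]) -> bytes:
    """Construct a minimal DHCP message for the examples below (test data only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)       # op,htype,hlen,hops,xid,secs,flags
    hdr += socket.inet_aton("0.0.0.0")                          # ciaddr
    hdr += socket.inet_aton(yiaddr)                             # yiaddr
    hdr += socket.inet_aton("0.0.0.0") * 2                      # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")  # chaddr (16 bytes)
    hdr += b"\x00" * 192                                        # sname + file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    return hdr + opts + b"\xff"


# Constructed sample data: site A's server is 192.168.1.1, site B's is 192.168.1.254
LOCAL_DHCP_SERVERS = {"192.168.1.1"}
CLIENT_MAC = "aa:bb:cc:dd:ee:01"
DISCOVER = build_dhcp(1, 1, 0x1234, "0.0.0.0", CLIENT_MAC, None)
OFFER_LOCAL = build_dhcp(2, 2, 0x1234, "192.168.1.50", CLIENT_MAC, "192.168.1.1")
OFFER_REMOTE = build_dhcp(2, 2, 0x1234, "192.168.1.200", CLIENT_MAC, "192.168.1.254")

if __name__ == "__main__":
    print("drop DISCOVER at tunnel:", should_drop_at_tunnel(DHCP_CLIENT_PORT, DHCP_SERVER_PORT))
    print("local offer:", check_offer(OFFER_LOCAL, LOCAL_DHCP_SERVERS))
    print("remote offer:", check_offer(OFFER_REMOTE, LOCAL_DHCP_SERVERS))
```

Feeding packets captured on the bridge interface into `check_offer` after the filter is in place is a cheap way to confirm the ACL actually works: once no OFFER from the other site's server identifier shows up, clients can only be served locally and will use the local gateway.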


7 hours ago, Speedbird said:

Hello.

I'm building a site-to-site VPN between 2 LANs, and I have a question about how DHCP would work on such a network. I will have 2 DHCP servers on the VPN and I want devices on one network to get an IP address from a DHCP server on the same physical LAN and use the router on the same LAN to connect to the Internet, and not the one on the other LAN. How would this work? Would a newly connected device get an IP from a local DHCP server? Would it even be able to contact a DHCP server on the other site?

This is the main reason why I'm skeptical about layer 2 bridging. I need devices to use the local router to connect to the internet, not the one on the other site. I know I wouldn't have such problems with layer 3 routing, but that seems more difficult to set up with the VPN software I'm using.

I would just create a layer 3 VPN; it will be the easiest and most flexible. If you want a security layer for the VPN, just use regular IPsec; by default it doesn't allow multicast/broadcast traffic to pass through. If you want to allow some multicast/broadcast traffic but not others, I'd use GRE, and IPsec if you want the security layer.


9 hours ago, Wombo said:

I would just create a layer 3 VPN; it will be the easiest and most flexible. If you want a security layer for the VPN, just use regular IPsec; by default it doesn't allow multicast/broadcast traffic to pass through. If you want to allow some multicast/broadcast traffic but not others, I'd use GRE, and IPsec if you want the security layer.

I'll just do layer 3 then, thanks. The VPN software I use (SoftEther) has capabilities for both types of VPNs, but their tutorial made layer 3 routing sound more difficult.

