Fariborz,

It's a tricky problem you have. You could reverse the problem by creating a 
VM yourself on that network and seeing what the IP/MAC address of the DHCP 
server that gives it an address is (via the console proxy), then use that to 
trace the DHCP VM and owner. Then ask them to 'stop it (or else)'....

Kind regards

Paul


paul.an...@shapeblue.com 
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DP UK
@shapeblue
  
 


-----Original Message-----
From: Ivan Kudryavtsev <kudryavtsev...@bw-sw.com> 
Sent: 09 August 2019 03:29
To: users <users@cloudstack.apache.org>
Subject: Re: Filtering DHCP traffic

Even when no SGs are used, the agent still creates iptables/ebtables rules and 
should block MAC/IP spoofing and wrong DHCP announces. I'm not sure how it works in 
the current CS version, but I believe it's:

- either a local bug which must be investigated through agent logs and 
iptables/ebtables dumps

- or a CS bug which was introduced recently.

We have an ancient ACS 4.3 with a basic zone without SGs, and no DHCP faking works 
there. Unfortunately, all my zones are now with SGs, so I cannot check...

Fri, 9 Aug 2019, 4:17 Andrija Panic <andrija.pa...@gmail.com>:

> Nope, that is the reason security groups should be used in 
> multi-tenant shared network... At least I'm not aware that is possible.
> Not sure if hacking the DB is possible though...
>
> On Thu, 8 Aug 2019, 20:58 Fariborz Navidan, <mdvlinqu...@gmail.com> wrote:
>
> > Hello,
> > I have found a user VM who is running a sort of DHCP server i.e. a 
> > VPN server, etc. User VM is on default shared network without 
> > security groups enabled in a Basic zone which does not support
> > multiple networks. Is there any way to either enable security groups
> > on existing network and add rule to stop VMs offering DHCP and prevent
> > conflicting with VR's DHCP or manually add a firewall rule on VR to filter
> > DHCP traffic from user VMs?
> >
> > TIA
> >
>
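
The tracing step suggested in this thread, as an added example (not code from any of the posters or from CloudStack): given DHCP replies captured on a test VM, it parses each BOOTP reply and lists those whose server identifier (option 54) is not the virtual router's, together with the sending MAC. The addresses, MACs and function names are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5             # option 53 values that only a server sends

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload; return None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload):          # stops cleanly on truncated options
        code = payload[i]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts[53][0] if len(opts.get(53, b"")) == 1 else None
    server = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {"op": payload[0], "type": mtype, "server_id": server,
            "yiaddr": socket.inet_ntoa(payload[16:20])}

def rogue_replies(frames, trusted_servers):
    """frames: (source MAC, UDP payload) pairs. Return replies from unknown servers."""
    hits = []
    for src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if (msg and msg["op"] == 2 and msg["type"] in (OFFER, ACK)
                and msg["server_id"] not in trusted_servers):
            hits.append((src_mac, msg["server_id"], msg["yiaddr"]))
    return hits

def build_reply(mtype, yiaddr, server_id):
    """Constructed test input: minimal BOOTREPLY carrying options 53 and 54."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        b"\x02\x00\x00\x00\x00\x01", b"")
    return fixed + MAGIC + bytes([53, 1, mtype, 54, 4]) + socket.inet_aton(server_id) + b"\xff"

# Constructed sample: the VR at 10.1.1.1 and an unexpected server at 10.1.1.77.
SAMPLE = [("06:aa:bb:00:00:01", build_reply(OFFER, "10.1.1.50", "10.1.1.1")),
          ("06:aa:bb:00:00:4d", build_reply(OFFER, "192.168.88.10", "10.1.1.77"))]

if __name__ == "__main__":
    for mac, server, offered in rogue_replies(SAMPLE, {"10.1.1.1"}):
        print(f"unexpected DHCP server {server} (MAC {mac}) offered {offered}")
```

The reported MAC is what you would then match against the hypervisor's VM NIC records to find the owning instance.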
