Joined: 07 Jun 2006 Posts: 1488 Location: the Netherlands
Posted: Mon Mar 12, 2007 11:53 Post subject: Stop DHCP through VPN
Hi,
A friend of mine and I have set up an OpenVPN connection between our routers, his 192.168.1.0 and mine 192.168.0.0. We bridged them and added routes so we could reach each other's network.
This all works just fine.
But now, if I hook up a device on my side of the network (192.168.0.0) I get a DHCP lease from my friend's router.
After some searching on this forum I found the following iptables rule (added that to both routers):
Code:
iptables -I INPUT -i tap0 -p udp --dport bootps -j DROP
But unfortunately this doesn't work.
Does anybody have an idea about blocking DHCP requests through tap0?
[edit]
I think the reason is that interface=br0 in the dnsmasq config file and tap0 is bridged to br0.
Would including except-interface=tap0 work?
_________________
Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N
WOW! Thanks for this info! Now my bridge is running great(v23SP2). Easy to see how to use this for blocking any other unwanted broadcast traffic. What a great fix! Thanks!
- Joe
Last edited by jsauve on Mon Apr 14, 2008 1:28; edited 1 time in total
Okay, so I noticed that when all three modules (ebtables, ebtable_filter, and ebt_ip) are loaded, the column labeled "Used by" says "[ebtable_filter ebt_ip]" for ebtables. Looks like I was loading the modules in the wrong order. I WAS loading ebt_ip, then ebtables, then ebtable_filter. NOW, I'm loading ebtables, then ebtable_filter, then ebt_ip. Now it seems to work! lsmod shows all three modules loaded from the startup script, and "ebtables -L" reveals that the rule loaded successfully too! w00t!!! The other thing I should mention is that I took the entire script into a good text editor (EditPad Pro) to make sure the text was formatted correctly. The input text area in DD-WRT can be difficult to use.
hw: WRT54GLv1.1
fw: v22SP3vpn
The ebtables portion of my startup script:
-----------------------------------------
The "sleep" commands are important!!! Couldn't get it working without these.
I also tried the same script in v24RC6.2, but no luck. It's weird: I can get the modules to load if I load them manually via the shell, but they don't work if they're in the startup script. I don't get it. :roll:
But HEY!: v23SP3 can handle multiple clients AND now I have a way to keep the sites from getting DHCP traffic from other sites. w00t!!!
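As an added example that is not part of any post in this thread: a DD-WRT startup-script fragment that does what the ebtables approach above describes, written by the editor. It assumes the tunnel interface is tap0, bridged into br0, that the ebtables binary and the ebtables, ebtable_filter and ebt_ip modules exist in the firmware, and the 2-second pause between module loads is a guess. The rules sit at the bridge layer because a frame that enters through the tap0 bridge port is handed to the IP stack on br0, so an iptables match on `-i tap0` never sees it (the same reason a dnsmasq interface setting for tap0 has nothing to match on); ebtables matches on the bridge port itself.

```shell
#!/bin/sh
# Added example, not from the original thread: keep DHCP off the OpenVPN
# tap bridge on a DD-WRT router.  Assumptions (not from the page): the
# tunnel is tap0 bridged into br0, ebtables and its three modules ship
# with the firmware, and a 2 s pause between insmod calls is enough.

TAP_IF="${TAP_IF:-tap0}"
EBTABLES="${EBTABLES:-ebtables}"

# Load the bridge-filtering modules in dependency order: table core first,
# then the filter table, then the IP match.  Modules already resident are
# skipped so the script can be re-run safely.
load_ebtables_modules() {
    for m in ebtables ebtable_filter ebt_ip; do
        if ! grep -q "^$m " /proc/modules 2>/dev/null; then
            insmod "$m"
            sleep 2
        fi
    done
}

# Install one DROP rule per chain for UDP 67 (server) and 68 (client),
# always through $EBTABLES so the rule set can be reviewed with
# EBTABLES=echo before it touches the kernel.
#   FORWARD -i : requests/replies arriving from the tunnel and switched to LAN ports
#   FORWARD -o : requests/replies from the LAN switched out through the tunnel
#   INPUT   -i : frames from the tunnel that the local dnsmasq on br0 would see
#   OUTPUT  -o : replies generated by the local dnsmasq headed for the tunnel
apply_dhcp_block() {
    "$EBTABLES" -A FORWARD -i "$TAP_IF" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
    "$EBTABLES" -A FORWARD -o "$TAP_IF" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
    "$EBTABLES" -A INPUT -i "$TAP_IF" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
    "$EBTABLES" -A OUTPUT -o "$TAP_IF" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
}

# List the active bridge filter rules so the result can be checked after boot.
show_dhcp_block() {
    "$EBTABLES" -L
}

# "apply" is what the startup script should call; with no argument the file
# only defines the functions, so it can be sourced for a dry run.
case "${1:-}" in
    apply) load_ebtables_modules; apply_dhcp_block ;;
    show)  show_dhcp_block ;;
esac
```

Put the whole file in the startup script (or save it to jffs and call it with `apply`) on each router that runs a DHCP server; a single end is enough to stop leases crossing the tunnel in both directions, but installing it on both is the safer default. To review the rules without root, source the file and run `EBTABLES=echo apply_dhcp_block`; after boot, `ebtables -L` should list the four DROP rules.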
I take it back. I spoke too soon. Even though I got the 3 ebtables-related modules running automatically, and the DHCP rule is properly set, I cannot ping hosts on either end of the tunnel. In fact, I can't even get the tunnel interfaces to ping each other.
So, i just went back to v23SP2. I'm bummed because this means I can only have one client attached. Oh well. I've spent too much time on this for one weekend. I'll try again some other day after the frustration wears off.
Got it. Good to know. I didn't know a thing about DD-WRT before this weekend, and I really appreciate all the great info on this board.
Now that I know, I'll do some v24 testing. I had no luck with getting ebtables to load automatically on RC6.2, plus I couldn't get the VPN up. But, I'll try again. I'm stoked about v24 going stable whenever that's going to happen! :D
Don't ask why, but the developers put the newest versions into the others/eko folder, and they are neither RC nor beta, just snapshots... Nevertheless, the latest versions seem to be polished pretty well, although surely not finished products...