Stop DHCP through VPN

cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Mon Mar 12, 2007 11:53    Post subject: Stop DHCP through VPN
Hi,

A friend of mine and I have set up an OpenVPN connection between our routers, his 192.168.1.0 and mine 192.168.0.0. We bridged them and added routes so we could reach each other's network.
This all works just fine.

But now, if I hook up a device on my side of the network (192.168.0.0), I get a DHCP lease from my friend's router.
After some searching on this forum I found the following iptables rule (added that to both routers):
Code:
iptables -I INPUT -i tap0 --dport bootps -j DROP
But unfortunately this doesn't work.

Does anybody have an idea about blocking DHCP requests through tap0?

[edit]
I think the reason is that interface=br0 is in the dnsmasq config file and tap0 is bridged to br0.
Would including except-interface=tap0 work?

_________________
Firmware: DD-WRT v24-sp2 (latest available) mega
WRT320N

cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Tue Mar 13, 2007 15:52
Little bump
wcarlson40
DD-WRT Novice


Joined: 09 Jun 2006
Posts: 39

Posted: Wed Mar 14, 2007 4:18
I've been following, seems I have the same problem (see my last post in this thread http://www.dd-wrt.com/phpBB2/viewtopic.php?t=9358&highlight= ). My temporary solution was to switch back to Routed mode (rather than bridging).
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Wed Mar 14, 2007 9:09
I'm currently discussing a solution in http://www.dd-wrt.com/phpBB2/viewtopic.php?p=68459#68459 using ebtables...
cyberde
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1488
Location: the Netherlands

Posted: Thu Mar 15, 2007 17:46
Solved! :)

I've followed everything in the thread I linked in the post above. I have gotten ebt_ip.o from thenextdon13 (thanks!) so that could be insmodded too.

After that I just had to run the following command:
Code:
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
and no more DHCP requests are routed over the VPN.


Attachment: ebt_ip.o.txt (2.25 KB, downloaded 1372 times). Description: remove .txt from the file's extension.


tkbletsc
DD-WRT Novice


Joined: 12 Apr 2008
Posts: 3

Posted: Sat Apr 12, 2008 4:14
Thanks for the info, folks.

I found a way to cram ebt_ip.o into the NVRAM, so the router can load the module after a reboot.

Full write-up here:
http://dsss.be/w/make_a_dd-wrt_bridge_silently_eat_dhcp_traffic
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Sun Apr 13, 2008 18:22
WOW! Thanks for this info! Now my bridge is running great (v23SP2). Easy to see how to use this for blocking any other unwanted broadcast traffic. What a great fix! Thanks!

- Joe


olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Sun Apr 13, 2008 20:01
Now I'd like to get a working ebt_ip.o for the x86 version; have looked and looked, no go...
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Mon Apr 14, 2008 0:15
Word of caution: ebtables doesn't seem to work in v23 SP3:

Code:
~ # ebtables -L
The kernel doesn't support the ebtables 'filter' table.


Gonna try a v24 RC next.

- Joe
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Mon Apr 14, 2008 1:27
OK, so it's not that ebtables isn't available, it's that my script won't load it! I have to load it manually.

The portion of my startup script that's SUPPOSED to load ebtables:

Code:
# BEGIN insmod ebtables and block DHCP traffic thru tunnel
echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
echo "H4sIADwAAAACA5VWz28bVRD+dteON20KG9eq3BJUB21UVy1m2+RQRCO5cX5w" >> /tmp/ebt_ip.o.gz.u64
echo "yMGHHpAQcr32Eq9wHMveIFAPNSkHDq7wIb1H5R+p0gpx7J8QtaH8EBfuSGbm" >> /tmp/ebt_ip.o.gz.u64
echo "vbdh8whEHelp9ps3883Mm/ecPFhZXzUMA7EYsPEPAv5Ikc1BdUGgIt7CWSQl" >> /tmp/ebt_ip.o.gz.u64
echo "i5ejFJY8B2VntjrAecIFPByyLUM2B4cjA43RGDveN6g4HJMD7CxeH9nvo5KT" >> /tmp/ebt_ip.o.gz.u64
echo "XK9HNva9KsUxPo/fiKvyyMZ7N5hrmrgmVUxHcV0hrmm8OrK3FBfbJmC6FnyK" >> /tmp/ebt_ip.o.gz.u64
echo "M92P4At7AUuPBsRZwHMPWBq+TXUOHBN5DJzZsg8T5uM8DnfHqHi4ZMHMmpjL" >> /tmp/ebt_ip.o.gz.u64
echo "+7hWaCKNQW62CFzCy91rTgUW1VSg2gykXdZpwgae3FpDWeRap9oc6qeCPYH5" >> /tmp/ebt_ip.o.gz.u64
echo "+6LqDZQnd0qeCyqPqWI4D5+vQzXHua6rXBvqTIsqlzzffS9LfiZpORc+y8Oh" >> /tmp/ebt_ip.o.gz.u64
echo "oWYD/Dycgj90nWXqaUXkuE887B/bc1gRfGzL8YwdiBmniIf5TMU1hV+GjohZ" >> /tmp/ebt_ip.o.gz.u64
echo "QwbLgsvGgcX+sd1K2A2aCe/xtzybH76fIdsNmtPv47Rr49muTfh9NbcU9kXd" >> /tmp/ebt_ip.o.gz.u64
echo "V1W/WboLT8lvjIee6wR0ZtLOtbnOipgN4x8pBfN58L0zYl47Xh73HLbpdyR7" >> /tmp/ebt_ip.o.gz.u64
echo "dEd21N1l31e78bwpXtTmqP14RjnyUXMS+2yXve9x5beBi7Q+vGKjQL1+655s" >> /tmp/ebt_ip.o.gz.u64
echo "Oy5hF6fKx+a/bX9l8ARvIO/SuvwfXMn9gvX/+wun7LfDRtDpB4tr1XV8EfQ6" >> /tmp/ebt_ip.o.gz.u64
echo "Qbv2ZdDrh1udxZulhdK8x86l/tebUd0nHfWkbsVfvaBdioKvIvnVrEd1lPx+" >> /tmp/ebt_ip.o.gz.u64
echo "n+FG2Pl8S9q7zR5Km83A394o1f1w/iahrabYfwO5LN4aMKFwmVY10Z96wHiH" >> /tmp/ebt_ip.o.gz.u64
echo "1mQi7hMb4LFNqfiUuOvAVYVjipElOXW+OY3vJwrOKz4rwfeB0jHfC+3sY74F" >> /tmp/ebt_ip.o.gz.u64
echo "2UPXTPjlE37Mx/iOqi+WX8lvoPmxLGr1Hdj8VmR9mUR9qxpfK3W8vnjvrvo2" >> /tmp/ebt_ip.o.gz.u64
echo "E37uCXmnE72y0B8XfHYCX5KLZYaKOiB9TtWdUmczqfHRm8GnJ/DpYhyr7c9x" >> /tmp/ebt_ip.o.gz.u64
echo "cs/SoixYGk5reFLDZzQ8oeGM8OB3mBO/fwb99sh3F+M57Q7Ma3hVvyOBH9XC" >> /tmp/ebt_ip.o.gz.u64
echo "bqmBsBNGNXop2+0AjXZQ72x3Y1irRa2wHyOO4BfXj4JebbMeNVrCtN3RjOLu" >> /tmp/ebt_ip.o.gz.u64
echo "pUx5j1jPGFJ/p/QLpfdMqelHGGm6SEXSE1OyzzQtjzGtW4xpkLcZn5N98/6y" >> /tmp/ebt_ip.o.gz.u64
echo "2i/y7InnutKc31T/qjAuKF1W+p7SfwMbOFhxAAkAAA==" >> /tmp/ebt_ip.o.gz.u64
echo "====" >> /tmp/ebt_ip.o.gz.u64
uudecode /tmp/ebt_ip.o.gz.u64 | gzip -cd > /tmp/ebt_ip.o
insmod /tmp/ebt_ip.o
insmod ebtables
insmod ebtable_filter
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


The last four lines are the ones that actually load ebtables and add the DHCP rule.

But, when I run lsmod from the shell, neither ebtables nor ebtable_filter is there! What gives? Then I just run the following in the shell:

Code:
insmod ebtables
insmod ebtable_filter


NOW if I run lsmod, the modules show as loaded. I can then add the DHCP ebtable rules just fine.

The script above worked just fine in v23SP2! Why won't it work in anything higher? (I've tried v23SP3 and v24RC6.2) Why do I have to load manually?

What's the deal?!?!?

- Joe
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Mon Apr 14, 2008 3:01
Okay, so I noticed that when all three modules (ebtables, ebtable_filter, and ebt_ip) are loaded, the column labeled "Used by" says "[ebtable_filter ebt_ip]" for ebtables. Looks like I was loading the modules in the wrong order. I WAS loading ebt_ip, then ebtables, then ebtable_filter. NOW, I'm loading ebtables, then ebtable_filter, then ebt_ip. Now it seems to work! lsmod shows all three modules loaded from the startup script, and "ebtables -L" reveals that the rule loaded successfully too! w00t!!! The other thing I should mention is that I took the entire script into a good text editor (EditPad Pro) to make sure the text was formatted correctly. The input text area in DD-WRT can be difficult to use.

hw: WRT54GLv1.1
fw: v22SP3vpn

The ebtables portion of my startup script:
-----------------------------------------
Code:
echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
echo "H4sIADwAAAACA5VWz28bVRD+dteON20KG9eq3BJUB21UVy1m2+RQRCO5cX5w" >> /tmp/ebt_ip.o.gz.u64
echo "yMGHHpAQcr32Eq9wHMveIFAPNSkHDq7wIb1H5R+p0gpx7J8QtaH8EBfuSGbm" >> /tmp/ebt_ip.o.gz.u64
echo "vbdh8whEHelp9ps3883Mm/ecPFhZXzUMA7EYsPEPAv5Ikc1BdUGgIt7CWSQl" >> /tmp/ebt_ip.o.gz.u64
echo "i5ejFJY8B2VntjrAecIFPByyLUM2B4cjA43RGDveN6g4HJMD7CxeH9nvo5KT" >> /tmp/ebt_ip.o.gz.u64
echo "XK9HNva9KsUxPo/fiKvyyMZ7N5hrmrgmVUxHcV0hrmm8OrK3FBfbJmC6FnyK" >> /tmp/ebt_ip.o.gz.u64
echo "M92P4At7AUuPBsRZwHMPWBq+TXUOHBN5DJzZsg8T5uM8DnfHqHi4ZMHMmpjL" >> /tmp/ebt_ip.o.gz.u64
echo "+7hWaCKNQW62CFzCy91rTgUW1VSg2gykXdZpwgae3FpDWeRap9oc6qeCPYH5" >> /tmp/ebt_ip.o.gz.u64
echo "+6LqDZQnd0qeCyqPqWI4D5+vQzXHua6rXBvqTIsqlzzffS9LfiZpORc+y8Oh" >> /tmp/ebt_ip.o.gz.u64
echo "oWYD/Dycgj90nWXqaUXkuE887B/bc1gRfGzL8YwdiBmniIf5TMU1hV+GjohZ" >> /tmp/ebt_ip.o.gz.u64
echo "QwbLgsvGgcX+sd1K2A2aCe/xtzybH76fIdsNmtPv47Rr49muTfh9NbcU9kXd" >> /tmp/ebt_ip.o.gz.u64
echo "V1W/WboLT8lvjIee6wR0ZtLOtbnOipgN4x8pBfN58L0zYl47Xh73HLbpdyR7" >> /tmp/ebt_ip.o.gz.u64
echo "dEd21N1l31e78bwpXtTmqP14RjnyUXMS+2yXve9x5beBi7Q+vGKjQL1+655s" >> /tmp/ebt_ip.o.gz.u64
echo "Oy5hF6fKx+a/bX9l8ARvIO/SuvwfXMn9gvX/+wun7LfDRtDpB4tr1XV8EfQ6" >> /tmp/ebt_ip.o.gz.u64
echo "Qbv2ZdDrh1udxZulhdK8x86l/tebUd0nHfWkbsVfvaBdioKvIvnVrEd1lPx+" >> /tmp/ebt_ip.o.gz.u64
echo "n+FG2Pl8S9q7zR5Km83A394o1f1w/iahrabYfwO5LN4aMKFwmVY10Z96wHiH" >> /tmp/ebt_ip.o.gz.u64
echo "1mQi7hMb4LFNqfiUuOvAVYVjipElOXW+OY3vJwrOKz4rwfeB0jHfC+3sY74F" >> /tmp/ebt_ip.o.gz.u64
echo "2UPXTPjlE37Mx/iOqi+WX8lvoPmxLGr1Hdj8VmR9mUR9qxpfK3W8vnjvrvo2" >> /tmp/ebt_ip.o.gz.u64
echo "E37uCXmnE72y0B8XfHYCX5KLZYaKOiB9TtWdUmczqfHRm8GnJ/DpYhyr7c9x" >> /tmp/ebt_ip.o.gz.u64
echo "cs/SoixYGk5reFLDZzQ8oeGM8OB3mBO/fwb99sh3F+M57Q7Ma3hVvyOBH9XC" >> /tmp/ebt_ip.o.gz.u64
echo "bqmBsBNGNXop2+0AjXZQ72x3Y1irRa2wHyOO4BfXj4JebbMeNVrCtN3RjOLu" >> /tmp/ebt_ip.o.gz.u64
echo "pUx5j1jPGFJ/p/QLpfdMqelHGGm6SEXSE1OyzzQtjzGtW4xpkLcZn5N98/6y" >> /tmp/ebt_ip.o.gz.u64
echo "2i/y7InnutKc31T/qjAuKF1W+p7SfwMbOFhxAAkAAA==" >> /tmp/ebt_ip.o.gz.u64
echo "====" >> /tmp/ebt_ip.o.gz.u64
uudecode /tmp/ebt_ip.o.gz.u64 | gzip -cd > /tmp/ebt_ip.o
sleep 5
insmod ebtables
sleep 5
insmod ebtable_filter
sleep 5
insmod /tmp/ebt_ip.o
sleep 5
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


The "sleep" commands are important!!! Couldn't get it working without these.

I also tried the same script in v24RC6.2, but no luck. It's weird: I can get the modules to load if I load them manually via the shell, but they don't work if they're in the startup script. I don't get it. :roll:

But HEY!: v23SP3 can handle multiple clients AND now I have a way to keep the sites from getting DHCP traffic from other sites. w00t!!!

- Joe
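As an added example (not code from any poster in this thread), a startup fragment for DD-WRT's busybox sh that loads the modules in the order settled on above (ebtables, then ebtable_filter, then ebt_ip), adds the DHCP DROP rule only if it is not already present, and verifies the result from lsmod and ebtables -L output. It assumes ebt_ip.o has already been decoded to /tmp as in the script above and that tap0 is the bridged OpenVPN tap; the sample lsmod and ebtables listings at the bottom are constructed for testing, not captured from a router.

```shell
#!/bin/sh
# Added example: idempotent module load + DHCP block for a bridged tap0.
# Assumes ebt_ip.o was already decoded to /tmp (see the thread's script).
TAP_IF="${TAP_IF:-tap0}"
EBT_IP_MOD="${EBT_IP_MOD:-/tmp/ebt_ip.o}"

# Return 0 when lsmod-style text (first column = module name) lists every
# module named in the remaining arguments. Pure text check, runs offline.
modules_loaded() {
    _lsmod="$1"; shift
    for _m in "$@"; do
        printf '%s\n' "$_lsmod" |
            awk -v m="$_m" '$1 == m { found = 1 } END { exit !found }' || return 1
    done
    return 0
}

# Return 0 when 'ebtables -L INPUT' text already holds a DROP for UDP 67:68
# (bootps/bootpc) arriving on the given interface.
dhcp_rule_present() {
    printf '%s\n' "$1" | awk -v i="$2" \
        'index($0, "-i " i) && /udp/ && /67:68/ && /-j DROP/ { found = 1 }
         END { exit !found }'
}

# Load modules in dependency order (ebtable_filter and ebt_ip need ebtables
# first, which is what the "Used by" column above shows), then add the rule once.
apply_dhcp_block() {
    for _m in ebtables ebtable_filter; do
        modules_loaded "$(lsmod)" "$_m" || insmod "$_m" || return 1
    done
    modules_loaded "$(lsmod)" ebt_ip || insmod "$EBT_IP_MOD" || return 1
    # Keep DHCP frames arriving over the tunnel away from this router's
    # dnsmasq, so hosts at the far site never get a lease from the wrong server.
    dhcp_rule_present "$(ebtables -L INPUT)" "$TAP_IF" ||
        ebtables -I INPUT -i "$TAP_IF" -p IPv4 --ip-protocol udp \
            --ip-destination-port 67:68 -j DROP || return 1
    # Final verification: all three modules present and the rule listed.
    modules_loaded "$(lsmod)" ebtables ebtable_filter ebt_ip &&
        dhcp_rule_present "$(ebtables -L INPUT)" "$TAP_IF"
}

# Constructed sample outputs (not captured from a real router) for testing.
SAMPLE_LSMOD='ebt_ip 1234 1
ebtable_filter 2345 0
ebtables 9876 2 [ebtable_filter ebt_ip]'
SAMPLE_EBT='Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP'
# Only touch the kernel when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then apply_dhcp_block; fi
```

Run it with the `apply` argument from the startup script; without an argument it only defines the functions, so the checks can be exercised on a workstation.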
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Mon Apr 14, 2008 4:33
I take it back. I spoke too soon. Even though I got the 3 ebtables-related modules running automatically, and the DHCP rule is properly set, I cannot ping hosts on either end of the tunnel. In fact, I can't even get the tunnel interfaces to ping each other.

So, I just went back to v23SP2. I'm bummed because this means I can only have one client attached. Oh well. I've spent too much time on this for one weekend. I'll try again some other day after the frustration wears off.

- Joe
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Mon Apr 14, 2008 18:18
Well, v23 SP3 development stopped ages ago, so you could just as well try v24? :) The latest test versions are pretty solid stuff finally ;)
jsauve
DD-WRT Novice


Joined: 11 Apr 2008
Posts: 26

Posted: Mon Apr 14, 2008 19:02
Got it. Good to know. I didn't know a thing about DD-WRT before this weekend, and I really appreciate all the great info on this board.

Now that I know, I'll do some v24 testing. I had no luck with getting ebtables to load automatically on RC6.2, plus I couldn't get the VPN up. But, I'll try again. I'm stoked about v24 going stable whenever that's going to happen! :D

- Joe
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Finland

Posted: Mon Apr 14, 2008 19:05
Actually the newest ones reside here: http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-RC7-9414/

Don't ask why, but the developers put the newest versions into the others/eko folder, and they are neither RC nor beta, just snapshots... Nevertheless, the latest versions seem to be polished pretty well, although surely not finished products...