to create a working VPN bridge between 2 Buffalo routers, which I tested between two different ISPs and find it working. (Of the two client router startup scripts provided, I had to use the first one, not the edit, to get it to work). However, I find that a laptop connecting to the VPN client router by DHCP (Computer D in my drawing) sometimes receives an IP from the DHCP server on the local router, and sometimes from the DHCP on the VPN server router. While accessing my LAN resources on the server side works with either, I find that Internet requests are routed through the VPN tunnel when the DHCP on the VPN server router provides the IP address and not through the tunnel when the DHCP on the client router provides the address.
When I connect a laptop to the client router via DHCP, how can I get it to consistently use the client router's DHCP?
Thanks in advance.
MyOPENVPNSituation.gif
Last edited by JN on Thu Nov 20, 2008 14:53; edited 1 time in total
I would like to add that I tried to do this with iptables four different ways, but could not get any of them to do the trick.
I modified the client and server routers by adding each of the following code snippets to my firewall in turn, each time replacing the code snippet added in the prior trial. The first three continue to show my original glitch (doing nothing visible) and the fourth prevents a computer from connecting to the client router by DHCP altogether.
I think your mistake might be trying to specify a destination for the DHCP discover packet, because this should be a subnet broadcast... i.e., your machine looking for a DHCP server doesn't even know what machine the DHCP server is on.
Try something like this:
iptables -A INPUT -p udp -i tap0 --dport 67 --sport 68 -j DROP
One needs ebtables in order to filter traffic "inside" a bridge device.
ADD: There is a thread about this; use search.
I am seeing a lot of spurious results in the search. Can you please link here to the specific thread you were thinking of? Or more specifically, how might I use ebtables to accomplish my goal here?
When I'm back home I will give you the iptables rules.
But iptables won't work, as in this case the VPN and LAN are on the same bridge, and the bridge device is effectively the only LAN "device" there. iptables can block traffic between "devices"; ebtables can then block/alter traffic specifically inside the bridge device...
Can someone please post the necessary commands to load ebtables, and the ebtables commands to reject DHCP traffic across the OpenVPN bridge?
olmari wrote:
But iptables won't work, as in this case the VPN and LAN are on the same bridge, and the bridge device is effectively the only LAN "device" there. iptables can block traffic between "devices"; ebtables can then block/alter traffic specifically inside the bridge device...
Posted: Sun Nov 30, 2008 4:39 Post subject: Re: ebtables is part of dd-wrt build
slgta wrote:
Can someone please post the necessary commands to load ebtables, and the ebtables commands to reject DHCP traffic across the OpenVPN bridge?
I was going to ask a similar question after that link to an old half solved confusing thread. Hopefully someone will come in and tell us what to do to solve this problem on current v24 releases.
Well, I did link to a thread that has these commands already... And also brainslayer added the correct module into the source, so now it is just as easy as starting to use ebtables: http://svn.dd-wrt.com:8000/dd-wrt/changeset/11026
Are you saying, that with v24, all slgta and I need to do is to add the following code into our firewall script in both the VPN server and VPN client routers, and that there is no longer anything else to do to enable ebtables? (I pulled this code out of the thread linked to here and changed the interface to tap0.)
Basically that should be it... Remember that at the moment I have no way of confirming these ebtables commands are totally correct, but nevertheless now it is only a matter of fine-tuning it.
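The layer-2 DHCP filter this thread is working toward, as an added example; it is not the code from the linked thread or from any poster here. It assumes tap0 is the OpenVPN port on the bridge and that the firmware's ebtables includes the IPv4 match; the function names and the EBT_APPLY variable are hypothetical.

```shell
#!/bin/sh
# Added example: drop DHCP (UDP 67/68) at layer 2 on the OpenVPN tap port of a
# bridge, so clients on each side only see their local DHCP server.
# Assumption: tap0 is the bridged VPN interface, as in the thread.

# Print the ebtables commands for one bridge port; nothing is executed here.
dhcp_bridge_rules() {
    ifc="$1"
    # Accept only a plain interface name, so the generated lines are safe to run.
    case "$ifc" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$ifc'" >&2; return 1 ;;
    esac
    # Every DHCP packet has destination port 67 (to server) or 68 (to client).
    match="-p IPv4 --ip-protocol udp --ip-destination-port 67:68"
    # Frames arriving from the tunnel for this router's own DHCP server.
    echo "ebtables -A INPUT -i $ifc $match -j DROP"
    # Frames bridged between the tunnel and the LAN ports, in either direction.
    echo "ebtables -A FORWARD -i $ifc $match -j DROP"
    echo "ebtables -A FORWARD -o $ifc $match -j DROP"
    # Frames generated by this router (its DHCP replies) leaving via the tunnel.
    echo "ebtables -A OUTPUT -o $ifc $match -j DROP"
}

# Apply the rules only when EBT_APPLY=1 and ebtables exists; otherwise show them.
apply_dhcp_bridge_rules() {
    rules=$(dhcp_bridge_rules "$1") || return 1
    if [ "${EBT_APPLY:-0}" = "1" ] && command -v ebtables >/dev/null 2>&1; then
        echo "$rules" | while read -r cmd; do $cmd || exit 1; done
    else
        echo "$rules"
    fi
}

apply_dhcp_bridge_rules "${1:-tap0}"
```

Run as written, it only prints the four rules; with EBT_APPLY=1 in the firewall script of both routers it installs them. `ebtables -L --Lc` then shows per-rule packet counters, which confirms whether DHCP frames are actually being dropped at the tap port.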