I had the same problem, and this solution seems to work; DHCP traffic IS blocked. But now I get another problem:
As soon as the ebtables module is loaded, all broadcasts have their source IP set to the router's IP. Meaning games no longer work (games now try to connect to the router's IP address).
Is there a solution to this problem?
Probably because you're using an old version? _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
No, I just installed the latest version (dd-wrt.v24-13064_VINT_openvpn.bin) for my router (wrt54g v2.2), because the version I had before (v24-sp1) didn't have ebtables.
So then you really mean all traffic, not broadcasts (a type of frame/packet) specifically.
LAN_NET="`nvram get lan_ipaddr`/`nvram get lan_netmask`"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Thu Jan 21, 2010 0:33 Post subject:
phuzi0n wrote:
So then you really mean all traffic, not broadcasts (a type of frame/packet) specifically.
LAN_NET="`nvram get lan_ipaddr`/`nvram get lan_netmask`"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE
Maximus32 wrote:
You're right, it was not just broadcasts.
I added those two lines and everything seems to work fine now. Thanks a lot.
I added ebtables today myself in order to drop dhcp traffic through OpenVPN.
Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets? _________________ WRT320N
It's really non-broadcasts going through the bridge that become source NAT'd to appear as if they came from the router's LAN IP, i.e. pretty much everything will appear to come from the router's LAN IP. This happens because a hack in ebtables makes it so that iptables sees bridged traffic that it normally wouldn't.
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Sat Jan 23, 2010 0:06 Post subject:
phuzi0n wrote:
ev1te wrote:
I added ebtables today myself in order to drop dhcp traffic through OpenVPN.
Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?
It's really non broadcasts going through the bridge that become source NAT'd to appear that they came from the router's LAN IP. ie. pretty much everything will appear to come from the router's LAN IP. This happens because a hack in ebtables makes it so that iptables sees bridged traffic that it normally wouldn't.
I haven't investigated that much yet since everything works as it should when I use ebtables in my network.
DD-WRT v24-sp2 (01/02/10) big - build 13575M NEWD-2 K2.6 Eko
Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?
Yes, when I try to play Far Cry, the server shows up with the router's IP, so the clients can't connect. This does not only happen with VPN traffic, it also happens with wireless to wired traffic.
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Mon Jan 25, 2010 12:00 Post subject:
Small recap of previous posts (for new users)
So when you have an OpenVPN bridged tunnel, DHCP packets from and to the router are also forwarded through the tunnel. (This makes it possible for clients to receive incorrect IP addresses/gateways etc. if you have DHCP servers on both sides of the tunnel.)
In order to block these you have to do the following:
Quote:
# Create OpenVPN network interface and bridge it to br0 (which is the LAN)
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
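The recap above stops at bridging tap0 into br0; the thread never shows the ebtables rules that actually drop DHCP, and the MASQUERADE deletion appears separately earlier in the thread. The script below is an added example (editor's code, not ev1te's or phuzi0n's, and not part of DD-WRT) that ties the pieces together as one DD-WRT firewall script. Assumptions not on this page: the ebtables rules are my own choice of how to drop DHCP on the TAP device (the thread only says DHCP is blocked, not how); tap0 and br0 are the tunnel and LAN bridge names from the recap; and the script may be run more than once (DD-WRT re-runs the firewall script and re-adds its MASQUERADE rules), so every step is written to be idempotent.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: tap0 = OpenVPN TAP
# device, br0 = LAN bridge (both from the recap above). The ebtables rules are
# assumed; the thread does not show its own.

TAP=tap0
BR=br0

# LAN_NET in the ip/netmask form used by the thread's MASQUERADE rule.
lan_net() {
    echo "$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
}

# iptables -D removes ONE matching rule per call and exits non-zero when no
# match is left. Looping until it fails deletes every copy (the firewall
# rebuild can leave several) and prints how many were removed.
flush_rule() {
    n=0
    while "$@" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Drop DHCP (UDP 67/68) in both directions on the TAP device. Frames the
# router forwards across the bridge traverse FORWARD; broadcast requests that
# arrive over the tunnel are also delivered to the router itself (INPUT), and
# replies from the router's own DHCP server leave through OUTPUT, so all three
# chains are covered. Each rule is deleted before being added so a re-run
# does not stack duplicates.
block_dhcp_on_tap() {
    for chain in FORWARD INPUT; do
        ebtables -D "$chain" -i "$TAP" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP 2>/dev/null
        ebtables -A "$chain" -i "$TAP" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
    done
    for chain in FORWARD OUTPUT; do
        ebtables -D "$chain" -o "$TAP" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP 2>/dev/null
        ebtables -A "$chain" -o "$TAP" -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
    done
}

main() {
    # Bridge the tunnel into the LAN (the recap's three commands); errors on a
    # re-run ("device busy", "already a member") are harmless and ignored.
    openvpn --mktun --dev "$TAP" 2>/dev/null
    brctl addif "$BR" "$TAP" 2>/dev/null
    ifconfig "$TAP" 0.0.0.0 promisc up

    block_dhcp_on_tap

    # With the ebtables module loaded, bridged LAN<->LAN traffic also passes
    # through the nat table, and this loopback rule SNATs it to the router's
    # LAN IP. Removing it fixes that, at the cost of NAT loopback.
    net=$(lan_net)
    removed=$(flush_rule iptables -t nat -D POSTROUTING -o "$BR" -s "$net" -d "$net" -j MASQUERADE)
    echo "removed $removed copies of the LAN->LAN MASQUERADE rule"
}

# Only act when run as "sh script.sh apply"; sourcing the file just defines
# the functions without touching the router.
case "${1:-}" in
    apply) main ;;
esac
```

Two things this does not change: the CPU cost noted later in the thread remains (once ebtables is loaded every bridged frame is inspected by the firewall), and NAT loopback from the LAN to the WAN address stops working once the MASQUERADE rule is gone. Verify the SNAT fix the way phuzi0n suggests: connect from one LAN client to a service on another and check, with a sniffer or the service's own log, that the server sees the client's IP rather than the router's.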
Then you should learn iptables so you can understand what exactly it does. Explanations won't tell you everything about the rule.
It deletes a rule that the router uses to NAT loopback traffic, but due to ebtables being loaded the bridged traffic also goes through iptables and gets NAT'd unless you remove it. So the downside of this is that loopback will no longer function correctly.
Thanks for the explanation, I have some understanding of iptables, but not when it comes to postrouting and masquerade.
Does anyone know an application for simulating broadcast packets (manually sending them), so one can test this solution? I don't want to install Far Cry in order to test it.
Look at my posts above, it's not actually broadcast packets that get NAT'd. It's non-broadcast traffic going between interfaces that are part of software bridges (i.e. br0) such as WLAN<->LAN traffic or [bridged vpn tunnel]<->LAN that gets NAT'd. You can see the effect with any packet sniffer such as Wireshark.
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Wed Jan 27, 2010 19:03 Post subject:
phuzi0n wrote:
ev1te wrote:
Thanks for the explanation, I have some understanding of iptables, but not when it comes to postrouting and masquerade.
Does anyone know an application for simulating broadcast packets (manually sending them), so one can test this solution? I don't want to install Far Cry in order to test it
Look at my posts above, it's not actually broadcast packets that get NAT'd. It's non-broadcast traffic going between interfaces that are part of software bridges (ie. br0) such as WLAN<->LAN traffic or [bridged vpn tunnel]<->LAN that gets NAT'd. You can see the effect with any packet sniffer such as Wireshark.
Thanks, I could actually see that for myself today. When connected to an FTP server on the LAN from another LAN client, the server reported that it was the router's IP that was connected and not the actual IP of the client.
Adding:
LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE
Fixes that problem.
Edit: I also noticed another downside of ebtables. Since every packet in the bridge is visible to the firewall, there is a much higher CPU usage on the router, when using WiFi. 100% CPU on the router, when transferring at only ~50 Mbps through WiFi.
So now I have removed ebtables completely, and am looking for other solutions (or a faster router).
The other solutions are to either use a routed tunnel instead of a bridged one, or to only run one DHCP server on the subnet being shared.
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Thu Jan 28, 2010 23:18 Post subject:
phuzi0n wrote:
ev1te wrote:
So now I have removed ebtables completely, and are looking for another solutions (or a faster router)
The other solutions are to either use a routed tunnel instead of a bridged one, or to only run one DHCP server on the subnet being shared.
A routed tunnel is out of the question; then I could use an ordinary PPTP connection instead. I need the feature of broadcast packets (although not the DHCP traffic).
And one DHCP server is quite tricky, since a client on the other side of the tunnel will get an incorrect default gateway, which will make all traffic go through the tunnel for that client.
Maybe I shouldn't make it so complicated for myself; it's not for a corporate solution or anything, just to simplify my own private network with some friends.