OpenVPN Site Bridge. Clients get IP from wrong network

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Jan 16, 2010 22:43
Maximus32 wrote:
I had the same problem, and this solution seems to work; DHCP traffic IS blocked. But now I get another problem:

As soon as the ebtables module is loaded, all broadcasts have their source IP set to the router's IP, meaning games no longer work (games now try to connect to the router's IP address).

Is there a solution to this problem?

Probably because you're using an old version?

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Maximus32
DD-WRT Novice


Joined: 16 Jan 2010
Posts: 4

Posted: Sat Jan 16, 2010 23:33
No, I just installed the latest version (dd-wrt.v24-13064_VINT_openvpn.bin) for my router (WRT54G v2.2), because the version I had before (v24-sp1) didn't have ebtables.
phuzi0n

Posted: Sun Jan 17, 2010 1:13
So then you really mean all traffic, not broadcasts (a type of frame/packet) specifically.

LAN_NET="`nvram get lan_ipaddr`/`nvram get lan_netmask`"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE

Maximus32

Posted: Sun Jan 17, 2010 13:28
You're right, it was not just broadcasts.

I added those two lines and everything seems to work fine now. Thanks a lot.
ev1te
DD-WRT User


Joined: 03 Jan 2007
Posts: 76
Location: Sweden, Stockholm

Posted: Thu Jan 21, 2010 0:33
phuzi0n wrote:
So then you really mean all traffic, not broadcasts (a type of frame/packet) specifically.

LAN_NET="`nvram get lan_ipaddr`/`nvram get lan_netmask`"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE


Maximus32 wrote:
You're right, it was not just broadcasts.

I added those two lines and everything seems to work fine now. Thanks a lot.


I added ebtables today myself in order to drop dhcp traffic through OpenVPN.

Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?

_________________
WRT320N
phuzi0n

Posted: Thu Jan 21, 2010 1:10
ev1te wrote:
I added ebtables today myself in order to drop dhcp traffic through OpenVPN.

Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?

It's really non-broadcasts going through the bridge that become source-NAT'd to appear that they came from the router's LAN IP, i.e. pretty much everything will appear to come from the router's LAN IP. This happens because a hack in ebtables makes it so that iptables sees bridged traffic that it normally wouldn't.

ev1te

Posted: Sat Jan 23, 2010 0:06
phuzi0n wrote:
ev1te wrote:
I added ebtables today myself in order to drop dhcp traffic through OpenVPN.

Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?

It's really non-broadcasts going through the bridge that become source-NAT'd to appear that they came from the router's LAN IP, i.e. pretty much everything will appear to come from the router's LAN IP. This happens because a hack in ebtables makes it so that iptables sees bridged traffic that it normally wouldn't.


I haven't investigated that much yet since everything works as it should when I use ebtables in my network.
DD-WRT v24-sp2 (01/02/10) big - build 13575M NEWD-2 K2.6 Eko

Maximus32

Posted: Sun Jan 24, 2010 8:48
Quote:
Could you give an example of the problems you encountered, so that I can check if I have the same problem with broadcast packets?


Yes, when I try to play Far Cry, the server shows up with the router's IP, so the clients can't connect. This does not only happen with VPN traffic; it also happens with wireless-to-wired traffic.
ev1te

Posted: Mon Jan 25, 2010 12:00
Small recap of previous posts (for new users)

So when you have an OpenVPN bridged tunnel, DHCP packets from and to the router are also forwarded through the tunnel. (This makes it possible for clients to receive incorrect IP addresses/gateways etc. if you have DHCP servers on both sides of the tunnel.)

In order to block these you have to do the following:

Code:
# Create the OpenVPN tap interface and bridge it into br0 (the LAN bridge)
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

# Load the ebtables modules and drop DHCP (UDP 67/68) on the tunnel interface.
# Note: the INPUT/OUTPUT chains only cover frames to and from the router itself
# (its own DHCP server). DHCP bridged between a LAN client and a server on the
# far side passes the FORWARD chain instead, so apply these rules at both ends.
insmod ebtables
insmod ebtable_filter
insmod ebt_ip
ebtables -I INPUT  -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

# Once ebtables is loaded, bridged traffic also traverses iptables, so delete
# DD-WRT's NAT-loopback MASQUERADE rule. Otherwise LAN<->LAN traffic crossing
# the bridge is source-NAT'd to the router's LAN IP. (NAT loopback stops working.)
LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE

# Finally start OpenVPN
cd /*your openvpn config dir*/
chmod 600 server.key
openvpn --config openvpn.conf


Also, could someone please explain in detail what this line actually does? (I don't like adding lines to my iptables without knowing what they do.)
    iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE

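An added example (not code from the thread) for verifying the DHCP filter in the recap above instead of trusting it: from a host on one side of the bridged tunnel it broadcasts a single DHCPDISCOVER and lists every DHCP server identifier that answers. With a DHCP server on each side and no ebtables rules you should see two distinct servers; with the rules in place at both ends only the local one should answer. The message builder and parser follow RFC 2131; the random client MAC, the 3-second wait and the exit status are this example's own choices, and it assumes it runs as root with UDP/68 not held by a DHCP client.

```python
"""DHCP-leak probe: broadcast one DHCPDISCOVER, report every server that offers."""
import secrets
import socket
import struct
import sys
import time

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 0, 53, 54, 55, 255
DHCPDISCOVER, DHCPOFFER = 1, 2


def build_dhcp_discover(xid, mac):
    """Minimal BOOTREQUEST/DHCPDISCOVER with the broadcast flag set."""
    if len(mac) != 6:
        raise ValueError("mac must be 6 bytes")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr sname file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_PARAM_REQ, 2, OPT_SERVER_ID, 3])    # ask for server id and router
        + bytes([OPT_END])
    )
    return fixed + MAGIC + options


def parse_dhcp(data):
    """Decode the fields the probe needs; raises ValueError on non-DHCP input."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    options = {}
    i = 240
    while i < len(data):
        tag = data[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        options[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "chaddr": data[28:28 + hlen],
        "yiaddr": socket.inet_ntoa(data[16:20]),
        "type": options.get(OPT_MSG_TYPE, b"\0")[0],
        "server_id": socket.inet_ntoa(server_id) if server_id and len(server_id) == 4 else None,
    }


def collect_offers(timeout=3.0):
    """Broadcast one DISCOVER; return the server identifiers of matching OFFERs."""
    xid = secrets.randbits(32)
    mac = b"\x02" + secrets.token_bytes(5)      # random, locally administered MAC
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("", 68))                          # DHCP clients receive on UDP/68
    sock.sendto(build_dhcp_discover(xid, mac), ("255.255.255.255", 67))
    servers = set()
    deadline = time.monotonic() + timeout
    while (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            data, (src, _port) = sock.recvfrom(1500)
        except socket.timeout:
            break
        try:
            msg = parse_dhcp(data)
        except ValueError:
            continue                             # unrelated UDP/68 traffic
        if msg["op"] == 2 and msg["xid"] == xid and msg["type"] == DHCPOFFER:
            servers.add(msg["server_id"] or src)
    sock.close()
    return servers


if __name__ == "__main__":
    seen = collect_offers()
    print("DHCP servers answering on this segment:", sorted(seen) or "none")
    sys.exit(1 if len(seen) > 1 else 0)         # more than one server = leak
```

Run it from a LAN client on each side with and without the ebtables rules; a non-zero exit means more than one DHCP server reaches that segment, which is exactly the condition the recap's filter is meant to prevent.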
phuzi0n

Posted: Mon Jan 25, 2010 23:36
ev1te wrote:
Also, could someone please explain in detail what this line actually does? (I don't like adding lines to my iptables without knowing what they do.)
    iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE

Then you should learn iptables so you can understand what exactly it does. Explanations won't tell you everything about the rule.

It deletes a rule that the router uses to NAT loopback traffic, but due to ebtables being loaded the bridged traffic also goes through iptables and gets NAT'd unless you remove it. So the downside of this is that loopback will no longer function correctly.

ev1te

Posted: Tue Jan 26, 2010 15:54
phuzi0n wrote:
ev1te wrote:
Also, could someone please explain in detail what this line actually does? (I don't like adding lines to my iptables without knowing what they do.)
    iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE

Then you should learn iptables so you can understand what exactly it does. Explanations won't tell you everything about the rule.

It deletes a rule that the router uses to NAT loopback traffic, but due to ebtables being loaded the bridged traffic also goes through iptables and gets NAT'd unless you remove it. So the downside of this is that loopback will no longer function correctly.


Thanks for the explanation, I have some understanding of iptables, but not when it comes to postrouting and masquerade.

Does anyone know an application for simulating broadcast packets (manually sending them), so one can test this solution? I don't want to install Far Cry in order to test it.

phuzi0n

Posted: Tue Jan 26, 2010 23:42
ev1te wrote:
Thanks for the explanation, I have some understanding of iptables, but not when it comes to postrouting and masquerade.

Does anyone know an application for simulating broadcast packets (manually sending them), so one can test this solution? I don't want to install Far Cry in order to test it.

Look at my posts above, it's not actually broadcast packets that get NAT'd. It's non-broadcast traffic going between interfaces that are part of software bridges (i.e. br0), such as WLAN<->LAN traffic or [bridged vpn tunnel]<->LAN, that gets NAT'd. You can see the effect with any packet sniffer such as Wireshark.

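As an added example (not code from the thread), a small reflector that answers the test question above without installing a game: run it in `serve` mode on a host in one bridged segment (a wired LAN host, or a host on the far side of the tunnel) and in `probe` mode on a host in another (for instance a WLAN client). The server replies with the source address and port it actually saw; comparing that with the client's own address and the router's LAN IP tells you whether the bridged traffic was masqueraded, which is the side effect of loading ebtables described above. The port number, the message format and the `classify` wording are this example's own assumptions.

```python
"""Reflect the source address a LAN peer sees for a probe datagram.

serve : bind UDP/PROBE_PORT and echo back the source address/port of each probe.
probe : send a nonce to the server, read the reflected address, classify it.
"""
import secrets
import socket
import sys

PROBE_PORT = 40404  # assumption: any free UDP port will do


def encode_probe(nonce):
    return b"PROBE " + nonce.encode()


def decode_probe(data):
    """Return the nonce from a probe datagram, or None for anything else."""
    if not data.startswith(b"PROBE "):
        return None
    nonce = data[6:].decode(errors="replace")
    return nonce if nonce.isalnum() else None


def encode_reply(nonce, observed_ip, observed_port):
    return f"SEEN {nonce} {observed_ip} {observed_port}".encode()


def decode_reply(data):
    """Return (nonce, observed_ip, observed_port), or None if malformed."""
    parts = data.decode(errors="replace").split()
    if len(parts) != 4 or parts[0] != "SEEN":
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def classify(local_ip, observed_ip, router_ip):
    """Interpret the reflected source address for the bridged-LAN case."""
    if observed_ip == local_ip:
        return "direct: the bridge forwarded the packet with its source address intact"
    if observed_ip == router_ip:
        return "masqueraded: bridged traffic was source-NAT'd to the router's LAN IP"
    return "rewritten: source address changed to something other than the router"


def serve(port=PROBE_PORT):
    """Answer every valid probe with the address and port it arrived from."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (src_ip, src_port) = sock.recvfrom(512)
            nonce = decode_probe(data)
            if nonce is not None:
                # If the probe was masqueraded this goes to the router, whose
                # conntrack entry maps it back to the real client.
                sock.sendto(encode_reply(nonce, src_ip, src_port), (src_ip, src_port))


def probe(server_ip, router_ip, port=PROBE_PORT, timeout=2.0):
    """Send one probe; return (our address, address the server saw, verdict)."""
    nonce = secrets.token_hex(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server_ip, port))          # also selects our source address
        local_ip = sock.getsockname()[0]
        sock.send(encode_probe(nonce))
        data = sock.recv(512)
    reply = decode_reply(data)
    if reply is None or reply[0] != nonce:
        raise RuntimeError("no valid reply from %s" % server_ip)
    return local_ip, reply[1], classify(local_ip, reply[1], router_ip)


if __name__ == "__main__":
    if sys.argv[1:] == ["serve"]:
        serve()
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        local_ip, seen_ip, verdict = probe(sys.argv[2], sys.argv[3])
        print(f"sent from {local_ip}, server saw {seen_ip}: {verdict}")
    else:
        sys.exit("usage: bridge_nat_probe.py serve | probe <server-ip> <router-lan-ip>")
```

The reply still reaches the client in the masqueraded case because the router's conntrack entry reverses the NAT; what the tool exposes is the address the peer saw, which is what breaks game lobbies, FTP logging and any access control keyed on client IP.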
ev1te

Posted: Wed Jan 27, 2010 19:03
phuzi0n wrote:
ev1te wrote:
Thanks for the explanation, I have some understanding of iptables, but not when it comes to postrouting and masquerade.

Does anyone know an application for simulating broadcast packets (manually sending them), so one can test this solution? I don't want to install Far Cry in order to test it.

Look at my posts above, it's not actually broadcast packets that get NAT'd. It's non-broadcast traffic going between interfaces that are part of software bridges (i.e. br0), such as WLAN<->LAN traffic or [bridged vpn tunnel]<->LAN, that gets NAT'd. You can see the effect with any packet sniffer such as Wireshark.


Thanks, I could actually see that for myself today. When connected to an FTP server on the LAN from another LAN client, the server reported that it was the router's IP that was connected and not the actual IP of the client.

Adding:
LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE
Fixes that problem.

Edit: I also noticed another downside of ebtables. Since every packet in the bridge is visible to the firewall, there is much higher CPU usage on the router when using WiFi: 100% CPU on the router when transferring at only ~50 Mbps through WiFi.

So now I have removed ebtables completely, and am looking for other solutions (or a faster router).

phuzi0n

Posted: Thu Jan 28, 2010 8:24
ev1te wrote:
So now I have removed ebtables completely, and am looking for other solutions (or a faster router).

The other solutions are to either use a routed tunnel instead of a bridged one, or to only run one DHCP server on the subnet being shared.

ev1te

Posted: Thu Jan 28, 2010 23:18
phuzi0n wrote:
ev1te wrote:
So now I have removed ebtables completely, and am looking for other solutions (or a faster router).

The other solutions are to either use a routed tunnel instead of a bridged one, or to only run one DHCP server on the subnet being shared.


A routed tunnel is out of the question; then I could just use an ordinary PPTP connection instead. I need the feature of broadcast packets (although not the DHCP traffic).

And one DHCP server is quite tricky, since a client on the other side of the tunnel will get an incorrect default gateway, which will make all traffic go through the tunnel for that client.

Maybe I shouldn't make it so complicated for myself; it's not for a corporate solution or anything, just to simplify my own private network with some friends.

All times are GMT