[santiago78]

Hi, I'm writing because I'm trying to use ebtables to block DHCP traffic between two WRT54GL (with DD-WRT vpn v23 SP2 both of them) that are running OpenVPN in bridged mode (one router as server the other as client). The reason why I'm trying to block the DHCP traffic it's because once that the two routers are connected by OpenVPN and because they are at bridged mode, the subnet built between them has 2 DHCP server, but each DHCP server has to give IP information only to clients physically (wired or wireless) connected to the router, and with the VPN tunnel build one DHCP server can give IP information to a client connected to the router in the other side of the tunnel.

I tried to use iptables to block this using this sentence:

iptables -I INPUT -i tap0 --dport bootps -j DROP

but it didn't work. I think it didn't work because before executing openvpn I had to bridge tap0 to br0 as if it was another ethernet port in the router, so tap0 won't have an IP, so iptables won't work over that interface, it would work over br0 which is the interface that has the IP, but if I block bootps over br0 I would block DHCP coming from the VPN tunnel and also the connections from clients physically connected to the router.

When I tried to execute this ebtable sentence:

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

I get the message: The kernel doesn't support the ebtables 'filter' table.

I also tried to list the ebtables rules with ebtables -L and ebtables -t nat -L and ebtables -t broute -L but always the same message appeared.

Thanks in advance to anyone that can help me.

[santiago78]

No one knows about this issue?

[thenextdon13]

Hey guys--

Allright, i just figured this deal out:

Ah-hah-- I see-- it seems that ebt_ip is needed, and it is not included in the standard (asus in my case) install under /lib/modules/2.4.34-pre2/, which appears to be where the modules are pulled from. If you have done the ipkg install ebtables, you will have ebt_ip.o in /jffs/lib/modules/2.4.30 -- and you (apprently) can insmod it using the absolute path. Here is my output from walking through it:

[cyberde]

Sorry about the kick, but any luck on this? Cause I'm having the exact same issue here.
It should be able to run from a startup script and still allow dhcp requests from other clients but one.

[edit]
After using insmod etc I got the folowing:

[thenextdon13]

Be sure you do the insmods in the right order-
Make sure they are actually insmoded my running lsmod. (post it?)

Other than that, i don't know what to tell you... sorry!

Camden

[cyberde]

[thenextdon13]

This is EBtables, not IPTables. It is for bridges... which is why you need it.

This will work to stop dhcp over a bridge, i've used it successfully.

I see that the ebt_ip module isn't loaded on your lsmod list. It may be possible that it needs to be loaded. (not for sure, its been a while since i did this.)

HTH
Camden

[cyberde]

True, that's not inserted indeed, where can I find that module? Since it's not included with DD-WRT by default

[thenextdon13]

Tell you the truth, i don't remember where i found it.

PM me with your email, maybe i can dig it up and get it sent to you. Or perhaps it is somewhere not standard in the directory structure.

Sorry that i don't remember. I'll see if I can't figure out where I got it from

try googling it too

take care

Camden

[marv]

This is such a small file, seems like it would be easy to include with the official release since it seems quite a few people would use it!

[cyberde]

So true...

[tkbletsc]

Thanks for the info, folks.

I found a way to cram ebt_ip.o into the NVRAM, so the router can load the module after a reboot.

Full write-up here:
http://dsss.be/w/make_a_dd-wrt_bridge_silently_eat_dhcp_traffic

[SilverPuppy]

Well, it works. Sort of. Unfortunately, in my implementation, it seems to break the bridge entirely. I have tried it as provided, and also with INPUT -i changed to OUTPUT -o and nothing seems to work. The bridge is not working at all now.

I speculate that what is happening is that the DHCP for the remote box is getting eaten as well, so it never connects. Perhaps tonight I will see what happens if I leave it as INPUT -i and put it on the remote box. Perhaps that would at least keep the main location from getting the remote gateway.

Sigh...this is a very frustrating problem. Why hasn't a permanent fix for this been implemented into the OpenVPN code? Or has it? I am running some older firmware (2009). Do I need to update it and hope nothing else breaks? I hate to do that because it is working perfectly aside from this one issue. If it ain't broke, don't fix it, right?

[SilverPuppy]

A lot of the information here seems to be quite dated. I had to look HARD for this. The needle in the haystack is to be found HERE: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=477032

THIS is the solution that finally seems to work with no problems for me. I have been fooling around with this for literally YEARS looking for the correct solution to this problem. Now I am sure I have found it. MUCH THANKS to the creator of the CRON job that fixes this frustrating problem!

EDIT: As he says, DO VERIFY THE FILE PATHS. I had to change .37 to .36 because I'm using a slightly older DD-WRT and I refuse to change because everything is working perfectly as-is.

[RainMotorsports]

SilverPuppy you replied to a thread about a firmware no longer being developed. The thread was mainly 2006/2007 bumped once in 2008.....

I believe the final build of v23 is a little bit later? I like it but v24 is the only one in development now.