OpenVPN Site Bridge. Clients get IP from wrong network

onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Mon Nov 30, 2009 18:54    Post subject: OpenVPN Site Bridge. Clients get IP from wrong network
My VPN config is detailed here:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=373551#373551


Both routers' DHCP is set to non-authoritative.
Both routers have separate domain names.
Both routers have non-overlapping IP ranges. (*.03 - *.100 / *.110 - *.200)

Both routers are:
DD-WRT v24-sp2 (07/22/09) vpn
(SVN revision 12548M NEWD Eko)

Each time a PC connects to either side of the bridge, either by Ether or Wifi, there is about a 50% chance that the PC will be assigned an IP and default GW on the opposite network. This causes ALL traffic from that PC to be routed over the VPN.

Anyone have any ideas how to stop this? Any reference material to throw my way?

iptables magic to block DHCP broadcast from client/server network?

If further info is required please advise.

I will PayPal $5 USD to the person that solves this problem or provides reference material that leads to the solution.

Thanks,


Last edited by onemyndseye on Tue Dec 01, 2009 7:15; edited 1 time in total
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10141

PostPosted: Mon Nov 30, 2009 21:45
Put it at the bottom of your firewall script.

# block DHCP through tunnel
iptables -I INPUT -i tap0 -p udp --dport 67 -j DROP
iptables -I OUTPUT -o tap0 -p udp --dport 68 -j DROP


Alternative method that requires more processing but prevents a little DHCP traffic on the tunnel:

# block DHCP through tunnel
insmod ebtables
iptables -I FORWARD -p udp --dport 67:68 -j DROP

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Tue Dec 01, 2009 7:12
Thanks for the reply..


I was hopeful but it looks like no dice:

the two routers are 192.168.2.1 and 192.168.2.2


From a wifi client connected to *.1 after adding firewall rules:
Code:

Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/pan0/32:6c:4f:a8:8f:c6
Sending on   LPF/pan0/32:6c:4f:a8:8f:c6
Listening on LPF/vboxnet0/0a:00:27:00:00:00
Sending on   LPF/vboxnet0/0a:00:27:00:00:00
Listening on LPF/eth0/00:1f:c6:4f:60:c5
Sending on   LPF/eth0/00:1f:c6:4f:60:c5
Listening on LPF/wlan0/00:1d:e0:7e:4e:45
Sending on   LPF/wlan0/00:1d:e0:7e:4e:45
Sending on   Socket/fallback
DHCPDISCOVER on pan0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on vboxnet0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPREQUEST of 192.168.2.179 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.2.179 from 192.168.2.2
bound to 192.168.2.179 -- renewal in 36361 seconds.


Still traversing the tunnel :/

I haven't had a chance yet to check the firewall logs to see what's happening, but I will sometime today and post back.

I haven't yet been able to get this to happen on an Ether connected client, so possibly this is a 1/2 solve. Will know more after further testing.
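The dhclient output above shows the symptom in one line: a DHCPACK from 192.168.2.2, the far-side router, for a client sitting behind 192.168.2.1. As an added example (not part of the thread, and not DD-WRT code), the following Python parses a DHCP server reply, such as one pulled from a capture on the bridge interface, and flags any OFFER/ACK whose server identifier (option 54) is not one of the local site's own servers; the packet it tests with is constructed inline, and the `local_servers` set is an assumed per-site list.

```python
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that precedes the DHCP options (RFC 2131)
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    info = {
        "yiaddr": ".".join(str(b) for b in payload[16:20]),             # address handed out
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),  # client MAC
        "options": {},
    }
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end of options
        if payload[i] == 0:                           # 0 = pad byte, has no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info

def lease_from_foreign_server(payload: bytes, local_servers: set) -> Optional[str]:
    """Return the server identifier of an OFFER/ACK sent by a DHCP server that is
    not in local_servers (a lease that crossed the tunnel); None otherwise."""
    info = parse_dhcp(payload)
    mtype = MSG_TYPE.get(info["options"].get(53, b"\x00")[0])
    sid = info["options"].get(54)
    if mtype not in ("OFFER", "ACK") or sid is None:
        return None
    server = ".".join(str(b) for b in sid)
    return None if server in local_servers else server

def build_dhcp_reply(mtype: int, yiaddr: str, server: str, mac: str) -> bytes:
    """Construct a minimal server reply for testing (constructed, not captured)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)   # op=BOOTREPLY, Ethernet, xid
    hdr += bytes(4) + ip_bytes(yiaddr)                          # ciaddr (empty), yiaddr
    hdr += bytes(8) + bytes.fromhex(mac.replace(":", "")) + bytes(10)  # siaddr, giaddr, chaddr
    hdr += bytes(192)                                           # sname + file, unused here
    opts = bytes([53, 1, mtype, 54, 4]) + ip_bytes(server) + b"\xff"  # msg type, server id, end
    return hdr + DHCP_MAGIC + opts
```

Run against the ACK from the thread (client 192.168.2.179, server 192.168.2.2, local server 192.168.2.1) it returns "192.168.2.2"; once the far-side server is blocked from the tunnel, only replies from the local server should be seen.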
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10141

PostPosted: Tue Dec 01, 2009 7:35
Did you put the same commands on both routers?
onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Tue Dec 01, 2009 8:26
Yes :(

It's odd that the requests are still getting through. Best guess is since it's a LAN bridge the firewall is mistaking it for lan0 traffic and not tap0 *shrug* but I dunno - this isn't exactly my field of knowledge.

I'm in the field right now - hopefully examining the firewall logs will shed some light on what's going on. I need to be on site to connect/reconnect to monitor properly.

Also tried both of your methods together just to be thorough. No dice :(
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10141

PostPosted: Tue Dec 01, 2009 9:40
Post the output from running this via telnet on both routers.

iptables -vnL OUTPUT

onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Tue Dec 01, 2009 12:25
Sure.. here ya go:


Host router (*.1)
Code:

root@exodus:~# iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 33 packets, 5849 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      tap0    0.0.0.0/0            0.0.0.0/0           udp dpt:68
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  293 49288 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  113 25155 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  113 25155 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           



Client router (*.2)
Code:

root@guardog:~# iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 92 packets, 20651 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      tap0    0.0.0.0/0            0.0.0.0/0           udp dpt:68
somms
DD-WRT User
Joined: 21 Mar 2008
Posts: 261

PostPosted: Tue Dec 01, 2009 20:04
Quick fix for me was just to assign static leases under Services of the DD-WRT GUI for the known computers on one side of my OpenVPN site-to-site bridge. Guess I could go one step further and do the same for known computers on the other side as well, but it seems to be doing the job and didn't require additional firewall rules. Had to assign static IPs anyway since I wanted to use the WOL function to remotely power up the computers also! ;)


Code:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP



http://www.dd-wrt.com/phpBB2/viewtopic.php?p=259391&highlight=#259391

EDIT: Looks like above inserted into startup commands may be a better solution but I haven't tested...

_________________
Member of the Professional Aviation Safety Specialists Union!
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10141

PostPosted: Tue Dec 01, 2009 22:10
Check this now.

iptables -vnL FORWARD

onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Wed Dec 02, 2009 6:17
Quote:

Quick fix for me was just to assign static leases under services of DDWRT gui for the known computers on one side of my OpenVPN site to site bridge. Guess I could go one step further and do the same for known computers on other side as well but seems to be doing the job and didn't require additional firewall rules. Had to assign static IP's anyways since I wanted to use WOL function to remotely power up the computers also!


Actually this doesn't help at all. There are several machines on this network (on both sides) that do have static leases. Recently a SiteB server was taken to SiteA (Host site) for some upgrades, and guess what? When connected to the network it claimed its standard static lease from the SiteB router LOL

Don't know how I missed that thread though - nice find.. I'll pore over it later today when I get a chance.


Last edited by onemyndseye on Wed Dec 02, 2009 6:28; edited 1 time in total
onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Wed Dec 02, 2009 6:27
Host (*.1)
Code:

root@exodus:~# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       192.168.3.0/24       0.0.0.0/0           
   99  5250 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 421K  330M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 5819  656K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5819  656K forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           



Client (*.2)
Code:

root@guardog:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  215  9804 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.168       tcp dpt:16768
  461 31511 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.168       udp dpt:16768
    0     0 ACCEPT     47   --  *      vlan1   192.168.2.0/24       0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.2.0/24       0.0.0.0/0           tcp dpt:1723
    9   540 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
 7877  401K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 706K  527M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 702K  527M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.47        tcp dpt:63969
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.47        udp dpt:63969
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.174       udp dpt:55036
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.174       udp dpt:54466
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.168       udp dpt:59462
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 4391  252K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
 4391  252K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           



Still did not get a chance to debug well today.. not enough hours in the day it seems :(. I think this is definitely NOT happening any longer for Ether connected clients... getting close :)
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Dec 02, 2009 7:13
The forward rule isn't there, did you really put them in your firewall script like you're supposed to?
onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Wed Dec 02, 2009 14:27
I've restarted since the last time I tried them both together.

I have:
Code:

iptables -I INPUT -i tap0 -p udp --dport 67 -j DROP
iptables -I OUTPUT -o tap0 -p udp --dport 68 -j DROP


in my firewall script.


I understood the methods to be separate? Will test further with the forward rule added.
onemyndseye
DD-WRT Novice
Joined: 01 Aug 2009
Posts: 36

PostPosted: Wed Dec 02, 2009 15:32
Aaaah. Nice. With the forward rule the solution works. I double checked this by shutting 1 DHCP server down at a time and then broadcasting DHCPREQ.

Thank you very much my friend :) Please PM me with your email.


Code:

# block DHCP through tunnel
insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
iptables -I INPUT -i tap0 -p udp --dport 67 -j DROP
iptables -I OUTPUT -o tap0 -p udp --dport 68 -j DROP
iptables -I FORWARD -p udp --dport 67:68 -j DROP
# These lines just for good measure
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
Maximus32
DD-WRT Novice
Joined: 16 Jan 2010
Posts: 4

PostPosted: Sat Jan 16, 2010 21:49
I had the same problem, and this solution seems to work; DHCP traffic IS blocked. But now I get another problem:

As soon as the ebtables module is loaded, all broadcasts have their source IP set to the router's IP. Meaning games no longer work (games now try to connect to the router's IP address).

Is there a solution to this problem?