Bridged VPN, using iptables to fix DHCP issue?

DD-WRT Forum Index -> Broadcom SoC based Hardware (page 3 of 5)
slgta
DD-WRT User


Joined: 09 Jan 2008
Posts: 92

Posted: Mon Dec 22, 2008 4:48
Sorry, I gave up on the openvpn bridge because I don't seem to be able to keep the routers up and stable.

I have been running fine without the openvpn bridge, so I have to assume that the instability was caused by the openVPN connection. ... probably with the combination of QOS, GUI management ... and a slow uplink (128Kbps).



JN wrote:
slgta, or anyone else, have you made any headway with this?

_________________
=============================================
WRT54GL v1.1 vpn-jffs-small SVN15200M
Spare: WRT54G v5 micro+ ssh SVN15200M
ev1te
DD-WRT User


Joined: 03 Jan 2007
Posts: 76
Location: Sweden, Stockholm

Posted: Tue Dec 23, 2008 20:12
I've been running two dd-wrt routers in bridged openvpn mode (one server and one client) through the internet for a couple of years now, but I haven't solved the DHCP issue yet...

Please someone make my day and solve this issue!

_________________
WRT320N
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Fri Dec 26, 2008 17:12
ev1te wrote:
I've been running two dd-wrt routers in bridged openvpn mode (one server and one client) through the internet for a couple of years now, but I haven't solved the DHCP issue yet...

Please someone make my day and solve this issue!
Glad to hear there is somebody else interested in this.

Hopefully someone here can advise on how we might use either iptables or ebtables or find some other way to correct the DHCP issue so that computers always get DHCP from the nearest router and never the far side of the bridge.
HockeyFan4Life
DD-WRT User


Joined: 03 Jan 2008
Posts: 230

Posted: Fri Dec 26, 2008 17:35
I don't know how I did it, but my client router (at my in-laws' place) always issues the IP to the computers they own. I have it set so my IP range goes from 192.168.1.200 to 192.168.1.249, and a maximum of 50 clients, as it is in the default config.

This is my Firewall Config for my client router.

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT

_________________

Routers:
E2000 latest BIG
whr-g54s client vpn
wr850g latest mini
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Sat Dec 27, 2008 18:35
HockeyFan4Life wrote:
I don't know how I did it, but my client router (at my in-laws' place) always issues the IP to the computers they own. I have it set so my IP range goes from 192.168.1.200 to 192.168.1.249, and a maximum of 50 clients, as it is in the default config.

This is my Firewall Config for my client router.

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT

iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT
I don't see how this can do it as there seems to be nothing about blocking DHCP requests in these commands.

Can someone come forward with a real solution to make DHCP always be served by the nearer router?
HockeyFan4Life
DD-WRT User


Joined: 03 Jan 2008
Posts: 230

Posted: Sat Dec 27, 2008 18:43
I don't know how it's doing it either, but that is what is being done on my client router.
_________________

Routers:
E2000 latest BIG
whr-g54s client vpn
wr850g latest mini
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Mon Dec 29, 2008 18:52
Any comments, anyone, on the right way to solve the problem of this thread?
knzsys
DD-WRT Novice


Joined: 11 Sep 2008
Posts: 6

Posted: Sun Jan 25, 2009 16:38    Post subject: My working solution
Hi all,

Have you checked whether ebtables has the correct entries by typing the following command in telnet?

ebtables -L

It should give this result:

Quote:
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP


Otherwise ebtables is not blocking DHCP.


I tried the commands
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
first in the firewall script; it didn't work.
ebtables -L gave an empty table.

I put the commands
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
in the startup section after the insmod commands

and it worked!

I hope this will help you.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Wed Jan 28, 2009 16:56    Post subject: Re: My working solution
knzsys wrote:
I put the commands
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
in the startup section after the insmod commands

and it worked!
So, then you are saying that all of this goes in the startup script in this order?

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

Back on page 1 of this topic, I had the rules in the firewall and the insmods in the startup script. I guess that's why it didn't work. I will try it this way when I get a chance.
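As an added example (not code from the thread or from DD-WRT), the startup-script order above written out as one script that loads the modules, installs the two ebtables rules, and then parses `ebtables -L` to confirm the filter table really holds them; the interface name tap0, the module names as posted, and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT startup script that loads the
# ebtables modules, installs knzsys's two DHCP-drop rules on the OpenVPN tap
# interface, and checks `ebtables -L` so an empty filter table is noticed.
# Assumed: module names as posted, interface tap0, run as `sh script.sh apply`.

VPN_IF="${VPN_IF:-tap0}"

# Order matters: ebtable_filter must be resident before rules can be added.
load_ebtables_modules() {
    for m in ebtables ebtable_filter ebt_ip.o; do
        insmod "$m" 2>/dev/null || true    # ignore "already loaded"
    done
}

# Drop DHCP (UDP 67/68) entering from or leaving toward the tunnel, so each
# site's clients only ever reach their own router's DHCP server.
install_dhcp_block() {
    ebtables -I INPUT  -i "$VPN_IF" -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I OUTPUT -o "$VPN_IF" -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
}

# Read `ebtables -L` text from stdin; succeed only if both rules are listed.
dhcp_block_present() {
    in_ok=0; out_ok=0
    while IFS= read -r line; do
        case "$line" in
            *"-i $VPN_IF "*"--ip-dport 67:68"*"-j DROP"*) in_ok=1 ;;
            *"-o $VPN_IF "*"--ip-dport 67:68"*"-j DROP"*) out_ok=1 ;;
        esac
    done
    [ "$in_ok" -eq 1 ] && [ "$out_ok" -eq 1 ]
}

# Constructed samples: what knzsys's working router prints, and the empty
# table seen when ebtable_filter is not loaded.
SAMPLE_OK='Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP'
SAMPLE_EMPTY='Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

if [ "${1:-}" = "apply" ]; then
    load_ebtables_modules
    install_dhcp_block
    ebtables -L | dhcp_block_present || echo "DHCP block NOT active; check ebtable_filter" >&2
fi
```

A check that passes inside the startup script can still fail later on builds where ebtable_filter is unloaded after the script finishes, as Firov reports further down, so repeat `ebtables -L | dhcp_block_present` from a telnet session a while after boot.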
Firov
DD-WRT Novice


Joined: 09 Jan 2009
Posts: 23

Posted: Thu Jan 29, 2009 8:15    Post subject: Re: My working solution
knzsys wrote:
...


knzsys, I'm curious, have you reset power to your router and confirmed that ebtables is still running correctly? If so, what version of the firmware are you using?

In my thread ( http://www.dd-wrt.com/phpBB2/viewtopic.php?t=45292&postdays=0&postorder=asc&start=0 ) I am trying to solve the exact same problem and ebtables does precisely what I want, but we've found due to a rather severe bug in DD-WRT that ebtables won't load correctly from the startup script. More specifically, ebtable_filter won't load, and without that module ebtables doesn't work.

So if your router is successfully loading ebtables from the startup script I'd be very interested in knowing which version you're using.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Thu Jan 29, 2009 14:04    Post subject: Re: My working solution
Firov wrote:
knzsys wrote:
...


knzsys, I'm curious, have you reset power to your router and confirmed that ebtables is still running correctly? If so, what version of the firmware are you using?

In my thread ( http://www.dd-wrt.com/phpBB2/viewtopic.php?t=45292&postdays=0&postorder=asc&start=0 ) I am trying to solve the exact same problem and ebtables does precisely what I want, but we've found due to a rather severe bug in DD-WRT that ebtables won't load correctly from the startup script. More specifically, ebtable_filter won't load, and without that module ebtables doesn't work.

So if your router is successfully loading ebtables from the startup script I'd be very interested in knowing which version you're using.
Firov, did you have a chance to try the knzsys method yet, with all the commands in the startup script? I have not had time to do it yet. You might go ahead and try it with a recent version of the firmware and report back which version and whether it works. Thanks.
Firov
DD-WRT Novice


Joined: 09 Jan 2009
Posts: 23

Posted: Thu Jan 29, 2009 18:07    Post subject: Re: My working solution
JN wrote:
...


That's what I've been trying, JN. However, as I pointed out in my thread, doing that doesn't correctly load ebtables.

Basically, the method in this thread is identical to what I've been trying.
knzsys
DD-WRT Novice


Joined: 11 Sep 2008
Posts: 6

Posted: Fri Feb 06, 2009 15:01
Hi JN,

Sorry for the late answer.

Did you try it with the newest beta firmware?

I use this version:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11482/dd-wrt.v24-11482_NEWD_openvpn.bin
on WRT54GL 1.1

no problems

folder with all subversions:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11482/

NEWD means new drivers


Yes, I put the commands in startup script in this order:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

It was working after reboot.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

Posted: Fri Feb 06, 2009 19:52
knzsys wrote:
Hi JN,

Sorry for the late answer.

Did you try it with the newest beta firmware?

I use this version:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11482/dd-wrt.v24-11482_NEWD_openvpn.bin
on WRT54GL 1.1

no problems

folder with all subversions:
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11482/

NEWD means new drivers


Yes, I put the commands in startup script in this order:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o

ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

It was working after reboot.
Firov, you might want to give it another try with the newer firmware (or maybe the latest). I might too, but I am quite busy and not sure when I will do it.
Firov
DD-WRT Novice


Joined: 09 Jan 2009
Posts: 23

Posted: Sun Feb 08, 2009 22:33
I just tried it with the 11575 firmware and absolutely nothing changed. It still unloads ebtable_filter after the startup script has finished running.

This is obviously a bug with DD-WRT, so we're going to have to wait until someone takes notice of ( http://svn.dd-wrt.com:8000/dd-wrt/ticket/812 ) and fixes it.
All times are GMT