Bridged VPN, using iptables to fix DHCP issue?

DD-WRT Forum Index -> Broadcom SoC based Hardware
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Mon Feb 09, 2009 6:29
Firov, you might want to try it on 11482, the exact version that knzsys says is working.

knzsys, what happens if you try it on the 11575 that Firov just tried?
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Wed Feb 11, 2009 1:51
bump
liutang
DD-WRT Novice


Joined: 30 Dec 2007
Posts: 11

PostPosted: Wed Feb 11, 2009 6:56
I created a script called ebtables.wanup under /jffs/etc/config/. Then I placed the following code in there:

Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


Made it executable: chmod 700 ebtables.wanup. Rebooted the router and it looks like it's holding:

Code:

root@Momentum:/jffs/etc/config# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP
root@Momentum:/jffs/etc/config#



http://www.dd-wrt.com/wiki/index.php?title=Startup_Scripts#Make_the_Script_Executable

http://www.dd-wrt.com/wiki/index.php/Script_Execution

Can someone else help confirm? I'm kind of new at this. BTW, I did this on a WRT350N running 11474 mega, but I'm sure it can work with openvpn_jffs build.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Thu Feb 12, 2009 19:37
liutang wrote:
I created a script called ebtables.wanup under /jffs/etc/config/. Then I placed the following code in there:

Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


Made it executable: chmod 700 ebtables.wanup. Rebooted the router and it looks like it's holding:

Code:

root@Momentum:/jffs/etc/config# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP
root@Momentum:/jffs/etc/config#



http://www.dd-wrt.com/wiki/index.php?title=Startup_Scripts#Make_the_Script_Executable

http://www.dd-wrt.com/wiki/index.php/Script_Execution

Can someone else help confirm? I'm kind of new at this. BTW, I did this on a WRT350N running 11474 mega, but I'm sure it can work with openvpn_jffs build.
Where do you put the second code snippet?
liutang
DD-WRT Novice


Joined: 30 Dec 2007
Posts: 11

PostPosted: Thu Feb 12, 2009 23:23
JN wrote:
Where do you put the second code snippet?


I don't put it anywhere. The second block is me typing commands into the terminal. I included it to show that the ebtables seem to remain loaded after boot.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Fri Feb 13, 2009 1:04
liutang wrote:
JN wrote:
Where do you put the second code snippet?


I don't put it anywhere. The second block is me typing commands into the terminal. I included it to show that the ebtables seem to remain loaded after boot.
What do you have in your startup script to ensure that ebtables.wanup is executed when the router is started? Which version of DD-WRT are you using, including build number and file name of .bin file? What model of router?
liutang
DD-WRT Novice


Joined: 30 Dec 2007
Posts: 11

PostPosted: Fri Feb 13, 2009 1:54
JN wrote:
What do you have in your startup script to ensure that ebtables.wanup is executed when the router is started?


Nothing. dd-wrt looks into several special directories for special files with certain extensions. See this: http://www.dd-wrt.com/wiki/index.php/Script_Execution

JN wrote:
Which version of DD-WRT are you using, including build number and file name of .bin file? What model of router?


WRT350N as server. Running eko 11474 mega
http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11474/dd-wrt.v24-11474_NEWD_mega.bin

WRT150N client running eko 11474 openvpn jffs http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/V24_TNG/svn11474/dd-wrt.v24-11474_NEWD_openvpn_jffs_small.bin
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Sun Feb 15, 2009 23:29
Firov and knzsys, what are your latest thoughts? Did you try what I suggested at the top of this page or liutang's approach?
Firov
DD-WRT Novice


Joined: 09 Jan 2009
Posts: 23

PostPosted: Thu Feb 19, 2009 20:33
VICTORY!

After much sadness, much anger, and much frustration I have finally found a solution to this problem. At least sort of.

It's not absolutely perfect for reasons I'll explain in a moment, but it does work.

liutang's idea was key. His exact idea actually failed, for me at least. But the revelation that it's possible to run scripts after startup by using the various script file extensions (e.g. .wanup) did at least set me on the right path.

I know that there's some bug in the startup script for DD-WRT that unloads ebtable_filter, so the challenge has been to run the ebtables start script after the router has already finished going through its other startup scripts.

This was achieved by using the ".ipup" script extension. By using the .ipup extension the script runs a second or two after the router has already finished booting, and as such, totally avoids the ebtable unload script that runs at router startup.

I'll explain exactly how to implement this in a moment, but first, I want to point out the one problem with this method.

Whenever you alter something with the web GUI on DD-WRT and hit apply, it runs some sort of script that simulates restarting the router. Unfortunately, this script also unloads ebtable_filter. So, while ebtable_filter will successfully run after router bootup now, if I attempt to change anything via the web GUI, ebtable_filter will be unloaded. You can try this yourself just by changing, for example, the router GUI style and then hitting apply. Check ebtables and you'll see that it's been unloaded.

Now, this isn't a huge problem, because if you're altering the router settings then chances are it won't be too much trouble to just go ahead and restart the script manually, or just reboot the router once you've made the changes.

So, with all of that said, it's time to show precisely how to implement this. Also, it's worth noting that having jffs on your router is required for this.

1. Open a command line and telnet into your router, then enter the following commands

2. mkdir -p /jffs/etc/config

3. cd /jffs/etc/config

4. Create a script called ebtables.ipup that has the following lines of text in it
Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


5. chmod 777 ebtables.ipup

6. Done (I think?)

Final Notes - This script only needs to be put on your server router. It will block all DHCP traffic, whether it comes from the local lan segment or the far lan segment.
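As an added example (not code from liutang's or Firov's posts, nor from the DD-WRT project), the following is a hardened version of the ebtables.ipup script above for the server router. It loads the modules only if they are not already present, waits for the tap interface to exist before inserting rules (OpenVPN may bring it up after the hook fires), inserts each of the four DROP rules only if it is not already there, and adds a check function that parses `ebtables -L` output so you can confirm after a web GUI apply that the rules are still loaded. The interface name tap0, the module names (plain name with a `.o` fallback for 2.4 kernels), the 60-second wait, and the two sample listings are assumptions or constructed for this example; the script only calls ebtables when the binary is present, so the check function can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: hardened ebtables.ipup for the server router.
# Assumptions (constructed for this example): tap interface is tap0, modules are
# named ebtables / ebtable_filter / ebt_ip (with a .o fallback for 2.4 kernels),
# and the four DROP rules for UDP 67:68 shown in the posts are what is wanted.

TAP_IF="${TAP_IF:-tap0}"
DHCP_MATCH="-p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP"

# Load a module only if it is not already listed; try the plain name, then name.o.
load_mod() {
    lsmod 2>/dev/null | grep -q "^$1 " && return 0
    insmod "$1" 2>/dev/null || insmod "$1.o"
}

# Wait up to $1 seconds for the tap interface; OpenVPN may create it after the
# .ipup hook has fired, so give it the same kind of grace period a sleep would.
wait_for_tap() {
    n=${1:-60}
    while [ "$n" -gt 0 ]; do
        ifconfig "$TAP_IF" >/dev/null 2>&1 && return 0
        n=$((n - 1))
        sleep 1
    done
    return 1
}

# Insert one DROP rule unless a rule for this chain/direction already exists,
# so re-running the script after a GUI apply does not stack duplicate rules.
add_rule() {
    chain=$1
    dir=$2
    ebtables -L "$chain" 2>/dev/null | grep -q -- "$dir $TAP_IF" && return 0
    # word splitting of DHCP_MATCH is intended here
    ebtables -I "$chain" "$dir" "$TAP_IF" $DHCP_MATCH
}

apply_dhcp_block() {
    load_mod ebtables && load_mod ebtable_filter && load_mod ebt_ip || return 1
    wait_for_tap 60 || { echo "$TAP_IF did not appear" >&2; return 1; }
    add_rule INPUT -i && add_rule OUTPUT -o && add_rule FORWARD -i && add_rule FORWARD -o
}

# Read "ebtables -L" output on stdin; exit 0 only if all four DHCP DROP rules
# (INPUT -i, OUTPUT -o, FORWARD -i, FORWARD -o on the tap interface) are present.
dhcp_block_status() {
    awk -v tap="$TAP_IF" '
        /^Bridge chain:/ { chain = $3; sub(/,/, "", chain) }
        /--ip-proto udp --ip-dport 67:68 -j DROP/ {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == tap)
                    seen[chain " " $i] = 1
        }
        END {
            if (("INPUT -i" in seen) && ("OUTPUT -o" in seen) &&
                ("FORWARD -i" in seen) && ("FORWARD -o" in seen)) exit 0
            exit 1
        }'
}

# Constructed sample of "ebtables -L" output with the full rule set, in the
# same layout as the listing posted earlier in the thread.
SAMPLE_FULL='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP'

# Constructed sample with only INPUT/OUTPUT rules (FORWARD chain empty).
SAMPLE_PARTIAL='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap0 --ip-proto udp --ip-dport 67:68 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p IPv4 -o tap0 --ip-proto udp --ip-dport 67:68 -j DROP'

# Convenience wrapper: check a listing held in a variable.
check_listing() {
    printf '%s\n' "$1" | dhcp_block_status
}

# On the router itself (ebtables present) apply the rules and report the result.
if command -v ebtables >/dev/null 2>&1; then
    if apply_dhcp_block && ebtables -L | dhcp_block_status; then
        echo "DHCP block active on $TAP_IF"
    else
        echo "DHCP block NOT fully active on $TAP_IF" >&2
    fi
fi
```

Drop this into /jffs/etc/config/ebtables.ipup as in the steps above; because every rule insert is idempotent, the same script can also be re-run by hand (or from cron) after a GUI apply, and `ebtables -L | dhcp_block_status` gives a clean exit status you can alert on instead of eyeballing the listing.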
liutang
DD-WRT Novice


Joined: 30 Dec 2007
Posts: 11

PostPosted: Fri Feb 20, 2009 3:57
Glad it worked. I didn't know I only have to do it on the server. I guess that makes sense. On my router, it works with *.wanup. I don't know what all the other "ups" do. On one of my client servers that is going through a wireless bridge, it didn't work with *.wanup, but it did work with *.startup for some reason. Go figure. I guess each person needs to experiment with different extensions. Also, sometimes you need to give it a couple of seconds to complete. On a WHR-HP-G54, it took maybe 30 seconds after the router came up for the ebtables to run.
swordfishBob
DD-WRT Novice


Joined: 28 Jul 2007
Posts: 8

PostPosted: Thu Feb 26, 2009 3:59    Post subject: similar but different filtering
G'day

I have a collection of WRTs running v24sp1, all set as APs, bridged, with WDS between them. It's to give extended wireless coverage for an otherwise wired LAN. All units have IP addresses in the same subnet. There's no routing, no NAT.

I want to filter on the unit that has the cabled LAN port, so that wireless clients only have ability to use Ping, DNS, DHCP and Telnet. I also need to be able to remotely access all APs by web, telnet, snmp.

My first thought was to try iptables, but that doesn't seem to be affecting anything - perhaps because there's no IP-layer routing, just bridging.
Any suggestions? ebtables? (Is that in the main v24sp1 or only special builds?)
If someone can point me to an effective way of just allowing 1 or 2 protocols for connections originating on eth1 (wireless), I'm sure I can fill in the gaps for other protocols.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Mon Mar 02, 2009 6:46
Firov wrote:
VICTORY!
Hopefully the developers will fix the real issue soon so the commands will work in a normal startup script.
JN
DD-WRT Guru


Joined: 29 Mar 2007
Posts: 771

PostPosted: Thu Mar 26, 2009 2:34
JN wrote:
Firov wrote:
VICTORY!
Hopefully the developers will fix the real issue soon so the commands will work in a normal startup script.
Was the ebtables loading bug ever fixed for real in more recent builds?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Thu Mar 26, 2009 3:54
I've had similar trouble with loading iptables modules in the startup script but was able to easily overcome it with a simple sleep 60 which also gives you a minute to fix things if you ever screw up your config.
30dcfbe484
DD-WRT Novice


Joined: 20 Mar 2016
Posts: 7

PostPosted: Thu Nov 03, 2016 9:43
Hi,

Thank you very much for this solution, but I have a problem.

In my case I have two routers: OpenWrt (the server, which has a static WAN IP and local address 10.0.0.1) and DD-WRT (the client, 10.0.0.5) with an OpenVPN bridge.

In the startup script of DD-WRT I put this code:

Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


And it always works: DHCP doesn't go via the bridge. But I have a new problem. My case is:

MacBook connects to Wi-Fi on the server side, takes DHCP from the server, and can see the whole network on the server and client side.

Then the MacBook connects to Wi-Fi on the client side, takes DHCP from the client, and can see the whole network on the server and client side.

Then the MacBook again connects to Wi-Fi on the server side, takes DHCP, and ... can't see the client side of the bridge.

-------

In other words:

1) device connects to server - OK, gets DHCP from server, sees server and client side of bridge
2) device connects to client - OK, gets DHCP from client, sees server and client side of bridge
3) device connects to server a second time after connecting to client - problem, device can't see client side of the bridge

Sorry about my english.