Can someone else help confirm? I'm kind of new at this. BTW, I did this on a WRT350N running 11474 mega, but I'm sure it can work with openvpn_jffs build.
I don't put it anywhere. The second block is me typing commands into the terminal. I included it to show that the ebtables seem to remain loaded after boot.
What do you have in your startup script to ensure that ebtables.wanup is executed when the router is started? Which version of DD-WRT are you using, including build number and file name of .bin file? What model of router?
After much sadness, much anger, and much frustration I have finally found a solution to this problem. At least sort of.
It's not absolutely perfect for reasons I'll explain in a moment, but it does work.
liutang's idea was key. His exact idea actually failed, for me at least. But the revelation that it's possible to run scripts after startup by using the various script file extensions (e.g. .wanup) did at least set me on the right path.
I know that there's some bug in the startup script for DD-WRT that unloads ebtable_filter, so the challenge has been to run the ebtables start script after the router has already finished going through its other startup scripts.
This was achieved by using the ".ipup" script extension. By using the .ipup extension the script runs a second or two after the router has already finished booting, and as such, totally avoids the ebtable unload script that runs at router startup.
I'll explain exactly how to implement this in a moment, but first, I want to point out the one problem with this method.
Whenever you alter something with the web GUI on DD-WRT and hit apply, it runs some sort of script that simulates restarting the router. Unfortunately, this script also unloads ebtable_filter. So, while ebtable_filter will successfully run after router bootup now, if I attempt to change anything via the web GUI ebtable_filter will be unloaded. You can try this yourself just by changing, for example, the router GUI style and then hitting apply. Check ebtables and you'll see that it's been unloaded.
Now, this isn't a huge problem, because if you're altering the router settings then chances are it won't be too much trouble to just go ahead and restart the script manually, or just reboot the router once you've made the changes.
So, with all of that said, it's time to show precisely how to implement this. Also, it's worth noting that having jffs on your router is required for this.
1. Open a command line and telnet into your router, then enter the following commands:
   mkdir -p /jffs/etc/config
   cd /jffs/etc/config
2. Create a script called ebtables.ipup that has the following lines of text in it:
Final Notes - This script only needs to be put on your server router. It will block all DHCP traffic, whether it comes from the local LAN segment or the far LAN segment.
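The post above leaves out the body of its ebtables.ipup script, so here is an added example of what such a hook script can look like; it is my own illustration, not the poster's script. It assumes the bridge interface is named br0, that ebtables and the ebtables/ebtable_filter modules ship in the firmware, and that jffs is enabled as the post requires. It waits briefly for the bridge to come up (the .ipup hook fires right after boot), loads the filter module that the startup and "apply" scripts unload, and drops DHCP frames (UDP 67/68) crossing the bridge in either direction; the rule list is kept in a function so it can be reviewed before it is applied.

```shell
#!/bin/sh
# /jffs/etc/config/ebtables.ipup -- added example, not the original poster's script.
# Assumptions (not from the thread): bridge is br0, ebtables and its kernel
# modules are present in the firmware, and this file is executable on jffs.

BRIDGE="${BRIDGE:-br0}"

# Wait up to ~30 s for the bridge interface, since .ipup runs just after boot.
wait_for_bridge() {
    i=0
    while [ "$i" -lt 30 ]; do
        ifconfig "$BRIDGE" >/dev/null 2>&1 && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Rules that drop DHCP (UDP ports 67/68) frames forwarded across the bridge,
# from either LAN segment.  One command per line, so they can be inspected.
dhcp_block_rules() {
    cat <<EOF
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 67:68 -j DROP
EOF
}

# Number of rules the script will install (handy for a quick sanity check).
dhcp_rule_count() {
    echo $(dhcp_block_rules | wc -l)
}

# True when ebtable_filter is loaded; this is the module that DD-WRT's
# startup and "apply" scripts unload, so check it after any GUI change.
filter_loaded() {
    grep -q '^ebtable_filter' /proc/modules 2>/dev/null
}

apply_rules() {
    insmod ebtables 2>/dev/null
    insmod ebtable_filter 2>/dev/null
    ebtables -F FORWARD
    # Run each rule line through the shell so ebtables sees separate args.
    dhcp_block_rules | while read -r cmd; do
        sh -c "$cmd"
    done
}

# Only touch the kernel on a box that actually has ebtables and where we are root.
if command -v ebtables >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    wait_for_bridge && apply_rules
    filter_loaded || echo "ebtables.ipup: ebtable_filter is NOT loaded" >&2
fi
```

After changing anything in the web GUI, re-run the script by hand (sh /jffs/etc/config/ebtables.ipup) or call filter_loaded to confirm the module is still there, since, as the post notes, "apply" unloads ebtable_filter again.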
Glad it worked. I didn't know I only have to do it on the server. I guess that makes sense. On my router, it works with *.wanup. I don't know what all the other "ups" do. On one of my client servers that is going through a wireless bridge, it didn't work with *.wanup, but it did work with *.startup for some reason. Go figure. I guess each person needs to experiment with different extensions. Also, sometimes you need to give it a couple of seconds to complete. On a WHR-HP-G54, it took maybe 30 seconds after the router came up for the ebtables to run.
Posted: Thu Feb 26, 2009 3:59 Post subject: similar but different filtering
G'day
I have a collection of WRTs running v24sp1, all set as APs, bridged, with WDS between them. It's to give extended wireless coverage for an otherwise wired LAN. All units have IP addresses in the same subnet. There's no routing, no NAT.
I want to filter on the unit that has the cabled LAN port, so that wireless clients only have ability to use Ping, DNS, DHCP and Telnet. I also need to be able to remotely access all APs by web, telnet, snmp.
My first thought was to try iptables, but that doesn't seem to be affecting anything - perhaps because there's no IP-layer routing, just bridging.
Any suggestions? ebtables? (Is that in the main v24sp1 or only special builds?)
If someone can point me to an effective way of just allowing 1 or 2 protocols for connections originating on eth1 (wireless), I'm sure I can fill in the gaps for other protocols.
I've had similar trouble with loading iptables modules in the startup script but was able to easily overcome it with a simple sleep 60 which also gives you a minute to fix things if you ever screw up your config.
And all is OK now. DHCP doesn't go via the bridge, but I have a new problem. My case is:
Macbook connected to wifi on the server side, takes DHCP from the server, and can see the whole network on the server and client side.
Then Macbook connected to wifi on the client side, takes DHCP from the client, and can see the whole network on the server and client side.
Then Macbook again connected to wifi on the server side, takes DHCP, and ... and can't see the client side of the bridge.
-------
In other words:
1) device connects to server - OK, has DHCP from server, sees server and client side of bridge
2) device connects to client - OK, has DHCP from client, sees server and client side of bridge
3) device again connects to server a second time after connecting to client - problem, device can't see client side of the bridge