Both routers' DHCP is set to non-authoritative.
Both routers have separate domain names.
Both routers have non-overlapping IP ranges. (*.03 - *.100 / *.110 - *.200)
Each time a PC connects to either side of the bridge, either by Ether or Wifi, there is about a 50% chance that the PC will be assigned an IP and default GW on the opposite network. This causes ALL traffic from that PC to be routed over the VPN.
Anyone have any ideas how to stop this? Any reference material to throw my way?
iptables magic to block DHCP broadcast from client/server network?
If further info is required please advise.
I will PayPal $5 USD to the person that solves this problem or provides reference material that leads to the solution.
Thanks,
Last edited by onemyndseye on Tue Dec 01, 2009 7:15; edited 1 time in total
# block DHCP through tunnel
iptables -I INPUT -i tap0 -p udp --dport 67 -j DROP
iptables -I OUTPUT -o tap0 -p udp --dport 68 -j DROP
Alternative method that requires more processing but prevents a little more DHCP traffic on the tunnel:
# block DHCP through tunnel
insmod ebtables
iptables -I FORWARD -p udp --dport 67:68 -j DROP
_________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
From a wifi client connected to *.1 after adding firewall rules
Code:
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/pan0/32:6c:4f:a8:8f:c6
Sending on LPF/pan0/32:6c:4f:a8:8f:c6
Listening on LPF/vboxnet0/0a:00:27:00:00:00
Sending on LPF/vboxnet0/0a:00:27:00:00:00
Listening on LPF/eth0/00:1f:c6:4f:60:c5
Sending on LPF/eth0/00:1f:c6:4f:60:c5
Listening on LPF/wlan0/00:1d:e0:7e:4e:45
Sending on LPF/wlan0/00:1d:e0:7e:4e:45
Sending on Socket/fallback
DHCPDISCOVER on pan0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on vboxnet0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPREQUEST of 192.168.2.179 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.2.179 from 192.168.2.2
bound to 192.168.2.179 -- renewal in 36361 seconds.
Still traversing the tunnel :/
I haven't had a chance yet to check the firewall logs to see what's happening, but I will sometime today and post back.
I haven't yet been able to get this to happen on an Ether-connected client, so possibly this is a 1/2 solve.. Will know more after further testing.
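As an added check that is not part of the thread: a small Python script that scans dhclient output like the block above and flags any DHCPACK that came from a server other than the local router, or that handed out an address outside the local subnet. The site A prefix 192.168.1.0/24 and router 192.168.1.1 are assumptions based on "*.1" in the post; the embedded log lines are a constructed excerpt of the output shown above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the dhclient output posted above.
# The client sits on the 192.168.1.0/24 side (assumed from "*.1" in the post)
# but is acked by the 192.168.2.2 router on the other end of the tunnel.
SAMPLE_LOG = """\
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPREQUEST of 192.168.2.179 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.2.179 from 192.168.2.2
bound to 192.168.2.179 -- renewal in 36361 seconds.
"""

# dhclient prints one "DHCPACK of <ip> from <server>" line per accepted lease
ACK_RE = re.compile(r"DHCPACK of (\S+) from (\S+)")


def check_leases(log_text, local_subnet, local_server):
    """Return a list of (offered_ip, server_ip, reason) tuples, one for each
    DHCPACK that did not come from the expected local server or that assigned
    an address outside the local subnet.  An empty list means every lease in
    the log came from the local side of the bridge."""
    net = ipaddress.ip_network(local_subnet)
    expected = ipaddress.ip_address(local_server)
    findings = []
    for m in ACK_RE.finditer(log_text):
        ip = ipaddress.ip_address(m.group(1))
        srv = ipaddress.ip_address(m.group(2))
        reasons = []
        if srv != expected:
            reasons.append("acked by %s, expected %s" % (srv, expected))
        if ip not in net:
            reasons.append("address %s outside %s" % (ip, net))
        if reasons:
            findings.append((str(ip), str(srv), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Site A client: the lease in the sample came from the site B router.
    for ip, srv, why in check_leases(SAMPLE_LOG, "192.168.1.0/24", "192.168.1.1"):
        print("cross-site lease %s from %s: %s" % (ip, srv, why))
```

Run it on both sides after adding the firewall rules; a clean run on each router's clients shows the DHCP blocking on the tunnel is actually taking effect.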
Did you put the same commands on both routers?
It's odd that the requests are still getting through. Best guess is since it's a LAN bridge the firewall is mistaking it for lan0 traffic and not tap0 *shrug*, but I dunno - this isn't exactly my field of knowledge.
I'm in the field right now - hopefully examining the firewall logs will shed some light on what's going on. I need to be on site to connect/reconnect to monitor properly.
Also tried both of your methods together just to be thorough. No dice.
Post the output from running this via telnet on both routers.
iptables -vnL OUTPUT
Quick fix for me was just to assign static leases under Services of the DD-WRT GUI for the known computers on one side of my OpenVPN site-to-site bridge. Guess I could go one step further and do the same for known computers on the other side as well, but it seems to be doing the job and didn't require additional firewall rules. Had to assign static IPs anyway since I wanted to use the WOL function to remotely power up the computers also! :wink:
iptables -vnL FORWARD
Quick fix for me was just to assign static leases under Services of the DD-WRT GUI for the known computers on one side of my OpenVPN site-to-site bridge. Guess I could go one step further and do the same for known computers on the other side as well, but it seems to be doing the job and didn't require additional firewall rules. Had to assign static IPs anyway since I wanted to use the WOL function to remotely power up the computers also!
Actually this doesn't help at all. There are several machines on this network (on both sides) that do have static leases. Recently a Site B server was taken to Site A (host site) for some upgrades, and guess what? When connected to the network it claimed its standard static lease from the Site B router LOL
Don't know how I missed that thread though - nice find.. I'll pore over it later today when I get a chance.
Last edited by onemyndseye on Wed Dec 02, 2009 6:28; edited 1 time in total
Still did not get a chance to debug well today.. not enough hours in the day it seems. I think this is definitely NOT happening any longer for Ether-connected clients... getting close
The forward rule isn't there, did you really put them in your firewall script like you're supposed to?
I had the same problem, and this solution seems to work; DHCP traffic IS blocked. But now I get another problem:
As soon as the ebtables module is loaded, all broadcasts have their source IP set to the router's IP. Meaning games no longer work (games now try to connect to the router's IP address).