OpenVPN Site Bridge. Clients get IP from wrong network

DD-WRT Forum Index -> Broadcom SoC based Hardware (page 3 of 3)
somms (DD-WRT User; Joined: 21 Mar 2008; Posts: 258)
Posted: Fri Jan 29, 2010 1:57
ev1te wrote:

Maybe I shouldn't make it so complicated for myself, it's not for a corporate solution or anything, just to simplify my own private network with some friends.


You could block the offending client's MAC address on an as-needed basis by blocking the DHCP request under DD-WRT GUI Services/DNSMasq
DNSMasq: Enabled
Additional DNSMasq Options:

dhcp-host=00:1F:16:FD:DE:22,ignore
dhcp-host=00:24:2C:20:B9:14,ignore
dhcp-host=00:1F:E1:8E:A6:19,ignore
etc., etc.

You would have to set the blocking on both Server and Client routers of the OpenVPN bridge to ignore each other's clients...


Probably wasting my time since my suggestion to just use static leases for known MAC addresses in a previous thread was ignored.

_________________


Member of the Professional Aviation Safety Specialists Union!
ev1te (DD-WRT User; Joined: 03 Jan 2007; Posts: 76; Location: Sweden, Stockholm)
Posted: Fri Jan 29, 2010 21:45
You are not wasting your time. As it looks right now, this is the best solution. Thanks for the tip on how to ignore MAC addresses in DNSMasq, I did not know that it was that easy.

_________________
WRT320N
samuraijack1 (DD-WRT Novice; Joined: 23 Apr 2009; Posts: 14)
Posted: Thu Feb 18, 2010 18:33
somms wrote:

dhcp-host=00:1F:16:FD:DE:22,ignore
dhcp-host=00:24:2C:20:B9:14,ignore
dhcp-host=00:1F:E1:8E:A6:19,ignore
etc., etc.

You would have to set the blocking on both Server and Client routers of the OpenVPN bridge to ignore each other's clients...

Are these the MAC addresses of the other DHCP servers or the MAC addresses of the DHCP clients of the other routers? Sorry to sound like a noob (that's because I am not good at this). Would you mind explaining a little for people like me?
somms (DD-WRT User; Joined: 21 Mar 2008; Posts: 258)
Posted: Thu Feb 18, 2010 19:48
samuraijack1 wrote:

Are these the MAC addresses of the other DHCP servers or the MAC addresses of the DHCP clients of the other routers? Sorry to sound like a noob (that's because I am not good at this). Would you mind explaining a little for people like me?

No problem...
Those are the MAC addresses of the client computers that I want to block from making DHCP requests since they are present on the wrong/other end of the OpenVPN tap interface...

_________________


Member of the Professional Aviation Safety Specialists Union!
SilverPuppy (DD-WRT Novice; Joined: 16 Sep 2010; Posts: 22)
Posted: Fri Feb 17, 2012 2:00    Post subject: Wow, this is nuts......
After MUCH reading of all of the ideas and struggles in this and the linked forum thread, THIS is what finally worked for me:

Code:
# Load the ebtables modules and block DHCP over the OpenVPN tap bridge
insmod ebtables
insmod ebtable_filter
insmod ebt_ip
# ebtables INPUT/OUTPUT only see frames addressed to or sent by this router itself
# (its own dnsmasq); drop DHCP (UDP 67/68) that arrives from or goes out to the tunnel
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
# Remove the LAN-to-LAN masquerade rule DD-WRT adds on br0, so bridged traffic is not NATed
LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
iptables -t nat -D POSTROUTING -o br0 -s $LAN_NET -d $LAN_NET -j MASQUERADE
# Frames bridged between ports (tap0 <-> LAN) bypass ebtables INPUT/OUTPUT; they hit
# iptables FORWARD when bridge-nf-call-iptables is enabled, so drop DHCP there as well
iptables -I FORWARD -p udp --dport 67:68 -j DROP

This went at the end of the startup script on the router at the remote location, not the main location. By adding the FORWARD rule to the one Phuzi0n suggested, it worked in my case. The Internet bandwidth at the remote location is only a few megabits, so CPU usage remains acceptable.

I know this is a very old thread, but I hope that this is helpful. This is a consistently irritating problem for which I had sought a solution for literally YEARS, and I'm glad to finally have something that worked. Mods, please don't lock this thread........
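Two things the thread leaves to guesswork are which client MACs belong on the far side of the tap bridge (somms' `dhcp-host=MAC,ignore` list) and whether, after SilverPuppy's ebtables/iptables rules are in place, any OFFER/ACK from the wrong server still reaches the LAN. The script below is an added example, not code from any post here or from DD-WRT: it parses DHCP messages, lists the client MACs whose DISCOVER/REQUEST arrived through the tunnel, and flags leases handed out by a server other than the local one. The local server address, subnet, interface names and every packet are assumptions constructed for the example.

```python
"""Audit DHCP traffic seen across a bridged OpenVPN tap link.

Added example for this thread, not code from any of the posts. It parses
the UDP payload of DHCP messages, lists client MACs whose DISCOVER/REQUEST
came in through the tunnel (candidates for `dhcp-host=MAC,ignore` on the
far side's dnsmasq) and flags OFFER/ACK messages that come from a server
other than the expected local one. Local server, subnet, interface names
and all packets below are assumptions constructed for the example.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Assumptions: this router's dnsmasq and LAN, and the interface names
# DD-WRT would show (tap0 = tunnel, vlan1 = LAN switch ports).
LOCAL_SERVER = ipaddress.IPv4Address("192.168.1.1")
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")
TUNNEL_IF = "tap0"


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the TLV option area of one DHCP
    message (UDP payload only). Raises ValueError if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    if hlen != 6:
        raise ValueError("not an Ethernet client address")
    yiaddr = ipaddress.IPv4Address(payload[16:20])   # address being offered
    chaddr = payload[28:28 + hlen]                    # client hardware address
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # END option
            break
        if code == 0:              # PAD option
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    mtype = (opts.get(53) or b"\x00")[0]             # option 53: message type
    server_id = opts.get(54)                          # option 54: server identifier
    return {
        "op": op,
        "type": MSG_TYPES.get(mtype, f"TYPE{mtype}"),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "yiaddr": yiaddr,
        "server_id": ipaddress.IPv4Address(server_id) if server_id and len(server_id) == 4 else None,
    }


def build_dhcp(op, mtype, mac, yiaddr="0.0.0.0", server_id=None, xid=0x3903F326) -> bytes:
    """Construct a minimal DHCP message; used only to make sample input."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)       # flags: broadcast
    hdr += b"\x00" * 4                                                # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                       # yiaddr
    hdr += b"\x00" * 8                                                # siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")     # chaddr
    hdr += b"\x00" * 192                                              # sname, file
    opts = bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"


def audit(frames):
    """frames: list of (ingress interface, DHCP payload).
    Returns (dnsmasq ignore lines, list of foreign OFFER/ACK messages)."""
    remote_clients = set()
    foreign = []
    for iface, payload in frames:
        m = parse_dhcp(payload)
        if m["type"] in ("DISCOVER", "REQUEST") and iface == TUNNEL_IF:
            remote_clients.add(m["mac"])
        elif m["type"] in ("OFFER", "ACK"):
            if m["server_id"] != LOCAL_SERVER or m["yiaddr"] not in LOCAL_NET:
                foreign.append((m["mac"], str(m["yiaddr"]), str(m["server_id"])))
    return [f"dhcp-host={mac},ignore" for mac in sorted(remote_clients)], foreign


# Constructed sample traffic (not a capture): one far-side client asking via
# the tunnel, one local client, and two competing OFFERs for the local client.
SAMPLE_FRAMES = [
    ("tap0", build_dhcp(1, 1, "00:1f:16:fd:de:22")),
    ("vlan1", build_dhcp(1, 1, "00:24:2c:20:b9:14")),
    ("tap0", build_dhcp(2, 2, "00:24:2c:20:b9:14", "192.168.2.50", "192.168.2.1")),
    ("vlan1", build_dhcp(2, 2, "00:24:2c:20:b9:14", "192.168.1.50", "192.168.1.1")),
]

if __name__ == "__main__":
    ignore_lines, bad = audit(SAMPLE_FRAMES)
    print("\n".join(ignore_lines))
    for mac, ip, srv in bad:
        print(f"foreign lease: {mac} offered {ip} by {srv}")
```

Feeding real traffic in (for example the UDP payloads of a `tcpdump -i tap0 port 67 or port 68` capture) gives the `dhcp-host=...,ignore` lines to paste into the other router's Additional DNSMasq Options, and an empty foreign-lease list is the confirmation that the ebtables/iptables block is actually stopping OFFERs from the far side. Two caveats: a per-MAC ignore list is a convenience control, not a security boundary, since any client that changes its MAC slips past it; and dnsmasq can invert the approach with `dhcp-ignore=tag:!known`, which answers only hosts that have a `dhcp-host` entry, so static leases for the known local machines double as the allow-list and nothing on the far side needs to be enumerated.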
wabe (DD-WRT User; Joined: 17 Jun 2006; Posts: 429)
Posted: Thu Jul 11, 2013 8:55
SilverPuppy:

I have problems with this too. I tried using the ebtables rules only first, but that didn't do the trick. Then I added a dnsmasq rule mentioned in another thread to block DHCP on the tap0 interface, without luck.
Finally I added the last three lines of your code, but then I cannot connect to my remote sites?
Edit: Seems I had a problem on the server side. After a restart the bridge works and clients are getting their leases from the correct DHCP server.
All times are GMT