Maybe I shouldn't make it so complicated for myself; it's not for a corporate solution or anything, just to simplify my own private network with some friends.
You could block the offensive client's MAC address on an as-needed basis by blocking the DHCP request under the DD-WRT GUI, Services/DNSMasq:
DNSMasq: Enabled
Additional DNSMasq Options:
Joined: 03 Jan 2007 Posts: 76 Location: Sweden, Stockholm
Posted: Fri Jan 29, 2010 21:45 Post subject:
somms wrote:
You would have to set the blocking on both the Server and Client routers of the OpenVPN bridge to ignore each other's clients...
Probably wasting my time, since my suggestion to just use static leases for known MAC addresses in a previous thread was ignored.
You are not wasting your time. As it looks right now, this is the best solution. Thanks for the tip on how to ignore MAC addresses in DNSMasq; I did not know that it was that easy.
Are these the MAC addresses of the other DHCP servers or the MAC addresses of the DHCP clients of the other routers? Sorry to sound like a noob (that's because I am not good at this). Would you mind explaining a little for people like me?
No problem...
Those are the MAC addresses of the client computers that I want to block from making DHCP requests, since they are present on the wrong/other end of the OpenVPN tap interface...
Posted: Fri Feb 17, 2012 2:00 Post subject: Wow, this is nuts......
After MUCH reading of all of the ideas and struggles in this and the linked forum thread, THIS is what finally worked for me:
Code:
# Load modules and configure ebtables (block DHCP over the OpenVPN tunnel)
insmod ebtables
insmod ebtable_filter
insmod ebt_ip
# Drop DHCP (UDP 67/68) entering or leaving the bridge through the tap interface
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
# Phuzi0n's suggestion: remove the LAN-to-LAN masquerade rule on br0
LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
iptables -t nat -D POSTROUTING -o br0 -s "$LAN_NET" -d "$LAN_NET" -j MASQUERADE
# Additionally drop DHCP that is forwarded (routed) through the box
iptables -I FORWARD -p udp --dport 67:68 -j DROP
This went at the end of the startup script on the router at the remote location, not the main location. By adding the FORWARD rule to the one Phuzi0n suggested, it worked in my case. The Internet bandwidth at the remote location is only a few megabits, so CPU usage remains acceptable.
I know this is a very old thread, but I hope that this is helpful. This is a consistently irritating problem for which I had sought a solution for literally YEARS, and I'm glad to finally have something that worked. Mods, please don't lock this thread........
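As an added example (not code from the thread), here is a small Python model of the two controls discussed above: somms' per-MAC ignore list in dnsmasq and the port-based drop of DHCP on the tap interface. The DHCPDISCOVER it parses is constructed inline, and the function names are my own.

```python
import struct

DHCP_PORTS = {67, 68}                     # ports matched by the ebtables/iptables rules
DHCP_MAGIC = b"\x63\x82\x53\x63"           # BOOTP vendor magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def parse_dhcp(payload):
    """Parse the fixed BOOTP header and option 53; return (client_mac, msg_type)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    htype, hlen = payload[1], payload[2]
    if htype != 1 or hlen != 6:
        raise ValueError("unsupported hardware address type")
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])   # chaddr field
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:              # 255 = end option
        if payload[i] == 0:                                    # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(payload[i + 2], "type%d" % payload[i + 2])
        i += 2 + length
    if msg_type is None:
        raise ValueError("missing DHCP message type option")
    return mac, msg_type

def ignore_lines(remote_macs):
    """dnsmasq 'Additional Options' lines that make it ignore the far-end clients."""
    return ["dhcp-host=%s,ignore" % m.lower() for m in sorted(remote_macs)]

def verdict(iface, udp_dport, payload, tunnel_iface="tap0", remote_macs=frozenset()):
    """Which control handles this frame: the port drop on the tunnel, the
    dnsmasq MAC ignore list, or neither (the request is served normally)."""
    if udp_dport not in DHCP_PORTS:
        return "PASS"                       # not DHCP; neither rule set applies
    if iface == tunnel_iface:
        return "DROP:ebtables"              # blocked at the tunnel regardless of MAC
    mac, _ = parse_dhcp(payload)
    return "IGNORE:dnsmasq" if mac in remote_macs else "SERVE"

def build_discover(mac, xid=0x3903F326):
    """Constructed sample DHCPDISCOVER (broadcast flag set) for the functions above."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac + b"\0" * 10 + b"\0" * 64 + b"\0" * 128     # chaddr pad, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])        # option 53 = DISCOVER, end
```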
I have problems with this too. I tried using the ebtables rules only at first, but that didn't do the trick. Then I added a dnsmasq rule mentioned in another thread to block DHCP on the tap0 interface, without luck.
Finally I added the last three lines of your code, but then I cannot connect to my remote sites?
Edit: It seems I had a problem on the server side. After a restart the bridge works and clients get their leases from the correct DHCP server.