Firewalling OpenVPN

Discussion in 'Tomato Firmware' started by wetwilly, Sep 3, 2011.

  1. wetwilly

    wetwilly Addicted to LI Member

    Hello all.

    I am currently running an OpenVPN TAP peer-to-peer setup consisting of a pfSense 2.0 server and two TomatoUSB units. TomatoUSB is run on a WNR3500L and a WRT54GL, both running toastman's builds.

    The LAN is segmented as 10.0.1.0/22 and each site is then running
    10.0.1.1/22
    10.0.2.1/22
    10.0.3.1/22
    The DHCP pool for each site is set up to only give leases within its own scope of 10.0.x.100-199.

    This has been running really smoothly for a couple of weeks except for some smaller issues that maybe someone here could help me sort out.

    As we all know, DHCP broadcasts, so I thought it would be best to block DHCP between the sites and decided to block UPnP along with it. I did this by adding the following to
    Administration → Scripts → Firewall
    Code:
    #Block DHCP between OpenVPN TAP
    ebtables -I FORWARD -i tap11 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I FORWARD -o tap11 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I INPUT -i tap11 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I OUTPUT -o tap11 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    
    #Block UPnP between OpenVPN TAP
    ebtables -I FORWARD -i tap11 -p IPv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -I FORWARD -o tap11 -p IPv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -I INPUT -i tap11 -p IPv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
    ebtables -I OUTPUT -o tap11 -p IPv4 --ip-protocol udp --ip-destination-port 1900 -j DROP



    This worked fine on the WNR3500L, as it supports ebtables, but from the WRT54GL I still saw log entries about DHCP requests and UPnP mappings coming from other networks, and there is no ebtables binary available from the shell.


    I also noticed that the 3500L firewall scripts are being run more than once(?), which causes the ebtables list to clutter up and look like this after a short while, the same entries over and over:
    Code:
    root@wrn3500l:/tmp/home/root# ebtables -L
    Bridge table: filter
    
    Bridge chain: INPUT, entries: 10, policy: ACCEPT
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    
    Bridge chain: FORWARD, entries: 20, policy: ACCEPT
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -i tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    
    Bridge chain: OUTPUT, entries: 10, policy: ACCEPT
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 1900 -j DROP
    -p IPv4 -o tap11 --ip-proto udp --ip-dport 67:68 -j DROP 

    So to sum it up, my issues are these:
    How do I block the traffic I don't want (DHCP + UPnP) over the WRT54GL?
    I heard iptables wouldn't suffice (is it true?) so I haven't tried.

    How do I prevent the firewall script from being run multiple times? I guess I could add an ebtables flush to the start of the script to prevent it from cluttering but that feels like the wrong way to go about it.
    Under the OpenVPN client there is a firewall dropdown that can choose from Automatic/Custom.
    I guess that Automatic calls the /etc/openvpn/fw/script but what does the Custom call?
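An added example, not from the thread or from Tomato itself: the same DHCP/UPnP block on tap11 written so that each rule is inserted only when ebtables does not already list an equivalent one, so the firewall script can safely run more than once. The EBTABLES variable and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the same DHCP/UPnP block as above,
# but each rule is inserted only if an equivalent one is not already listed,
# so the script can run more than once without duplicating entries.
# Assumption: EBTABLES names the ebtables binary (overridable so the logic can
# be exercised against a constructed listing); helper names are this example's own.
EBTABLES="${EBTABLES:-ebtables}"

# From an "ebtables -L" listing on stdin, print only the rule lines of chain $1.
chain_rules() {
    awk -v chain="$1" '
        /^Bridge chain: / { inchain = ($3 == chain ","); next }
        inchain && /-j / { print }
    '
}

# Succeed if a DROP for this chain / direction flag (-i or -o) / interface /
# UDP destination port is already present, in the form ebtables -L prints it.
rule_present() {
    "$EBTABLES" -L | chain_rules "$1" |
        grep -q -- "$2 $3 .*--ip-proto udp --ip-dport $4 -j DROP"
}

# Insert the rule only when rule_present reports it missing.
ensure_drop() {
    rule_present "$1" "$2" "$3" "$4" && return 0
    "$EBTABLES" -I "$1" "$2" "$3" -p IPv4 --ip-protocol udp \
        --ip-destination-port "$4" -j DROP
}

# Block DHCP (67:68) and UPnP/SSDP (1900) across the tap11 bridge port in the
# four directions used in the post, growing each chain at most once.
apply_tap_block() {
    for port in 67:68 1900; do
        ensure_drop FORWARD -i tap11 "$port"
        ensure_drop FORWARD -o tap11 "$port"
        ensure_drop INPUT   -i tap11 "$port"
        ensure_drop OUTPUT  -o tap11 "$port"
    done
}

# In the Tomato firewall script box, end the script with "apply_tap_block";
# as a stand-alone script, pass the argument "apply" to do the same.
if [ "${1-}" = "apply" ]; then
    apply_tap_block
fi
```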
     
  2. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Any particular reason you are using TAP (bridged) vs TUN (routed)? Seems like it would make life MUCH easier for you...

    I don't see why you couldn't block it with iptables... You are still letting them broadcast within each LAN, you just don't want it to go over the TAP interface...
     