Block DHCP over bridged VPN

Discussion in 'Tomato Firmware' started by Tiansen, Jul 18, 2013.

  1. Tiansen

    Tiansen Addicted to LI Member

  2. darkknight93

    darkknight93 Networkin' Nut Member

    you might use iptables instead of the ebtables command. Give it a try - but it might be that it won't work.

    I don't know where the difference is between both ;)

    EDIT:
    > What is the advantage of using ebtables compared to iptables?
    They have different purposes.
    Ebtables is a Link Layer oriented filtering tool, used on the Linux bridge.
    Iptables is oriented for the Network Layer (and upper layers).
    F.e. I made an 802.1Q VLAN match module for ebtables, because this is
    the task for the bridge and at the Link Layer.
  3. Tiansen

    Tiansen Addicted to LI Member

    AFAIK iptables cannot filter out DHCP broadcasts. Any other solutions??
  4. darkknight93

    darkknight93 Networkin' Nut Member

    blocking port 68 incoming from VPN Interface? :)
  5. Tiansen

    Tiansen Addicted to LI Member

    I have found this explanation on some forum about this:

    Iptables works on layer 3, it doesn't even see the bridged traffic unless you load ebtables to enable a hack. Having ebtables with this hack enabled can cause trouble with iptables rules that aren't written with this behavior in mind which includes some of the firmware default rules. Because of this loopback must be enabled which will NAT your tunneled traffic going to the same subnet, if you disable loopback then it will drop it instead of NAT'ing.

    So how can we solve this thing then??
  6. somms

    somms Network Guru Member

    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
    Entering the above under Firewall using Shibby's OpenVPN firmware on my RT-N66U acting as the OpenVPN server blocks remote OpenVPN client routers' DHCP requests...
  7. Tiansen

    Tiansen Addicted to LI Member

    Yes, I am very happy for you that you have ebtables ;)

    Unfortunately TomatoVPN lacks it, and the same is true for uudecode. If I could have at least one of those two tools, I could solve it. But now I am still searching for a solution. I think that adding some tool to the TomatoVPN firmware is not an easy task to accomplish either.
  8. jerrm

    jerrm Network Guru Member

    The correct solution would be to get the module from your Tomato build's extras package.

    You're asking for trouble using a kernel module compiled for a different firmware; it may not work at all, but if you insist...

    Assuming your openssl is comparable with most current tomato builds, from the ddwrt post, replace:
    echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
    with:
    rm -f /tmp/ebt_ip.o.gz.u64
    and remove:
    echo "====" >> /tmp/ebt_ip.o.gz.u64
    Then replace:
    uudecode /tmp/ebt_ip.o.gz.u64 | gunzip -cd > /tmp/ebt_ip.o
    with:
    openssl enc -base64 -d -in /tmp/ebt_ip.o.gz.u64 | gunzip > /tmp/ebt_ip.o
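The substitution jerrm describes, written out as a small script (an added example; this is not code from the thread or from the DD-WRT page). The DD-WRT payload is a gzip'd module wrapped in uuencode base64 framing ("begin-base64 644 -" ... "===="), which `openssl enc -base64 -d` does not understand, so the framing is stripped before decoding, and the decoded file is compared against a checksum before anything would be handed to insmod, which matters precisely because the module was built for a different firmware. Assumed tools: openssl (or `base64` as a fallback), gzip, cksum and awk in PATH; file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the DD-WRT page.
# Assumes: openssl or base64, gzip, cksum and awk are available.

# Drop uuencode base64 framing lines, if present (stdin -> stdout).
# "openssl enc -base64 -d" chokes on them; plain base64 bodies pass through.
strip_uu_framing() {
    sed -e '/^begin-base64 /d' -e '/^====$/d'
}

# Pick whichever base64 decoder the firmware has (TomatoVPN has openssl).
b64_decoder() {
    if command -v openssl >/dev/null 2>&1; then
        echo "openssl enc -base64 -d"
    else
        echo "base64 -d"
    fi
}

# Decode $1 into $2; with $3 = gz the result is also gunzipped.
# Exit status is non-zero when the base64 or gzip data is corrupt.
b64_decode_file() {
    in=$1; out=$2; mode=${3:-raw}
    if [ "$mode" = gz ]; then
        strip_uu_framing < "$in" | $(b64_decoder) | gunzip > "$out"
    else
        strip_uu_framing < "$in" | $(b64_decoder) > "$out"
    fi
}

# Produce the same framing the DD-WRT post used (for building test payloads).
uu_b64_encode_file() {
    printf 'begin-base64 644 -\n'
    if command -v openssl >/dev/null 2>&1; then
        openssl enc -base64 -in "$1"
    else
        base64 "$1"
    fi
    printf '====\n'
}

# POSIX cksum CRC of a file, and a comparison against an expected value
# obtained out of band (the module's publisher would list it).
file_cksum() {
    cksum < "$1" | awk '{print $1}'
}
verify_cksum() {
    [ "$(file_cksum "$2")" = "$1" ]
}

# Typical use on the router (placeholder paths):
#   b64_decode_file /tmp/ebt_ip.o.gz.u64 /tmp/ebt_ip.o gz \
#     && verify_cksum "$EXPECTED_CRC" /tmp/ebt_ip.o \
#     && insmod /tmp/ebt_ip.o
```

Only when both the decode and the checksum comparison succeed does the chain reach insmod; a truncated paste or a wrong module silently breaking the bridge is otherwise the failure mode to expect.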
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    If TomatoVPN lacks ebtables, then switch to another Tomato firmware variant that includes it. It's not like Shibby or Toastman don't make builds with the exact same VPN support in them.
  10. lancethepants

    lancethepants Network Guru Member

    I actually wrote that portion on the DD-WRT page of blocking DHCP over a tap connection. It's something I've researched quite a bit.

    There are a couple of threads in this forum already talking about this. Two of them I know of I've been involved in reference each other, so here's a post to one of them.
    While you're at it, you may want to block upnp and natpmp.
    That's kind of the problem of creating bridged VPNs over the internet. There could be many other protocols that would be undesirable to allow to cross a site-to-site VPN. It should be possible with ebtables to block all broadcasts by default, and only allow those that you specifically want. The list of broadcasts I would allow is much shorter than the ones I would block. I would just allow ARP only, and continue from there with the ones I wanted to cross the bridge. ebtables is pretty heavy on the CPU, and may significantly decrease your throughput as it has to inspect a lot of packets.
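The two approaches in this thread, somms' four DHCP-drop rules and the default-deny broadcast policy lancethepants describes above, combined into one firewall script. This is an added example, not code from either poster. It assumes the OpenVPN tap interfaces are named tap0, tap1, ... (ebtables' `tap+` wildcard matches that prefix), that `ebtables` is in PATH, and that setting `DRY_RUN=1` should print the rules instead of applying them so they can be reviewed before going into Tomato's Firewall script.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes tap* interfaces, ebtables
# in PATH, and DRY_RUN=1 to print instead of apply.

EBT=${EBT:-ebtables}
TAP=${TAP:-tap+}   # '+' is ebtables' prefix wildcard: tap0, tap1, ...

# Run an ebtables command, or echo it when DRY_RUN=1.
ebt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$EBT $*"
    else
        "$EBT" "$@"
    fi
}

# DHCPv4 is UDP between port 67 (server) and 68 (client); the 67:68 range on
# either port matches both directions. INPUT rules keep remote requests away
# from this router's own dnsmasq; FORWARD rules keep the local LAN's DHCP
# traffic from leaving through the tunnel. These port-based rules are still
# needed alongside the broadcast policy below: a client renewing its lease
# unicasts to the server, so that traffic is not a broadcast at all.
dhcp_block_rules() {
    ebt -A INPUT   --in-interface  "$TAP" --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebt -A INPUT   --in-interface  "$TAP" --protocol ipv4 --ip-protocol udp --ip-source-port      67:68 -j DROP
    ebt -A FORWARD --out-interface "$TAP" --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebt -A FORWARD --out-interface "$TAP" --protocol ipv4 --ip-protocol udp --ip-source-port      67:68 -j DROP
}

# Default-deny for broadcasts: only ARP may cross the tunnel as a broadcast
# frame; anything else addressed to ff:ff:ff:ff:ff:ff is dropped, whether it
# arrives from the tunnel (INPUT, FORWARD in) or would leave through it
# (FORWARD out). Add an ACCEPT line for each protocol that genuinely needs
# to cross. Unicast frames are untouched. Every bridged frame is now
# inspected, which is the CPU cost the thread warns about.
broadcast_allowlist_rules() {
    bcast=ff:ff:ff:ff:ff:ff
    for rule in "INPUT --in-interface" "FORWARD --in-interface" "FORWARD --out-interface"; do
        set -- $rule
        ebt -A "$1" "$2" "$TAP" -d "$bcast" --protocol ARP -j ACCEPT
        ebt -A "$1" "$2" "$TAP" -d "$bcast" -j DROP
    done
}

# On Tomato, paste the functions into Administration -> Scripts -> Firewall
# and call them there. "DRY_RUN=1 sh block-dhcp.sh apply" prints the rules.
if [ "${1:-}" = "apply" ]; then
    dhcp_block_rules
    broadcast_allowlist_rules
fi
```

Order matters inside each chain: the ARP ACCEPT precedes the broadcast DROP, and the DHCP rules are appended before the broadcast rules so a dropped DHCP frame is counted on the specific rule, which makes `ebtables -L --Lc` useful for confirming that the remote site's requests are actually being caught.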
  11. somms

    somms Network Guru Member

    Looks like I'm using your Firewall script only on the Server-side OpenVPN router and it's been working 100%! :)

    If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match

    Using tap+ instead of tapX is the only diff I can tell! :D
  12. Tiansen

    Tiansen Addicted to LI Member

    I will try with Shibby Tomato version.

    Is this image right for WRT54GL v1.1?

    Or should I use this instead?

    I obviously need VPN support.
    What does RT mean? I don't want to brick my router.

    Thank you very much for answer!
  13. Tiansen

    Tiansen Addicted to LI Member

    Hm, I tried to upgrade with all versions of firmware (IPv6-VPN, Max, MiniVPN), but I always get the same message: that the file is too big for MTD. I have WRT54GL v1.1. Aren't MIPSR1 releases meant for this router?
  14. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    Recent builds are more suited to newer routers. Shibby's builds are a bit bigger due to the torrent client. If you need the torrent client then use an older Shibby build. If you don't need it then a Victek or Toastman firmware may have a smaller image for firmwares built around the same time.

    If you don't need ipv6 then try a MIPSR1 K2.4 build. It will be faster.
  15. Monk E. Boy

    Monk E. Boy Network Guru Member

    If you have a WRT-54G or WRT-54GL you need a firmware with ND drivers, not RT or RT-N. ND, RT, and RT-N just refer to the wireless driver inside the firmware, and you can't use a WRT-54G or WRT-54GL with an RT or RT-N driver. You would likely brick the router trying to flash an RT or RT-N build onto a WRT-54GL, at which point the router is just about as useful as a brick.

    Toastman should have some MIPSR1 (refers to the type of CPU inside the router, a WRT-54GL has a revision 1 MIPS CPU) K24 builds that will work. Linux kernel v2.4 (K24) builds tend to be smaller than v2.6 (K26) builds.
  16. Tiansen

    Tiansen Addicted to LI Member

    Now I have K24 Toastman firmware tomato-ND-1.28.8754-vpn3.6. VPN works but still cannot filter out DHCP over VPN because Toastman's build lacks ebtables too. Is there any Tomato firmware that supports ebtables?
  17. lancethepants

    lancethepants Network Guru Member

    Finding a firmware for an ND device with ebtables may be difficult. Such a firmware for Tomato may not exist. The RT builds for newer routers do have ebtables. I don't see anywhere where you mention what router you have, but it sounds like an older one, like a wrt54 variant. Especially if it only has 4MB for firmware, squeezing everything and ebtables into the firmware is a lot, possible, but not sure if any tomato developer has done it. I would suggest in any case upgrading to a more capable router.

    edit: Actually, I do recall older versions of tomato supposedly had ebtables. This was back in the day when the original developer was still working on it. He took it out in the next release because it created stability issues. His releases though will not have OpenVPN; they are really old. Better off getting a MIPSR2 router with Linux 2.6.

    Take a look at the bottom of the following link. By using ebtables, you're going to take a 50% hit in speed.

    That's not even mentioning the encryption/decryption that will be going on with the VPN leg of the bridge, so expect even slower. A wrt54g variant is going to struggle and slow down a bunch compared to newer stuff.
    OpenWRT probably has much better ebtables support for older routers. I would just get something newer if you're really serious about using ebtables.
  18. Tiansen

    Tiansen Addicted to LI Member

    So, I'm pretty much out of luck with this router and ebtables. Is there any alternative way to prevent DHCP broadcasts from going over the VPN bridge?
    If there is no other solution, it would also be OK if I could tell the router not to assign an IP number to a specific MAC address. Is it possible to do this?
    Let me explain: I have network 1 with device 1 and router 1. Then I have network 2 with device 2 and router 2. Router 1 and 2 are connected with a VPN bridge. Now there's a problem if device 2 gets an IP number assigned from router 1. Because then all internet traffic from device 2 goes through the VPN and slows it down significantly. Is there any way to tell router 1 to NOT assign an IP number to device 2, so that router 2 will assign it for sure? Because the networks are relatively small, that would be an acceptable solution too, if possible.
  19. lancethepants

    lancethepants Network Guru Member

    The special keyword "ignore" tells dnsmasq to never offer a DHCP lease to a machine. The machine can be specified by hardware address, client ID or hostname, for instance --dhcp-host=00:20:e0:3b:13:af,ignore This is useful when there is another DHCP server on the network which should be used by some machines.
  20. Tiansen

    Tiansen Addicted to LI Member

    It seems that if I want to use that solution with dnsmasq, I should somehow add that argument (--dhcp-host) to the dnsmasq command that gets executed during startup of the router. In the GUI of Tomato there is no option to include ignored MAC addresses, so how can I achieve that with the command line?
  21. lancethepants

    lancethepants Network Guru Member

    Advanced -> DHCP/DNS -> Dnsmasq Custom configuration
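A helper for producing the lines that go into that Dnsmasq Custom configuration box, as an added example (not code from the thread or from dnsmasq). One point the thread leaves implicit: on the command line the option is `--dhcp-host=MAC,ignore`, but the custom configuration box is config-file syntax, where the leading dashes are dropped. The script reads MAC addresses (one per line, `#` comments allowed) and validates each before emitting `dhcp-host=...,ignore`, so a typo fails loudly instead of producing a rule that matches nothing and lets router 1 keep handing out leases. The input file name and the MAC addresses other than the one from the dnsmasq manual quoted above are constructed for the example; `dnsmasq --test` is only used for a syntax check when a dnsmasq binary is in PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq.
# Input: MAC addresses, one per line, '#' comments and blank lines allowed.
# Output: config-file syntax for Advanced -> DHCP/DNS -> Dnsmasq Custom
# configuration (no leading "--", unlike the command-line form).

# Validate a MAC address: six colon-separated hex pairs. Returns 1 otherwise.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit one "dhcp-host=<mac>,ignore" line per valid MAC read from stdin,
# lower-cased for consistency. Any invalid entry is reported on stderr and
# makes the function return 1, so nothing half-right gets pasted in.
dnsmasq_ignore_lines() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$mac" ] && continue
        if is_mac "$mac"; then
            printf 'dhcp-host=%s,ignore\n' "$(printf '%s' "$mac" | tr 'A-F' 'a-f')"
        else
            echo "invalid MAC: $mac" >&2
            status=1
        fi
    done
    return $status
}

# Optional syntax check of a generated config file when dnsmasq is local.
check_dnsmasq_conf() {
    if ! command -v dnsmasq >/dev/null 2>&1; then
        echo "dnsmasq not in PATH, skipping --test" >&2
        return 0
    fi
    dnsmasq --test --conf-file="$1"
}

# Example run with a constructed input file (placeholder name):
#   dnsmasq_ignore_lines < remote-site-macs.txt > /tmp/ignore.conf \
#     && check_dnsmasq_conf /tmp/ignore.conf
```

The `ignore` keyword only stops router 1 from offering a lease; device 2's DHCPDISCOVER still crosses the bridge, but with router 1 silent, router 2 is the only server that answers, which is the outcome asked for above.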