SmallNetBuilder Forums > Wireless Networking > ASUS Wireless > Asuswrt-Merlin
#11 | 11-25-2012, 01:23 PM | mrgenie

Quote:
Originally Posted by RMerlin View Post
One easy way to test this is to disable the DHCP server on the local LAN segment (assuming you have control of it), and see if you are able to issue a DHCP lease renewal on one of your clients. If not, then it will confirm that your rules are indeed preventing DHCP requests from reaching the DHCP server on the other side of the tunnel.

There's a Paypal button on my personal website (link is in my signature). Thank you
Ok, the ebtables in the script file don't prevent clients from accessing remote DHCP servers. Bummer, as I really have no idea how to pull this off with OpenVPN itself.
#12 | 11-25-2012, 01:26 PM | RMerlin

TAP VPNs are tricky. It's usually simpler to use TUNs instead, unless you actually need broadcasts to work across the VPN.

You will probably need to insert runes inside an OpenVPN "up" script. I've seen some references to it on the web.
__________________
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
See the sticky post for more info.
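An added example of the OpenVPN "up" script approach RMerlin refers to; it is not code from the thread or from Asuswrt-Merlin. OpenVPN exports the device name as $dev and the hook type as $script_type, so one file can install the DHCP DROP rules when the TAP comes up and remove them again on the way down, instead of hard-coding tap21 in a boot script. The file path and the up/down/script-security lines in the server config are assumptions; EBTABLES can be pointed at a wrapper such as echo for a dry run.

```shell
#!/bin/sh
# OpenVPN up/down hook that blocks DHCP across a bridged TAP device.
# Added example, not code from Asuswrt-Merlin or from the thread.
# Assumed wiring in the OpenVPN server config (the path is an assumption):
#   script-security 2
#   up   /jffs/scripts/vpn-dhcpfilt.sh
#   down /jffs/scripts/vpn-dhcpfilt.sh
# OpenVPN exports $dev (the TAP device name) and $script_type ("up"/"down").

EBTABLES="${EBTABLES:-ebtables}"   # set to a wrapper (e.g. echo) for a dry run

# chain:direction pairs the rules go into. FORWARD sees frames bridged
# between the LAN and the TAP; INPUT/OUTPUT see frames to/from the router.
CHAIN_DIRS="FORWARD:-i FORWARD:-o INPUT:-i OUTPUT:-o"

# Reject anything that is not a plain interface name, so a garbled or hostile
# environment cannot smuggle extra arguments onto the ebtables command line.
valid_dev() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One rule spec (without the -I/-D verb). DHCP is UDP 68->67 for requests and
# 67->68 for replies, so a destination-port match of 67:68 covers both ways.
dhcp_rule_spec() {   # $1 chain, $2 -i|-o, $3 device
    printf '%s %s %s -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP' "$1" "$2" "$3"
}

# Insert (op=I) or delete (op=D) the four rules for a device. Tries all four
# and returns non-zero if any single ebtables call failed.
apply_dhcp_rules() {   # $1 I|D, $2 device
    op="$1"; tap="$2"; rc=0
    valid_dev "$tap" || { echo "vpn-dhcpfilt: bad device name '$tap'" >&2; return 1; }
    for cd in $CHAIN_DIRS; do
        chain="${cd%%:*}"; dir="${cd#*:}"
        spec="$(dhcp_rule_spec "$chain" "$dir" "$tap")"
        # $spec is deliberately unquoted: it is a list of separate arguments
        "$EBTABLES" "-$op" $spec || rc=1
    done
    return "$rc"
}

# Dispatch on the hook type OpenVPN tells us about.
hook_main() {
    case "${script_type:-}" in
        up)   apply_dhcp_rules I "${dev:-}" ;;
        down) apply_dhcp_rules D "${dev:-}" ;;
        *)    echo "vpn-dhcpfilt: unexpected script_type '${script_type:-}'" >&2; return 1 ;;
    esac
}

# Only act when OpenVPN invoked us; sourcing the file just defines the functions.
if [ -n "${script_type:-}" ]; then
    hook_main
fi
```

On "down" the -D calls remove one rule each with exactly the spec that was inserted, so rules added by other scripts for the same device are left alone; if the hook is ever run twice for "up" without a "down" in between, the rules are duplicated, which is harmless for a DROP but visible in ebtables -L.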
#13 | 11-25-2012, 01:37 PM | mrgenie
Ok, now I got it working properly (I hope, fingers crossed)

I've simply added all I could think of that might be needed to get this working..

Of course several lines can be erased; I will test tomorrow what can be deleted.

but here's what I've got so far to prevent the DHCP servers on other subnets from being reached from other locations:

Quote:
#!/bin/sh
# Load the ebtables filter table and the IP match extension
# (harmless if they are already built in or loaded).
insmod ebtables
insmod ebtable_filter
insmod ebt_ip

# OpenVPN hooks export the device name as $dev, not $TUNTAPINTERFACE, so this
# variable has to come from the caller; default it so the first two rules are
# not issued with an empty interface name.
TUNTAPINTERFACE="${TUNTAPINTERFACE:-tap21}"

# DHCP is UDP 68 -> 67 (requests) and 67 -> 68 (replies), so matching
# destination port 67:68 catches both directions.
ebtables -I INPUT -i "$TUNTAPINTERFACE" -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o "$TUNTAPINTERFACE" -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

# Flush everything after a delay and install the rules again by name.
sleep 10
ebtables -F
# FORWARD is the chain that frames bridged between the LAN and the TAP device
# traverse; INPUT and OUTPUT only see frames addressed to or sent by the
# router itself.
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
# Same matches again with the long option names (duplicates of the -I rules
# above), plus source-port variants; candidates for removal.
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
Also, in the logs I noticed the tap21 interface is up and running long before this script is executed.

For those interested in blocking UPnP or PMP over NAT:
Quote:
# SSDP (UPnP discovery) uses UDP 1900; drop it in both directions on the
# TAP device (tap11 here; use the name of your own TAP device).
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP

# NAT-PMP uses UDP 5351.
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP

Last edited by mrgenie; 11-25-2012 at 01:40 PM.
#14 | 11-26-2012, 04:43 AM | mrgenie
Final edit

To get the DHCP madness running properly (multiple DHCP servers over TAP-bridged OpenVPN networks) you have to do only the following:
  1. create the jffs directory (enable the option in the webGUI)
  2. verify there's a "scripts" directory inside the jffs! If there isn't, you simply must reboot a few times. Sometimes the jffs is initialized properly the 2nd time you reboot, sometimes it takes you 10 reboots. You also might want to switch the jffs option off/on in the webGUI several times. No panic, it will be initialized after several attempts!
  3. inside "/jffs/scripts" you create the "services-start" file
  4. inside this file you put the following code
    Quote:
    #!/bin/sh
    # Start the filter script in the background so services-start returns right away.
    sh /jffs/scripts/filt.sh &
  5. also create a file named "filt.sh" and put the following code inside it
    Quote:
    #!/bin/sh
    # Drop DHCP (UDP destination port 67 or 68, i.e. both requests and replies)
    # on the bridged TAP device tap21. FORWARD covers frames bridged through the
    # router; INPUT and OUTPUT cover frames to and from the router itself.
    ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
    ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
  6. both files must be set executable. I used 755 for both files.
  7. to test if it works, reboot the router and log in with PuTTY or whatever you want to use. Type "ebtables -L" and you should see the proper filters listed in the ebtables output.

NOTE: Check if your OpenVPN also uses tap21. If it uses something else, of course you must adapt the ebtables rules to your different tap number.
Note 2: see my previous post if you want to block UPnP or PMP

Last edited by mrgenie; 11-26-2012 at 04:47 AM.
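A second added example (again not from the thread or from Asuswrt-Merlin), covering steps 5 and 7 of the procedure above together with the UPnP/NAT-PMP rules from the previous post: instead of running ebtables -L and eyeballing the output, this script parses the listing, reports which FORWARD DROP rules for the chosen UDP ports are missing on the TAP device, and in --apply mode adds only those. That makes it safe to call from services-start on every boot without stacking duplicate rules. It relies on the "Bridge chain: NAME, ..." headers that ebtables -L prints and accepts both the long option spellings used when adding rules and the short ones ebtables uses when listing; the file name and the default port list are assumptions.

```shell
#!/bin/sh
# Check (and optionally complete) the ebtables DROP rules for a bridged TAP.
# Added example, not code from Asuswrt-Merlin or from the thread.
# Assumed: saved as /jffs/scripts/vpn-filt-check.sh; the default ports are
# the ones from the posts (DHCP 67:68, SSDP 1900, NAT-PMP 5351).

DEFAULT_PORTS="67:68 1900 5351"

# Plain names only (letters, digits, . _ : -): these values end up on an
# ebtables command line and inside a grep pattern.
valid_name() { case "$1" in '' | *[!A-Za-z0-9_.:-]*) return 1 ;; *) return 0 ;; esac; }

# Print the rule lines listed under one chain of an `ebtables -L` dump.
# Chain headers look like "Bridge chain: FORWARD, entries: 2, policy: ACCEPT".
chain_rules() {   # $1 listing text, $2 chain name
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Bridge chain: / { cur = $3; sub(/,$/, "", cur); next }
        cur == chain && NF > 0 { print }'
}

# Is there a DROP rule in chain $2 for UDP to port $5 on device $4, direction $3?
has_drop() {   # $1 listing, $2 chain, $3 -i|-o, $4 device, $5 port spec
    chain_rules "$1" "$2" | grep -E -q -- \
        "(^| )$3 $4( |$).*--ip-(proto|protocol) udp( |$).*--ip-(dport|destination-port) $5( |$).*-j DROP"
}

# Print "DIR PORT" for every FORWARD rule that should exist but does not.
missing_rules() {   # $1 listing, $2 device, $3.. port specs
    listing="$1"; tap="$2"; shift 2
    for port in "$@"; do
        for dir in -i -o; do
            has_drop "$listing" FORWARD "$dir" "$tap" "$port" || printf '%s %s\n' "$dir" "$port"
        done
    done
}

# Print the ebtables commands that add exactly the missing rules.
install_cmds() {   # $1 listing, $2 device, $3.. port specs
    listing="$1"; tap="$2"; shift 2
    valid_name "$tap" || { echo "bad device name: $tap" >&2; return 1; }
    for p in "$@"; do
        valid_name "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    missing_rules "$listing" "$tap" "$@" | while read -r dir port; do
        printf 'ebtables -I FORWARD %s %s -p IPv4 --ip-protocol udp --ip-destination-port %s -j DROP\n' \
            "$dir" "$tap" "$port"
    done
}

# Usage on the router:  sh vpn-filt-check.sh tap21 [--apply]
# With no arguments (e.g. when sourced for testing) nothing below runs.
if [ "$#" -ge 1 ]; then
    valid_name "$1" || { echo "bad device name: $1" >&2; exit 1; }
    current="$(ebtables -L)" || { echo "ebtables -L failed; are the ebtables modules loaded?" >&2; exit 1; }
    if [ "${2:-}" = "--apply" ]; then
        install_cmds "$current" "$1" $DEFAULT_PORTS | sh -e
    else
        missing="$(missing_rules "$current" "$1" $DEFAULT_PORTS)"
        if [ -z "$missing" ]; then
            echo "all rules present on $1"
        else
            printf 'missing on %s:\n%s\n' "$1" "$missing"
        fi
    fi
fi
```

Only the FORWARD chain is checked because that is the chain bridged frames go through; the INPUT/OUTPUT rules from the posts protect the router's own DHCP client and server and can be added to CHAIN handling the same way if wanted. The generated commands are executed with sh -e, so the first ebtables error aborts the rest rather than leaving the device half-filtered without notice.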
Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
© 2006-2014 Pudai LLC All Rights Reserved.