I have a rather puzzling problem. I have two XT8s set up in the following configuration:
- A Virgin Media SuperHub 3 acting as cable router, DHCP enabled but WiFi disabled.
- An outer XT8 connected to the VM Hub through LAN, DHCP disabled but WiFi enabled (effectively offloading the WiFi function of the underpowered SuperHub)
- An inner XT8 with its WAN connected to OUTER's LAN, with WiFi and DHCP enabled (keeping the inner LAN protected from devices on the outer LAN).
      ^
      |
      v
XT8-INNER:WAN <---> LAN(eth1):XT8-Outer:LAN(eth2) <---> Broadband Hub <---> Internet
                                   ^
                                   |
                                   v
                             Outer network
- I hope this makes sense.
The problem I'm having is that the inner XT8 seems to be allowing DHCP requests and responses through the WAN port from either side. The effect of this is that when a DHCP request is made, the DHCP servers on both the SuperHub and INNER will respond. This can result in clients on one network receiving addresses from the other network, causing confusion as to which address a client receives and more than a little confusion with routing.
I would have thought that the WAN firewall configuration ought to default to preventing DHCP packets passing across the boundary but the rules don't seem to include anything to match them:
iptables -S -v | egrep -i '67|68'
produces nothing but a bunch of unrelated DNS rules.
I'm predominantly using the web interface to manage them but I do have SSH enabled so I'm able to run lower-level commands directly. I've tried a bunch of iptables and ebtables rules (new to me) to drop UDP port 67 and 68 packets crossing the INNER WAN interface -
On INNER:
iptables -A INPUT -i eth0 -p udp --destination-port 68 --source-port 67 -j DROP
iptables -A INPUT -i eth0 -p udp --destination-port 67 --source-port 68 -j DROP
iptables -A OUTPUT -o eth0 -p udp --destination-port 68 --source-port 67 -j DROP
iptables -A OUTPUT -o eth0 -p udp --destination-port 67 --source-port 68 -j DROP
That didn't work.
Also on INNER:
ebtables -A FORWARD -i eth0 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -o eth0 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
Didn't work.
So I tried:
ebtables -A INPUT -i eth0 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A OUTPUT -o eth0 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
- Nope.
INNER's WAN is connected to eth1 of OUTER so I tried these rather specific rules:
ebtables -A FORWARD -i eth1 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -o eth1 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
and when that didn't work, I tried this:
ebtables -A INPUT -i eth1 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A OUTPUT -o eth1 -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
Again, no joy.
(As an aside, not having tcpdump on the XT8s makes it a little harder to investigate but I couldn't find a port for these boxes.)
Unsurprisingly I couldn't find any option within the Admin interface along the lines of "Did you want to enable forwarding DHCP requests and responses over the WAN port?".
Any ideas? Many thanks.
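As an added example (not from the original post or from ASUS firmware), here is a small Python probe a practitioner can run from a client on the inner LAN to see which DHCP servers' offers actually reach that segment, without needing tcpdump on the XT8: it broadcasts one DHCPDISCOVER with the broadcast flag set and lists every server identifier (option 54) that answers. It assumes Linux, root privileges for UDP port 68, and that the host's own DHCP client is not holding that port while it runs.

```python
"""Broadcast one DHCPDISCOVER (RFC 2131) and list every server that answers."""
import os, socket, struct, time, uuid

MAGIC = b"\x63\x82\x53\x63"  # DHCP option cookie that follows the 236-byte BOOTP header
def build_discover(xid: int, mac: bytes) -> bytes:
    """Minimal DISCOVER; flags=0x8000 asks servers to broadcast their OFFERs back."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr..giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = b"\x35\x01\x01" + b"\x37\x03\x01\x03\x36" + b"\xff"  # type=DISCOVER, param list, end
    return hdr + MAGIC + opts

def parse_offer(data: bytes):
    """Return xid, offered IP, server identifier (opt 54) and message type (opt 53), or None."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(data) and data[i] != 0xFF:   # 0xFF = end option
        code, length = data[i], data[i + 1]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    sid = opts.get(54)
    return {"xid": struct.unpack("!I", data[4:8])[0], "msg_type": (opts.get(53) or b"\0")[0],
            "offered_ip": socket.inet_ntoa(data[16:20]),
            "server_id": socket.inet_ntoa(sid) if sid and len(sid) == 4 else None}

def probe(wait: float = 3.0) -> dict:
    """Send one DISCOVER, then map each answering server_id -> the IP it offered.
    Needs root for UDP/68; if bind fails, the host's own DHCP client holds the port."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = uuid.getnode().to_bytes(6, "big")        # this host's MAC, nothing is spoofed
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("0.0.0.0", 68))
        s.settimeout(0.5)
        s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
        servers, deadline = {}, time.time() + wait
        while time.time() < deadline:
            try:
                r = parse_offer(s.recvfrom(2048)[0])
            except socket.timeout:
                continue
            if r and r["xid"] == xid and r["msg_type"] == 2:   # 2 = DHCPOFFER
                servers[r["server_id"]] = r["offered_ip"]
    return servers
```

Run `sudo python3 -c 'import dhcpprobe; print(dhcpprobe.probe())'` (file name assumed) from a wired client behind INNER: two server identifiers in the result confirm that offers from both the SuperHub and INNER reach the inner segment, and a result containing only INNER's address after a rule change confirms the rule took effect.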