Need help blocking DHCP when using OpenVPN Bridge


miller79

Occasional Visitor
I currently have two AC66U with 3.0.0.4.374.32 (Merlin build) installed and have setup a VPN bridge using TAP over TCP.

I now need to block the DHCP broadcast from both routers as the logs are showing each broadcast is receiving a response from both routers. Luckily the closer router has been winning for now, but I fear this may not always be the case and am wondering if there is an easy way to disable the broadcast, as I wouldn't think this is an uncommon request.

Just for additional information, each router's DHCP is within the same subnet but does not overlap. I just want to make sure the internet traffic is passed to the local gateway.

Please let me know.

Thanks!
 

somms

Regular Contributor
I currently have two AC66U with 3.0.0.4.374.32 (Merlin build) installed and have setup a VPN bridge using TAP over TCP.

I now need to block the DHCP broadcast from both routers as the logs are showing each broadcast is receiving a response from both routers. Luckily the closer router has been winning for now, but I fear this may not always be the case and am wondering if there is an easy way to disable the broadcast, as I wouldn't think this is an uncommon request.

Just for additional information, each router's DHCP is within the same subnet but does not overlap. I just want to make sure the internet traffic is passed to the local gateway.

Please let me know.

Thanks!
http://linksysinfo.org/index.php?threads/block-dhcp-over-bridged-vpn.68790/

Code:
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Entering the above under Firewall using Shibby's OpenVPN firmware on my RT-N66U acting as the OpenVPN server blocks the remote OpenVPN client routers' DHCP requests...

EDIT: Just noticed you are using TCP so you would have to use tcp in above instead of udp...
 

miller79

Occasional Visitor
Entering the above under Firewall using Shibby's OpenVPN firmware on my RT-N66U acting as the OpenVPN server blocks the remote OpenVPN client routers' DHCP requests...

You mention Shibby's OpenVPN firmware. Is this the same version that is on Merlin? Also, where exactly would those settings be entered? I'm guessing the custom configuration location, but I'm not 100% sure as there is no firewall configuration location.

I could not find a lot of documentation on using the OpenVPN within Merlin so I have been doing a lot of try and test configuration until I got it working.

Thanks!
 

miller79

Occasional Visitor
I got it working!!! Here is some small documentation in case anyone else is trying to do this as well.

I followed these guides to set up the JFFS partition and the custom scripts directory:

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://github.com/RMerl/asuswrt-merlin/wiki/JFFS

I used SSH to connect to the router and navigated to the /jffs/scripts folder. I used vi to create a file that looked like the following:

Code:
#!/bin/sh
# Drop DHCP (UDP ports 67/68) arriving from the tunnel, so this router's DHCP server never sees the remote LAN's requests...
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# ...and never bridge this router's DHCP traffic out into the tunnel
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

I tried using TCP but apparently the DHCP broadcast comes across as UDP so I changed it back. Also do not forget to change the permissions in that folder:

Code:
chmod a+rx /jffs/scripts/*

I set this on both routers and restarted. After checking the logs, the DHCP signal was no longer there.

Thanks for the hint somms but it got me up and running!
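As an added example (not code from this thread or from the Merlin project), here is the same set of four ebtables rules packaged as an asuswrt-merlin user script that can be re-run safely. Assumptions: the script is saved as /jffs/scripts/firewall-start (the hook name comes from the User-scripts wiki page linked above; the thread itself never names the file), the bridged tunnel interface matches tap+ as in the posts, and the script is made executable with the chmod shown earlier. The point it adds beyond the thread's script is idempotence: firewall-start runs every time the firewall is restarted, and a plain ebtables -A appends a duplicate rule on each run, so each rule is deleted before it is re-added.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (assumed path; see the Merlin User-scripts wiki)
# Block DHCP from crossing the bridged OpenVPN tunnel so each LAN only ever
# gets offers from its own router. DHCP is UDP 67/68 regardless of whether
# the tunnel itself is carried over TCP or UDP.

# EBTABLES can be overridden (e.g. EBTABLES=echo) to dry-run on a machine
# without ebtables; VPN_IF is the bridge port pattern for the tunnel.
EBTABLES="${EBTABLES:-ebtables}"
VPN_IF="${VPN_IF:-tap+}"

# Print the four rules, one per line, as "CHAIN ARGS...". INPUT with
# --in-interface stops remote DHCP frames reaching this router's own DHCP
# server; FORWARD with --out-interface stops this router's DHCP frames being
# bridged out into the tunnel. Port range 67:68 covers server and client.
dhcp_rules() {
    for spec in "INPUT --in-interface" "FORWARD --out-interface"; do
        for port in --ip-destination-port --ip-source-port; do
            echo "$spec $VPN_IF --protocol ipv4 --ip-protocol udp $port 67:68 -j DROP"
        done
    done
}

# Delete each rule first (errors ignored when it is not present), then append
# it, so repeated runs leave exactly one copy of every rule in place.
apply_rules() {
    dhcp_rules | while read -r chain args; do
        # shellcheck disable=SC2086  # args must be word-split into options
        "$EBTABLES" -D "$chain" $args 2>/dev/null
        # shellcheck disable=SC2086
        "$EBTABLES" -A "$chain" $args
    done
}

if command -v "$EBTABLES" >/dev/null 2>&1; then
    apply_rules
else
    echo "$EBTABLES not found; run with EBTABLES=echo to see the rules that would be installed"
fi
```

After a reboot, `ebtables -L INPUT` and `ebtables -L FORWARD` should each show exactly two DROP rules for the tunnel interface, no matter how many times the firewall has been restarted. Note that because every DHCP packet has a destination port of either 67 or 68, the --ip-destination-port rules already match all DHCP traffic; the --ip-source-port rules from the thread are kept for parity but are redundant.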
 
