
Need help blocking DHCP when using OpenVPN Bridge


miller79

Occasional Visitor
I currently have two AC66U with 3.0.0.4.374.32 (Merlin build) installed and have set up a VPN bridge using TAP over TCP.

I now need to block the DHCP broadcasts from both routers, as the logs show that each broadcast is receiving a response from both routers. Luckily the closer router has been winning so far, but I fear this may not always be the case, and I am wondering whether there is an easy way to disable the broadcast, as I wouldn't think this is an uncommon request.

Just for additional information, each router's DHCP range is within the same subnet, but the ranges do not overlap. I just want to make sure that internet traffic is passed to the local gateway.

Please let me know.

Thanks!
 
http://linksysinfo.org/index.php?threads/block-dhcp-over-bridged-vpn.68790/

Code:
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Entering the above under Firewall, using Shibby's OpenVPN firmware on my RT-N66U acting as the OpenVPN server, blocks the remote OpenVPN client routers' DHCP requests...

EDIT: Just noticed you are using TCP, so you would have to use tcp in the above instead of udp...
 
Entering the above under Firewall, using Shibby's OpenVPN firmware on my RT-N66U acting as the OpenVPN server, blocks the remote OpenVPN client routers' DHCP requests...

You mention Shibby's OpenVPN firmware. Is this the same version that is on Merlin? Also, where exactly would those settings be entered? I'm guessing the custom configuration location, but I'm not 100% sure, as there is no firewall configuration location.

I could not find a lot of documentation on using OpenVPN within Merlin, so I have been doing a lot of trial-and-error configuration until I got it working.

Thanks!
 
I got it working!!! Here is some brief documentation in case anyone else is trying to do this as well.

I followed these guides to set up the JFFS partition and the custom scripts directory:

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://github.com/RMerl/asuswrt-merlin/wiki/JFFS

I connected to the router over SSH and navigated to the /jffs/scripts folder. I used vi to create the file, which looked like the following:

Code:
#!/bin/sh
# Drop IPv4 DHCP (UDP ports 67/68) coming in from the OpenVPN tap interface,
# so this router's own DHCP server never sees requests from the remote LAN...
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# ...and stop DHCP from the local LAN from being bridged out through the tunnel.
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

I tried using TCP, but apparently the DHCP broadcast comes across as UDP, so I changed it back. Also, do not forget to change the permissions in that folder:

Code:
chmod a+rx /jffs/scripts/*

I set this on both routers and restarted. When I checked the logs, the DHCP signal was no longer there.

Thanks for the hint, somms; it got me up and running!
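A hardened version of the script from this thread, added here as an example; it is not the poster's file or somms's rules as posted. It assumes it is saved as /jffs/scripts/firewall-start, the hook from the asuswrt-merlin user-scripts wiki linked above, which the firmware runs every time the firewall is rebuilt (WAN reconnect, settings change, reboot). That matters because a plain series of `ebtables -A` lines appends a fresh copy of every rule on each run, so the script below deletes each rule before re-adding it and stays idempotent. The EBTABLES and TAP_IF variables, the function names and the logger message are this example's own. The udp versus tcp point in the thread is settled the way the last post found: OpenVPN's TCP transport only carries the tunnel between the two routers' WAN addresses, while the frames that appear on the tap interface inside the bridge are ordinary Ethernet, and DHCP in them is UDP 67/68 regardless of the transport. Only IPv4 DHCP is covered; DHCPv6 and other broadcast traffic still cross the bridge.

```sh
#!/bin/sh
# Assumed location: /jffs/scripts/firewall-start (asuswrt-merlin runs it each time the
# firewall is (re)built, so it must be safe to run repeatedly). Added example, not the
# poster's script. EBTABLES and TAP_IF are this example's own variables.
EBTABLES="${EBTABLES:-ebtables}"
TAP_IF="${TAP_IF:-tap+}"   # ebtables wildcard: every OpenVPN TAP interface on the bridge

# One rule per line as "<chain> <match...>". The tunnel carries raw Ethernet frames,
# so DHCP inside it is plain UDP 67/68 no matter whether OpenVPN itself runs over TCP.
# INPUT:   DHCP arriving from the tunnel, addressed to this router's own DHCP server.
# FORWARD: DHCP from the local LAN about to be bridged out through the tunnel.
dhcp_rule_specs() {
    cat <<EOF
INPUT --in-interface $TAP_IF --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68
INPUT --in-interface $TAP_IF --protocol ipv4 --ip-protocol udp --ip-source-port 67:68
FORWARD --out-interface $TAP_IF --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68
FORWARD --out-interface $TAP_IF --protocol ipv4 --ip-protocol udp --ip-source-port 67:68
EOF
}

# Delete any earlier copy of each rule before appending it, so a second run (WAN
# reconnect, settings change) does not stack duplicate rules in the chains.
apply_dhcp_rules() {
    dhcp_rule_specs | while read -r spec; do
        # $spec is deliberately unquoted: it must split into separate arguments
        $EBTABLES -D $spec -j DROP 2>/dev/null || true
        $EBTABLES -A $spec -j DROP
    done
}

# Post-run check: number of DHCP drop rules installed in a chain (0 when ebtables is
# missing or the chain is empty). ebtables -L prints one rule per line.
count_dhcp_rules() {
    n=$($EBTABLES -L "$1" 2>/dev/null | grep -c '67:68') || true
    echo "${n:-0}"
}

# Only act when invoked under the hook name; sourcing the file just defines the functions.
case "${0##*/}" in
    firewall-start)
        apply_dhcp_rules
        logger -t firewall-start "DHCP over TAP blocked: $(count_dhcp_rules INPUT) INPUT, $(count_dhcp_rules FORWARD) FORWARD rule(s)"
        ;;
esac
```

Install it with `chmod a+rx /jffs/scripts/firewall-start` on both routers, then confirm after a reboot with `ebtables -L INPUT` and `ebtables -L FORWARD`: each chain should list exactly two 67:68 rules, and the count must not grow after a WAN reconnect. Because the rules match on the bridge, the tap interface has to be a member of br0 (as it is in a TAP bridge setup) for either chain to see the frames.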
 
