passing DHCP requests with ebtables

mattinnc

New Around Here
I'm trying to find a way to have the Guest wireless get its IP address from the DHCP server on the intranet but not allow any other access to the intranet.

I'm running the RT-AC66R with Merlin's build 3.0.0.4.374.39 in router mode. I know I can change the Access Intranet to On in the settings but this allows too much access.

I've read the other similar posts and found the ebtables status with the Access Intranet enabled or disabled. It seems the correct ebtables statements should be able to allow the DHCP requests but block other traffic. Unfortunately I've been unable to make it work. I'm hoping that someone, with a better understanding of ebtables might be able to offer some assistance and thoughts.

When the Access Intranet is Off, these statements exist in ebtables:

Code:
Bridge table: filter
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP 
-o wl0.1 -j DROP

Code:
Bridge table: broute
Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.55.0/24 --ip-proto tcp -j DROP

If the Access Intranet is On, both of those statements are missing, essentially ebtables is empty.

It seems like it should be possible to add a statement (or statements) ahead of these statements that would allow DHCP traffic (ports 67 & 68) to pass. Anyone have an idea?

Thanks in advance!
 

Does this post not provide the solution?

http://forums.smallnetbuilder.com/showpost.php?p=100435&postcount=39

...it appears to force Guests to obtain a DHCP from a designated DHCP server on the intranet but does not allow those Guests access to the intranet for other access.

Regards,
 
Actually I had looked at that post quite a bit but it does not do what I'd like to accomplish. His post uses dnsmasq to create a DHCP scope for use on the guest wireless.

I think it could be done even simpler. I don't think you need to change the iptables as they do not appear to get changed when the ebtables are changed. Also I did discover with the Access Intranet Off, I could flush just the bridge filter...
ebtables --flush
and this would allow the guest access to the Intranet. The broute table was not changed, so this could indicate that I can add only a statement to the bridge filter and allow only DHCP requests; I'm thinking nothing else needs to change.
 
Solved

I finally figured it out! I was able to add two lines to ebtables that allowed the DHCP server to supply IPs to the Guest wireless clients without giving them any other access to the Intranet.

I added the following two lines to the firewall-start script so it survives a reboot.

Code:
ebtables -I FORWARD -i wl0.1 -p ipv4 --ip-proto udp --ip-destination-port 67:68 -j ACCEPT
ebtables -I FORWARD -o wl0.1 -p ipv4 --ip-proto udp --ip-source-port 67:68 -j ACCEPT

This produces an ebtables filter that now looks like this:
Code:
Bridge table: filter
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 -o wl0.1 --ip-proto udp --ip-sport 67:68 -j ACCEPT , pcnt = 21 -- bcnt = 7080
-p IPv4 -i wl0.1 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 12 -- bcnt = 4056
-i wl0.1 -j DROP , pcnt = 378 -- bcnt = 52818
-o wl0.1 -j DROP , pcnt = 539 -- bcnt = 65976

I did nothing to alter the ebtables broute filter.

It works very nicely with the exception of DNS queries: they are not able to access the local DNS server, so I had to add the OpenDNS server to the scope. I'd like to find a cleaner way to either pass the DNS packets or use dnsmasq to handle the requests.

Thanks to Merlin for the great firmware and all the users on this forum that provide some really great help.
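An added check (not from the thread or the firmware) that parses an `ebtables -L FORWARD --Lc` listing in the format shown above and confirms that the only ACCEPT rules ahead of the guest-port DROPs are the UDP 67:68 ones; it flags an accept that was appended with -A (and so sits behind the DROP and never matches) or one that opens more than DHCP. The sample listing is the one posted above; `wl0.1` as the guest interface is the thread's own value.

```python
import re
# Constructed sample: the FORWARD chain listing posted above (ebtables -L FORWARD --Lc output).
SAMPLE_LISTING = """\
Bridge table: filter
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 -o wl0.1 --ip-proto udp --ip-sport 67:68 -j ACCEPT , pcnt = 21 -- bcnt = 7080
-p IPv4 -i wl0.1 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 12 -- bcnt = 4056
-i wl0.1 -j DROP , pcnt = 378 -- bcnt = 52818
-o wl0.1 -j DROP , pcnt = 539 -- bcnt = 65976
"""
COUNTERS = re.compile(r"pcnt = (\d+) -- bcnt = (\d+)")
def parse_rules(listing):
    """Turn each rule line into a dict of option -> value plus its packet/byte counters."""
    rules = []
    for line in listing.splitlines():
        if not line.startswith("-"):
            continue                                  # table / chain header lines
        spec, _, tail = line.partition(",")
        toks = spec.split()                           # every option in this listing takes one value
        rule = {toks[i].lstrip("-"): toks[i + 1] for i in range(0, len(toks) - 1, 2)}
        m = COUNTERS.search(tail)
        rule["pcnt"], rule["bcnt"] = (int(m[1]), int(m[2])) if m else (0, 0)
        rules.append(rule)
    return rules

def is_dhcp_accept(rule):
    """ACCEPT of UDP 67:68 in either direction: the only hole the thread opens."""
    ports = rule.get("ip-sport") or rule.get("ip-dport")
    return rule.get("j") == "ACCEPT" and rule.get("ip-proto", "").lower() == "udp" and ports == "67:68"

def audit_guest_chain(listing, guest_if="wl0.1"):
    """Return findings; an empty list means only DHCP crosses the guest port."""
    findings, seen_drop = [], {"i": False, "o": False}
    for n, r in enumerate(parse_rules(listing), 1):
        d = "i" if r.get("i") == guest_if else "o" if r.get("o") == guest_if else None
        if d is None:
            continue                                  # rule does not touch the guest port
        if r.get("j") == "DROP" and set(r) <= {"i", "o", "j", "pcnt", "bcnt"}:
            seen_drop[d] = True                       # the catch-all drop for this direction
        elif r.get("j") == "ACCEPT" and seen_drop[d]:
            findings.append(f"rule {n} is shadowed by the earlier DROP (appended with -A instead of -I?)")
        elif r.get("j") == "ACCEPT" and not is_dhcp_accept(r):
            findings.append(f"rule {n} widens guest access beyond DHCP: {r}")
    findings += [f"no catch-all DROP for -{d} {guest_if}" for d, s in seen_drop.items() if not s]
    return findings

def dhcp_hits(listing, guest_if="wl0.1"):             # packet counters on the two DHCP accepts
    return {"in" if r.get("i") == guest_if else "out": r["pcnt"]
            for r in parse_rules(listing) if is_dhcp_accept(r) and guest_if in (r.get("i"), r.get("o"))}
```

Feed it the live output of `ebtables -L FORWARD --Lc` instead of the sample to re-check the chain after a firmware update or a firewall-start edit.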
 