block dhcp answers for specific MAC address

[Phylion]

Hi there,

I have a not so normal situation with my provider in the Netherlands. I use the provided residential gateway router of the provider only for Voip & TV setop boxes. For internet i use an Asus AC66u with RMerlin firmware. Between the fiber connection and both routers is a netgear switched places. Basicly that switch uses VLAN tagging to ports so that the ASUS receives the WAN internet signal, and de RG of the provider gets the VLAN's for Voip and TV.

My providers is getting more stuff into their RG. This makes it necessary to couple both routers at the LAN side. And because of both are running DHCP that is guaranteed for messed things up.
To make it more complicated: the RG provided uses a kind of smart technology. So the device detects if there is a computer connected tot a LAN port, or that it is a TV setop box. And then it decides to what VLAn on the WAN side the device is connected. For now, the TV setopboxen get theit IP address of an DHCP pool of the provider ( outside my home ).

So i need to block DHCP answers to the setop boxes from my Asus router. I tried several iptables commands, but none of them seem to work.

iptables -A OUTPUT -m mac --mac-source zz:zz:zz:zz:zz:zz -j DROP
iptables -A INPUT -m mac --mac-source zz:zz:zz:zz:zz:zz -j DROP

unfortunaly the setop box keeps getting an ip address of the ASUS.

What am i doing wrong ?

Tnx!

 

[Ford Prefect]

...I'd use an aditional dnsmasq config to block DHCP-requests for certain hosts.

the command in question is this (from: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example)

# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore

..add it in a dnsmasq.conf.add file/script like described in here: https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

 

[Phylion]

Thank you for this info. This seems to work.

Still I don't get why the filtering by firewall rules won't work. But this does seem to do the trick.
And as so often: next question will be: how can i force this update's without a total reboot of the router ? I searched to service stop or simular, but can't find it.

Any suggestions ?

 

[ColinTaylor]

Still I don't get why the filtering by firewall rules won't work.

Because all the DHCP traffic is within the LAN. The firewall only applies to WAN to LAN traffic.

And as so often: next question will be: how can i force this update's without a total reboot of the router ? I searched to service stop or simular, but can't find it.

# service restart_dnsmasq

 

[Phylion]

I've Always thougt that firewall rules for OUTPUT also were used for service like dnsmasq. Apparently not. So I've learned a bit more today ;-)

unfortunately does the service restart-dnsmasq not the trick to reload/reread the /jffs/config/dnsmasq.conf.add file. This works like a charm after a full reboot.

So how to force to reread/reload the dnsmasq.conf.add file also ?

 

[owine]

I've Always thougt that firewall rules for OUTPUT also were used for service like dnsmasq. Apparently not. So I've learned a bit more today ;-)

unfortunately does the service restart-dnsmasq not the trick to reload/reread the /jffs/config/dnsmasq.conf.add file. This works like a charm after a full reboot.

So how to force to reread/reload the dnsmasq.conf.add file also ?

Not sure if you made a tyop, but it is an underscore for service restart_dnsmasq, not a hyphen. That restarts dnsmasq which in turn causes it to reload the conf file and any add files.

 

[Phylion]

Indeed a type.

Just tried both commands:
1. service restart-dnsmasq
2. service restart_dnsmasq

Both lines return an empty line followed with an 'ok' line.

But sure: command 2 with the underscore reloads the custom file.

Thank you!

 

[ColinTaylor]

I've Always thougt that firewall rules for OUTPUT also were used for service like dnsmasq. Apparently not. So I've learned a bit more today ;-)

I have to humbly apologise for misleading you. What I said would be correct if the DHCP service was hosted on another server on the LAN, like in a corporate setup. The DHCP traffic would be switched and therefore not normally touched by a router. However, in this case the ASUS is the switch and a bridge and a router!

You can block your DHCP requests if you want to, although I think the dnsmasq solution is better.

Where you were probably going wrong was by appending (-A) the rule to the end of the table. The DHCP requests have already been accepted by that point. What you needed to do was to insert (-I) at the beginning of the table, before it has a chance to be accepted by any of the other rules. For example:

# iptables -I INPUT -p udp -m udp --sport 68 -m mac --mac-source e8:2a:ea:96:25:44 -j DROP

This will drop all incoming DHCPDISCOVER or DHCPREQUEST messages from the specified MAC address. (You will also have to ensure that the client has already forgotten about any IP address it had previously been given - Windows, for example, will carry on using its current IP address for some time.)

 

[Phylion]

Good point of ordering the rules in the INPUT chain. For that one perhaps the issue is indeed the fact that i am appending to the ruleset.
But this can't be the reason of the OUTPUT chain since the only rules in there were the blocking of the dhcp answer based on mac-adress.

In fact while typing this answer i suddenly understand why the output chain can't work the way i typed in the command. The source mac address of the answer will off coarse never be the one of the receiving host. How dump of me :-(

And i agree that dnsmasq option is a more logical place to hide this stuff. On the other hand: one place were all the magic happens (firewall rules) has also it charm.
I am aware of the behaviour of some clients that keep using old dhcp info when they don't offered a new ip lease. That fact i checked and rechecked.