Block DHCP on VPN Bridge


I am connecting four LEDE routers via an OpenVPN bridge. Every router has its own gateway for internet. Therefore, every router works as a DHCP server (same subnet, different range). This works most of the time, but sometimes I get a DHCP-Release from the other side of the tunnel, which results in using the wrong gateway for internet (I always want to use the gateway of the router I am currently connected to via Wifi/Lan).

According to some posts on the internet, I tried to block DHCP with ebtables:

ebtables -I FORWARD -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I FORWARD -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I INPUT -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP

But I get the following error:

root@LEDE:~# ebtables -I FORWARD -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
Unable to update the kernel. Two possible causes:

  1. Multiple ebtables programs were executing simultaneously. The ebtables
    userspace tool doesn't by default support multiple ebtables programs running
    concurrently. The ebtables option --concurrent or a tool like flock can be
    used to support concurrent scripts that update the ebtables kernel tables.
  2. The kernel doesn't support a certain ebtables extension, consider
    recompiling your kernel or insmod the extension.

It seems like I am missing the module "ebt_ip" but I can't load it:

insmod ebt_ip.o
Failed to find ebt_ip.o. Maybe it is a built in module ?

So the question is:
How can I block DHCP from entering the tap interface in LEDE?

Why I use TAP instead of TUN:
  • I want to bridge my roommate's router into one big LAN for games, streaming, etc., which mostly relies on mDNS and is only possible with tap (layer3)
  • I don't mind overhead as there is a gigabit connection
  • More details and the whole plan here: Bridge multiple Lede Routers using VPN and one DHCP

I took the idea of using ebtables from here. Please don't tell me there is something ddWRT is able to do what LEDE can't :wink:

There are several kmod-ebtables packages, did you install any of them?

All I did was "opkg install ebtables" which installed some of them. So you are saying there are more in other packages? How can I find the right one?

I needed:

opkg install kmod-ebtables-ipv4

Now entering the rules doesn't result in an error anymore.
I will test if it really blocks DHCP and report here later.
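Putting the fix from this thread into a script, as an added example that is not from the thread or the LEDE project: it checks that the ebt_ip match (shipped in kmod-ebtables-ipv4) is actually present before inserting the four rules from the question, inserts them without stacking duplicates when re-run, and lists the rule counters so you can confirm DHCP is being dropped. The interface name tap0 and the "apply" argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install the four ebtables rules from the
# question idempotently on a LEDE/OpenWrt router, after checking that the
# ebt_ip match (package kmod-ebtables-ipv4) is really available.
# Assumes: the bridged OpenVPN interface is tap0 (as in the thread) and the
# ebtables userspace tool is installed ("opkg install ebtables").

IFACE="${IFACE:-tap0}"

# Print one rule per line, as the arguments ebtables takes after -I/-D.
# Destination ports 67:68 cover both DHCP directions (client->server and
# server->client) in the default "filter" table.
dhcp_block_rules() {
    iface="$1"
    match="-p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    printf '%s\n' \
        "FORWARD -i $iface $match" \
        "FORWARD -o $iface $match" \
        "INPUT -i $iface $match" \
        "OUTPUT -o $iface $match"
}

# The "Unable to update the kernel" error in the question comes from the
# ebt_ip kernel module being absent. On LEDE it ships in kmod-ebtables-ipv4.
ebt_ip_available() {
    grep -q '^ebt_ip ' /proc/modules 2>/dev/null && return 0
    command -v opkg >/dev/null 2>&1 &&
        opkg list-installed 2>/dev/null | grep -q '^kmod-ebtables-ipv4 '
}

# Delete any existing copy of each rule, then insert it, so re-running the
# script does not stack duplicates. Returns non-zero if an insert fails.
apply_dhcp_block() {
    iface="$1"
    dhcp_block_rules "$iface" | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        ebtables -D $rule 2>/dev/null
        ebtables -I $rule || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    ebt_ip_available || { echo "ebt_ip missing: opkg install kmod-ebtables-ipv4" >&2; exit 1; }
    apply_dhcp_block "$IFACE"
    # --Lc prints per-rule packet/byte counters; the DROP counters should grow
    # whenever a DHCP packet arrives on or leaves via $IFACE.
    ebtables -L --Lc
fi
```

Run it as `sh block-dhcp.sh apply` on the router; without the argument it only defines the functions.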