Filtering DHCP traffic within one subnet

I have the following set-up:

Internet <-- House 1 (192.168.8.0) <---WiFi---> House 2 (192.168.8.0) <---WiFi ---> House 3 (192.168.8.0) --> Internet

I'd like to install a network device in House 2 that connects to the WiFi bridge to/from House 3 and the local LAN in the house and filters out DHCP traffic. The reason is that I need to make sure devices in House 1 and 2 get an IP address only from the LTE Router in House 1 and devices in House 3 only get an IP address from the LTE Router in House 3. The next step is an mwan3 set-up (not relevant here).

I'm using an Asus RT-AC85P running OpenWrt 21.02.3. I'm aware that I'll have a (kind of) slow link, as all the traffic needs to pass the CPU for filtering. That's okay, it's only LTE uplinks and almost zero inter LAN traffic.

Setup Option A
I've tried a simple set-up with one bridge device for all LAN and the WAN ports. One LAN cable is in the LAN1 and one (to the WiFi bridge) in the WAN port. Traffic flows fine, but I can't filter any traffic, despite following the Firewall Bridge doc. I can get neither iptables rules nor ebtables rules to filter DHCP traffic.

Here are the firewall rules I'm using:

config rule
        option name 'Deny DHCP to server'
        list proto 'udp'
        option src 'lan'
        option dest_port '67'
        option target 'DROP'
        option dest 'lan'

config rule
        option name 'Deny DHCP to client'
        list proto 'udp'
        option src 'lan'
        option dest_port '68'
        option target 'DROP'
        option dest 'lan'

I also tried ebtables rules with the MAC address of the DHCP server, but that doesn't work either. It seems like traffic between the ports never reaches the CPU.

After reading firewall on the same network, I switched to a VLAN-based config:

Setup Option B

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option stp '1'

config device
        option name 'wan'
        option macaddr '24:4b:fe:f2:b0:78'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan4'

config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'br-lan.1'
        list ports 'br-lan.4'
        option stp '1'

config interface 'brvlan'
        option proto 'static'
        option device 'br-vlan'
        option ipaddr '192.168.8.9'
        option netmask '255.255.255.0'
        option gateway '192.168.8.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

So basically two Bridge devices:

  • br-lan with all lanX ports and the Bridge VLAN Filtering tab set to create one VLAN per LAN port.
  • br-vlan with only the VLANs for port 1 & 4 (br-lan.1, br-lan.4)

and then one Interface brvlan with the IP address 192.168.8.9.

From the Router I can ping the upstream LTE (192.168.8.1) in House 1 and the Devices in House 3. All devices can ping the Router. But they can't ping each other. Running iptables -F doesn't help either.

From running wireshark, I can see that the ARP requests my Laptop sends remain unanswered.

$ ip route
default via 192.168.8.1 dev br-vlan 
192.168.8.0/24 dev br-vlan scope link  src 192.168.8.9

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc fq_codel state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::264b:feff:fef2:b07c/64 scope link 
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
4: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
7: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
9: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
13: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 24:4b:fe:f2:b0:78 brd ff:ff:ff:ff:ff:ff
23: br-vlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.9/24 brd 192.168.8.255 scope global br-vlan
       valid_lft forever preferred_lft forever
    inet6 fe80::264b:feff:fef2:b07c/64 scope link 
       valid_lft forever preferred_lft forever
24: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::264b:feff:fef2:b07c/64 scope link 
       valid_lft forever preferred_lft forever
25: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-vlan state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff
26: br-lan.4@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-vlan state UP qlen 1000
    link/ether 24:4b:fe:f2:b0:7c brd ff:ff:ff:ff:ff:ff

Questions
So two questions, solving one is enough :wink:

  • Any idea why filtering in my set-up with one bridge for all LAN & WAN port doesn't work?
  • How can I configure OpenWrt to pass my ARP requests through the bridge from LAN port 1 to 4?
    • Is the bridge within bridge a problem? How can I set-up bridged VLANs without that?

Because the rules you are using are not the ones in the bridged firewall document.

I'd suspect VLAN hopping issues and not an elegant solution.

You have it already as br-lan.

Thank you for your reply!

Do you mean the physdev rules? As I read bridge firewall, restricting forwarding should work without that. The firewall rules there are also for a different use case (selective forwarding). Can you be more specific, please?

Okay so I guess you mean that I set it up differently. If I change the brvlan interface to use br-lan and remove the br-vlan device, don't I end up with four VLANs that are not part of anything?

I got it working. To be honest, I have no clue what's different now with respect to the bridged firewall, but it's working now.

Internet <-- House 1 (192.168.8.0) <---WiFi---> House 2 (192.168.8.0) <---WiFi---> House 3 (192.168.1.0) --> Internet

My Asus RT-AC85P is now located in House 3. I basically have one bridge device with all LAN ports & the loewen_main and loewen_wiese_yellow WiFi APs as ports. One LAN port is connected to a cable that goes to the LTE router on the other side of the house. On top of that bridge I have two OpenWrt interfaces, one for the IP range of House 3 (changed to 192.168.1.0) and one for House 1-2 (192.168.8.0).

Separately from the bridge, there's a wlan1 interface for an open WiFi network for configuring OpenWrt. This will be disabled in production.

I set-up two production WiFi networks. The loewen_main is for House 3 locally, the loewen_wiese_yellow is for the outdoor AP connection from House 2 -> House 3. You can see the outdoor AP connected to loewen_wiese_main.

For the firewall, I opened all forwarding traffic in General Settings and added four Traffic rules.

To allow local DHCP traffic but block DHCP traffic flowing through the loewen_wiese_yellow WiFi link, the trick was to use the Extra Args field in the Advanced settings tab with the values -m physdev --physdev-in wlanwy for the first two rules and -m physdev --physdev-out wlanwy for the last two rules. Please excuse the misnomer of the rules (wan to lan / lan to wan); that's from an older version of the set-up.

Installing tcpdump and using ssh root@192.168.1.2 "tcpdump -i wlanwy -U -s0 -w - 'not port 22'" | wireshark -k -i - to watch traffic on the loewen_wiese_yellow network helped me a lot to debug this set-up.

These are the packages I manually installed (I'm not using ebtables afaik, ebtables -L shows no rules):

ebtables-utils
ebtables
iptables-mod-physdev
kmod-br-netfilter
kmod-ebtables
kmod-ebtables-ipv4
kmod-ebtables-ipv6
kmod-ipt-physdev

Here are the relevant config files:

root@OpenWrt:/etc/config# cat dhcp 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wlan1'
        option interface 'wlan1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
root@OpenWrt:/etc/config# cat firewall 

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'
        list network 'lanmh'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Deny DHCP to server - wan to lan'
        list proto 'udp'
        option dest_port '67'
        option target 'DROP'
        option dest 'lan'
        option src 'lan'
        option extra '-m physdev --physdev-in wlanwy'

config rule
        option name 'Deny DHCP to client - wan to lan'
        list proto 'udp'
        option dest_port '68'
        option target 'DROP'
        option dest 'lan'
        option src 'lan'
        option extra '-m physdev --physdev-in wlanwy'

config rule
        option name 'Deny DHCP to server - lan to wan'
        list proto 'udp'
        option dest_port '67'
        option target 'DROP'
        option src 'lan'
        option extra '-m physdev --physdev-out wlanwy'
        option dest 'lan'

config rule
        option name 'Deny DHCP to client - lan to wan'
        list proto 'udp'
        option dest_port '68'
        option target 'DROP'
        option src 'lan'
        option extra '-m physdev --physdev-out wlanwy'
        option dest 'lan'

config zone
        option name 'cfgwlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wlan1'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'
root@OpenWrt:/etc/config# cat network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd87:d7a6:c4be::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'

config device
        option name 'wan'
        option macaddr '24:4b:fe:f2:b0:78'

config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option type 'bridge'
        option ipaddr '192.168.8.9'
        option gateway '192.168.8.1'
        option device 'br-wan'

config interface 'wlan1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option gateway '192.168.9.254'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'br-wan'
        list ports 'wan'
        option stp '1'

config interface 'lanmh'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.8.9'
        option netmask '255.255.255.0'
        option gateway '192.168.8.1'
        option defaultroute '0'
root@OpenWrt:/etc/config# cat wireless 

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '5g'
        option htmode 'VHT80'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt-Asus-RT-AC85P'
        option encryption 'none'
        option network 'wlan1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'loewen_wiese_yellow'
        option key 'SECRET'
        option encryption 'psk2'
        option wds '1'
        option network 'lan'
        option ifname 'wlanwy'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'loewen_main'
        option encryption 'sae-mixed'
        option key 'SECRET'
        option network 'lan'
        option ifname 'wlanmain'
