Help please for TTL 1 in a Belkin RT3200

I want to configure the TTL to 1, in order to prevent those whom I allow to connect to my network from sharing the internet with their cell phone or other device, either as an access point or via Bluetooth.
Please, I need help with this issue. I'm not quite sure which packages to install, what configuration to do, and how to do it.

I use the script below, stored at /usr/share/nftables.d/ruleset-post/adjust-ttl.nft, to change the TTL in a different context:

# adjust-ttl

# This nft script facilitates adjusting the ttl of outgoing packets

# author: Lynx (OpenWrt forum)

table inet adjust-ttl
flush table inet adjust-ttl

table inet adjust-ttl {

        chain hook-postrouting {

                type filter hook postrouting priority filter

                # fix ttl to help disguise use of router over mobile network
                # for bridge mode set ttl to 64
                # for USB tethering set ttl to 65

                oifname wan ip ttl set 65
        }
}

Setting a TTL to 1 would cause all traffic destined for the Internet to fail at the first router it encounters (i.e. TTL Exceeded in Transit).

You would need to make a custom rule that only allows your devices a TTL of X (and higher).

where X is the normal TTL of the client as received on the ingress interface of the OpenWrt router.


Yeah, so maybe something in the forward hook:

ip ttl < $max_ttl drop

Well, what I really want is that they cannot share the internet connection as an access point or via Bluetooth from other cell phones. I mention the TTL thing because that's what I saw was an option, but I didn't know the problems that this can cause. The router that I have with the OpenWrt firmware is the main one, and the devices that I want to limit are connected to it (in fact I would even like to limit only a few, and with my cell phone I have free access).

But I think the idea still holds.

There may be a simpler option here, and hopefully someone will suggest something.

@dave14305 any thoughts?


Change the interface name from wan to br-guest or whatever LAN-like interface is serving the devices connected.

So inbound traffic from WAN to LAN should be set with TTL of 1 or IPv6 hoplimit of 1?

nft add rule inet fw4 mangle_postrouting oifname "br-lan" ip ttl set 1
nft add rule inet fw4 mangle_postrouting oifname "br-lan" ip6 hoplimit set 1
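Putting the two replies above together as one ruleset-post file, in the same style as the adjust-ttl script earlier in the thread (this is an added example, not code from any poster): it lowers the TTL/hop limit to 1 only on traffic leaving towards a set of restricted client addresses, so the unrestricted phone is left alone. The bridge name br-lan, the table name limit-tether and the addresses in the sets are assumptions; the addresses are placeholders for clients given static DHCP leases.

```nft
# limit-tether.nft (constructed example for this thread, not the author's script)
# Place in /usr/share/nftables.d/ruleset-post/ so fw4 loads it after its own rules.
# Assumptions: the LAN bridge is br-lan and the restricted clients have static
# DHCP leases with the placeholder addresses listed in the sets below.

table inet limit-tether
flush table inet limit-tether

table inet limit-tether {

        # clients that must not re-share the connection; everyone else is untouched
        set restricted4 {
                type ipv4_addr
                elements = { 192.168.1.50, 192.168.1.51 }
        }

        set restricted6 {
                type ipv6_addr
                elements = { fd00::50, fd00::51 }
        }

        chain hook-postrouting {
                type filter hook postrouting priority mangle; policy accept;

                # traffic leaving the router towards a restricted client: with a TTL
                # or hop limit of 1 the client itself still receives it, but anything
                # it forwards on (hotspot, USB or Bluetooth tethering) expires at that
                # next hop (TTL exceeded in transit)
                oifname "br-lan" ip daddr @restricted4 ip ttl set 1
                oifname "br-lan" ip6 daddr @restricted6 ip6 hoplimit set 1
        }
}
```

After `fw4 reload`, `nft list table inet limit-tether` shows the loaded sets and rule; adding an address to a set restricts that client without touching the rest of the LAN.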

Well if you can play TTL/hoplimit games so can your users...


Ah yes - nice!

True, but that's some next level shizzle.
