Hello,
I have 2 routers connected with OpenVPN, using TAP interfaces.
Each router runs a DHCP server, as if one fails, the other one shall still be able to assign ip addresses to the host connected to it.
To block cross DHCP requests, I'm currently using ebtables:
/usr/sbin/ebtables -F
/usr/sbin/ebtables -I FORWARD -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I FORWARD -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I INPUT -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I OUTPUT -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
Now, the problem is, that this will not block the DHCP requests for IPV6, as I've observed.
If I replace the -p IPV4 with -p IPV6 I am getting the error that for IP filtering IPV4 shall be used.
What is the solution to prevent the hosts connected to the other router from getting an IPV6 address over the VPN?
P.S.
- Do not suggest TUN instead of TAP. I use TAP as I need multicast and transparency of all devices on network
- One router runs Tomato from shibby (the VPN client), the other runs the latest LEDE.
- Both routers have dual IPV4/IPV6 stack from ISP.
Thanks in advance!
Filtering DHCP requests on IPV6
Re: Filtering DHCP requests on IPV6
Meanwhile I found the solution on another forum:
# DHCPv6 runs over UDP 546 (client) and 547 (server)
/usr/sbin/ebtables -I FORWARD -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I FORWARD -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I INPUT -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I OUTPUT -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
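
An added example, not part of the original posts: a dry-run-capable script that applies the thread's drop rules to DHCPv4 (UDP 67/68) and DHCPv6 (UDP 546/547), and also to ICMPv6 Router Advertisements, because a host can autoconfigure an IPv6 address from an RA without any DHCPv6 exchange. The function names, the EBT variable and the RA rule are assumptions of this example, and `--ip6-icmp-type` needs an ebtables build that supports it.

```shell
#!/bin/sh
# Added example: keep address assignment local to each side of a bridged
# OpenVPN TAP link. EBT defaults to a dry run that prints the commands
# (an assumption of this example); set EBT=/usr/sbin/ebtables to apply them.
EBT="${EBT:-echo ebtables}"

# drop_udp IFACE FAMILY PORTRANGE: drop UDP to PORTRANGE in all four hooks.
drop_udp() {
    iface=$1 fam=$2 ports=$3
    case $fam in
        IPv4) proto=--ip-proto;  dport=--ip-dport ;;
        IPv6) proto=--ip6-proto; dport=--ip6-dport ;;
        *) echo "unknown family: $fam" >&2; return 1 ;;
    esac
    for hook in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
        # $hook is left unquoted on purpose: it splits into chain + direction flag
        $EBT -I $hook "$iface" -p "$fam" $proto udp $dport "$ports" -j DROP || return 1
    done
}

# drop_ra IFACE: drop ICMPv6 Router Advertisements (type 134) crossing IFACE.
drop_ra() {
    for hook in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
        $EBT -I $hook "$1" -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type 134 -j DROP || return 1
    done
}

# block_addr_assignment [IFACE]: full rule set for one TAP interface.
block_addr_assignment() {
    tap=${1:-tap0}
    drop_udp "$tap" IPv4 67:68   || return 1   # DHCPv4 server/client ports
    drop_udp "$tap" IPv6 546:547 || return 1   # DHCPv6 client/server ports
    drop_ra  "$tap"                            # SLAAC prefix announcements
}
```

Review the dry-run output of `block_addr_assignment tap0` first, then rerun with `EBT=/usr/sbin/ebtables` on each router.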