Filtering DHCP requests on IPv6


Post by trex_daemon » Wed Jan 31, 2018 8:58 pm

Hello,
I have 2 routers connected with OpenVPN, TAP interfaces.
Each router runs a DHCP server, as if one fails, the other one shall still be able to assign IP addresses to the hosts connected to it.
To block cross DHCP requests, I'm currently using ebtables:
/usr/sbin/ebtables -F
/usr/sbin/ebtables -I FORWARD -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I FORWARD -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I INPUT -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
/usr/sbin/ebtables -I OUTPUT -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP


Now, the problem is that this will not block the DHCP requests for IPv6, as I've observed.
If I replace the -p IPv4 with -p IPv6, I get the error that for IP filtering IPv4 shall be used.
What is the solution to prevent the hosts connected to the other router from getting an IPv6 address over the VPN?


P.S.
- Do not suggest TUN instead of TAP. I use TAP as I need multicast and transparency of all devices on the network.
- One router runs Tomato from Shibby (the VPN client), the other runs the latest LEDE.
- Both routers have a dual IPv4/IPv6 stack from the ISP.


Thanks in advance!


Re: Filtering DHCP requests on IPv6

Post by trex_daemon » Wed Feb 07, 2018 5:24 pm

Meanwhile I found the solution on another forum:

# DHCPv6 uses UDP ports 546 (client) and 547 (server), not the DHCPv4 ports 67/68
/usr/sbin/ebtables -I FORWARD -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I FORWARD -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I INPUT -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
/usr/sbin/ebtables -I OUTPUT -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
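
Added example, not part of the original posts: a small script that generates the DHCP isolation rules from this thread for both address families and can print them before applying them. The function names, the EBTABLES variable and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): keep DHCP from crossing a bridged
# TAP link, for IPv4 and IPv6. EBTABLES and DRY_RUN are assumed names.
EBTABLES="${EBTABLES:-/usr/sbin/ebtables}"

# Print one ebtables rule per line for the given TAP interface.
#   DHCPv4: UDP 67 (server) / 68 (client)
#   DHCPv6: UDP 547 (server) / 546 (client)
# Matching on the destination port covers both directions, because
# requests go to the server port and replies go to the client port.
# Router advertisements (SLAAC) are ICMPv6, not UDP, so these rules
# do not affect them.
dhcp_block_rules() {
    tap="$1"
    for fam in "IPv4 --ip-proto udp --ip-dport 67:68" \
               "IPv6 --ip6-proto udp --ip6-dport 546:547"; do
        for hook in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
            printf '%s\n' "-I $hook $tap -p $fam -j DROP"
        done
    done
}

# Apply the rules, or only print the commands when DRY_RUN=1.
apply_dhcp_block() {
    dhcp_block_rules "$1" | while read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$EBTABLES $rule"
        else
            # Word splitting of $rule into arguments is intended here.
            $EBTABLES $rule || return 1
        fi
    done
}
```

Run `DRY_RUN=1 apply_dhcp_block tap0` to review the commands first. After applying them, `ebtables -L --Lc` lists the per-rule packet counters, which shows whether the IPv6 rules are actually matching traffic.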
