Re: [Openvpn-users] OpenVPN to filter out dhcp traffic?

  • Subject: Re: [Openvpn-users] OpenVPN to filter out dhcp traffic?
  • From: Johan Dahlberg <jodahlberg@xxxxxxxxx>
  • Date: Sat, 19 Mar 2005 10:56:42 +0100

Thanks for the reply.

Yes, I've tried that, and it will not work. And as I understand it,
it's the "raw sockets" which ISC DHCP uses that make iptables unable
to see the DHCP packets, and thus unable to filter them.

On Sat, 19 Mar 2005 10:49:41 +0100, Christian Røsnes
<christian@xxxxxxxxx> wrote:
> On Saturday 19 March 2005 10:15, Johan Dahlberg wrote:
> > Hello,
> > I have a question which I can't get an answer to anywhere on the net.
> > So I thought maybe you can help me. But first I must thank you for a
> > truly great piece of software. :-)
> >
> > My problem is DHCP. I'm running a VPN between two sites using ethernet
> > bridging, both sites have their own DHCP-server up and running, and
> > this is causing quite a mess for the network since the networks have
> > their own subnets/routes. And on occasion the clients on one network
> > get their IP assigned by the DHCP-server on the other side of the VPN.
> > Since the default route for that client will be through the VPN, it
> > drains a lot of bandwidth and also adds lots of both latency and
> > unnecessary bandwidth usage when talking to clients standing right
> > beside it.
> >
> > I've been pulling my hair out for days trying to solve this. Over here
> > OpenVPN is running on Linux 2.6 on both ends, and I've tried all kinds
> > of tricks with the kernel & filtering to block dhcp from passing
> > through the vpn-link, without success.
> >
> I'm not sure how the OpenVPN ethernet bridging works in terms of
> iptables filtering, but have you checked if any/all of these
> iptables rules will block DHCP traffic between the sites?
> # On each vpn server:
> # Assuming vpn device is tun0 on both servers
> # (a bridged setup normally uses a tap device instead).
> # Drop UDP to the BOOTP/DHCP ports (67 server, 68 client) arriving on
> # the VPN device, whether it is for this host or being forwarded.
> iptables -A INPUT -p udp -i tun0 --dport 67:68 -j DROP
> iptables -A FORWARD -p udp -i tun0 --dport 67:68 -j DROP
> # OUTPUT has no input interface; match the outgoing one instead.
> iptables -A OUTPUT -p udp -o tun0 --dport 67:68 -j DROP
> Christian
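
An added example (not from this thread or from the OpenVPN project) of
the layer-2 alternative to the iptables rules above: frames crossing a
Linux bridge are switched by the bridge code rather than routed, so the
iptables INPUT/OUTPUT chains never see them, while ebtables filters on
the bridge ports. The script assumes the OpenVPN tap interface is named
tap0 and is a port of the local bridge (set BRIDGE_PORT otherwise); it
prints the rules by default and only installs them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: drop DHCP/BOOTP frames on the VPN bridge port with ebtables.
# Assumptions (not from the thread): the OpenVPN tap device is tap0 and it is
# enslaved to the bridge on both sites; ebtables is installed.

BRIDGE_PORT="${BRIDGE_PORT:-tap0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Emit one ebtables rule per chain/direction. UDP ports 67 (server) and 68
# (client) cover both DISCOVER/REQUEST and OFFER/ACK, so matching the
# destination port range in both directions stops the whole exchange.
#   FORWARD -i : DHCP coming in from the remote site over the VPN
#   FORWARD -o : local DHCP traffic about to leave over the VPN
#   INPUT   -i : DHCP from the VPN addressed to the bridge host itself
#   OUTPUT  -o : DHCP generated on the bridge host (e.g. a local dhcpd
#                bound to the bridge device) heading out over the VPN
dhcp_filter_rules() {
    port="$1"
    for chain_iface in "FORWARD -i" "FORWARD -o" "INPUT -i" "OUTPUT -o"; do
        echo "ebtables -A $chain_iface $port -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    done
}

# Number of rules the script would install; used as a sanity check.
rule_count() {
    dhcp_filter_rules "$1" | wc -l | tr -d ' '
}

# Print or run each generated rule; stops on the first failing command.
apply_rules() {
    dhcp_filter_rules "$1" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}

apply_rules "$BRIDGE_PORT"
```

Run it once on each site's bridge host; with DRY_RUN=0 it needs root. A
DHCP server that sends through a packet socket bound directly to the
physical NIC never crosses the bridge to the VPN in the first place, so
the FORWARD and OUTPUT rules on the bridge port are what keep the two
sites' DHCP domains apart.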

