Joined: 08 May 2018 Posts: 13903 Location: Texas, USA
Posted: Thu Nov 11, 2021 16:51 Post subject:
MAC address filtering (layer 2) can be done with ebtables or iptables. It's like whack-a-mole, you're dancing around a topic trying to find a solution for something that may not have one that is clear to you. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
MAC address filtering (layer 2) can be done with ebtables or iptables. It's like whack-a-mole, you're dancing around a topic trying to find a solution for something that may not have one that is clear to you.
I think we're circling around the question "Why do you/I want to filter Layer 2 frames?" That question is as good/bad as asking why someone would want to filter Layer 3 packets or filter anything... There are countless reasons...
This question isn't specific to DD-WRT. It is a generic and objective question about Netfilter tools. Is there a Netfilter tool that can filter specific Layer 2 protocols (EtherTypes) on non-bridge interfaces? The EBTables tool only works on bridge interfaces and has no effect on frames that originate on other interfaces. Some routers force LLDP packets on the eth0-eth4 interfaces and EBTables doesn't filter them. LLDP packets provide way too much information about a router, but I am not interested in discussing why that is my concern.
The idea behind Netfilter tools is that they are generic and function (mostly) the same way on most Linux, Debian, or UNIX devices that support them. If I understand them on one device, I can understand them on another. There are new Netfilter tools that, supposedly, try to become the new standards and replace older tools (such as IPTables). Perhaps one of those tools can control non-bridge Layer 2 filtering?
If there are no such Netfilter tools, then how does one filter Layer 2 EtherType frames on non-bridge interfaces? ARP and IPv4 are just 2 of many EtherTypes...
Joined: 13 Aug 2013 Posts: 6818 Location: Romerike, Norway
Posted: Thu Nov 11, 2021 21:16 Post subject:
LAN Port to LAN Port is handled by the switch. The router does not see these packets and cannot filter them. As far as I have seen, no switch in dd-wrt supports filtering.
LAN Port to LAN Port is handled by the switch. The router does not see these packets and cannot filter them. As far as I have seen, no switch in dd-wrt supports filtering.
So is it DD-WRT firmware limitation or Netfilter limitation? Which Netfilter tools can filter switch ports?
In some routers, such as the UniFi Security Gateway, LLDP frames and other Layer 2 frames come from running services which can be disabled router-wide and, as such, remove the need to filter LLDP packets.
I assume some kind of enterprise managed switches can filter Layer 2 frames...
BTW, if there is a better place/forum to ask such questions, please let me know about it! I use this section to ask generic non-DD-WRT networking questions because I can't find a better forum for such questions...
Joined: 16 Nov 2015 Posts: 6185 Location: UK, London, just across the river..
Posted: Fri Nov 12, 2021 19:22 Post subject:
MonarchX wrote:
BTW, if there is a better place/forum to ask such questions, please let me know about it! I use this section to ask generic non-DD-WRT networking questions because I can't find a better forum for such questions...
There are certain limitations in DDWRT routers, so they are meant to do a routing job only...all the rest comes as extra/complementary stuff, to make it an all-in-one device...
If you seek more advanced functionality, then you'd need high grade enterprise hardware... a sophisticated firewall, managed switch, etc. Moreover, questions not related to DDWRT would be difficult to answer, as they cover a different subject, not in the range of DDWRT architecture...
If you ask Google you'd find more answers...or try to refer directly to the hardware manufacturers...as you need very specific hardware...
To be honest, your questions raise curiosity, mistrust and concern so far, as you are definitely trying to obscure something...what is it that you need all that for...if all that is just paranoia and a desperate will to hide...it's fine, for better output try the darknet... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 53045 WAP
TP-Link WR1043NDv2 -DD-WRT 54420 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN
TP-Link WR1043NDv2 -DD-WRT 54475 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 54475 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 54475 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 54475 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Just to summarize, what I wanted from the initial thread was to find an answer on how to isolate 2 LAN clients on the same subnet and same VLAN (or no VLAN) via EBTables, but it doesn't appear to be possible, just like it isn't possible to do so via IPTables. It is strange because both LAN clients connect to the switch0 interface, which connects to the br0 interface. LAN is br0. That means those 2 devices are bridged.
To isolate those 2 devices, the following commands should work, but they don't, even though the syntax is valid:
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.A --ip-dst X.X.X.B -j DROP
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.B --ip-dst X.X.X.A -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:AA -d XX:XX:XX:XX:XX:BB -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:BB -d XX:XX:XX:XX:XX:AA -j DROP
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Nov 26, 2021 13:10 Post subject:
MonarchX wrote:
To isolate those 2 devices, the following commands should work, but they don't, even though the syntax is valid:
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.A --ip-dst X.X.X.B -j DROP
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.B --ip-dst X.X.X.A -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:AA -d XX:XX:XX:XX:XX:BB -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:BB -d XX:XX:XX:XX:XX:AA -j DROP
The syntax does not seem correct: --ip-src/--ip-dst apparently are not supported on the DD-WRT version of ebtables.
Commands:
--append -A chain : append to chain
--delete -D chain : delete matching rule from chain
--delete -D chain rulenum : delete rule at position rulenum from chain
--change-counters -C chain
[rulenum] pcnt bcnt : change counters of existing rule
--insert -I chain rulenum : insert rule at position rulenum in chain
--list -L [chain] : list the rules in a chain or in all chains
--flush -F [chain] : delete all rules in chain or in all chains
--init-table : replace the kernel table with the initial table
--zero -Z [chain] : put counters on zero in chain or in all chains
--policy -P chain target : change policy on chain to target
--new-chain -N chain : create a user defined chain
--rename-chain -E old new : rename a chain
--delete-chain -X [chain] : delete a user defined chain
--atomic-commit : update the kernel w/t table contained in <FILE>
--atomic-init : put the initial kernel table into <FILE>
--atomic-save : put the current kernel table into <FILE>
--atomic-file file : set <FILE> to file
Options:
--proto -p [!] proto : protocol hexadecimal, by name or LENGTH
--src -s [!] address[/mask]: source mac address
--dst -d [!] address[/mask]: destination mac address
--in-if -i [!] name[+] : network input interface name
--out-if -o [!] name[+] : network output interface name
--logical-in [!] name[+] : logical bridge input interface name
--logical-out [!] name[+] : logical bridge output interface name
--set-counters -c chain
pcnt bcnt : set the counters of the to be added rule
--modprobe -M program : try to insert modules using this program
--concurrent : use a file lock to support concurrent scripts
--version -V : print package version
Environment variable:
EBTABLES_ATOMIC_FILE : if set <FILE> (see above) will equal its value
It seems the dd-wrt version is modded, so who knows. The right thing here would be to open a ticket upstream on the ebtables side with https://www.netfilter.org and see what they say.
Joined: 16 Nov 2015 Posts: 6185 Location: UK, London, just across the river..
Posted: Fri Nov 26, 2021 16:38 Post subject:
I think somewhere around here it was explained in great detail why layer 2 filtering is not going to happen...
The DDWRT SPI firewall works on WAN-to-LAN and LAN-to-WAN traffic...so connections go through the kernel networking stack/CPU and get inspected, then routed/dropped/rejected/accepted...so some filtering can be applied there...
Switch frames, on the other hand, do not go to the CPU/kernel and get no chance to be processed; they are processed by the switch CPU and there is no chance of switch-level filtering...to do so, DDWRT would need a whole new level of firewall and kernel...
That's why those commands are stripped from ebtables, as they would not be usable with the current architecture of the DDWRT firmware...
Get a smart/managed enterprise switch or high grade firewall, etc., and sort your issues...
I think somewhere around here it was explained in great detail why layer 2 filtering is not going to happen...
The DDWRT SPI firewall works on WAN-to-LAN and LAN-to-WAN traffic...so connections go through the kernel networking stack/CPU and get inspected, then routed/dropped/rejected/accepted...so some filtering can be applied there...
Switch frames, on the other hand, do not go to the CPU/kernel and get no chance to be processed; they are processed by the switch CPU and there is no chance of switch-level filtering...to do so, DDWRT would need a whole new level of firewall and kernel...
That's why those commands are stripped from ebtables, as they would not be usable with the current architecture of the DDWRT firmware...
Get a smart/managed enterprise switch or high grade firewall, etc., and sort your issues...
Some commands most definitely work. For example, if I drop Broadcast packet type or ff:ff:ff:ff:ff:ff MAC address using EBTables, then perform ARP cleaning commands, I get locked out of SSH and router GUI. That's normal behavior because ARP uses Broadcast frames.
I can also block specific local IP addresses with EBTables, but blocking MAC addresses for the same local IP addresses has no effect.
The worst part is that there are no counters to show whether packets are dropped or not for whichever rules. Blind trial-and-error is the only way to go about it. Making counters work should be the #1 priority, but I think that's a general EBTables bug, not something related to DD-WRT.
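On the counter question above: ebtables can print per-rule packet and byte counters with `ebtables -L --Lc`, and a rule whose counter never moves is the quickest evidence that the bridge is not seeing the LAN-to-LAN frames at all. The script below is an added example and not code from any post in this thread; it parses such a listing and reports which FORWARD rules have never matched a frame. The sample listing is constructed, and its exact line format (`... -j DROP , pcnt = N -- bcnt = M`) is assumed from ebtables' usual legacy output.

```shell
#!/bin/sh
# Added example, not from the thread. Parses an `ebtables -L --Lc` listing and
# reports which FORWARD rules have matched frames. The sample listing is
# constructed and its exact line format is assumed from ebtables' usual output.

# Print "<pcnt> <rule>" for every rule in the FORWARD chain of a listing read on stdin.
forward_rule_hits() {
    awk '
        /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain); next }
        chain == "FORWARD" && /pcnt = / {
            rule = $0; sub(/ , pcnt = .*/, "", rule)
            pcnt = $0; sub(/.*pcnt = /, "", pcnt); sub(/ -- bcnt.*/, "", pcnt)
            print pcnt " " rule
        }'
}

# Print only the FORWARD rules whose packet counter is still zero: rules that never
# saw a matching frame, which is what an isolation rule looks like when the switch
# forwards LAN-to-LAN traffic without the bridge (br0) ever seeing it.
idle_forward_rules() {
    forward_rule_hits | awk '$1 == 0 { $1 = ""; sub(/^ /, ""); print }'
}

# Constructed sample: two isolation rules, one that matched and one never hit.
SAMPLE_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-s 02:00:00:00:00:aa -d 02:00:00:00:00:bb -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.1.10 --ip-dst 192.168.1.11 -j DROP , pcnt = 17 -- bcnt = 1428

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# On the router you would run:  ebtables -L --Lc | idle_forward_rules
# Here the constructed sample stands in for the live listing.
printf '%s\n' "$SAMPLE_LISTING" | idle_forward_rules
```

If the MAC-based rule stays at zero while the IPv4 rule counts, the frames are reaching the bridge but only the IP match is applied, which separates "rule never sees traffic" from "rule sees traffic but does not match".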
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sun Nov 28, 2021 5:28 Post subject:
In dd-wrt, ebtables is implemented kernel-side. In any case, like I said previously, the ebtables implementation in dd-wrt is a frontend to the kernel implementation, as I found out.
So do report such issues upstream where applicable; reporting them to dd-wrt will get nowhere imo.