Bridge ARP isolation via EBTables

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Fri Oct 22, 2021 15:18    Post subject: Bridge ARP isolation via EBTables Reply with quote
If VLAN is not possible for whichever setup, then is it possible to use EBTables to isolate certain devices from each other?

At the moment anyone with access to bridge (br0) interface can see all local client ARP requests for all interfaces via "tcpdump -ni br0 arp" command. I need to make sure that any client can only see ARP frames to router and local DNS server, but local DNS server (and of course router) must see all frames.

How can I do that via EBTables?
Sponsor
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4717
Location: UK, London, just across the river..

PostPosted: Sat Oct 23, 2021 7:54    Post subject: Reply with quote
https://linux.die.net/man/8/ebtables

I dont know how efficient are ebtables for doing so, but i know they are resource eaters....you didn't stater router model/ build running and this matters...

on my routers to add ebtables i needed to run
insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype

but i tended to use those for a single thing only..

ebtables -A FORWARD -o wlan0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o wlan0 --pkttype-type multicast -j DROP

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 47528 AP,NAT
TP-Link WR1043NDv2 -DD-WRT 47720 AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 47692 AP,NAT,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,NAT,QoS,Quotas
Qualcomm Atheros/
Netgear R7800 --DD-WRT 47692 AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT,Vanilla
Netgear R9000 --DD-WRT 47692 AP,NAT,AD-Block,AP Isolation,Firewall,Local DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 47692 AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Thu Oct 28, 2021 0:05    Post subject: Reply with quote
Isn't EBTables supposed to work only for bridge interfaces? If such is the the case, then EBTables rules for my Raspberry Pi (which has only one interface) should have no effect, but they do...
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11249
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 1:40    Post subject: Reply with quote
The "ebtables issue" in DD-WRT is not an issue as far as I know of regarding the whole cpu loading because of using them. Sometimes, things do change and people need to keep up with development and use better instead of holding onto old, outdated, and useless information. For instance, because the "disable webUI access" on wireless is broken all to hell on Broadcom, I've always used ebtables to block webUI access, which is what you're *supposed* to do. Every time I have even bothered trying iptables, it balked and did not work, whatsoever - and this is something I constantly test as I am constantly setting up devices so that there is *not* webUI access from wifi.

Anyhow, to answer your question, yes ebtables *is* usually only for bridged interfaces. Are you sure there aren't any interfaces bridged together on your rPi?

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Thu Oct 28, 2021 9:53    Post subject: Reply with quote
My RP has only 1 loopback interface and 1 Ethernet interface. It does not have any bridge (br0) interfaces. It connects to one of my router's Ethernet ports and shows up in my router's ARP table as a device connected to my router's bridge (br0) interface. My RP is my LAN DNS server. Should EBTables crated on RP itself have an effect on it?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11249
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 15:38    Post subject: Reply with quote
I could be wrong here, but it sounds like what you're wanting to do may kill your DNS resolution and break internet connectivity. DNS doesn't use ARP. Not sure exactly what you're looking to employ as far as protecting the RPi or what.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8810

PostPosted: Thu Oct 28, 2021 16:57    Post subject: Re: Bridge ARP isolation via EBTables Reply with quote
MonarchX wrote:
If VLAN is not possible for whichever setup, then is it possible to use EBTables to isolate certain devices from each other?

At the moment anyone with access to bridge (br0) interface can see all local client ARP requests for all interfaces via "tcpdump -ni br0 arp" command. I need to make sure that any client can only see ARP frames to router and local DNS server, but local DNS server (and of course router) must see all frames.

How can I do that via EBTables?


Not sure how DNS fits into all this, but regarding ARP, this makes no sense. ARP is done using a broadcast, since the device making the ARP request doesn't know the MAC address of the device w/ the IP in question. IOW, by it's very nature, ARP is a public process. You can no more deny access to ARP than DHCP, or any other broadcasts.

Or else I'm just not getting what's at issue here.

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-kill-switch.sh * ddwrt-ovpn-watchdog.sh (updated) * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Thu Oct 28, 2021 17:10    Post subject: Reply with quote
I don't use DHCP for LAN and assign static IP to each LAN device. I also assign and apply static ARP on-boot for each LAN devices in router and in LAN DNS server. My EBTables rules do not allow for ARP broadcast (ff:ff:ff:ff:ff:ff). It works out, but I can lock myself out if I use
Code:
sudo arp -d <MyLocalIP>


At the moment anyone who can access br0 interface can see ARP requests for all devices on LAN. What I want is to isolate devices on my network to make sure they can only contact LAN DNS server and not see each other (aside from LAN DNS server) on br0 interface. That is what VLAN is supposed to do, but I can't create one in this case.

I think port isolation can partially do the trick, but I don't know the commands for it...
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11249
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 17:46    Post subject: Reply with quote
Are you allowing public access to your wi-fi? I'm failing to see the paranoia requirement here. (And some folks have alluded to me being paranoid!). Sounds like you're over-engineering things to me. Just my $0.02.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4717
Location: UK, London, just across the river..

PostPosted: Thu Oct 28, 2021 18:29    Post subject: Reply with quote
yep as KP-69 noted above, using ebtables is more likely to overcomplicate your set up, as well if you don't go in promiscuous/sniffing mode on WAN side nothing to bother about ISP ARP ff:ff:ff:ff:ff:ff broadcast/reply's ... Razz indeed...
If your WAN is not responding to pings that's all you need and the best you can do in terms of security (its not the best thing and has its own caveats too)
ff:ff:ff:ff:ff:ff frames that come from your ISP are unevadable and in some cases necessary..they do those for a reason...

Speaking of ebtables, those are very CPU intensive and isolating ports/VLAN's could be your best approach...I can send you a simple how to step by step guide for Broadcom using GUI, but im not sure how it will work on nowadays builds...in my case its is working, but i haven't done reset for ages..
Anyway you can try it and if its not working you can always reset...and start all over...on the new Broadcom builds VLAN's via CLI are using swconfig command same like in Atheros...i can send you a guide for it too..if so... or look here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1122223
although its quite a messy thread the wisdom about swconfig isolated ports/Vlans is there...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 47528 AP,NAT
TP-Link WR1043NDv2 -DD-WRT 47720 AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 47692 AP,NAT,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,NAT,QoS,Quotas
Qualcomm Atheros/
Netgear R7800 --DD-WRT 47692 AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT,Vanilla
Netgear R9000 --DD-WRT 47692 AP,NAT,AD-Block,AP Isolation,Firewall,Local DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 47692 AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Fri Oct 29, 2021 17:44; edited 2 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 11249
Location: Texas, USA

PostPosted: Thu Oct 28, 2021 19:21    Post subject: Reply with quote
The only known issue with ebtables giving an abnormal cpu load, if it still exists, relates to openvpn, not to general use. I am going to make a list of all the tickets and forward them to @egc to review for applicability since they're all years old.

EDIT: It's probably fixed per this ticket (which needs review and closure).

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Fri Oct 29, 2021 15:43    Post subject: Reply with quote
I spent half a day figuring out why EBTables were killing off my WiFi - 0x888E (EAP over LAN) had to be accepted for WiFi to work.
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 118

PostPosted: Sun Nov 21, 2021 21:26    Post subject: Reply with quote
I don't want to make yet another EBTables thread, but I'd like to know how to view EBTables counters. Command from EBTables manpages doesn't work. In fact, several guides state that EBTables is bugged in regards to viewing counters.
testimap
DD-WRT Novice


Joined: 01 Aug 2021
Posts: 8

PostPosted: Thu Nov 25, 2021 8:00    Post subject: Reply with quote
You have several options to resolve the L2 issues. Not DD-WRT issue, more like user error.

A. Use a supernet (bridged VLANs reqd): Assign subnets as a subset of a larger subnet. They can then occupy the same logical address space, or an overlappng address space, as long as the netmask is unique.

B. Use static DHCP leases instead of VLANs to assign the required subnets to specific individual clients.

C. Use 802.1q to tag a VLAN instead? Other NIC must support 802.1q tags.

ie: Router supernet x.x.x.1/24; subnets x.x.x.x/28 incrementally in DNSmasq using bridged VLANs.

Note: This will break network broadcasts between clients in different subnets, and connectivity, since they are on different logical segments. Since broadcast traffic is never relayed to clients in another VLAN, they will not be able to discover their L2 addresses. This should ease routing requirements, but routed VLANs would still be the correct method, to physically segment the network.

Caveat: If you attempt to connect to a host on the supernet subnet which doesn't exist, or which the switch (br0) doesn't have the MAC address for, it's possible to expose your L2 address, since the switch (br0) will flood it on all ports. There may be several other edge scenarios.

Actually, a supernet isn't even required, just several bridged and/or tagged VLANs.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum