What Layer 2 NetFilter/Filter tools exist for Non-Bridges?

DD-WRT Forum Forum Index -> Advanced Networking
Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Thu Nov 11, 2021 12:00    Post subject: What Layer 2 NetFilter/Filter tools exist for Non-Bridges?
IPTables = Layer 3 filtering
ARPTables = ARP filtering
EBTables = Layer 2 filtering (including ARP), but only for Bridge interfaces

What NetFilter tools exist for Layer 2 filtering on Non-Bridge interfaces?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5009
Location: UK, London, just across the river..

PostPosted: Thu Nov 11, 2021 14:48    Post subject: Re: What Layer 2 NetFilter/Filter tools exist for Non-Bridge
MonarchX wrote:
IPTables = Layer 3 filtering
ARPTables = ARP filtering
EBTables = Layer 2 filtering (including ARP), but only for Bridge interfaces

What NetFilter tools exist for Layer 2 filtering on Non-Bridge interfaces?



good to add what you need that for...??

you cannot do LAN to LAN filtering with DDWRT...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 48646 WAP
TP-Link WR1043NDv2 -DD-WRT 48865 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 48886 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 48886 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 48886 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 48886 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Thu Nov 11, 2021 16:55; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

PostPosted: Thu Nov 11, 2021 16:51
MAC address filtering (layer 2) can be done with ebtables or iptables. It's like whack-a-mole, you're dancing around a topic trying to find a solution for something that may not have one that is clear to you.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware‽
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is‽
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Thu Nov 11, 2021 20:51
kernel-panic69 wrote:
MAC address filtering (layer 2) can be done with ebtables or iptables. It's like whack-a-mole, you're dancing around a topic trying to find a solution for something that may not have one that is clear to you.


I think we're circling around the question "Why do you/I want to filter Layer 2 frames?" That question is as good/bad as asking why someone would want to filter Layer 3 packets or filter anything... There are countless reasons...

This question isn't specific to DD-WRT. It is a generic and objective question about Netfilter tools. Is there a Netfilter tool that can filter specific Layer 2 protocols (EtherTypes) on non-bridge interfaces? The EBTables tool only works on bridge interfaces and has no effect on frames that originate on other interfaces. Some routers force LLDP packets on the eth0-eth4 interfaces and EBTables doesn't filter them. LLDP packets provide way too much information about a router, but I am not interested in discussing why that is my concern.

The idea behind Netfilter tools is that they are generic and function (mostly) the same way on most Linux, Debian, or UNIX devices that support it. If I understand them on one device, I can understand them on another. There are new Netfilter tools that, supposedly, try to become the new standards and replace older tools (such as IPTables). Perhaps one of such tools can control non-bridge Layer 2 filtering?

If there are no such Netfilter tools, then how does one filter Layer 2 EtherType frames on non-bridge interfaces? ARP and IPv4 are just 2 of many EtherTypes...
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6399
Location: Romerike, Norway

PostPosted: Thu Nov 11, 2021 21:16
LAN Port to LAN Port is handled by the switch. The router does not see these packets and cannot filter them. As far as I have seen, no switch in dd-wrt supports filtering.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

PostPosted: Thu Nov 11, 2021 22:47
Whack-a-mole. How many ways to ask the same question or find the same solution.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330647

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330561

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330535

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330519

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330518

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330336

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri Nov 12, 2021 10:28
Per Yngve Berg wrote:
LAN Port to LAN Port is handled by the switch. The router does not see these packets and cannot filter them. As far as I have seen, no switch in dd-wrt supports filtering.


So is it DD-WRT firmware limitation or Netfilter limitation? Which Netfilter tools can filter switch ports?

In some routers, such as the UniFi Security Gateway, LLDP frames and other Layer 2 frames come from running services which can be disabled router-wide and, as such, remove the need to filter LLDP packets.

I assume some kind of enterprise managed switches can filter Layer 2 frames...

BTW, if there is a better place/forum to ask such questions, please let me know about it! I use this section to ask generic non-DD-WRT networking questions because I can't find a better forum for such questions...
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5009
Location: UK, London, just across the river..

PostPosted: Fri Nov 12, 2021 19:22
MonarchX wrote:
BTW, if there is a better place/forum to ask such questions, please let me know about it! I use this section to ask generic non-DD-WRT networking questions because I can't find a better forum for such questions...


There are certain limitations in DDWRT routers, so they are meant to do a routing job only..all the rest comes as extra/complementary stuff, to make it an all-in-one device...

If you seek more advanced functionality, then you'd need high-grade enterprise hardware... sophisticated firewall, managed switch, etc.; moreover, questions not related to DDWRT would be difficult to answer, as they cover a different subject, not in the range of the DDWRT architecture...
If you ask Google you'd find more answers...or try to refer directly to the hardware manufacturers...as you need very specific hardware...

To be honest, your questions raise curiosity, mistrust and concern so far, as you are definitely trying to obscure something…what is it that you need all that for...if all that is just paranoia and a desperate will to hide...it's fine, for better output try the darknet...

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri Nov 26, 2021 11:12
Just to summarize, what I wanted from the initial thread was to find an answer on how to isolate 2 LAN clients on the same subnet and same VLAN (or no VLAN) via EBTables, but it doesn't appear to be possible, just like it isn't possible to do so via IPTables. It is strange because both LAN clients connect to the switch0 interface, which connects to the br0 interface. LAN is br0. That means those 2 devices are bridged.

To isolate those 2 devices, the following commands should work, but they don't, even though the syntax is valid:
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.A --ip-dst X.X.X.B -j DROP
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.B --ip-dst X.X.X.A -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:AA -d XX:XX:XX:XX:XX:BB -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:BB -d XX:XX:XX:XX:XX:AA -j DROP
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 775
Location: All over YOUR webs

PostPosted: Fri Nov 26, 2021 13:10
MonarchX wrote:
To isolate those 2 devices, the following commands should work, but they don't, even though the syntax is valid:
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.A --ip-dst X.X.X.B -j DROP
ebtables -I FORWARD -p 0x0800 --ip-src X.X.X.B --ip-dst X.X.X.A -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:AA -d XX:XX:XX:XX:XX:BB -j DROP
ebtables -I FORWARD -s XX:XX:XX:XX:XX:BB -d XX:XX:XX:XX:XX:AA -j DROP

The syntax does not seem correct; --ip-src / --ip-dst is apparently not supported on the DD-WRT version of ebtables.

Code:
~# ebtables
ebtables v2.0.10-4 (December 2011)
Usage:
ebtables -[ADI] chain rule-specification [options]
ebtables -P chain target
ebtables -[LFZ] [chain]
ebtables -[NX] [chain]
ebtables -E old-chain-name new-chain-name

Commands:
--append -A chain             : append to chain
--delete -D chain             : delete matching rule from chain
--delete -D chain rulenum     : delete rule at position rulenum from chain
--change-counters -C chain
          [rulenum] pcnt bcnt : change counters of existing rule
--insert -I chain rulenum     : insert rule at position rulenum in chain
--list   -L [chain]           : list the rules in a chain or in all chains
--flush  -F [chain]           : delete all rules in chain or in all chains
--init-table                  : replace the kernel table with the initial table
--zero   -Z [chain]           : put counters on zero in chain or in all chains
--policy -P chain target      : change policy on chain to target
--new-chain -N chain          : create a user defined chain
--rename-chain -E old new     : rename a chain
--delete-chain -X [chain]     : delete a user defined chain
--atomic-commit               : update the kernel w/t table contained in <FILE>
--atomic-init                 : put the initial kernel table into <FILE>
--atomic-save                 : put the current kernel table into <FILE>
--atomic-file file            : set <FILE> to file

Options:
--proto  -p [!] proto         : protocol hexadecimal, by name or LENGTH
--src    -s [!] address[/mask]: source mac address
--dst    -d [!] address[/mask]: destination mac address
--in-if  -i [!] name[+]       : network input interface name
--out-if -o [!] name[+]       : network output interface name
--logical-in  [!] name[+]     : logical bridge input interface name
--logical-out [!] name[+]     : logical bridge output interface name
--set-counters -c chain
          pcnt bcnt           : set the counters of the to be added rule
--modprobe -M program         : try to insert modules using this program
--concurrent                  : use a file lock to support concurrent scripts
--version -V                  : print package version

Environment variable:
EBTABLES_ATOMIC_FILE          : if set <FILE> (see above) will equal its value


Further info related to your original post maybe see https://www.netfilter.org/downloads.html

EDIT: so looking around https://github.com/mirror/dd-wrt/tree/master/src/router/ebtables the ebtables.8 shows your commands to be valid, yet idk what is going on with that source that makes it different from the current source available on http://git.netfilter.org/ebtables/tree/

Seems dd-wrt version is modded so who knows. The right thing here would be to open a ticket upstream ebtables side with https://www.netfilter.org and see what they say.

No idea whats going on there.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5009
Location: UK, London, just across the river..

PostPosted: Fri Nov 26, 2021 16:38
I think somewhere around here it was explained in much detail what the reason is why layer 2 filtering is not going to happen...
The DDWRT SPI firewall works on WAN to LAN and LAN to WAN traffic...so, connections go through the kernel networking stack/CPU and get inspected, then routed/dropped/rejected/accepted...so, some filtering can be applied there...
While, regarding switch frames, they do not go to the CPU/kernel and do not get any option to be processed; they are processed by the switch CPU and do not have a chance of switch-level filtering...in order to do so, DDWRT would need a whole new level of firewall and kernel...

That's why those commands are stripped from ebtables, as they will not be usable...with the current architecture of the DDWRT firmware...

Get a smart/managed enterprise switch or a high-grade firewall, etc., and sort your issues... Cool

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 775
Location: All over YOUR webs

PostPosted: Fri Nov 26, 2021 17:10
SO, OK, the ebtables command is just a front end to the kernel modules.
The iptables/ebtables syntax is the same.

The help text printed/pasted is an issue upstream also.

I agree a managed switch would likely be a good alternative though (it is what I use for more specific usage scenarios on my net).

Take care.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6399
Location: Romerike, Norway

PostPosted: Fri Nov 26, 2021 17:56
To make this work, you have to split out the ports into separate VLANs so the packets are sent through to the CPU to cross VLANs.
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri Nov 26, 2021 18:58
Alozaros wrote:
I think somewhere around here it was explained in much detail what the reason is why layer 2 filtering is not going to happen...
The DDWRT SPI firewall works on WAN to LAN and LAN to WAN traffic...so, connections go through the kernel networking stack/CPU and get inspected, then routed/dropped/rejected/accepted...so, some filtering can be applied there...
While, regarding switch frames, they do not go to the CPU/kernel and do not get any option to be processed; they are processed by the switch CPU and do not have a chance of switch-level filtering...in order to do so, DDWRT would need a whole new level of firewall and kernel...

That's why those commands are stripped from ebtables, as they will not be usable...with the current architecture of the DDWRT firmware...

Get a smart/managed enterprise switch or a high-grade firewall, etc., and sort your issues... Cool


Some commands most definitely work. For example, if I drop the Broadcast packet type or the ff:ff:ff:ff:ff:ff MAC address using EBTables, then perform ARP cleaning commands, I get locked out of SSH and the router GUI. That's normal behavior because ARP uses Broadcast frames.

I can also block specific local IP addresses with EBTables, but blocking MAC addresses for the same local IP addresses has no effect.

The worst part is that there are no counters to show whether packets are dropped or not for whichever rules. Blind trial-and-error is the only way to go about it. Making counters work should be the #1 priority, but I think that's a general EBTables bug, not something related to DD-WRT.
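As an added example that is not part of this thread and not DD-WRT's own code: the two-host isolation rule set from MonarchX's summary post, written as a shell script for a stock Linux bridge, together with the counter check that the post above asks for. Everything in it is assumed: the bridge name br0, the two hosts' IP and MAC addresses, and the "ebtables -L FORWARD --Lc" output, which is a constructed sample rather than captured from a router. The rules are scoped to the bridge with --logical-in and use -p IPv4 for the ip match (EtherType 0x0800, the same as -p 0x0800 in the original commands). The awk filter reports FORWARD rules whose packet counter is still zero, which is how to tell a rule that never sees the traffic (frames switched in hardware, as the thread explains) from one that is actually dropping it. With EBTABLES_DRY_RUN=1 the script only prints the commands, so it runs without ebtables installed.

```shell
#!/bin/sh
# Added example (not from the thread, not DD-WRT code): isolate two hosts that
# share a Linux bridge with ebtables, then verify the rules via per-rule
# counters (ebtables -L FORWARD --Lc).  All names and addresses below are
# hypothetical; adjust them for a real bridge.

BRIDGE="br0"
HOST_A_IP="192.168.1.10"; HOST_A_MAC="00:11:22:33:44:aa"
HOST_B_IP="192.168.1.20"; HOST_B_MAC="00:11:22:33:44:bb"

# Run an ebtables command, or just print it when EBTABLES_DRY_RUN=1.
run() {
    if [ "${EBTABLES_DRY_RUN:-0}" = "1" ]; then
        echo "ebtables $*"
    else
        ebtables "$@"
    fi
}

# Drop frames between the two hosts in both directions.  Only frames that
# traverse the bridge's FORWARD chain are affected; ports switched in
# hardware (same VLAN on the switch chip) never reach the kernel.
apply_isolation() {
    # MAC-level rules, scoped to this bridge so other bridges are untouched
    run -I FORWARD --logical-in "$BRIDGE" -s "$HOST_A_MAC" -d "$HOST_B_MAC" -j DROP
    run -I FORWARD --logical-in "$BRIDGE" -s "$HOST_B_MAC" -d "$HOST_A_MAC" -j DROP
    # IPv4-level rules; the ip match requires -p IPv4 (EtherType 0x0800)
    run -I FORWARD --logical-in "$BRIDGE" -p IPv4 --ip-src "$HOST_A_IP" --ip-dst "$HOST_B_IP" -j DROP
    run -I FORWARD --logical-in "$BRIDGE" -p IPv4 --ip-src "$HOST_B_IP" --ip-dst "$HOST_A_IP" -j DROP
}

# Read "ebtables -L FORWARD --Lc" output on stdin and print every rule whose
# packet counter is still zero, i.e. a rule that has never matched.
zero_hit_rules() {
    awk '/ pcnt = / {
        n = split($0, parts, " , pcnt = ")   # parts[1] = rule, parts[2] = "N -- bcnt = M"
        if (n == 2) {
            split(parts[2], cnt, " ")
            if (cnt[1] == "0") print parts[1]
        }
    }'
}

# Constructed sample of "ebtables -L FORWARD --Lc" output (not captured from
# any router): the IP rules B->A and the MAC rule B->A never matched.
SAMPLE_COUNTERS='Bridge table: filter

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 --ip-src 192.168.1.20 --ip-dst 192.168.1.10 -j DROP , pcnt = 0 -- bcnt = 0
-p IPv4 --ip-src 192.168.1.10 --ip-dst 192.168.1.20 -j DROP , pcnt = 7 -- bcnt = 602
-s 00:11:22:33:44:bb -d 00:11:22:33:44:aa -j DROP , pcnt = 0 -- bcnt = 0
-s 00:11:22:33:44:aa -d 00:11:22:33:44:bb -j DROP , pcnt = 12 -- bcnt = 1440'

demo() {
    EBTABLES_DRY_RUN=1
    echo "# commands that apply_isolation would run:"
    apply_isolation
    echo "# FORWARD rules with zero hits in the constructed counter sample:"
    printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_rules
}

demo
```

On a real bridge, drop the dry-run variable so apply_isolation calls ebtables, generate some traffic between the two hosts, and pipe "ebtables -L FORWARD --Lc" into zero_hit_rules: a rule that still shows pcnt = 0 afterwards is not seeing the frames at all, which is the hardware-switched case the thread describes, not a rule that silently fails to drop.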
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 775
Location: All over YOUR webs

PostPosted: Sun Nov 28, 2021 5:28
In dd-wrt ebtables is implemented kernel side in any case; like I said previously, the ebtables implementation in dd-wrt is a frontend to the kernel implementation, as I found out.

So do report such issues upstream where applicable; reporting it to dd-wrt will get nowhere imo.

Take care.

All times are GMT