I have the following setup on every router with OpenWRT:

 - A bridge br-mesh over the interfaces bat0, eth0.4 and ath0. bat0 is the virtual mesh interface which connects every router with the others using the routing daemon/protocol batman-adv, which means that virtually every router's bat0 is directly connected to the others. eth0.4 is a VLAN over two LAN ports on every router, ath0 is a WLAN interface in AP mode.
 - Every router is running radvd and a DHCPv4 daemon.

My goal now is to have local IPv4 addresses on every router, therefore I want to block all ARP packets and DHCPv4 traffic over the bat0 interface. As every router is announcing the same IPv6 unique local prefix, I also want to get rid of the radvd announcements over bat0 to save the traffic created by multicasts/broadcasts. The announcing of "evil" IPv6 default gateways shall also be reduced this way. So finally I would also like to block DHCPv6 servers over bat0.

So far I've found the following rules for ebtables to block DHCPv4 + ARP (it would be nice if someone could confirm that they would work the way I want).
----------------
# Block DHCPv4 over the mesh network
# (DHCPv4 clients send from UDP port 68 to port 67; servers answer from 67 to 68)
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP

# Block ARP over the mesh network
ebtables -A INPUT --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol ARP -j DROP
----------------

So now I'm having more trouble finding the right rules to block DHCPv6 and radvd over bat0. Thanks for the help in advance.

PS: I'm aware of the fact that people can make manual ARP entries and that IPv4 traffic is (therefore) not blocked entirely. But this is not a problem, in fact it's intended like this.
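The IPv6 counterpart of the posted rule set, as an added example that is not part of the original post. It filters DHCPv6 (UDP 546/547, RFC 3315) and Router Advertisements/Solicitations (ICMPv6 types 134/133, RFC 4861) on the bat0 bridge port in the same INPUT/FORWARD pattern the poster used, and additionally covers the ebtables OUTPUT chain, which the posted DHCPv4 rules leave open: this router's own DHCPOFFER/DHCPACK broadcasts (UDP source port 67) and its own radvd advertisements are otherwise still flooded out over bat0. Assumptions: an ebtables with the ip6 match extension (`--ip6-protocol`, `--ip6-source-port`, `--ip6-destination-port`, `--ip6-icmp-type`, available from ebtables 2.0.10), the interface names from the post, and that ebtables rather than ip6tables is the right layer because the frames are bridged, not routed. The `rule`, `block_*` and `apply_mesh_ipv6_filters` names and the `EBT`/`MESH_IF`/`LOCAL_IFS` variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: ebtables rules that extend the
# poster's DHCPv4/ARP set to the IPv6 side of the bat0 mesh port.
# Assumes ebtables >= 2.0.10 (ip6 match extension). Interface names are the
# ones from the post; EBT=echo prints the commands instead of applying them.

EBT="${EBT:-ebtables}"
MESH_IF="${MESH_IF:-bat0}"
LOCAL_IFS="${LOCAL_IFS:-ath0 eth0.4}"

ICMPV6_PROTO=58   # IP protocol number of ICMPv6 (numeric, no /etc/protocols lookup)
ICMPV6_RS=133     # Router Solicitation (RFC 4861)
ICMPV6_RA=134     # Router Advertisement (RFC 4861)

rule() { "$EBT" "$@"; }

# DHCPv6 (RFC 3315): clients send from UDP 546 to 547 (multicast ff02::1:2),
# servers and relays answer from 547. Keep every DHCPv6 message off the mesh.
block_dhcpv6() {
    for port in 546 547; do
        # Nothing DHCPv6-related arriving from the mesh reaches this router ...
        rule -A INPUT   --in-interface "$MESH_IF" --protocol IPv6 --ip6-protocol udp --ip6-destination-port "$port" -j DROP
        # ... or gets bridged on to the local ports.
        rule -A FORWARD --in-interface "$MESH_IF" --protocol IPv6 --ip6-protocol udp --ip6-destination-port "$port" -j DROP
    done
    # Local clients' Solicit/Request/Renew must not be flooded towards the mesh.
    for lif in $LOCAL_IFS; do
        rule -A FORWARD --in-interface "$lif" --out-interface "$MESH_IF" --protocol IPv6 --ip6-protocol udp --ip6-destination-port 547 -j DROP
    done
    # This router's own DHCPv6 server answers stay off the mesh, too.
    rule -A OUTPUT --out-interface "$MESH_IF" --protocol IPv6 --ip6-protocol udp --ip6-source-port 547 -j DROP
}

# Router Advertisements carry the prefix and the default gateway. Each router
# keeps its own radvd local and ignores (and does not relay) the others'.
block_ra() {
    # RAs from the mesh: neither accepted by this router nor bridged on.
    rule -A INPUT   --in-interface "$MESH_IF" --protocol IPv6 --ip6-protocol "$ICMPV6_PROTO" --ip6-icmp-type "$ICMPV6_RA" -j DROP
    rule -A FORWARD --in-interface "$MESH_IF" --protocol IPv6 --ip6-protocol "$ICMPV6_PROTO" --ip6-icmp-type "$ICMPV6_RA" -j DROP
    # Solicitations from the mesh: dropped so the local radvd never answers them.
    rule -A INPUT   --in-interface "$MESH_IF" --protocol IPv6 --ip6-protocol "$ICMPV6_PROTO" --ip6-icmp-type "$ICMPV6_RS" -j DROP
    # This router's own RAs must not leave over bat0 ...
    rule -A OUTPUT  --out-interface "$MESH_IF" --protocol IPv6 --ip6-protocol "$ICMPV6_PROTO" --ip6-icmp-type "$ICMPV6_RA" -j DROP
    # ... and local hosts' solicitations are not flooded to the other routers.
    for lif in $LOCAL_IFS; do
        rule -A FORWARD --in-interface "$lif" --out-interface "$MESH_IF" --protocol IPv6 --ip6-protocol "$ICMPV6_PROTO" --ip6-icmp-type "$ICMPV6_RS" -j DROP
    done
}

# The posted DHCPv4 set has no OUTPUT rule, so this router's own broadcast
# DHCPOFFER/DHCPACK replies (UDP source port 67) still get flooded to bat0.
block_local_dhcpv4_replies() {
    rule -A OUTPUT --out-interface "$MESH_IF" --protocol IPv4 --ip-protocol udp --ip-source-port 67 -j DROP
}

apply_mesh_ipv6_filters() {
    block_dhcpv6
    block_ra
    block_local_dhcpv4_replies
}

# Apply only when explicitly asked (needs root); otherwise the file can be
# sourced for a dry run, e.g.:  EBT=echo sh mesh-ipv6-filters.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_mesh_ipv6_filters
fi
```

Run it once as root after the bridge is up (`sh mesh-ipv6-filters.sh --apply`), or with `EBT=echo` first to see the fourteen rules it would add. Neighbour Discovery proper (NS/NA, types 135/136), DAD and MLD are left untouched, so hosts on different routers can still talk IPv6 over the mesh; only the address-assignment and gateway-announcement traffic is kept local, which is what the post asks for.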