Hello tinc folks,

I'm new at Tinc networking, so if you only show me a link to a solution of my problem, I'll be very happy.

My problem is, I use a Tinc bridged network with 5 Fritz!Box routers to connect my whole family together. But I can't use a DHCP service in the Tinc VPN, because if someone uses a DHCP request at a far away location, he probably gets my gateway for internet traffic, although he has his own local DHCP service in his own router. I know that a bridged network is not separated, but I only want to block the DHCP ports 67/68.

My question is: How can I block DHCP traffic in the Tinc service? I tried to use IPTables in the Fritz!Boxes, but it won't work, because of the bridge service which connects the local LAN ports with the Tinc virtual port.

Thanks,
Dennis

On Fri, Apr 06, 2012 at 10:33:57AM +0200, Dennis Wichmann wrote:

> My problem is, I use a Tinc bridged network with 5 Fritz!Box
> routers to connect my whole family together. But I can't use a DHCP
> service in the Tinc VPN, because if someone uses a DHCP request at a
> far away location, he probably gets my gateway for internet
> traffic, although he has his own local DHCP service in his own
> router. I know that a bridged network is not separated, but I only
> want to block the DHCP ports 67/68.

For this you need to use ebtables to block DHCP traffic crossing the bridge. You can find an example here:

http://serverfault.com/questions/284290/two-dhcp-servers-block-clients-for-one-of-them/284401#284401

This does require that ebtables support is compiled into your Fritz!Box's kernel though.

Another option might be to use proxy-ARP instead of a bridge to connect the VPN to your LANs. This will prevent broadcast traffic, including DHCP discovery packets, from crossing the VPN. Have a look at this example:

http://tinc-vpn.org/examples/proxy-arp/

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
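
The ebtables approach from the reply above, as an added example that is not part of the original thread or of the linked pages: a POSIX shell script that builds rules dropping DHCP (UDP ports 67/68) only on the tinc bridge port, so each site's own DHCP server keeps serving its LAN. The interface name `vpn` and the function names are assumptions; use the name of the tinc tap device that is actually a port of your bridge.

```shell
#!/bin/sh
# Added example (not from the thread): drop DHCP on the tinc bridge port only.
# Assumptions: the tinc tap device is named "vpn" unless given as an argument;
# ebtables is available (it needs the kernel support mentioned in the reply).

# Print one ebtables command per line. Changes nothing on the system.
dhcp_block_rules() {
    vpn_if=$1
    # Reject empty names and anything outside the usual interface-name
    # characters, so the generated lines can be piped to a shell safely.
    case $vpn_if in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid interface name: '$vpn_if'" >&2
            return 1 ;;
    esac
    if [ "${#vpn_if}" -gt 15 ]; then
        echo "interface name too long: '$vpn_if'" >&2
        return 1
    fi
    # FORWARD covers frames bridged between the LAN ports and the VPN port.
    # INPUT/OUTPUT cover the router's own DHCP server and client.
    # Client->server uses destination port 67 and server->client uses 68,
    # so one destination-port range matches both directions.
    for spec in "INPUT -i" "FORWARD -i" "FORWARD -o" "OUTPUT -o"; do
        echo "ebtables -A $spec $vpn_if -p IPv4 --ip-protocol udp" \
             "--ip-destination-port 67:68 -j DROP"
    done
}

# Install the rules (requires root). Stops at the first failing command.
apply_dhcp_block() {
    rules=$(dhcp_block_rules "$1") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Usage: script --print [IFACE]   show the rules
#        script --apply [IFACE]   install them
case "${1:-}" in
    --print) dhcp_block_rules "${2:-vpn}" ;;
    --apply) apply_dhcp_block "${2:-vpn}" ;;
esac
```

Run it with `--print` first and compare the output with `ebtables -L` after `--apply`; the rules are not persistent across reboots unless the router's startup script re-applies them.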