make_a_dd-wrt_bridge_silently_eat_dhcp_traffic


We have a pair of WRT54GLs running DD-WRT as a WDS bridge. It works great, except that we each have our own cable modem and router, and each router runs a DHCP server. Because the two LANs are bridged, the two DHCP servers compete on the same broadcast domain, so sometimes a machine picks the other router as its gateway. Its Internet traffic then gets crammed through our tenuous wireless bridge, making much sadness.

The correct solution is to have separate subnets with routing and blah blah blah.

Screw that. The quick and dirty solution is to just ban DHCP traffic from crossing the bridge. DHCP servers listen on UDP port 67 and clients on UDP port 68, so dropping anything to or from either port kills the whole exchange. After some trial and error, these are the iptables rules that do it:

iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP

Note that the rules carry no interface match, so they drop DHCP on every interface of the router, not just the WDS link; that is fine for a box whose only job is to be a bridge. The only question then is how to make these rules get applied automatically at bootup. DD-WRT's answer is the 'rc_firewall' nvram variable: whatever it contains is run as a shell script whenever the firewall starts. At the router's command prompt:

nvram set rc_firewall="iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP
iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP"
nvram commit
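Putting the two steps together, here is an added example (my own script, not code from the original page) for a busybox sh on the router: it generates the four rules, optionally restricted to one interface, stores them in rc_firewall, and sums the DROP counters from the mangle table listing so you can confirm the bridge is eating DHCP. The interface name br0 is an assumption, not something the page specifies; the sample listing embedded in the script is copied from the output shown further down this page so that the counter check can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original page. Generates the DHCP-dropping
# rules for a DD-WRT bridge, stores them in rc_firewall, and checks the
# counters. Assumptions: busybox sh on the router; an optional interface
# name such as br0 (assumed, not from the page) to limit the rules to the bridge.

# Print the four rules. Servers use UDP 67, clients UDP 68, so dropping
# anything to or from either port catches the whole DHCP exchange.
# Each rule is inserted at position 1 of mangle PREROUTING, as on the page,
# so the last rule printed ends up first in the chain.
dhcp_drop_rules() {
    iface_opt=""
    if [ -n "${1:-}" ]; then
        iface_opt="-i $1 "
    fi
    for port in 67 68; do
        for dir in sport dport; do
            printf 'iptables -t mangle -I PREROUTING 1 %s-p udp --%s %s -j DROP\n' \
                "$iface_opt" "$dir" "$port"
        done
    done
}

# Save the rules in nvram; DD-WRT runs the contents of rc_firewall as a
# shell script every time the firewall starts. Must be run on the router.
install_rc_firewall() {
    rules=$(dhcp_drop_rules "${1:-}")
    nvram set rc_firewall="$rules" && nvram commit
}

# Read `iptables -t mangle -vnxL PREROUTING` on stdin and sum the packet
# counters of DROP rules that match the DHCP ports (-x gives exact counts;
# without -n the ports are shown by name, which is also accepted here).
dhcp_dropped_packets() {
    awk '$3 == "DROP" && $4 == "udp" && /(sp|dp)t:(67|68|bootps|bootpc)($| )/ { sum += $1 }
         END { print sum + 0 }'
}

# Listing copied from the output on this page, used as offline sample input.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 262 packets, 50464 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootpc
   37 14776 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootps'

# Count the dropped packets in the sample listing (37).
sample_dropped_packets() {
    printf '%s\n' "$SAMPLE_LISTING" | dhcp_dropped_packets
}

# Usage on the router:  sh dhcp-drop.sh install [iface]   or   sh dhcp-drop.sh check
case "${1:-}" in
    install) install_rc_firewall "${2:-}" ;;
    check)   iptables -t mangle -vnxL PREROUTING | dhcp_dropped_packets ;;
esac
```

Run `sh dhcp-drop.sh install br0` once on each WRT54GL to restrict the drops to the bridge interface (or omit the interface to get exactly the page's rules), then `sh dhcp-drop.sh check` after a reboot; a non-zero count means DHCP is being eaten, and a count that stays at zero while the other router's leases keep showing up on your side means bridged traffic is not passing through iptables at all.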

Reboot, and presto, the bridge is eating all DHCP traffic. Because each rule was inserted at position 1, the last one entered is listed first:

# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 262 packets, 50464 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootpc
   37 14776 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootps  <=== Counter shows 37 DHCP packets have been eaten!
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootps
make_a_dd-wrt_bridge_silently_eat_dhcp_traffic.1207099707.txt.gz · Last modified: 2008/04/01 18:28 by tkbletsc
