One Bad Pixel
One bad pixel can't be wrong!

DD-WRT: Blocking DHCP over OpenVPN Bridge

So, by default, iptables on dd-wrt is unable to look at the traffic from a bridged interface, since it operates at OSI Layer 2. Adding ebtables allows for this.

This took quite some time to figure out, as the documentation out and about on the Interwebs had some unclear pieces that appeared to apply specifically to much older versions of DD-WRT. The following was tested and working on build v24sp2 Build 16994.

#---startup script
#add ebtables modules
insmod ebtables
insmod ebtable_filter
insmod ebt_ip

ebtables -A FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

Leave a comment!