In my case I have two OpenWrt routers connected with an OpenVPN bridge.
Traffic can be stopped by iptables with iptables-mod-extra:
iptables -I FORWARD -m physdev --physdev-out tap0 -p udp --dport 67:68 -j DROP
iptables -I FORWARD -m physdev --physdev-in tap0 -p udp --dport 67:68 -j DROP
iptables -I INPUT -m physdev --physdev-in tap0 -p udp --dport 67:68 -j DROP
Traffic can also be stopped by ebtables:
ebtables -I FORWARD -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
If I understand correctly, you're trying to have two DHCP servers in one broadcast domain with a VPN bridge connecting two parts of it. You want to block DHCP traffic through the bridge. Can you explain why you want two DHCP servers and not just one - perhaps with a backup on the other side? And why to use a bridge and not routing (tun)? Did you try to inspect what is going on with tcpdump or similar? – Zrin – 2016-11-03T14:06:26.533
Check the routing table on the Macbook after "1)", "2)" and "3)", try to ping 10.0.0.1, 10.0.0.5 and other devices from the Macbook while watching tcpdump output on both routers - check the tcpdump man page... This should help you find the cause. – Zrin – 2016-11-03T15:43:25.750
Good, now you have the cause - the answer to ARP "Who has 10.0.0.5?" doesn't get back to the Mac. Perhaps due to some cache? What happens if you try a few minutes later? Also check if the same happens with other devices, besides that Macbook. – Zrin – 2016-11-07T07:21:46.623
Good, you've found that the ARP reply from 10.0.0.5 does not get back to 10.0.0.1. That is the probable cause of the problem. 10.0.0.5 is sending those ARP replies to the wrong interface, probably because it "learned" before that the device (the Macbook) was connected to the other interface (Wi-Fi) - and hasn't forgotten it (yet), nor has it updated its internal tables when the ARP request with the Macbook's MAC address arrived through the VPN tunnel / through the associated TAP interface. I suggest that you edit your question and add your observations gained with tcpdump and ARP packets. – Zrin – 2016-11-08T09:07:44.770
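As an added example (not part of the original answer or of Zrin's comments), a small Python audit of `tcpdump -e -n` output captured on tap0: it flags DHCP packets that still cross the tunnel after the rules above are in place, and ARP requests whose reply never came back, which is the symptom discussed in the comments. The capture lines are constructed samples with made-up MAC and IP values.

```python
import re

# Constructed sample of `tcpdump -e -n -i tap0` output (not a real capture):
# one DHCP Discover crossing the tunnel, one ARP request that is answered,
# one ARP request that never gets a reply, and an unrelated ICMP packet.
SAMPLE = """\
14:06:26.533 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:0a, length 300
14:06:27.001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.5 tell 10.0.0.1, length 28
14:06:27.002 02:00:00:00:00:05 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.5 is-at 02:00:00:00:00:05, length 28
14:06:30.100 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.7 tell 10.0.0.1, length 28
14:06:31.000 02:00:00:00:00:01 > 02:00:00:00:00:05, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
"""

# UDP src/dst ports are the last dotted component of each address in tcpdump's output.
DHCP_RE = re.compile(r"ethertype IPv4 .*?: \S+\.(\d+) > \S+\.(\d+): (?:BOOTP/)?DHCP")
ARP_REQ_RE = re.compile(r"ethertype ARP .*?: Request who-has ([\d.]+) tell ([\d.]+)")
ARP_REP_RE = re.compile(r"ethertype ARP .*?: Reply ([\d.]+) is-at ([0-9a-fA-F:]+)")

def audit_capture(text):
    """Return (dhcp_leak_timestamps, unanswered_arp_targets) for a capture.

    A DHCP packet on tap0 means the FORWARD/INPUT/OUTPUT rules did not catch it;
    an ARP request with no matching reply is the 'reply never came back' case.
    """
    dhcp_leaks = []
    pending = {}        # target IP -> IP of the host that asked
    answered = set()    # target IPs for which a Reply was seen
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m and {m.group(1), m.group(2)} & {"67", "68"}:
            dhcp_leaks.append(line.split()[0])   # keep the timestamp
            continue
        m = ARP_REQ_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = ARP_REP_RE.search(line)
        if m:
            answered.add(m.group(1))
    unanswered = sorted(ip for ip in pending if ip not in answered)
    return dhcp_leaks, unanswered

if __name__ == "__main__":
    leaks, missing = audit_capture(SAMPLE)
    print("DHCP seen on tap0 at:", leaks)          # expect one leak
    print("ARP targets never answered:", missing)  # expect 10.0.0.7
```

Feed it real output with `tcpdump -e -n -i tap0 -l | python3 audit.py` style piping after replacing `SAMPLE` with `sys.stdin.read()`; an empty leak list confirms the DHCP block is effective on that interface.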