Posted: Fri Sep 22, 2017 18:20 Post subject: Blocking Multicast and Broadcast from TV
Hello!
I just got a Samsung smart TV and I noticed it sends multicast/broadcast packets on port 15600 every 3 sec. I think it has something to do with the Samsung remote smartphone application.
I looked in the TV settings and I can't turn it off.
I'm trying to block these packets.
I tried this with iptables:
Quote:
iptables -A INPUT -s 192.168.1.50 -p udp --dport 15600 -j DROP
and after that my INPUT chain looks like this:
Quote:
root@ShalitUP:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 2071 packets, 149K bytes)
num pkts bytes target prot opt in out source destination
1 7 441 DROP udp -- * * 192.168.1.50 0.0.0.0/0 udp dpt:15600
As you can see, these multicast packets are captured, but I can still see them in Wireshark.
Am I doing something wrong?
Using DD-WRT v3.0-r31277 std (02/07/17) on TL-WR841N, so I can't use MAC filtering. That's why I'm using a static IP.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Sat Sep 23, 2017 16:19 Post subject:
The bad thing is all firewall rules work only WAN to LAN, but not LAN to LAN. The only way to isolate IP over LAN to LAN is if you use IP isolation under advanced WIFI settings;
this creates rules that do not permit different WIFI clients to communicate with each other based on their MAC address. Sadly this couldn't solve my issue either. Then my idea was, as I have a Broadcom based router, to create a different VLAN via CLI and then to use a separate subnet to isolate one SmTV, as I had a UDP flood like yours. Well, I couldn't make it work with VLAN; I got lost in the settings and wasted a bit of time. At the end it worked for a moment, and I messed up the settings badly and left the game with VLANs... Finally I got a small managed switch to isolate all dodgy SmTVs and smart flooding devices.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Sun Mar 01, 2020 7:21 Post subject:
RochelleAlbino wrote:
Did it come with instructions? There may be information about this
nope...but you can use a smart managed switch, where you can isolate those devices...on VLANs, otherwise you can try with router VLANs or different bridges
create a new br or VLAN with a new subnet and DHCP/DNS, then
assign static IPs to those devices in the range of that br...
finally add iptables rules to isolate those br so they do not communicate with each other...
there is no step by step guide, you have to read the wiki, get into the things and sort it out by yourself...
to filter multicast from Wi-Fi there is a setting now in the GUI but in the old days I used this:
in start up script:
insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype
in firewall script
ebtables -A FORWARD -o ath0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o ath0 --pkttype-type multicast -j DROP
you have to adjust those rules to your Wi-Fi interface if it's different than ath0
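As an added illustration (not part of any post in this thread, and not DD-WRT's own code): the iptables INPUT rule in the first post only filters the copy of each packet delivered to the router itself, while frames the bridge floods to other ports are filtered by ebtables FORWARD. The sketch below prints a bridge-level rule matching the thread's source IP and UDP port; it assumes the firmware build includes the `ebt_ip` match module, and the `TV_IP`, `TV_PORT` and `APPLY` variables and the function name are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed defaults reuse the thread's
# values: TV at 192.168.1.50, UDP port 15600.
# Assumption: the firmware build ships the ebt_ip match module.

# Print the commands that drop UDP/<port> frames from <src_ip> at the bridge.
# Returns 1 (and prints nothing) if the address or port is malformed.
tv_block_rules() {
    src_ip=$1
    port=$2

    # Reject anything that is not digits and single dots before splitting.
    case $src_ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $src_ip            # split into octets (function-local arguments)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done

    # Port must be a decimal number in 1..65535.
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || return 1

    match="-p IPv4 --ip-src $src_ip --ip-proto udp --ip-dport $port"
    echo "insmod ebtables"
    echo "insmod ebtable_filter"
    echo "insmod ebt_ip"
    # Copies forwarded by the bridge (e.g. wired <-> Wi-Fi) are dropped here.
    echo "ebtables -A FORWARD $match -j DROP"
    # The router's own copy, as in the first post.
    echo "iptables -A INPUT -s $src_ip -p udp --dport $port -j DROP"
}

# Dry run by default; APPLY=1 executes the printed commands on the router.
rules=$(tv_block_rules "${TV_IP:-192.168.1.50}" "${TV_PORT:-15600}") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    echo "$rules" | sh
else
    echo "$rules"
fi
```

Frames switched between two wired ports by the router's hardware switch never reach the CPU, so neither iptables nor ebtables sees them; that case still needs the VLAN or managed-switch isolation described in the replies.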