Blocking Multicast and Broadcast from TV

popcop
DD-WRT Novice


Joined: 08 May 2017
Posts: 7

Posted: Fri Sep 22, 2017 18:20    Post subject: Blocking Multicast and Broadcast from TV
Hello!
I just got a Samsung smart TV and I noticed it sends multicast/broadcast packets on port 15600 every 3 sec. I think it has something to do with the Samsung remote smartphone application.
I looked in the TV settings and I can't turn it off.
I'm trying to block these packets.


I tried this with iptables:

Quote:
iptables -A INPUT -s 192.168.1.50 -p udp --dport 15600 -j DROP


and after that my INPUT chain looks like this:

Quote:
root@ShalitUP:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 2071 packets, 149K bytes)
num pkts bytes target prot opt in out source destination
1 7 441 DROP udp -- * * 192.168.1.50 0.0.0.0/0 udp dpt:15600


As you can see, these multicast packets are captured, but I can still see them in Wireshark.
Am I doing something wrong?
Using DD-WRT v3.0-r31277 std (02/07/17) on TL-WR841N, so I can't use MAC filtering. That's why I'm using a static IP.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Sat Sep 23, 2017 16:19
The bad thing is that all firewall rules work only WAN to LAN, not LAN to LAN. The only way to isolate an IP LAN to LAN is to use IP isolation under the advanced WiFi settings; this creates rules that do not permit different WiFi clients to communicate with each other based on their MAC address. Sadly this couldn't solve my issue either. Then my idea was, as I have a Broadcom-based router, to create a different VLAN via CLI and then use a separate subnet to isolate one SmTV, as I had a UDP flood like yours. Well, I couldn't make it work with VLANs; I got lost in the settings and wasted a bit of time. At the end it worked for a moment, then I messed up the settings badly and left the game with VLANs... Finally I got a small managed switch to isolate all the dodgy SmTVs and smart flooding devices.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6866
Location: Romerike, Norway

Posted: Sun Sep 24, 2017 8:58
Rules in the INPUT chain only filter packets when the router is the destination, i.e. accessing the GUI or another service on the router.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Sun Mar 01, 2020 7:21
RochelleAlbino wrote:
Did it come with instructions? There may be information about this


Nope... but you can use a smart managed switch, where you can isolate those devices on VLANs. Otherwise you can try with router VLANs or different bridges:
create a new br or VLAN with a new subnet and DHCP/DNS, then
assign static IPs to those devices in the range of that br...
finally add iptables rules to isolate those br so they do not communicate with each other...
There is no step-by-step guide; you have to read the wiki, get into things and sort it out by yourself...

To filter multicast from WiFi there is a setting in the GUI now, but in the old days I used this:

In the startup script:
insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype

In the firewall script:
ebtables -A FORWARD -o ath0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o ath0 --pkttype-type multicast -j DROP


You have to adjust those rules to your WiFi interface if it's different from ath0.
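
An added example, not part of any post above and not DD-WRT's own code: a narrower variant of the ebtables approach that drops only the TV's UDP port 15600 traffic (IP and port taken from the first post) on the bridged path, plus the INPUT rule for the router's own copy. The helper name `tv_block_rules` is hypothetical, and it assumes the build ships the `ebt_ip` module; the script only prints the commands.

```shell
#!/bin/sh
# Added example (constructed): print rules that drop only the TV's UDP traffic.
# Assumption: the build ships ebt_ip, which provides the --ip-* matches.

valid_ipv4() {
    # Digits and dots only, exactly four octets, each 0-255.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tv_block_rules IP PORT  (hypothetical helper name)
tv_block_rules() {
    ip=$1; port=$2
    valid_ipv4 "$ip"   || { echo "bad IPv4 address: $ip" >&2; return 1; }
    valid_port "$port" || { echo "bad UDP port: $port" >&2; return 1; }
    l2="-p IPv4 --ip-src $ip --ip-proto udp --ip-dport $port -j DROP"
    l3="-s $ip -p udp --dport $port -j DROP"
    for m in ebtables ebtable_filter ebt_ip; do
        echo "insmod $m 2>/dev/null"
    done
    # Layer 2: frames the router bridges between its ports (e.g. WiFi <-> wired).
    # Frames between two wired LAN ports are usually switched in hardware and
    # never reach the bridge, so no rule on the router sees them.
    # Delete-then-add keeps one copy when the firewall script reruns.
    echo "ebtables -D FORWARD $l2 2>/dev/null"
    echo "ebtables -A FORWARD $l2"
    # Layer 3: the copy delivered to the router itself (the INPUT rule above).
    echo "iptables -D INPUT $l3 2>/dev/null"
    echo "iptables -A INPUT $l3"
}

# Values from the first post; review the output before using it.
tv_block_rules 192.168.1.50 15600
```

After the printed lines are in the firewall script, `ebtables -L FORWARD --Lc` shows whether the rule's packet counters increase.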
