[Dnsmasq-discuss] DNSMasq, DHCP, Shorewall, and Proxy Arp

richardvoigt at gmail.com richardvoigt at gmail.com
Tue Feb 5 05:04:22 GMT 2008


On Feb 4, 2008 10:49 PM, Steve H. <steve at csquaredtech.com> wrote:
> On Monday 04 February 2008 05:41:35 am richardvoigt at gmail.com wrote:
> >
> > You haven't done anything different in the dnsmasq configuration from
> > someone using relay agents, which is by far the more common scenario,
> > and which requires that same validation.
> >
> Again, I just don't understand _why_ that validation is _required_.  At a
> certain point, isn't 'because the user took a number of steps to make me do
> this' a good enough reason (i.e. 'give the user enough rope to hang
> themselves')?  I have explicitly allowed dhcp on an interface, I have
> explicitly configured a range I'd like DNSMasq to serve, and I have
> explicitly set an i.p. address for the client (via /etc/hosts).  It just
> seems like that should be enough to convince dnsmasq that I really _want_
> this.

The thing is that you've done exactly the right steps to enable
responding to a DHCP relay.

Dnsmasq has no reason whatsoever to think those hosts are directly connected.

>
>
>
> >
> > Most people in your situation (wanting some nodes on internal networks
> > to not use up public addresses) choose to use static 1:1 NAT, which
> > dnsmasq, iptables, routing would support out of the box.  You've
> > already played so many tricks with the routing that it'd be hard to see
> > how you're going to make things work without either more and more
> > tricks, or else ripping up the entire configuration and using a
> > straightforward, well-supported networking design in its place.
> >
>
> Actually, I'm doing the opposite.  Internal nodes _ARE_ using up public
> addresses (which is what I want).  From what I've read, static nat would
> require more network voodoo in this scenario than proxy arp.  For instance,
> my _internal_ network is a perfectly normal routed network with 1 i.p. per

It isn't normal in any sense.  The local gateway is not in the local
subnet.  That's highly unusual to say the least.

> machine.   The i.p. on the machine matches the 'public' i.p. address the rest
> of the world sees.  I don't have to maintain 'internal' and 'external' names,
> nor do I have to worry about keeping 2 sets of zone files in sync.  DnsMasq,
> iptables, and routing work 'out of the box' - heck, that's what the network is
> built on (and has been for over a year).  I don't see how my existing setup
> can be any more 'straightforward' or 'well supported' - each client gets 1
> route to the gateway network, and a default route through the firewall.  That's
> pretty simple to me.  Static nat just seems to require more housekeeping.
>
> Finally, the issues I'm having with DNSMasq are _due_ to DNSMasq.  They are
> a 'feature' - it's not a problem with my routing or my network.
> DNSMasq 'sees' the dhcp requests from all the clients - it just decides it
> shouldn't touch them.  This is a perfectly valid design decision, but it is
> _not_ due to 'tricks' or 'problems' with my network setup.  Mr. Kelley simply
> decided DNSMasq should be conservative, and provide as many safeguards as
> possible.

It's not a safeguard.  It is *necessary* to ensure correct handling of relays.

Consider the following example.  A corporate office building has two
subnets, one physically secure, one used for wireless.  There may be a
firewall in between, restrictions on which addresses can touch
internal servers, or any number of other motivations.  An executive
has a laptop as his primary computer.  When plugged into the docking
bay in his office, it is connected to the secure network and receives
a static IP address.  However, sometimes the owner takes the laptop
with him to a presentation in a conference room elsewhere in the
building, and still wants internet access, although due to the lack of
security over the wireless link, an encrypted VPN is now required to
access sensitive servers.  When the laptop roams wirelessly, it *must*
not receive the static IP address configured for use when it is
plugged in directly.  Dnsmasq must ignore the matching dhcp-host
entry, and the only way to do that is to detect that the static
address is used on a different subnet than the wireless network the
laptop is now joined to.

>
> Anyway, trying to bring this conversation back on topic.  If I have 4 subnets
> configured to relay dhcp requests to 1 interface with DNSMasq bound to it,
> does that interface require an I.P. address from all 4 subnets?  (i.e. will I
> have the same problem with dhcp relays?)

Of course that will work.  DHCP relays are always used to serve nodes
beyond the next-hop, never from the same subnet (in the same subnet no
relay is needed).

>
>
> Steve
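As an added illustration (not dnsmasq's source and not from either poster), the check the thread is arguing about, with constructed addresses: a dhcp-host static address is honoured only when it lies inside the subnet the request is being served for, which a relayed request identifies by its giaddr and a direct request by the receiving interface's own address. It also answers the relay question at the end: the interface needs no address in the relayed subnets, because giaddr supplies the context.

```python
"""Model of the subnet check dnsmasq applies to dhcp-host entries.
Added example only: the config keywords (interface, dhcp-range, dhcp-host)
are real dnsmasq options, all addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    mac: str
    iface: str                # interface the request arrived on
    giaddr: str = "0.0.0.0"   # 0.0.0.0 means the client is on that interface's own link

# Constructed sample configuration.
# interface=eth0, with the address the host actually has on it
IFACE_ADDRS = {"eth0": [ipaddress.ip_interface("10.1.0.1/24")]}
# one dhcp-range per subnet dnsmasq is willing to serve
RANGES = [ipaddress.ip_network("10.1.0.0/24"),    # wired office LAN, served directly
          ipaddress.ip_network("10.2.0.0/24")]    # wireless LAN, reached via a relay
# dhcp-host=<mac>,<addr>
DHCP_HOSTS = {
    "00:11:22:33:44:55": ipaddress.ip_address("10.1.0.50"),     # executive's docked laptop
    "aa:bb:cc:dd:ee:ff": ipaddress.ip_address("198.51.100.10"), # proxy-arp'd public address (Steve's case)
}

def serving_context(req: Request):
    """Subnets this request may be answered for. A relayed request names its
    subnet through giaddr; a direct one through the receiving interface's addresses."""
    if req.giaddr != "0.0.0.0":
        ga = ipaddress.ip_address(req.giaddr)
        return [r for r in RANGES if ga in r]
    return [r for r in RANGES
            if any(a.ip in r for a in IFACE_ADDRS.get(req.iface, []))]

def can_serve(req: Request) -> bool:
    """True when some dhcp-range matches the request's subnet (no interface
    address in that subnet is needed for the relayed case)."""
    return bool(serving_context(req))

def static_address_for(req: Request):
    """The dhcp-host address if usable for this request, else None: the entry is
    ignored and dnsmasq would fall back to dynamic allocation from the range."""
    fixed = DHCP_HOSTS.get(req.mac.lower())
    if fixed is None:
        return None
    return fixed if any(fixed in net for net in serving_context(req)) else None
```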


