[Dnsmasq-discuss] Re: Re: DCHP server not assign IP addresses

Rune Kock rune.kock at gmail.com
Tue Nov 18 11:05:31 GMT 2008

On Tue, Nov 18, 2008 at 07:09, Troy Piggins <troy at piggo.com> wrote:
> * Rune Kock wrote :
>>* Troy Piggins wrote:
>>> * Rune Kock wrote :
>>>>* Troy Piggins wrote:
>>>>> My dnsmasq 2.41 doesn't seem to be assigning DHCP IP addresses.
>>>>> Been running the server for some time, but mainly for the DNS
>>>>> side of things.  The IP addresses for most machines on my network
>>>>> are static, so hasn't been a problem.  But I'm trying to connect
>>>>> to a NAS (WD My Book World Edition) which I believe needs a DHCP
>>>>> server to get an IP address, and I can't interface with it to set
>>>>> it up without one.
>>> [...]
>>>> 2) Check your firewall settings.  The following is from dnsmasq's FAQ:
>>>>    The second potential problem relates to firewall rules: since the ISC
>>>>    daemon in some configurations bypasses the kernel firewall rules
>>>>    entirely, the ability to run the ISC daemon does not indicate
>>>>    that the current configuration is OK for the dnsmasq daemon.
>>>>    For the dnsmasq daemon to operate it's vital that UDP packets to
>>>>    and from ports 67 and 68 and broadcast packets with source
>>>>    address and destination address are not
>>>>    dropped by iptables/ipchains.
>>> Both ports allow UDP:
>>> $ sudo iptables-save | grep 67
>>> -A udpincoming_packets -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
>> I'm not entirely fluent in iptables syntax, but to me this sounds like
>> "accept packets with source port 67/68 AND dest port 67/68".
> I see.  Your interpretation is correct.  I thought the requests
> only came and went on those ports.
>> I believe that you need "accept source port 67/68 OR dest port
>> 67/68".
> I split the rules up as you suggested.
> It still is not assigning addresses.

I still think that the firewall is the most likely problem.  Or is
there some kind of router/wireless between the NAS and your dnsmasq

Try running without any firewall, if that is possible.

Try posting your complete firewall setup; someone on the list may be
able to spot something.

BTW, as Richard pointed out, my suggestion of accepting source or
destination port 67/68, is probably opening more than necessary, thus
creating a small hole in the security of the firewall.  I guess that
the correct thing is to allow destination port 67&68, and not fiddle
with source ports at all.
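
[Added example, not part of the original post.] A small Python model of how the three rule variants discussed in this thread treat UDP port pairs, using the standard DHCP ports (client 68, server 67). It models only the --sport/--dport options; chains, interfaces, addresses and direction are not modelled, and all names and sample packets are constructed for illustration.

```python
# Minimal model of how iptables evaluates --sport/--dport on a UDP rule.
# Within one rule every match must hold (logical AND); separate rules are
# tried in turn, so splitting a rule in two gives a logical OR.

DHCP_PORTS = range(67, 69)  # iptables "67:68" is an inclusive range


def rule(sport=None, dport=None):
    """Build a rule; None means the option is absent and matches anything."""
    return {"sport": sport, "dport": dport}


def matches(r, pkt):
    sport, dport = pkt
    return ((r["sport"] is None or sport in r["sport"]) and
            (r["dport"] is None or dport in r["dport"]))


def accepted(chain, pkt):
    """True if any ACCEPT rule in the chain matches the packet."""
    return any(matches(r, pkt) for r in chain)


# The three rule sets discussed in the thread.
RULESETS = {
    "sport AND dport": [rule(sport=DHCP_PORTS, dport=DHCP_PORTS)],
    "sport OR dport": [rule(sport=DHCP_PORTS), rule(dport=DHCP_PORTS)],
    "dport only": [rule(dport=DHCP_PORTS)],
}

# Constructed sample packets as (source port, destination port).
PACKETS = {
    "client DISCOVER/REQUEST": (68, 67),
    "server OFFER/ACK": (67, 68),
    "relay agent to server": (67, 67),
    "non-DHCP, source port 67": (67, 53),
    "ordinary DNS query": (40000, 53),
}


def verdicts():
    """Map each rule set to the accept/no-match result for every packet."""
    return {name: {label: accepted(chain, pkt) for label, pkt in PACKETS.items()}
            for name, chain in RULESETS.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(name)
        for label, ok in result.items():
            print(f"  {'ACCEPT' if ok else 'no match':8}  {label}")
```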
