[Dnsmasq-discuss] dnsmasq and dhcp relaying

Jon Nelson jnelson+dnsmasq at jamponi.net
Thu Oct 22 15:27:48 BST 2009

I've got a setup (working) that looks like this:

workstations <-> server <-> firewall <-> internet

firewall is running dnsmasq, server is using dhcrelay
Both firewall and server have iptables-based firewalls

The setup is working fine, except:

1. I don't like dhcrelay
2. I get lots of deny lines in server's firewall logs, *even though
the requests work*.

Pertinent to item 2, this is what tcpdump shows (on the 'firewall'
interface of 'server').

- a workstation will broadcast or unicast for an address
- the server receives it on eth1, iptables allows it in, dhcrelay
grabs it, and sends out a new packet on eth0 (the 'firewall' side of
- dnsmasq (on 'firewall') receives it (through iptables), generates a
response, and sends it.

Here's where it gets sticky. dhcrelay receives the request on eth1,
and sends out a request on eth0. The "Relay agent IP address" in the
payload is eth1's IP address. dnsmasq sends the reply *to this
address* (eth1), rather than the address it was received from (eth0).
The dnsmasq payload appears correct, with the "Next server IP address"
and "Relay agent IP address" properly set (eth1).

This seems to be a bug in dnsmasq - shouldn't it reply using the address
that the packet was received on? The payload is correct, the UDP
destination is wrong (it seems to me).

That's the reason for the deny lines in the firewall logs, btw -
iptables sees a request go out eth0 and come back in eth0 /destined
for eth1/. Should dhcrelay be putting eth0 into the "Relay agent IP
address" field?
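
The reply addressing described in the message above, as an added example that is not part of the original post: it parses the "Relay agent IP address" (giaddr) from a relayed request and applies the destination rules of RFC 2131 section 4.1, showing that the reply's UDP destination is giaddr rather than the address the request was sent from. The interface addresses, the helper names and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951 / RFC 2131): 236 bytes before the options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
SERVER_PORT, CLIENT_PORT = 67, 68
ZERO = ipaddress.IPv4Address(0)

def parse_bootp(payload):
    """Extract the header fields that decide where a server sends its reply."""
    if len(payload) < BOOTP_LEN:
        raise ValueError("short BOOTP packet")
    f = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    return {"hops": f[3], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "ciaddr": ipaddress.IPv4Address(f[7]),
            "giaddr": ipaddress.IPv4Address(f[10])}

def reply_destination(fields, yiaddr):
    """Destination (address, port) of the server's reply, RFC 2131 section 4.1."""
    if fields["giaddr"] != ZERO:          # relayed: back to the relay agent
        return fields["giaddr"], SERVER_PORT
    if fields["ciaddr"] != ZERO:          # client already has an address
        return fields["ciaddr"], CLIENT_PORT
    if fields["broadcast"]:               # client asked for a broadcast reply
        return ipaddress.IPv4Address("255.255.255.255"), CLIENT_PORT
    return ipaddress.IPv4Address(yiaddr), CLIENT_PORT

def firewall_view(udp_src, payload, yiaddr):
    """Compare the reply destination with the address the request came from."""
    dst, port = reply_destination(parse_bootp(payload), yiaddr)
    return {"reply_dst": str(dst), "reply_port": port,
            "matches_request_src": str(dst) == udp_src}

def build_request(giaddr, flags=0):
    """Constructed BOOTREQUEST header (sample data, not a capture)."""
    chaddr = bytes.fromhex("020000000001").ljust(16, b"\0")
    return struct.pack(BOOTP_FMT, 1, 1, 6, 1 if giaddr != "0.0.0.0" else 0,
                       0x1234ABCD, 0, flags, bytes(4), bytes(4), bytes(4),
                       ipaddress.IPv4Address(giaddr).packed, chaddr,
                       bytes(64), bytes(128))

# Constructed addresses: relay eth1 = 192.168.10.1, relay eth0 = 10.0.0.2.
ETH1, ETH0 = "192.168.10.1", "10.0.0.2"

if __name__ == "__main__":
    print(firewall_view(ETH0, build_request(ETH1), "192.168.10.50"))
```

With these inputs the reply is addressed to the eth1 address on UDP port 67, so a filter on the relay host has to match that destination on the eth0 side for the returning traffic to be accepted without a deny line.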

