[Dnsmasq-discuss] dnsmasq DHCP behind a DHCP relay, without directly-connected addresses

James Brown jbrown at easypost.com
Fri Aug 12 01:13:52 BST 2016


Since I'm using static addresses, it seems like dnsmasq doesn't actually
need to know what subnet the client is in, though. Is there any possibility
of, for static address configuration, just trusting the configuration and
ignoring giaddr?

On Thu, Aug 11, 2016 at 3:51 PM, Simon Kelley <simon at thekelleys.org.uk>
wrote:

> In this sort of setup, the only way any DHCP server can determine
> which subnet the client is on, and therefore what address is assigned
> to it, is via the giaddr field set by the relay. That's the function
> of the relay: to tell the DHCP server where the DHCP client is,
> otherwise simple ip-layer routing would do.
>
> You could start playing with agent-id options (which dnsmasq does
> support) but it shouldn't be necessary.
>
> If you can, try using dhcp-helper, which is a relay agent I wrote: it's
> generally easier to get the configuration right with that than with
> dhcrelay.
>
> Cheers,
>
> Simon.
>
>
>
> On 11/08/16 21:01, James Brown wrote:
> > The relay is just dhcrelay3 running with default options.
> > 10.90.95.121 is the address of the machine running dnsmasq.
> >
> > /usr/sbin/dhcrelay3 -d -i bond0.1274 -i bond0.1215 -c 12 -A 576 -m
> > discard 10.90.95.121
> >
> > Looking at the dhcrelay source code, it looks like it just sets
> > giaddr to the first ip address assigned on the system running the
> > relay:
> >
> >     if (!packet->giaddr.s_addr)
> >         packet->giaddr = ip->addresses[0];
> >
> > If dnsmasq really does rely on giaddr being set to an address in
> > the correct subnet, it looks like I may have to replace dhcrelay3.
> > Unfortunately, it's running on Brocade vRouter (a routing platform
> > with a Linux control plane based on the earlier Vyatta product and
> > related to the open-source VyOS product), so that might be tricky.
> >
> > On Thu, Aug 11, 2016 at 12:06 PM, Simon Kelley
> > <simon at thekelleys.org.uk> wrote:
> >
> > OK, so the "ignored" thing was a red-herring, now we have the
> > actual logs.
> >
> > Your ASCII art got mangled, so I can't work out exactly what the
> > network topology is, but the logs show why no address is being
> > allocated:
> >
> > dnsmasq-dhcp: 529627704 available DHCP subnet: 10.90.95.65/255.255.255.192
> > dnsmasq-dhcp: 529627704 DHCPDISCOVER(bond0) 0c:c4:7a:8e:1d:62 no address available
> >
> > As 0c:c4:7a:8e:1d:62 only has a dhcp-host address on
> > 10.88.177.0/255.255.255.128 but dnsmasq thinks it's on
> > 10.90.95.65/255.255.255.192.
> >
> > What needs to happen is that the DHCP relay forwards the DHCP
> > discover packet to dnsmasq, and before it does that, it sets the
> > "giaddr" field to the relay's address
> > _on_the_subnet_where_the_host_is.
> >
> > So in this case, giaddr should be set to 10.88.177.1, which would
> > enable dnsmasq to allocate it an address on that subnet, and not
> > the subnet where the request arrives at the dnsmasq server.
> >
> > How is the DHCP relay configured?
> >
> > Simon.
> >
> >
> > On 10/08/16 02:25, James Brown wrote:
> >>>> Hi Simon:
> >>>>
> >>>> The string "ignore" does not occur in my config. Below is
> >>>> the current entire config that I'm running on while I test
> >>>> this, without the networks re-written into the clearer forms
> >>>> above:
> >>>>
> >>>> no-resolv
> >>>> server=8.8.8.8
> >>>> no-daemon
> >>>> no-hosts
> >>>> log-facility=/dev/null
> >>>> log-dhcp
> >>>> log-queries
> >>>> enable-tftp
> >>>> tftp-root=/srv/install/tftp
> >>>> port=0
> >>>> dhcp-option=6,10.90.95.113
> >>>> dhcp-range=10.88.81.65,static,255.255.255.192
> >>>> dhcp-range=10.90.95.65,static,255.255.255.192
> >>>> dhcp-range=10.91.78.0,static,255.255.255.192
> >>>> dhcp-range=10.88.177.0,static,255.255.255.128
> >>>> dhcp-host=0c:c4:7a:8e:1d:62,10.88.177.107
> >>>> dhcp-option=3,10.88.177.1
> >>>>
> >>>> And the output when trying to boot the machine listed under
> >>>> dhcp-host:
> >>>>
> >>>> dnsmasq: started, version 2.76 DNS disabled
> >>>> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
> >>>> dnsmasq-dhcp: DHCP, static leases only on 10.88.177.0, lease time 1h
> >>>> dnsmasq-dhcp: DHCP, static leases only on 10.91.78.0, lease time 1h
> >>>> dnsmasq-dhcp: DHCP, static leases only on 10.90.95.65, lease time 1h
> >>>> dnsmasq-dhcp: DHCP, static leases only on 10.88.81.65, lease time 1h
> >>>> dnsmasq-tftp: TFTP root is /srv/install/tftp
> >>>> dnsmasq-dhcp: 529627704 available DHCP subnet: 10.90.95.65/255.255.255.192
> >>>> dnsmasq-dhcp: 529627704 DHCPDISCOVER(bond0) 0c:c4:7a:8e:1d:62 no address available
> >>>> dnsmasq-dhcp: 529627704 available DHCP subnet: 10.90.95.65/255.255.255.192
> >>>> dnsmasq-dhcp: 529627704 DHCPDISCOVER(bond0) 0c:c4:7a:8e:1d:62 no address available
> >>>> dnsmasq-dhcp: 4100833080 available DHCP subnet: 10.90.95.65/255.255.255.192
> >>>> dnsmasq-dhcp: 4100833080 DHCPDISCOVER(bond0) 0c:c4:7a:8e:1d:62 no address available
> >>>> dnsmasq-dhcp: 4100833080 available DHCP subnet: 10.90.95.65/255.255.255.192
> >>>> dnsmasq-dhcp: 4100833080 DHCPDISCOVER(bond0) 0c:c4:7a:8e:1d:62 no address available
> >>>>
> >>>> On Wed, Aug 3, 2016 at 2:57 PM, Simon Kelley
> >>>> <simon at thekelleys.org.uk> wrote:
> >>>>
> >>>> "dnsmasq-dhcp: 1302931552 DHCPDISCOVER(bond0) 00:aa:bb:cc:dd:ee ignored"
> >>>>
> >>>> Implies that you've somehow configured dnsmasq to ignore
> >>>> this client, either with
> >>>>
> >>>> dhcp-host=<stuff to id client>,ignore
> >>>>
> >>>> or
> >>>>
> >>>> dhcp-ignore=<some tags>
> >>>>
> >>>>
> >>>> Maybe take a look at the rest of the config you didn't post
> >>>> or post it here? Fixing this problem is necessary before
> >>>> looking at the subnet address selection stuff, which should
> >>>> be possible using a DHCP relay.
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Simon.
> >>>>
> >>>>
> >>>>
> >>>> On 02/08/16 23:43, James Brown wrote:
> >>>>>>> I have a setup roughly like the following ASCII-art
> >>>>>>> diagram (numbers and number of VLANs simplified
> >>>>>>> greatly):
> >>>>>>>
> >>>>>>> [ASCII-art diagram mangled in transit; its labels were:
> >>>>>>>  VLAN 1: 10.0.1.0/24: admin host 10.0.1.2/24, gateway 10.0.1.1/24;
> >>>>>>>  VLAN 2: 10.0.2.0/24: gateway 10.0.2.1/24, client host
> >>>>>>>  (should get static lease of 10.0.2.x), etc.]
> >>>>>>>
> >>>>>>> We have multiple VLANs each of which has its own
> >>>>>>> subnet. They're bridged by a single multi-homed gateway
> >>>>>>> (actually, an HA pair of them, but whatever). The
> >>>>>>> gateway is running dhcrelay3 and forwarding DHCP
> >>>>>>> requests to the admin host in the administrative VLAN,
> >>>>>>> which is running dnsmasq with a database of addresses
> >>>>>>> to hand out. I would prefer to be able to avoid having
> >>>>>>> to put that database on the gateway and have a bunch of
> >>>>>>> dynamic host configuration on a router. The admin host
> >>>>>>> is single-homed.
> >>>>>>>
> >>>>>>> The dnsmasq config looks like the following (I've
> >>>>>>> removed most of the entries and config to simplify the
> >>>>>>> question):
> >>>>>>>
> >>>>>>> port=0
> >>>>>>> dhcp-range=10.0.1.0,static,255.255.255.0
> >>>>>>> dhcp-range=10.0.2.0,static,255.255.255.0
> >>>>>>> dhcp-option=6,10.0.2.3
> >>>>>>> dhcp-option=3,10.0.2.1
> >>>>>>> dhcp-host=00:aa:bb:cc:dd:ee,10.2.0.86
> >>>>>>>
> >>>>>>> Unfortunately, dnsmasq seems to refuse to hand out
> >>>>>>> addresses from a non-directly-connected subnet. When
> >>>>>>> the requests come in from 00:aa:bb:cc:dd:ee, I just get
> >>>>>>> the following logged:
> >>>>>>>
> >>>>>>> dnsmasq: started, version 2.76 DNS disabled
> >>>>>>> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
> >>>>>>> dnsmasq-dhcp: DHCP, static leases only on 10.0.1.0, lease time 1h
> >>>>>>> dnsmasq-dhcp: DHCP, static leases only on 10.0.2.0, lease time 1h
> >>>>>>> dnsmasq-dhcp: DHCP, static leases only on 10.0.3.0, lease time 1h
> >>>>>>> dnsmasq-dhcp: 1302931552 available DHCP subnet: 10.0.1.0/255.255.255.0
> >>>>>>> dnsmasq-dhcp: 1302931552 DHCPDISCOVER(bond0) 00:aa:bb:cc:dd:ee ignored
> >>>>>>> dnsmasq-dhcp: 1302931552 available DHCP subnet: 10.0.1.0/255.255.255.0
> >>>>>>> dnsmasq-dhcp: 1302931552 DHCPDISCOVER(bond0) 00:aa:bb:cc:dd:ee ignored
> >>>>>>> dnsmasq-dhcp: 4279941416 available DHCP subnet: 10.0.1.0/255.255.255.0
> >>>>>>> dnsmasq-dhcp: 4279941416 DHCPDISCOVER(bond0) 00:aa:bb:cc:dd:ee ignored
> >>>>>>>
> >>>>>>> Tcpdump of the packets being received by the host
> >>>>>>> look roughly like the following:
> >>>>>>>
> >>>>>>> 22:23:57.987953 IP (tos 0x0, ttl 64, id 48608, offset 0, flags [DF], proto UDP (17), length 328)
> >>>>>>>     10.0.1.1.bootps > admin.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300, hops 1, xid 0x4ec4ba20, secs 24, Flags [none]
> >>>>>>>       Gateway-IP 10.0.1.1
> >>>>>>>       Client-Ethernet-Address 00:aa:bb:cc:dd:ee (oui Unknown)
> >>>>>>>       Vendor-rfc1048 Extensions
> >>>>>>>         Magic Cookie 0x63825363
> >>>>>>>         DHCP-Message Option 53, length 1: Discover
> >>>>>>>         Parameter-Request Option 55, length 13:
> >>>>>>>           Subnet-Mask, BR, Time-Zone, Classless-Static-Route
> >>>>>>>           Domain-Name, Domain-Name-Server, Hostname, YD
> >>>>>>>           YS, NTP, MTU, Option 119
> >>>>>>>           Default-Gateway
> >>>>>>>
> >>>>>>> I would like for the admin host (10.0.1.1/24) to be
> >>>>>>> able to hand out IP addresses to hosts in any VLAN
> >>>>>>> without having to multi-home it. Is this just
> >>>>>>> impossible in dnsmasq, or is there some magic option
> >>>>>>> that will tell it to hand out IP addresses on a
> >>>>>>> non-connected subnet when the request goes through a
> >>>>>>> relay?
> >>>>>>>
> >>>>>>> I've attempted to go through the source code, but even
> >>>>>>> once I figured out the idiosyncratic indentation style
> >>>>>>> of rfc2131.c, I still can't figure out precisely where
> >>>>>>> the logic to generate this message lives.
> >>>>>>>
> >>>>>>> Thanks for any help y'all can provide.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Dnsmasq-discuss mailing list
> >>>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>>>>>



-- 
James Brown
Engineer
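To make the point Simon makes above concrete (the relay's giaddr is what tells the server which subnet the client is on, and the dhcrelay3 quoted earlier fills giaddr with the relay's first address rather than its address on the client's VLAN), here is an added Python model of the server-side subnet selection. It is not dnsmasq's or dhcrelay's code. It assumes a simplified config modelled on the one in the thread (constructed, with the dhcp-host moved to 10.0.2.86 so it sits inside the 10.0.2.0/24 range), a constructed DISCOVER packet built the way a relay would forward it, and a deliberately simplified selection rule: the subnet containing giaddr when giaddr is set, else the subnet containing the address of the interface the request arrived on.

```python
"""Model of how a DHCP server picks a subnet for a relayed DISCOVER.
Added illustration for the thread; simplified, not dnsmasq's own logic."""
import ipaddress
import struct

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (RFC 2131 figure 1).
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"
MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie (RFC 2131)

# Constructed config modelled on the thread's, not the poster's full file.
CONFIG = """\
dhcp-range=10.0.1.0,static,255.255.255.0
dhcp-range=10.0.2.0,static,255.255.255.0
dhcp-host=00:aa:bb:cc:dd:ee,10.0.2.86
"""


def parse_config(text):
    """Collect static dhcp-range subnets and dhcp-host MAC -> address bindings."""
    ranges, hosts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",")]
        if key == "dhcp-range" and len(fields) >= 3 and fields[1] == "static":
            ranges.append(ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False))
        elif key == "dhcp-host" and len(fields) >= 2:
            hosts[fields[0].lower()] = ipaddress.ip_address(fields[1])
    return ranges, hosts


def build_discover(mac, giaddr, xid=0x4EC4BA20, hops=1):
    """Constructed BOOTP/DHCP DISCOVER as a relay forwards it (giaddr and hops set).
    The default xid is the one visible in the thread's tcpdump."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_HDR, 1, 1, 6, hops, xid, 0, 0,
                         bytes(4), bytes(4), bytes(4),
                         ipaddress.IPv4Address(giaddr).packed, chaddr)
    # sname (64) and file (128) zeroed, then cookie, option 53 = DISCOVER, end.
    return header + bytes(192) + MAGIC + bytes([53, 1, 1, 255])


def parse_discover(pkt):
    """Pull the fields the server needs from the fixed BOOTP header."""
    (op, _htype, hlen, hops, xid, _secs, _flags,
     _ci, _yi, _si, giaddr, chaddr) = struct.unpack_from(BOOTP_HDR, pkt, 0)
    if op != 1 or pkt[236:240] != MAGIC:
        raise ValueError("not a BOOTREQUEST carrying the DHCP magic cookie")
    return {
        "xid": xid,
        "hops": hops,
        "giaddr": ipaddress.IPv4Address(giaddr),
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
    }


def select_subnet(ranges, giaddr, server_iface_addr):
    """Simplified rule (assumption): giaddr decides for relayed packets,
    otherwise the address of the interface the request arrived on."""
    anchor = giaddr if int(giaddr) != 0 else ipaddress.ip_address(server_iface_addr)
    for net in ranges:
        if anchor in net:
            return net
    return None


def offer_for(config_text, pkt, server_iface_addr):
    """Decide what the server would offer; a static host only gets its address
    when it lies inside the subnet chosen for this request."""
    ranges, hosts = parse_config(config_text)
    req = parse_discover(pkt)
    subnet = select_subnet(ranges, req["giaddr"], server_iface_addr)
    static = hosts.get(req["mac"])
    ok = subnet is not None and static is not None and static in subnet
    verdict = (f"DHCPOFFER {static} to {req['mac']}" if ok
               else f"DHCPDISCOVER {req['mac']} no address available")
    return {
        "xid": req["xid"],
        "subnet": str(subnet) if subnet else None,
        "address": str(static) if ok else None,
        "log": f"{req['xid']} available DHCP subnet: {subnet}; {verdict}",
    }


if __name__ == "__main__":
    # 10.0.1.1: what dhcrelay3 sends (its first address, on the server's VLAN).
    # 10.0.2.1: the relay's address on the client's VLAN, which is what is needed.
    for gi in ("10.0.1.1", "10.0.2.1"):
        pkt = build_discover("00:aa:bb:cc:dd:ee", gi)
        print(f"giaddr={gi}: {offer_for(CONFIG, pkt, '10.0.1.2')['log']}")
```

Run as a script, the first case reproduces the thread's "no address available" (subnet 10.0.1.0/24 selected, static address 10.0.2.86 outside it); the second case, with giaddr on the client's VLAN, yields the offer. For detection purposes the useful check is the same one the script makes: when a relayed request's giaddr is not inside the subnet the client should be on, the relay configuration, not the server, is what needs fixing.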