<br><br><div class="gmail_quote">On Sun, Feb 14, 2010 at 4:56 PM, <span dir="ltr"><<a href="mailto:Ignacio.Bravo@belden.com">Ignacio.Bravo@belden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
<br><tt><font size="2"><br>
>>ebtables or iptables can be used to match the source MAC address
and<br>
>>only accept inbound DHCP requests from the relay(s). No change
needed<br>
>>to dnsmasq.<br>
</font></tt>
<br></div><font size="2" face="sans-serif">I did that also with Iptables and it
works. But there is a drawback: Not all ports really need option 82 (you
can activate this switch function per port so that some ports have a fixed
IP and some others not)</font>
<br><font size="2" face="sans-serif">In that general case dnsmasq should
receive broadcasts and unicasts. Only some broadcasts should be discarded!</font>
<br></blockquote><div><br></div><div>I should think you'd want to do that configuration -- assign some ports fixed IPs and let others draw from the pool -- in the dnsmasq configuration instead of at the switch.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br><font size="2" face="sans-serif">I feel a good idea not checking circuit-remote
ID tags on DHCP requests (not only renewals), what do you think? doing
this no problem with renewals nor L2 relays. L3 relays would filter the
broadcasts and this change would not disturb (i may be wrong...)</font>
<br>
<br><font size="2" face="sans-serif">Should you be interested in captures
from hanewin dhcp server in the same scenario please let me know</font>
<br>
<br><font size="2" face="sans-serif">by the way, ISC also loops in this situation</font>
<br>
<br><font size="2" face="sans-serif">Simon: Of course I am eager to check
any new code you could provide. I am a newbie in linux, may you please
(if possible) detail commands/tools I should do/have to make&install
any possible code? I am on ubuntu</font>
<br></blockquote><div><br></div><div>With ubuntu it should be very easy to try code changes. Dnsmasq is also used on lots of small routers where it is included in the firmware, requires a cross-compiler to update, and is generally more of a pain.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br><font size="2" face="sans-serif">Thanks again</font>
<br><font size="2" face="sans-serif">Ignacio</font>
<br><font size="2" face="sans-serif"><br>
</font>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">From:</font>
</td><td><div class="im"><font size="1" face="sans-serif">"<a href="mailto:richardvoigt@gmail.com" target="_blank">richardvoigt@gmail.com</a>" <<a href="mailto:richardvoigt@gmail.com" target="_blank">richardvoigt@gmail.com</a>></font>
</div></td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">To:</font>
</td><td><div class="im"><font size="1" face="sans-serif">Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>></font>
</div></td></tr><tr>
<td valign="top"><font size="1" color="#5f5f5f" face="sans-serif">Cc:</font>
</td><td><font size="1" face="sans-serif"><a href="mailto:Ignacio.Bravo@belden.com" target="_blank">Ignacio.Bravo@belden.com</a>, <a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">dnsmasq-discuss@lists.thekelleys.org.uk</a></font>
</td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">Date:</font>
</td><td><font size="1" face="sans-serif">14/02/2010 21:02</font><div class="im">
</div></td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">Subject:</font>
</td><td><font size="1" face="sans-serif">Re: [Dnsmasq-discuss] IP address based
on switch port number (option 82)</font></td></tr></tbody></table>
<br>
<hr noshade>
<br>
<br><div><div></div><div class="h5">
<br><tt><font size="2">On Sun, Feb 14, 2010 at 1:53 PM, Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>>
wrote:<br>
> <a href="mailto:Ignacio.Bravo@belden.com" target="_blank">Ignacio.Bravo@belden.com</a> wrote:<br>
>> Hello Simon, Thanks fo such a quick answer! Yes I detected that
a bit<br>
>> later and the tag is set now.<br>
>> dhcp-range=net:ignacio,10.10.35.60,10.10.35.65<br>
>> dhcp-circuitid=ignacio,b9:06:00:00:01:01:01:03,<br>
>> dhcp-remoteid=ignacio,00:06:00:80:63:60:e1:64<br>
>><br>
>> BUT IT STILL DOESNT WORK. the tag is set but i detected sort of
a<br>
>> loop of discovers, NAKs and ACKs so that client does never get
its IP<br>
>> Please find enclosed log output (dnsmasq shows loop.txt)
Every<br>
>> "dnsmasq: etiquetas: ignacio, eth0" tag is set (Spanish
log, sorry)<br>
>><br>
>> Please find enclosed capture file showing the loop (dhcp loop
from<br>
>> wireshark at the server side): Relay: .251 server: .200<br>
>><br>
>> Please take into account I have a layer2 network (client----L2switch<br>
>> acting as dhcp relay op82---dhcp server)<br>
>><br>
>> I feel the problem is dnsmasq receives two requests at almost
the<br>
>> same time (the broadcasted one which is Naked and the unicasted
one<br>
>> Acked) Of course the NACk message restarts the process at the
client<br>
>> side<br>
><br>
>><br>
>> Two questions: - Do you have any dnsmasq config solution for that<br>
>> (what´s the reason for the first request to be NAKed?)? I have<br>
>> experience with Hanewin and works ok in this topology without<br>
>> 'external help' I got one solution using iptables -A INPUT -i
eth0 -p<br>
>> udp -s <a href="http://0.0.0.0/32" target="_blank">0.0.0.0/32</a> -d <a href="http://255.255.255.255/32" target="_blank">255.255.255.255/32</a> --dport 67 -j DROP (i
do<br>
>> filter any broadcasted request or discover)<br>
> You are right. It's getting one request direct (without going through<br>
> the relay in the switch) and one request from the relay. Only the<br>
> request that goes throught switch has the circuit-id and sets the
tag.<br>
> Without the tag, the dhcp-range is not avilable, so it causes an error.<br>
><br>
> Part of this problem is the strange setup you have where the clients
are<br>
> in the same broadcast domain as the server, _and_ you have the DHCP<br>
> relay. Even without that there's still a problem because clients will
do<br>
> DHCP renewals direct/unicast without using the relay - that will fail.<br>
><br>
> Some switches can be configured to do transparent option-82 addition
to<br>
> _all_ DHCP packets without doing the relay function. That would fix
the<br>
> problem if your switch can do it.<br>
><br>
> I'm going to have to think about code changes to fix this in the general<br>
> case. Are you able to compile and test new versions of dnsmasq?<br>
<br>
ebtables or iptables can be used to match the source MAC address and<br>
only accept inbound DHCP requests from the relay(s). No change needed<br>
to dnsmasq.<br>
<br>
><br>
>> - does dnsmasq.conf do an AND with dhcp-circuitid<br>
> dhcp-remoteid values?, I mean,<br>
>> should I have more than one switch could dnsmasq sort the first
port<br>
>> of the first switch and the first port at the second switch?<br>
><br>
> Yes, you can do that: The AND function is in dhcp-range: set tags
for<br>
> each switch and port and use a switch tag and a port tag in dhcp-range<br>
><br>
> dhcp-range=net:switch-1,net:port-1,192.168.7.1,192.168.7.4,255.255.255.0<br>
><br>
> Cheers,<br>
><br>
> Simon.<br>
><br>
> _______________________________________________<br>
> Dnsmasq-discuss mailing list<br>
> <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
> </font></tt><a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank"><tt><font size="2">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</font></tt></a><tt><font size="2"><br>
><br>
</font></tt>
<br>
<br>
</div></div><div><div></div><div class="h5"><p>DISCLAIMER:
Privileged and/or Confidential information may be contained in this
message. If you are not the addressee of this message, you may not
copy, use or deliver this message to anyone. In such event, you
should destroy the message and kindly notify the sender by reply
e-mail. It is understood that opinions or conclusions that do not
relate to the official business of the company are neither given
nor endorsed by the company.
Thank You.
</p>
</div></div></blockquote></div><br>