<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Jochen,</p>
<p>I think it would need to be a more complex change.<br>
</p>
<div class="moz-cite-prefix">On 10/4/21 13:04, Jochen Demmer via
Dnsmasq-discuss wrote:<br>
</div>
<blockquote type="cite" cite="mid:7f-615adf80-13-11b3e060@236114989">Hi,<br>
<br>
I'm sorry for being unclear.<br>
There is a cluster of two firewalls (active passive).<br>
The clients use the link local address as their default gateway. I
want to initialize a manual switch:<br>
The primary becomes secondary, the old secondary becomes primary.<br>
</blockquote>
I think dnsmasq does not implement DHCP failover in any way. It
expects it is the only DHCP server and maintains just its own lease
database, right? Wouldn't more complex support be required? It seems
to me such a scenario might be better suited for enterprise-grade DHCP
implementations, such as ISC Kea. It seems to me dnsmasq targets less
resourceful machines without a router duplication environment.<br>
<blockquote type="cite" cite="mid:7f-615adf80-13-11b3e060@236114989"><br>
As the router advertisements for the clients contain a default
route I would like to make adjustments. The default route is being
published by providing clients with the link-local address of the
firewall (whichever is primary).<br>
When there is such a controlled switch I would like to let the old
primary send a router advertisement package to the clients with a
lifetime of 0. This will signal the clients to not use this device
any more.<br>
Next the new primary (formerly secondary) will start to advertise
itself as the new default router.<br>
</blockquote>
I think it should also switch the dhcp-authoritative flag. It is not
only about routes; it should also stop managing IP addresses when a
different instance is the primary server, right? I think dnsmasq may
receive a signal to switch state over D-Bus, for example. Then it
should deactivate its own dhcp-range and start sending lifetime 0 to
indicate it is no longer the preferred one. It would be much easier
if dnsmasq restarted on such a change and the configuration changed,
correct?<br>
<blockquote type="cite" cite="mid:7f-615adf80-13-11b3e060@236114989"><br>
In this event I would like to have a trigger so that the
designated primary sends such a 0 lifetime package. If I'm not
mistaken such a feature is missing.<br>
</blockquote>
Dnsmasq seems to be able to send a 0 lifetime. It does so in cases
when an address range disappears on the router. I admit it is too
radical to remove the address range just to send it, if there might be
another server better suited for it. We could add
dhcp-range=...,ra-inactive, which would send a lifetime==0
announcement for the duration of a lease, then stop it. Similar to the
src/dhcp6.c:793 handling of removed addresses. Might that work? It
would require a dnsmasq restart after the configuration change.<br>
<blockquote type="cite" cite="mid:7f-615adf80-13-11b3e060@236114989"><br>
AFAIK this is how pfSense handles such setups. They do use CARP
but at that point it doesn't differ from a VRRP scenario.<br>
<br>
Regards<br>
Jochen<br>
<br>
On Saturday, October 02, 2021 13:17 CEST, Geert Stappers via
Dnsmasq-discuss
<a class="moz-txt-link-rfc2396E" href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk"><dnsmasq-discuss@lists.thekelleys.org.uk></a> wrote:<br>
<blockquote type="cite">On Sat, Oct 02, 2021 at 10:28:16AM +0200,
Jochen Demmer via Dnsmasq-discuss wrote:<br>
><br>
> Hi,<br>
<br>
Welcome,<br>
<br>
<br>
> I've been trying to develop my own kind of firewall solution named<br>
> nftwall which uses nftables as packet filter and is being managed<br>
> centrally by Ansible - no webGUI.<br>
><br>
> My first attempt was to use dnsmasq but then I found out about this<br>
> obstacle. I've been thinking about switching to KEA + radvd but actually<br>
> I would like to keep using dnsmasq.<br>
> I manage my VRRP IPs with keepalived. There are small scripts<br>
> for an event of a primary - secondary change. Especially in an<br>
> event of controlled switch of primary - secondary I would like the<br>
> primary dnsmasq to send a lifetime of 0 in the router advertisement<br>
> package. That way the clients know that this router shall not be used<br>
> any more.<br>
<br>
What?<br>
<br>
<br>
> Please confirm my findings that this is currently not possible with<br>
> dnsmasq.<br>
><br>
> If so please accept my feature request to implement that.<br>
<br>
Patches to this mailinglist do get noticed.<br>
<br>
<br>
<br>
Regards<br>
Geert Stappers<br>
--<br>
Silence is hard to parse<br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a class="moz-txt-link-freetext" href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a></blockquote>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
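<p>Added example, not code from the thread or from dnsmasq itself: a small builder and decoder for the RFC 4861 Router Advertisement header discussed above, with the ICMPv6 pseudo-header checksum, so the Router Lifetime field that the old primary would set to 0 (and that a receiver should check) is visible in bytes. The link-local addresses and the prefix used in the test are constructed values.</p>

```python
"""Build and decode ICMPv6 Router Advertisements (RFC 4861): lifetime 0 withdraws a router."""
import ipaddress
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")  # RAs are multicast to all nodes
RA_TYPE = 134

def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header plus ICMPv6 body."""
    data = src.packed + dst.packed + struct.pack("!I", len(payload))
    data += b"\x00\x00\x00\x3a" + payload  # next header 58 = ICMPv6
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ra(src, router_lifetime, prefix=None, valid=86400, preferred=14400):
    """Fixed header: type, code, csum, hop limit, flags, lifetime, reachable,
    retrans. An optional Prefix Information option (type 3, L+A flags) follows."""
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    if prefix is not None:
        net = ipaddress.IPv6Network(prefix)
        body += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, preferred, 0)
        body += net.network_address.packed
    csum = icmpv6_checksum(ipaddress.IPv6Address(src), ALL_NODES, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]

def parse_ra(src, pkt):
    """Decode an RA from link-local src; None if malformed or checksum fails."""
    if len(pkt) < 16 or pkt[0] != RA_TYPE:
        return None
    if icmpv6_checksum(ipaddress.IPv6Address(src), ALL_NODES, pkt) != 0:
        return None  # a packet with a correct checksum sums to 0
    lifetime = struct.unpack("!H", pkt[6:8])[0]
    ra = {"router_lifetime": lifetime, "default_route_withdrawn": lifetime == 0, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            return None  # zero-length or truncated option
        if otype == 3 and olen == 32:
            valid, pref = struct.unpack("!II", pkt[off + 4:off + 12])
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            ra["prefixes"].append((f"{addr}/{pkt[off + 2]}", valid, pref))
        off += olen
    return ra
```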
</body>
</html>