[Dnsmasq-discuss] How to achieve multiple DHCP pools within a single broadcast domain?

David dnsmasq1 at nmpu.com
Sat Jun 8 20:12:32 UTC 2024


Hello,

I have multiple access points with multiple SSIDs which convey different 
network privileges. I’ve mapped out the 10.x.x.x private address range using 
bit fields. I would like to be able to inspect an IP address and determine 
how the client connected. If I use separate VLANs/subnets and rely on 
routing, then I face broadcast issues for DLNA, Samba, mDNS, and whatever 
Windows uses for network discovery. From a security standpoint, I can 
enforce the subnet (bit fields) per interface using firewall rules. 
Incompatible manual IP assignment would be blocked. I could then route off 
the fields in the IP rather than a long list of VLAN interfaces.

I’m currently experimenting with nftables bridge filters. Each SSID is 
associated with a VLAN. Each VLAN is slave to a unique bridge. Each VLAN 
bridge also contains one end of a unique veth interface. The other end of 
the veth interface is slave to an umbrella LAN bridge which defines the 
composite broadcast domain. I can use each VLAN bridge interface as the 
anchor for the associated DHCP pool. Assuming I override the subnet supplied 
via DHCP, I effectively have a single broadcast domain. Granted, I have to 
create some bridge filter rules to restrict the DHCP traffic, but at least 
these are well-documented and narrow in scope.

I’m concerned about overhead. I’d like to simplify. What I’m really looking 
for is some way to pass a ‘hint’ (aka tag) to dnsmasq for DHCP pool 
selection. dnsmasq cannot distinguish a VLAN once it’s been absorbed into a 
bridge, but the bridge filter still has visibility. I see that there’s a 
mechanism for a DHCP-proxy to manipulate the subnet and giaddr fields in the 
DHCP request. That seems like an equally messy trade-off.

Normally, a DHCP request has SIP=0.0.0.0. It looks like I could use ‘packet 
mangling’ to modify SIP based on the VLAN. Does dnsmasq ever consider SIP 
when selecting a pool?

Can anyone recommend a simpler solution? DHCP reservation is not an option 
because the same device could connect to a different AP with a different 
SSID and even a different password.
