On Monday 04 February 2008 05:41:35 am richardvo...@gmail.com wrote:

> You haven't done anything different in the dnsmasq configuration from
> someone using relay agents, which is by far the more common scenario,
> and which requires that same validation.

Again, I just don't understand _why_ that validation is _required_. At a certain point, isn't 'because the user took a number of steps to make me do this' a good enough reason (i.e. 'give the user enough rope to hang themselves')? I have explicitly allowed DHCP on an interface, I have explicitly configured a range I'd like DNSMasq to serve, and I have explicitly set an IP address for the client (via /etc/hosts). It just seems like that should be enough to convince dnsmasq that I really _want_ this.

> Most people in your situation (wanting some nodes on internal networks
> to not use up public addresses) choose to use static 1:1 NAT, which
> dnsmasq, iptables, routing would support out of the box. You've
> already played so many tricks with the routing that it's hard to see
> how you're going to make things work without either more and more
> tricks, or else ripping up the entire configuration and using a
> straightforward, well-supported networking design in its place.

Actually, I'm doing the opposite. Internal nodes _ARE_ using up public addresses (which is what I want). From what I've read, static NAT would require more network voodoo in this scenario than proxy ARP.

For instance, my _internal_ network is a perfectly normal routed network with 1 IP per machine. The IP on the machine matches the 'public' IP address the rest of the world sees. I don't have to maintain 'internal' and 'external' names, nor do I have to worry about keeping 2 sets of zone files in sync. DNSMasq, iptables, and routing work 'out of the box' - heck, that's what the network is built on (and has been for over a year). I don't see how my existing setup can be any more 'straightforward' or 'well supported' - each client gets 1 route to the gateway network, and a default route through the firewall. That's pretty simple to me. Static NAT just seems to require more housekeeping.

Finally, the issues I'm having with DNSMasq are _due_ to DNSMasq. They are a 'feature' - it's not a problem with my routing or my network. DNSMasq 'sees' the DHCP requests from all the clients - it just decides it shouldn't touch them. This is a perfectly valid design decision, but it is _not_ due to 'tricks' or 'problems' with my network setup. Mr. Kelley simply decided DNSMasq should be conservative, and provide as many safeguards as possible.

Anyway, trying to bring this conversation back on topic.

If I have 4 subnets configured to relay DHCP requests to 1 interface with DNSMasq bound to it, does that interface require an IP address from all 4 subnets? (i.e. will I have the same problem with DHCP relays?)

Steve