>>ebtables or iptables can be used to match the source MAC address and
>>only accept inbound DHCP requests from the relay(s). No change needed
>>to dnsmasq.
I did that also with Iptables and it works. But there is a drawback: Not all ports really need option 82 (you can activate this switch function per port so that some ports have a fixed IP and some others not)
In that general case dnsmasq should receive broadcasts and unicasts. Only some broadcasts should be discarded!
I feel a good idea not checking circuit-remote ID tags on DHCP requests (not only renewals), what do you think? doing this no problem with renewals nor L2 relays. L3 relays would filter the broadcasts and this change would not disturb (i may be wrong...)
Should you be interested in captures from hanewin dhcp server in the same scenario please let me know
by the way, ISC also loops in this situation
Simon: Of course I am eager to check any new code you could provide. I am a newbie in linux, may you please (if possible) detail commands/tools I should do/have to make&install any possible code? I am on ubuntu
Thanks again
Ignacio
| From: | "richardvo...@gmail.com" <richardvo...@gmail.com> |
| To: | Simon Kelley <si...@thekelleys.org.uk> |
| Cc: | ignacio.br...@belden.com, dnsmasq-discuss@lists.thekelleys.org.uk |
| Date: | 14/02/2010 21:02 |
| Subject: | Re: [Dnsmasq-discuss] IP address based on switch port number (option 82) |
On Sun, Feb 14, 2010 at 1:53 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
> ignacio.br...@belden.com wrote:
>> Hello Simon, Thanks fo such a quick answer! Yes I detected that a bit
>> later and the tag is set now.
>> dhcp-range=net:ignacio,10.10.35.60,10.10.35.65
>> dhcp-circuitid=ignacio,b9:06:00:00:01:01:01:03,
>> dhcp-remoteid=ignacio,00:06:00:80:63:60:e1:64
>>
>> BUT IT STILL DOESNT WORK. the tag is set but i detected sort of a
>> loop of discovers, NAKs and ACKs so that client does never get its IP
>> Please find enclosed log output (dnsmasq shows loop.txt) Every
>> "dnsmasq: etiquetas: ignacio, eth0" tag is set (Spanish log, sorry)
>>
>> Please find enclosed capture file showing the loop (dhcp loop from
>> wireshark at the server side): Relay: .251 server: .200
>>
>> Please take into account I have a layer2 network (client----L2switch
>> acting as dhcp relay op82---dhcp server)
>>
>> I feel the problem is dnsmasq receives two requests at almost the
>> same time (the broadcasted one which is Naked and the unicasted one
>> Acked) Of course the NACk message restarts the process at the client
>> side
>
>>
>> Two questions: - Do you have any dnsmasq config solution for that
>> (what´s the reason for the first request to be NAKed?)? I have
>> experience with Hanewin and works ok in this topology without
>> 'external help' I got one solution using iptables -A INPUT -i eth0 -p
>> udp -s 0.0.0.0/32 -d 255.255.255.255/32 --dport 67 -j DROP (i do
>> filter any broadcasted request or discover)
> You are right. It's getting one request direct (without going through
> the relay in the switch) and one request from the relay. Only the
> request that goes throught switch has the circuit-id and sets the tag.
> Without the tag, the dhcp-range is not avilable, so it causes an error.
>
> Part of this problem is the strange setup you have where the clients are
> in the same broadcast domain as the server, _and_ you have the DHCP
> relay. Even without that there's still a problem because clients will do
> DHCP renewals direct/unicast without using the relay - that will fail.
>
> Some switches can be configured to do transparent option-82 addition to
> _all_ DHCP packets without doing the relay function. That would fix the
> problem if your switch can do it.
>
> I'm going to have to think about code changes to fix this in the general
> case. Are you able to compile and test new versions of dnsmasq?
ebtables or iptables can be used to match the source MAC address and
only accept inbound DHCP requests from the relay(s). No change needed
to dnsmasq.
>
>> - does dnsmasq.conf do an AND with dhcp-circuitid
> dhcp-remoteid values?, I mean,
>> should I have more than one switch could dnsmasq sort the first port
>> of the first switch and the first port at the second switch?
>
> Yes, you can do that: The AND function is in dhcp-range: set tags for
> each switch and port and use a switch tag and a port tag in dhcp-range
>
> dhcp-range=net:switch-1,net:port-1,192.168.7.1,192.168.7.4,255.255.255.0
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.
