[Dnsmasq-discuss] New here, and looking for some help
Hi all.

I won't post configs etc yet this message, want to get the basic system up and running first - just trying a reinstall after some suggestions from Simon - basically because I'm building a server at home for another network I kinda screwed some things up. Reinstall might help fix that :)

Anyways, what I want to achieve is a network with the basic following layout :

eth0 - talks to the outside world.
eth1 (10.0.1.1) - 10.0.1.10 - 10.0.1.254 - Limited internet access, some sites not available to machines connected to this
eth2 (10.0.2.1) - 10.0.2.10 - 10.0.2.254 - full access to the few machines connected here.

Could also have eth1 do up to .100 and eth2 do .101-254.

I'm certain that DNSMasq should be capable of doing this, but am not quite sure how to do it. I'd rather have pointers in the right direction than a full guide, and only get extra help if I need it. I retain the information better by having to learn to do it myself :)

One thing that might be important early on - eventually this box will be running a website, and of course I want the URL to point back to the machine, however if I have 10.0.1.x and 10.0.2.x addresses, I can see I might run into issues with getting each branch to point to the right place. In this case, would it be better to keep everything under the .1.x range? After all, we'll never have more than 30 machines connected at any one time, and most of the time only 10 on an extreme day.

Thanks for any suggestions. Configs etc (or parts thereof) will follow as requested/needed.

Thanks all,
Mike
[Dnsmasq-discuss] Further to last message
Hi again all...

Forgot to ask... I mentioned that I might have issues with the local web server if I'm using the .1.x and .2.x address ranges. Could I run 2 instances of DNSMasq to get around this using separate .conf files, and of course the second instance also reading a separate hosts file?

Thanks,
M
Re: [Dnsmasq-discuss] New here, and looking for some help
On Thu, Dec 29, 2011 at 12:42 AM, M kiwirider...@gmail.com wrote:

> Hi all.
>
> I won't post configs etc yet this message, want to get the basic system up and running first - just trying a reinstall after some suggestions from Simon - basically because I'm building a server at home for another network I kinda screwed some things up. Reinstall might help fix that :)
>
> Anyways, what I want to achieve is a network with the basic following layout :
>
> eth0 - talks to the outside world.
> eth1 (10.0.1.1) - 10.0.1.10 - 10.0.1.254 - Limited internet access, some sites not available to machines connected to this
> eth2 (10.0.2.1) - 10.0.2.10 - 10.0.2.254 - full access to the few machines connected here.
>
> Could also have eth1 do up to .100 and eth2 do .101-254.
>
> I'm certain that DNSMasq should be capable of doing this, but am not quite sure how to do it. I'd rather have pointers in the right direction than a full guide, and only get extra help if I need it. I retain the information better by having to learn to do it myself :)

It would be easier IMO to run one instance of dnsmasq and set up dhcp pools for each physical address that needs one. I don't think your idea of having eth1 do up to .100 and eth2 for the rest has merit. Your original idea that eth1 would be 10.0.1.1 and support a dhcp pool in the 10.0.1 network. eth2 then can have 10.0.2.1 and a separate dhcp pool for the 10.0.2 network.

> One thing that might be important early on - eventually this box will be running a website, and of course I want the URL to point back to the machine, however if I have 10.0.1.x and 10.0.2.x addresses, I can see I might run into issues with getting each branch to point to the right place. In this case, would it be better to keep everything under the .1.x range? After all, we'll never have more than 30 machines connected at any one time, and most of the time only 10 on an extreme day.

Getting the branches to point to the right place doesn't have anything to do with dnsmasq in my view.

It's easy to put up an internal web server on 10.0.1.5 (for example). The 10.0.2 network machines can access the web server on 10.0.1.5 provided two things are true. dnsmasq running on the server must tell the 10.0.2 net that the hostname's IP address is 10.0.1.5. Then your firewall/routing/gateway setup must allow the 10.0.2 network access to the 10.0.1 network. dnsmasq has little to do with this, it's network design/routing tables stuff that you need to be aware of.

As to your need to have one of the networks not have full internet access, exactly how you do that depends on your needs. A forced network proxy server that blocks certain web sites is the classic solution for this type of thing. You could do this with dnsmasq also and sort of poison the dns results, but one thing you have to worry about is the ease of maintenance over the long term.

Have fun, and good luck.
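Added example (not part of the original posts, and not a configuration from either poster): a single-instance dnsmasq configuration for the layout discussed in this thread, with one DHCP pool per internal interface. The tag names, the lease time and the hostname www.home.lan are assumptions; 10.0.1.5 is the example web server address from the reply above.

```conf
# Constructed example. Interface names and address ranges are the ones from
# the question; tag names, lease time and "www.home.lan" are assumptions.

# Answer DHCP and DNS on the two internal interfaces only, never on eth0.
interface=eth1
interface=eth2
bind-interfaces

# One pool per subnet. dnsmasq picks the pool whose network matches the
# address of the interface the request arrived on, and sets the tag.
dhcp-range=set:limited,10.0.1.10,10.0.1.254,12h
dhcp-range=set:full,10.0.2.10,10.0.2.254,12h

# Gateway and DNS server per subnet, stated explicitly. By default dnsmasq
# already advertises its own address on the receiving interface for both.
dhcp-option=tag:limited,option:router,10.0.1.1
dhcp-option=tag:limited,option:dns-server,10.0.1.1
dhcp-option=tag:full,option:router,10.0.2.1
dhcp-option=tag:full,option:dns-server,10.0.2.1

# Clients on both subnets resolve the web server's name to the same
# internal address.
address=/www.home.lan/10.0.1.5
```

This only controls which addresses and names clients are given. Whether the 10.0.2 network can reach 10.0.1.5, and which sites the 10.0.1 network can reach, is decided by the firewall, routing or proxy, as the reply says.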
Re: [Dnsmasq-discuss] DNSMasq and Windows 7
Brielle, thanks very much

Adding

    dhcp-option=252,\n\000

Has fixed it - Windows 7 is now accepting the IP. Flamin' M$!

Perhaps Simon could add this to the FAQ?

Thanks again

> I had this odd behavior at one point - are you able to run a tcpdump/tshark of the LAN interface on the machine hosting DNSmasq? If so, have it monitor port 67/68:
>
>     tshark -i eth1 port 67 or port 68
>
> I have two ideas - first, you may have an iptables rule affecting this. These are the iptables rules I use to make sure DHCP works correctly:
>
>     iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
>
> the second could be remotely related to what I talk about here:
>
> http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html
>
> --
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org

-- Forwarded message --
From: Brielle Bruns br...@2mbit.com
To: dnsmasq-discuss@lists.thekelleys.org.uk
Cc:
Date: Wed, 28 Dec 2011 16:19:25 -0700
Subject: Re: [Dnsmasq-discuss] DNSMasq and Windows 7

oops, meant to send this to the list!

On 12/28/11 3:52 PM, Didster wrote:

> Hello,
>
> I have been running DNSMasq for some time now on a network consisting mainly of Windows XP and Linux machines, with no problems at all.
>
> I brought my daughter a new laptop for Christmas and it came with Windows 7. Sadly, this is what she uses at school so I have to stick with it.
>
> For some reason, it refuses to accept IP addresses handed out by DNSMasq. Logs are full of:
>
> Dec 28 21:29:21 gateway dnsmasq-dhcp[27812]: DHCPREQUEST(eth0) 192.168.0.190 ac:72:89:11:44:32
> Dec 28 21:29:21 gateway dnsmasq-dhcp[27812]: DHCPACK(eth0) 192.168.0.190 ac:72:89:11:44:32 millsy-PC
> Dec 28 21:29:26 gateway dnsmasq-dhcp[27812]: DHCPREQUEST(eth0) 192.168.0.190 ac:72:89:11:44:32
> Dec 28 21:29:26 gateway dnsmasq-dhcp[27812]: DHCPACK(eth0) 192.168.0.190 ac:72:89:11:44:32 millsy-PC
> Dec 28 21:29:40 gateway dnsmasq-dhcp[27812]: DHCPREQUEST(eth0) 192.168.0.190 ac:72:89:11:44:32
> Dec 28 21:29:40 gateway dnsmasq-dhcp[27812]: DHCPACK(eth0) 192.168.0.190 ac:72:89:11:44:32 millsy-PC
> Dec 28 21:29:50 gateway dnsmasq-dhcp[27812]: DHCPREQUEST(eth0) 192.168.0.190 ac:72:89:11:44:32
> Dec 28 21:29:50 gateway dnsmasq-dhcp[27812]: DHCPACK(eth0) 192.168.0.190 ac:72:89:11:44:32 millsy-PC
>
> Over and over. But Windows 7 just refuses to accept the IP. Turning off DNSMasq and enabling the DHCP server on my router works just fine on the W7 machine.
>
> I am running the version of DNSMasq currently in Debian Sid - 2.59.

I had this odd behavior at one point - are you able to run a tcpdump/tshark of the LAN interface on the machine hosting DNSmasq? If so, have it monitor port 67/68:

    tshark -i eth1 port 67 or port 68

I have two ideas - first, you may have an iptables rule affecting this. These are the iptables rules I use to make sure DHCP works correctly:

    iptables -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

the second could be remotely related to what I talk about here:

http://brielle.sosdg.org/archives/522-Windows-7-flooding-DHCP-server-with-DHCPINFORM-messages.html

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Dnsmasq-discuss] dnsmasq responding to DHCPINFORM only
Hello.

We've recently noticed a problem with our setup, that was based on the information in this (old) thread. Essentially, we used Simon's instructions (below) to configure dnsmasq to not reply to DHCP requests for leases, but to only respond to DHCP INFORM requests. We also had option 66 parameters configured for a specific MAC address range.

This worked great in our scenario, where we had devices getting IP/DNS/etc. from the primary DHCP server, and subsequently getting DHCP option 66 info from the dnsmasq instance replying to a DHCP INFORM request.

However, we've noticed some Windows PCs also request DHCP INFORM, and it appears dnsmasq replies to those requests and provides DNS server information - those PCs then start to use the DNS servers supplied by dnsmasq instead of the DNS servers supplied by the primary DHCP server.

A few questions:

1. How can I cause dnsmasq to only reply to DHCP INFORM requests from a certain MAC range? I already have the MAC range configured, and have dnsmasq configured to provide specific option 66 information to that MAC range only.

2. If not possible, how can I cause DNS server information to not be included in the reply to DHCP INFORM?

3. If both not possible, where do I specify the specific DNS servers which dnsmasq uses in the aforementioned reply? Perhaps I can just replicate the information that the primary DHCP server sends.

Any help would be sincerely appreciated.

--
Nabeel Jafferali
Director - Product Mgmt.
Jazinga Inc.
416.548.4755 x103

On Wed, Aug 18, 2010 at 5:30 PM, Nabeel Jafferali nab...@jazinga.com wrote:

> Thank you Simon. That worked perfectly, I have the client devices getting their boot parameters from dnsmasq but still getting their IP addresses from the primary DHCP server (a Linksys router, in my test case).
>
> --
> Nabeel Jafferali
> Director - Product Mgmt.
> Jazinga Inc.
> 416.548.4755 x103
>
> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: August-18-10 5:19 PM
> To: dnsmasq discussion list
> Subject: Re: [Dnsmasq-discuss] dnsmasq responding to DHCPINFORM only
>
> Nabeel Jafferali wrote:
>
> > Is it possible to have dnsmasq run alongside an existing DHCP server on the network, but only respond to DHCP INFORM requests with the appropriate option #. Essentially, I want to have my existing DHCP server hand out IPs, but when the client device doesn't receive option 66 information, it sends a DHCP INFORM request, which I want dnsmasq to reply to.
> >
> > I tried to set up dnsmasq.conf to listen on the appropriate interface, did not set it as authoritative, did not include any IP address range, but did specify dhcp-mac and dhcp-option entries.
>
> If you enable dnsmasq with a dhcp-range that looks something like
>
>     dhcp-range=192.168.0.1,static
>
> then it will not hand out leases, but it will reply to DHCPINFORM.
>
> BUT, most clients, once they have a DHCP lease, will unicast DHCPINFORM requests directly to the DHCP server which supplied the lease, so in those circumstances dnsmasq would never see the request and therefore not reply.
>
> Simon.
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] DNSMasq and Windows 7
On 12/29/11 8:22 AM, Didster wrote:

> Brielle, thanks very much
>
> Adding
>
>     dhcp-option=252,\n\000
>
> Has fixed it - Windows 7 is now accepting the IP. Flamin' M$!
>
> Perhaps Simon could add this to the FAQ?

Awesome, glad to hear that made it happy. Win7 is awfully OCD over certain things, and the proxy settings for whatever reason is one of its obsessions.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Dnsmasq-discuss] dnsmasq responding to DHCPINFORM only
On 29/12/11 16:30, Nabeel Jafferali wrote:

> Hello.
>
> We've recently noticed a problem with our setup, that was based on the information in this (old) thread. Essentially, we used Simon's instructions (below) to configure dnsmasq to not reply to DHCP requests for leases, but to only respond to DHCP INFORM requests. We also had option 66 parameters configured for a specific MAC address range.
>
> This worked great in our scenario, where we had devices getting IP/DNS/etc. from the primary DHCP server, and subsequently getting DHCP option 66 info from the dnsmasq instance replying to a DHCP INFORM request.
>
> However, we've noticed some Windows PCs also request DHCP INFORM, and it appears dnsmasq replies to those requests and provides DNS server information - those PCs then start to use the DNS servers supplied by dnsmasq instead of the DNS servers supplied by the primary DHCP server.
>
> A few questions:
>
> 1. How can I cause dnsmasq to only reply to DHCP INFORM requests from a certain MAC range? I already have the MAC range configured, and have dnsmasq configured to provide specific option 66 information to that MAC range only.

    dhcp-ignore = !tag

will stop all replies except when the tag is set. Use the same tag you set on the MAC range, and it will work fine.

> 2. If not possible, how can I cause DNS server information to not be included in the reply to DHCP INFORM?

    dhcp-option = option:dns-server

(Dnsmasq uses itself as the default DNS server, the above overrides the default and sets no DNS server option.)

> 3. If both not possible, where do I specify the specific DNS servers which dnsmasq uses in the aforementioned reply? Perhaps I can just replicate the information that the primary DHCP server sends.

Some variation on the example above will work for this.

HTH

Simon.
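Added example (not part of the original posts): the setup described in this thread written out as one dnsmasq configuration fragment, combining the static range from the 2010 reply with the two answers above. The MAC prefix, the tag name "phones" and the TFTP server name are placeholders.

```conf
# Constructed example. The MAC prefix, tag name and TFTP server name are
# placeholders; 192.168.0.1 is the address used in the 2010 reply.

# "static" range: this instance hands out no dynamic leases on the
# network, but it still answers DHCPINFORM.
dhcp-range=192.168.0.1,static

# Tag every request whose MAC address falls in the device range.
dhcp-mac=set:phones,00:11:22:*:*:*

# Option 66 (TFTP server name) is sent to tagged devices only.
dhcp-option=tag:phones,66,"tftp.example.lan"

# Ignore every client that does NOT carry the tag, so a Windows PC that
# sends DHCPINFORM gets no reply from this instance and keeps the DNS
# servers supplied by the primary DHCP server.
dhcp-ignore=tag:!phones

# Second safeguard: send the dns-server option with no value, so a reply
# that does go out never advertises this dnsmasq instance as a resolver.
dhcp-option=option:dns-server
```

Watching ports 67 and 68 with tshark or tcpdump while a Windows PC joins the network shows whether this instance still answers its DHCPINFORM.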
Re: [Dnsmasq-discuss] DNSMasq and Windows 7
On 29/12/11 15:22, Didster wrote:

> Brielle, thanks very much
>
> Adding
>
>     dhcp-option=252,\n\000
>
> Has fixed it - Windows 7 is now accepting the IP. Flamin' M$!
>
> Perhaps Simon could add this to the FAQ?

Will do.

Cheers,

Simon.