Re: [Dnsmasq-discuss] IPv6 setup for internal network
Right now it is working (it seems): the client gets 2 addresses, 1 in the /64 range and 1 in /128, where the last one gets registered in DNS.

Knud

On 06/08/2019 18.47, Knud wrote:
> Hi Michal
>
> Thanks for replying.
>
> Sorry for the late response... somehow I have problems sending to the list.. it takes forever before my mails arrive.
>
> See my replies below.
>
> Knud
>
> On 05/08/2019 22.40, Michal Zatloukal wrote:
> > Hi there.
> >
> > On Fri, 2 Aug 2019 at 18:21, Knud wrote:
> > >
> > > Hi
> > >
> > > I have tried to get IPv6 setup running for my internal LAN (at home)
> > >
> > > With a lot of tries and no real luck.
> > >
> > > What do I want:
> > >
> > > Have dnsmasq running on a server (Linux Fedora f30), do IPv6 DHCP/DNS
> > > with local names.
> >
> > Where is the DHCPv4 server running? ra-names assumes the same instance
> > of dnsmasq is running both DHCPv4 and v6.
> > Personally, I haven't been able to get local names to work with IPv6
> > even in that configuration. The assumption of hosts using EUI-64 is
> > not met too often these days.
>
> On a local server.
>
> > > Want to proceed with that for IPv6: let my router make an IPv6 tunnel to a HE
> > > tunnelbroker.
> >
> > Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs
> > must be sent by the host acting as the gateway, there's no way around
> > this in IPv6 AFAIK. You must configure the gateway's RAs to enable
> > clients to look for a DHCPv6 server (M, O bits set to 1).
>
> Yes, dnsmasq on one machine; the router is a physically separate box doing only
> IPv4 routing/NAT and the IPv6 tunnel, 6rd4.
>
> > > Right now I have made a test setup consisting of 2 Vbox guests (Fedora
> > > F30) running in an internal network on the Vbox host just to get things
> > > working and learn.
> > >
> > > So the first step is to get dnsmasq to hand out an IP address and register it in
> > > the DNS.
> >
> > Hold it - Do you have an address from the specified range (fd17:...)
> > manually assigned to the interface on the DHCP server? (Not sure if
> > it's necessary, but that's what I did) - if you don't, I could see how
> > dnsmasq would consider the range non-local (see below)
>
> Yes, a fixed address with /64.
>
> > > 1st problem: Client gets correct address from dnsmasq but not the right
> > > mask, e.g. it gets an IP /128
> > > enable-ra is there
> >
> > IIRC "/128" happens when the prefix is not flagged as on-link in its
> > options. Check the advertisements with tcpdump/wireshark/rdisc6. As
> > for cause, your config doesn't specify prefix length so the correct
> > length must be set on the interface.
> >
> > > 2nd problem: Client gets DNS IP from the fe80:: address range
> >
> > If you mean "the DNS server address the client gets is in the
> > fe80::/10 range", then this is normal.
> >
> > > 3rd problem: the address which is registered in the DNS is the fe80:: address
> >
> > Not sure where this comes from (are you sure this is provided by
> > dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual
> > correctly - ra-names is only intended for SLAAC-enabled networks, and even
> > then only works with hosts that don't do private interface
> > identifiers. So you won't get name resolution to your fd17... range
> > regardless. Just to check - set log-queries and see if it's actually
> > dnsmasq responding to the query. The leases file might also be
> > helpful.
> >
> > > I could write a long story about what I have tried
> > >
> > > Please advise..
> >
> > OK. From your config:
> >
> > > dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names
> >
> > According to the manual, omitting the prefix length will cause dnsmasq
> > to use the prefixlen of the interface. As noted above - is this set?
>
> Yes.
>
> > As for me - I'm still on Debian with ifupdown, so I do it this way (my
> > HE tunnel endpoint is on a host behind NAT, rather than on the v4
> > router, but that host also does DHCPv4 so I can do ra-names; 6in4
> > requires that the router is configured to treat this host as DMZ):
> >
> > 1. /e/n/i for eth0:
> >     iface eth0 inet static
> >         ... # Private IPv4 config
> >         up ifup 6in4
> >         down ifdown 6in4
> >     iface eth0 inet6 manual
> >
> > 2. /e/n/i for the tunnel:
> >     iface 6in4 inet6 v4tunnel
> >         ... # Endpoint addresses
> >         up ip route add ::/0 dev 6in4
> >         up ip add add 2001:.../64 dev eth0 # internal ip6 range
> >         down ip route del ::/0 dev 6in4
> >         down ip add del 2001:../64 dev eth0
> >
> > 3. dnsmasq for v6:
> >     dhcp-range=::,constructor:eth0,ra-names
> >     ra-param=eth0,mtu:6in4,0
> >
> > I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google
> > search results suggest a range like this should get you going:
> >     dhcp-range=::1, :::, constructor:br*, 64, 12h
> >
> > I would suggest you start with the easier SLAAC setup, then tweak it
> > once you have that running.
>
> In my test environment I start with DHCP and DNS registering names. Otherwise
> everything else is useless.
>
> On my "production" LAN I can get the 6rd4 tunnel working with, I guess, SLAAC (the
> router does advertising) and get the clients to connect to IPv6 hosts on the
> internet... but I am missing my local DNS registration.
>
> I shifted to the test environment due to the impact of playing around with the
> "production" LAN.
>
> > MZ
> >
> > > Knud

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] IPv6 setup for internal network
Hi Michal

Thanks for replying.

Sorry for the late response... somehow I have problems sending to the list.. it takes forever before my mails arrive.

See my replies below.

Knud

On 05/08/2019 22.40, Michal Zatloukal wrote:
> Hi there.
>
> On Fri, 2 Aug 2019 at 18:21, Knud wrote:
> >
> > Hi
> >
> > I have tried to get IPv6 setup running for my internal LAN (at home)
> >
> > With a lot of tries and no real luck.
> >
> > What do I want:
> >
> > Have dnsmasq running on a server (Linux Fedora f30), do IPv6 DHCP/DNS
> > with local names.
>
> Where is the DHCPv4 server running? ra-names assumes the same instance
> of dnsmasq is running both DHCPv4 and v6.
> Personally, I haven't been able to get local names to work with IPv6
> even in that configuration. The assumption of hosts using EUI-64 is
> not met too often these days.

On a local server.

> > Want to proceed with that for IPv6: let my router make an IPv6 tunnel to a HE
> > tunnelbroker.
>
> Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs
> must be sent by the host acting as the gateway, there's no way around
> this in IPv6 AFAIK. You must configure the gateway's RAs to enable
> clients to look for a DHCPv6 server (M, O bits set to 1).

Yes, dnsmasq on one machine; the router is a physically separate box doing only
IPv4 routing/NAT and the IPv6 tunnel, 6rd4.

> > Right now I have made a test setup consisting of 2 Vbox guests (Fedora
> > F30) running in an internal network on the Vbox host just to get things
> > working and learn.
> >
> > So the first step is to get dnsmasq to hand out an IP address and register it in
> > the DNS.
>
> Hold it - Do you have an address from the specified range (fd17:...)
> manually assigned to the interface on the DHCP server? (Not sure if
> it's necessary, but that's what I did) - if you don't, I could see how
> dnsmasq would consider the range non-local (see below)

Yes, a fixed address with /64.

> > 1st problem: Client gets correct address from dnsmasq but not the right
> > mask, e.g. it gets an IP /128
> > enable-ra is there
>
> IIRC "/128" happens when the prefix is not flagged as on-link in its
> options. Check the advertisements with tcpdump/wireshark/rdisc6. As
> for cause, your config doesn't specify prefix length so the correct
> length must be set on the interface.
>
> > 2nd problem: Client gets DNS IP from the fe80:: address range
>
> If you mean "the DNS server address the client gets is in the
> fe80::/10 range", then this is normal.
>
> > 3rd problem: the address which is registered in the DNS is the fe80:: address
>
> Not sure where this comes from (are you sure this is provided by
> dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual
> correctly - ra-names is only intended for SLAAC-enabled networks, and even
> then only works with hosts that don't do private interface
> identifiers. So you won't get name resolution to your fd17... range
> regardless. Just to check - set log-queries and see if it's actually
> dnsmasq responding to the query. The leases file might also be
> helpful.
>
> > I could write a long story about what I have tried
> >
> > Please advise..
>
> OK. From your config:
>
> > dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names
>
> According to the manual, omitting the prefix length will cause dnsmasq
> to use the prefixlen of the interface. As noted above - is this set?

Yes.

> As for me - I'm still on Debian with ifupdown, so I do it this way (my
> HE tunnel endpoint is on a host behind NAT, rather than on the v4
> router, but that host also does DHCPv4 so I can do ra-names; 6in4
> requires that the router is configured to treat this host as DMZ):
>
> 1. /e/n/i for eth0:
>     iface eth0 inet static
>         ... # Private IPv4 config
>         up ifup 6in4
>         down ifdown 6in4
>     iface eth0 inet6 manual
>
> 2. /e/n/i for the tunnel:
>     iface 6in4 inet6 v4tunnel
>         ... # Endpoint addresses
>         up ip route add ::/0 dev 6in4
>         up ip add add 2001:.../64 dev eth0 # internal ip6 range
>         down ip route del ::/0 dev 6in4
>         down ip add del 2001:../64 dev eth0
>
> 3. dnsmasq for v6:
>     dhcp-range=::,constructor:eth0,ra-names
>     ra-param=eth0,mtu:6in4,0
>
> I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google
> search results suggest a range like this should get you going:
>     dhcp-range=::1, :::, constructor:br*, 64, 12h
>
> I would suggest you start with the easier SLAAC setup, then tweak it
> once you have that running.

In my test environment I start with DHCP and DNS registering names. Otherwise
everything else is useless.

On my "production" LAN I can get the 6rd4 tunnel working with, I guess, SLAAC (the
router does advertising) and get the clients to connect to IPv6 hosts on the
internet... but I am missing my local DNS registration.

I shifted to the test environment due to the impact of playing around with the
"production" LAN.

> MZ
>
> > Knud
Re: [Dnsmasq-discuss] IPv6 setup for internal network
Whoops, some of my example config was wrong.

    ra-param=eth0,mtu:6in4,60 # "0" would disable periodic sending, and Apple's OSes would drop the address without soliciting for the router again.

MZ

On Mon, 5 Aug 2019 at 22:40, Michal Zatloukal wrote:
>
> Hi there.
>
> On Fri, 2 Aug 2019 at 18:21, Knud wrote:
> >
> > Hi
> >
> > I have tried to get IPv6 setup running for my internal LAN (at home)
> >
> > With a lot of tries and no real luck.
> >
> > What do I want:
> >
> > Have dnsmasq running on a server (Linux Fedora f30), do IPv6 DHCP/DNS
> > with local names.
>
> Where is the DHCPv4 server running? ra-names assumes the same instance
> of dnsmasq is running both DHCPv4 and v6.
> Personally, I haven't been able to get local names to work with IPv6
> even in that configuration. The assumption of hosts using EUI-64 is
> not met too often these days.
>
> > Want to proceed with that for IPv6: let my router make an IPv6 tunnel to a HE
> > tunnelbroker.
>
> Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs
> must be sent by the host acting as the gateway, there's no way around
> this in IPv6 AFAIK. You must configure the gateway's RAs to enable
> clients to look for a DHCPv6 server (M, O bits set to 1).
>
> > Right now I have made a test setup consisting of 2 Vbox guests (Fedora
> > F30) running in an internal network on the Vbox host just to get things
> > working and learn.
> >
> > So the first step is to get dnsmasq to hand out an IP address and register it in
> > the DNS.
>
> Hold it - Do you have an address from the specified range (fd17:...)
> manually assigned to the interface on the DHCP server? (Not sure if
> it's necessary, but that's what I did) - if you don't, I could see how
> dnsmasq would consider the range non-local (see below)
>
> > 1st problem: Client gets correct address from dnsmasq but not the right
> > mask, e.g. it gets an IP /128
> > enable-ra is there
>
> IIRC "/128" happens when the prefix is not flagged as on-link in its
> options. Check the advertisements with tcpdump/wireshark/rdisc6. As
> for cause, your config doesn't specify prefix length so the correct
> length must be set on the interface.
>
> > 2nd problem: Client gets DNS IP from the fe80:: address range
>
> If you mean "the DNS server address the client gets is in the
> fe80::/10 range", then this is normal.
>
> > 3rd problem: the address which is registered in the DNS is the fe80:: address
>
> Not sure where this comes from (are you sure this is provided by
> dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual
> correctly - ra-names is only intended for SLAAC-enabled networks, and even
> then only works with hosts that don't do private interface
> identifiers. So you won't get name resolution to your fd17... range
> regardless. Just to check - set log-queries and see if it's actually
> dnsmasq responding to the query. The leases file might also be
> helpful.
>
> > I could write a long story about what I have tried
> >
> > Please advise..
>
> OK. From your config:
>
> > dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names
>
> According to the manual, omitting the prefix length will cause dnsmasq
> to use the prefixlen of the interface. As noted above - is this set?
>
> As for me - I'm still on Debian with ifupdown, so I do it this way (my
> HE tunnel endpoint is on a host behind NAT, rather than on the v4
> router, but that host also does DHCPv4 so I can do ra-names; 6in4
> requires that the router is configured to treat this host as DMZ):
>
> 1. /e/n/i for eth0:
>     iface eth0 inet static
>         ... # Private IPv4 config
>         up ifup 6in4
>         down ifdown 6in4
>     iface eth0 inet6 manual
>
> 2. /e/n/i for the tunnel:
>     iface 6in4 inet6 v4tunnel
>         ... # Endpoint addresses
>         up ip route add ::/0 dev 6in4
>         up ip add add 2001:.../64 dev eth0 # internal ip6 range
>         down ip route del ::/0 dev 6in4
>         down ip add del 2001:../64 dev eth0
>
> 3. dnsmasq for v6:
>     dhcp-range=::,constructor:eth0,ra-names
>     ra-param=eth0,mtu:6in4,0
>
> I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google
> search results suggest a range like this should get you going:
>     dhcp-range=::1, :::, constructor:br*, 64, 12h
>
> I would suggest you start with the easier SLAAC setup, then tweak it
> once you have that running.
>
> MZ
>
> > Knud
Re: [Dnsmasq-discuss] IPv6 setup for internal network
Hi there.

On Fri, 2 Aug 2019 at 18:21, Knud wrote:
>
> Hi
>
> I have tried to get IPv6 setup running for my internal LAN (at home)
>
> With a lot of tries and no real luck.
>
> What do I want:
>
> Have dnsmasq running on a server (Linux Fedora f30), do IPv6 DHCP/DNS
> with local names.

Where is the DHCPv4 server running? ra-names assumes the same instance
of dnsmasq is running both DHCPv4 and v6.
Personally, I haven't been able to get local names to work with IPv6
even in that configuration. The assumption of hosts using EUI-64 is
not met too often these days.

> Want to proceed with that for IPv6: let my router make an IPv6 tunnel to a HE
> tunnelbroker.

Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs
must be sent by the host acting as the gateway, there's no way around
this in IPv6 AFAIK. You must configure the gateway's RAs to enable
clients to look for a DHCPv6 server (M, O bits set to 1).

> Right now I have made a test setup consisting of 2 Vbox guests (Fedora
> F30) running in an internal network on the Vbox host just to get things
> working and learn.
>
> So the first step is to get dnsmasq to hand out an IP address and register it in
> the DNS.

Hold it - Do you have an address from the specified range (fd17:...)
manually assigned to the interface on the DHCP server? (Not sure if
it's necessary, but that's what I did) - if you don't, I could see how
dnsmasq would consider the range non-local (see below)

> 1st problem: Client gets correct address from dnsmasq but not the right
> mask, e.g. it gets an IP /128
> enable-ra is there

IIRC "/128" happens when the prefix is not flagged as on-link in its
options. Check the advertisements with tcpdump/wireshark/rdisc6. As
for cause, your config doesn't specify prefix length so the correct
length must be set on the interface.

> 2nd problem: Client gets DNS IP from the fe80:: address range

If you mean "the DNS server address the client gets is in the
fe80::/10 range", then this is normal.

> 3rd problem: the address which is registered in the DNS is the fe80:: address

Not sure where this comes from (are you sure this is provided by
dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual
correctly - ra-names is only intended for SLAAC-enabled networks, and even
then only works with hosts that don't do private interface
identifiers. So you won't get name resolution to your fd17... range
regardless. Just to check - set log-queries and see if it's actually
dnsmasq responding to the query. The leases file might also be
helpful.

> I could write a long story about what I have tried
>
> Please advise..

OK. From your config:

> dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names

According to the manual, omitting the prefix length will cause dnsmasq
to use the prefixlen of the interface. As noted above - is this set?

As for me - I'm still on Debian with ifupdown, so I do it this way (my
HE tunnel endpoint is on a host behind NAT, rather than on the v4
router, but that host also does DHCPv4 so I can do ra-names; 6in4
requires that the router is configured to treat this host as DMZ):

1. /e/n/i for eth0:
    iface eth0 inet static
        ... # Private IPv4 config
        up ifup 6in4
        down ifdown 6in4
    iface eth0 inet6 manual

2. /e/n/i for the tunnel:
    iface 6in4 inet6 v4tunnel
        ... # Endpoint addresses
        up ip route add ::/0 dev 6in4
        up ip add add 2001:.../64 dev eth0 # internal ip6 range
        down ip route del ::/0 dev 6in4
        down ip add del 2001:../64 dev eth0

3. dnsmasq for v6:
    dhcp-range=::,constructor:eth0,ra-names
    ra-param=eth0,mtu:6in4,0

I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google
search results suggest a range like this should get you going:
    dhcp-range=::1, :::, constructor:br*, 64, 12h

I would suggest you start with the easier SLAAC setup, then tweak it
once you have that running.

MZ

> Knud
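Michal's advice above is to inspect the Router Advertisements themselves: the M/O flags decide whether clients go looking for DHCPv6, and a Prefix Information option without the on-link (L) flag is what leaves a host with a /128. The following decoder is an added example for this thread, not code from the list or from dnsmasq; it parses the ICMPv6 payload of an RA, reports those findings, and builds two constructed sample packets using the fd17:625c:f037:a80f:: prefix from Knud's dhcp-range (the ICMPv6 checksum is not validated, and the packet builder is only for test input).

```python
"""Decode the parts of an ICMPv6 Router Advertisement (RFC 4861) this thread
hinges on: the M/O flags that send clients to DHCPv6 and the Prefix Information
option's on-link (L) and autonomous (A) flags; a prefix with L clear makes a host
install a /128. Sample packets are constructed in memory, not captured."""
import ipaddress
import struct

RA_TYPE = 134
PREFIX_INFO, MTU_OPT, RDNSS_OPT = 3, 5, 25


def parse_ra(pkt: bytes) -> dict:
    """Return the RA header flags and the decoded options we care about."""
    typ, _code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", pkt[:16])
    if typ != RA_TYPE:
        raise ValueError(f"ICMPv6 type {typ} is not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "mtu": None, "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]  # option length is in 8-byte units
        end = off + olen * 8
        if olen == 0 or end > len(pkt):
            raise ValueError("malformed option length")
        body = pkt[off + 2:end]
        if otype == PREFIX_INFO:  # plen(1) flags(1) valid(4) preferred(4) rsvd(4) prefix(16)
            plen, pflags, valid = struct.unpack("!BBI", body[:6])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "valid": valid,
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        elif otype == MTU_OPT:  # reserved(2) mtu(4)
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == RDNSS_OPT:  # reserved(2) lifetime(4) then 16-byte addresses
            ra["rdnss"] = [str(ipaddress.IPv6Address(body[i:i + 16]))
                           for i in range(6, len(body) - 15, 16)]
        off = end
    return ra


def diagnose(ra: dict) -> list:
    """Plain-language findings for the symptoms discussed in the thread."""
    findings = []
    if not ra["managed"] and not ra["other"]:
        findings.append("M and O both clear: clients will not look for a DHCPv6 server")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: clients will not use this router as gateway")
    for p in ra["prefixes"]:
        if not p["on_link"]:
            findings.append(f"{p['prefix']}: on-link flag clear, hosts install it as /128")
        if not p["autonomous"] and not ra["managed"]:
            findings.append(f"{p['prefix']}: A and M both clear, no address source")
    return findings


def build_ra(flags: int, prefix: str, plen: int, pflags: int, mtu: int = 0) -> bytes:
    """Construct a sample RA payload: one Prefix Information option, optional MTU."""
    pkt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    pkt += struct.pack("!BBBBIII", PREFIX_INFO, 4, plen, pflags, 86400, 14400, 0)
    pkt += ipaddress.IPv6Address(prefix).packed
    if mtu:
        pkt += struct.pack("!BBHI", MTU_OPT, 1, 0, mtu)
    return pkt


LAN = "fd17:625c:f037:a80f::"  # prefix from Knud's dhcp-range
GOOD_RA = build_ra(0xC0, LAN, 64, 0xC0, 1480)  # M+O set, L+A set, 6in4-sized MTU
BAD_RA = build_ra(0x00, LAN, 64, 0x40)  # no DHCPv6 hint, prefix not on-link -> /128
```

On a live network the same decoder can be fed the ICMPv6 payload of a frame captured with tcpdump, which is a more direct check than reading the client's resulting address mask.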
[Dnsmasq-discuss] IPv6 setup for internal network
Hi

I have tried to get IPv6 setup running for my internal LAN (at home)

With a lot of tries and no real luck.

What do I want:

Have dnsmasq running on a server (Linux Fedora f30), do IPv6 DHCP/DNS with local names.

Want to proceed with that for IPv6: let my router make an IPv6 tunnel to a HE tunnelbroker.

Right now I have made a test setup consisting of 2 Vbox guests (Fedora F30) running in an internal network on the Vbox host just to get things working and learn.

So the first step is to get dnsmasq to hand out an IP address and register it in the DNS.

1st problem: Client gets correct address from dnsmasq but not the right mask, e.g. it gets an IP /128
enable-ra is there

2nd problem: Client gets DNS IP from the fe80:: address range

3rd problem: the address which is registered in the DNS is the fe80:: address

I could write a long story about what I have tried

Please advise..

Knud

# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv

# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec

# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned

# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
server=10.2.1.7

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1

# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83

# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search

# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1

# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55

# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
user=dnsmasq
group=dnsmasq

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than