Advise on best approach to deal with local networks

Hello,

I currently have my main lan and wlan network and a guest wlan. I'm considering adding another network in the future for IoT devices, and while I want to keep the guest wlan as isolated as possible, I foresee I will need some sort of communication between my main lan and the one I create for IoT equipment. Enough context and back now to my current scenario :slight_smile:

In light of keeping the guest wlan and my main lan as isolated as possible, I came across this today while familiarising myself with dnsmasq:

Multiple DHCP/DNS server/forwarder instances
If you need multiple DNS forwarders with different configurations or DHCP server with different sets of lease files.
Running multiple dnsmasq instances as DNS forwarder and/or DHCPv4 server, each having their own configuration and lease list can be configured by creating multiple dnsmasq sections. Typically in such configs each dnsmasq section will be bound to a specific interface by using the interface list; assigning sections like dhcp, host, etc. to a specific dnsmasq instance is done by the instance option. By default dnsmasq adds the loopback interface to the interface list to listen when the --interface option is used; therefore the loopback interface needs to be excluded in one of the dnsmasq instances by using the notinterface list.
These are example settings for multiple dnsmasq instances each having their own dhcp section. dnsmasq instance lan_dns is bound to the lan interface while the dnsmasq instance guest_dns is bound to the guest interface.

Could anybody help me understand what the default configuration is in terms of DHCP and DNS scopes when following this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap, and how the option above could further help OpenWrt admins keep the two networks as independent as possible? And also, how does the option above compare with what I currently have configured (mainly as a result of following the guide above)?

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option limit '250'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '2'
	list dhcp_option '42,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'kitusguest'
	option leasetime '12h'
	option interface 'kitusguest'
	option start '2'
	option limit '250'

Today is my first day using OpenWrt and I have already successfully managed to set up my lan, openvpn and guest wlan (the latter thanks to the support that I promptly got from this forum). Please forgive me if I drag my feet when trying to make out what the different orders in the documentation represent.

# Remove default instances
while uci -q delete dhcp.@dnsmasq[0]; do :; done
while uci -q delete dhcp.@dhcp[0]; do :; done

# Use network interface names for DHCP/DNS instance names
for INST in lan guest
do
	# One dnsmasq instance per network, bound to that interface only,
	# with its own domain, lease file and resolv file
	uci set dhcp.${INST}_dns="dnsmasq"
	uci set dhcp.${INST}_dns.domainneeded="1"
	uci set dhcp.${INST}_dns.boguspriv="1"
	uci set dhcp.${INST}_dns.filterwin2k="0"
	uci set dhcp.${INST}_dns.localise_queries="1"
	uci set dhcp.${INST}_dns.rebind_protection="1"
	uci set dhcp.${INST}_dns.rebind_localhost="1"
	uci set dhcp.${INST}_dns.local="/${INST}/"
	uci set dhcp.${INST}_dns.domain="${INST}"
	uci set dhcp.${INST}_dns.expandhosts="1"
	uci set dhcp.${INST}_dns.nonegcache="0"
	uci set dhcp.${INST}_dns.authoritative="1"
	uci set dhcp.${INST}_dns.readethers="1"
	uci set dhcp.${INST}_dns.leasefile="/tmp/dhcp.leases.${INST}"
	uci set dhcp.${INST}_dns.resolvfile="/etc/resolv.conf.${INST}"
	uci set dhcp.${INST}_dns.nonwildcard="1"
	uci add_list dhcp.${INST}_dns.interface="${INST}"
	# Exclude loopback here; it is removed again for the first instance below
	uci add_list dhcp.${INST}_dns.notinterface="loopback"
	# DHCP pool for this network, tied to its own dnsmasq instance
	uci set dhcp.${INST}="dhcp"
	uci set dhcp.${INST}.instance="${INST}_dns"
	uci set dhcp.${INST}.interface="${INST}"
	uci set dhcp.${INST}.start="100"
	uci set dhcp.${INST}.limit="150"
	uci set dhcp.${INST}.leasetime="12h"
	# Each instance reads the upstream resolvers through its own resolvfile symlink
	ln -f -s /tmp/resolv.conf.auto /etc/resolv.conf.${INST}
done
# Only one instance may listen on loopback: let the first one (lan_dns) keep it
uci -q delete dhcp.@dnsmasq[0].notinterface
uci commit dhcp
/etc/init.d/dnsmasq restart

Many thanks in advance everyone!

I love this project!

If you want to customize the config dnsmasq section for the guest or iot interfaces, then you may want to create another instance.
Personally I am running one instance only for lan, guest, and iot. The isolation between the networks is done by the firewall at the end of the day.

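To make the two approaches concrete, here is an added example (my own code, not from OpenWrt or the wiki) that parses UCI text in the format shown above and checks two things: whether a multi-instance dnsmasq layout follows the rules quoted from the wiki (each instance bound to its own interface, loopback kept by exactly one instance, distinct lease files, every dhcp section pinned to an existing instance), and, following the reply's point that isolation comes from the firewall, which zones the guest zone is explicitly forwarded into. Both sample configs are constructed for the example; the lan_dns/guest_dns names come from the wiki script, and the firewall zone, forwarding and rule options are standard OpenWrt firewall config keys.

```python
"""Check an OpenWrt UCI /etc/config/dhcp against the multi-instance dnsmasq
rules quoted from the wiki, and read /etc/config/firewall to confirm the guest
zone is forwarded only to wan. Added example, not OpenWrt project code."""
import re
from collections import defaultdict

# Constructed sample: the lan_dns / guest_dns layout the wiki script builds
# (it deletes notinterface from the first instance, so only guest_dns
# excludes loopback).
DHCP_CONFIG = """
config dnsmasq 'lan_dns'
    option leasefile '/tmp/dhcp.leases.lan'
    list interface 'lan'

config dnsmasq 'guest_dns'
    option leasefile '/tmp/dhcp.leases.guest'
    list interface 'guest'
    list notinterface 'loopback'

config dhcp 'lan'
    option instance 'lan_dns'
    option interface 'lan'

config dhcp 'guest'
    option instance 'guest_dns'
    option interface 'guest'
"""

# Constructed sample firewall: guest forwards to wan only, and with input REJECT
# the single rule lets guest clients reach the router's DHCP and DNS, nothing else.
FIREWALL_CONFIG = """
config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option src 'guest'
    option dest_port '53 67 68'
    option proto 'tcp udp'
    option target 'ACCEPT'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?$")

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) tuples; anonymous
    sections get name None and repeated 'list' lines accumulate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2) or None, defaultdict(list)))
        elif (m := OPTION_RE.match(line)) and sections:
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections

def check_dhcp(sections):
    """Findings about the layout; empty means every instance is pinned to
    interfaces, one instance keeps loopback, lease files are distinct and
    each dhcp section names an existing instance."""
    findings = []
    inst = {n: o for t, n, o in sections if t == "dnsmasq"}
    if len(inst) < 2:
        return findings  # single instance: nothing to cross-check
    for name, o in inst.items():
        if not o.get("interface"):
            findings.append(f"dnsmasq '{name}' has no interface list")
    keep_lo = [n for n, o in inst.items() if "loopback" not in o.get("notinterface", [])]
    if len(keep_lo) != 1:
        findings.append(f"expected exactly one loopback owner, got {keep_lo}")
    seen = {}
    for name, o in inst.items():
        lf = o.get("leasefile", ["/tmp/dhcp.leases"])[0]  # OpenWrt's default path
        if lf in seen:
            findings.append(f"dnsmasq '{name}' shares leasefile with '{seen[lf]}'")
        seen[lf] = name
    for t, name, o in sections:
        if t == "dhcp" and o.get("instance", [""])[0] not in inst:
            findings.append(f"dhcp '{name}' is not pinned to a known instance")
    return findings

def forwarded_zones(sections, src):
    """Zones that 'src' is explicitly forwarded into by 'forwarding' sections."""
    return sorted(o["dest"][0] for t, _, o in sections
                  if t == "forwarding" and o.get("src", [None])[0] == src and o.get("dest"))

if __name__ == "__main__":
    print("dhcp findings:", check_dhcp(parse_uci(DHCP_CONFIG)) or "none")
    print("guest forwards to:", forwarded_zones(parse_uci(FIREWALL_CONFIG), "guest"))
```

Run against the real files (`parse_uci(open("/etc/config/dhcp").read())`) the check returns nothing for the single-instance config posted above, since there is nothing to cross-check, and lists the mismatches for a two-instance layout whose loopback or lease-file settings drifted. The firewall part is deliberately narrow: it only reads explicit forwarding sections, which is where guest-to-lan reachability would be granted, so an empty list or `['wan']` is what a properly isolated guest zone should show.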

You seem to be quite an advanced user, so my approach may be a bit overblown then :slight_smile:

May I ask if you happen to know the pros and cons of running one single instance versus running one instance for lan and another instance for the guest WLAN and/or any additional network that one desires to include in the future?

Thanks

There are not exactly pros and cons; it all depends on what you are trying to achieve. If you can do it with one instance, fine, it will be simpler. If not, you'll have to add a second instance.
