Can a VLAN be used for another instance of dnsmasq?

I have an idea of setting up another instance of dnsmasq. But clearly I need another interface/device. I have zero experience with VLANs.

Can a VLAN be created and used specifically for setting up a second instance of dnsmasq?

Can this be done without a VLAN? Possibly with just another interface on br-lan?

This would be for wireless users. I want some Wi-Fi users to go to one instance of dnsmasq while others (via MAC address) be sent to the second instance of dnsmasq.

I did this many years ago with my KidSafe (KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock) setup but that used a separate Wi-Fi SSID as the interface for the second dnsmasq instance. In this case, I don’t want an extra SSID.

I was thinking about possibly using dnsmasq tags to send specific MAC addresses to the other dnsmasq instance.

Thanks.

It's not clear what you're trying to accomplish.

  • You don't need another dnsmasq instance to send tags to specific MACs
  • You don't need another VLAN to set up a second instance of dnsmasq
  • It's not clear if you want another VLAN because you want to run 2 instances (not sure why); or because you want to segregate clients

Why?

Thank you for taking time to respond, I appreciate it.

I want the main dnsmasq instance to serve the majority of clients on the network with no restrictions.

I want a second dnsmasq instance to serve as a KidSafe type of DNS for child devices. This would have different upstream DNS servers (OpenDNS Family Shield and the similar servers from Cloudflare). Also, I would like to enforce SafeSearch (YouTube, Google, etc.) on this dnsmasq instance.

My initial attempts failed. I had the KidSafe interface created like I used to do years ago, but it would fail to start the interface due to missing device. This seems more like a DSA change compared to how I used to do this.

My fundamental understanding of networking and interfaces is not very good.

See thread:

Is this what you're seeking?

I don’t want to use dhcp_option 6 to push the servers out to those clients though because I want them to be able to still utilize dnsmasq for cache.


So I don’t need a VLAN, that is good. Thank you for clarifying that.

I have always had the impression that dnsmasq always had to bind to a specific interface.

Is it possible to not bind to a specific interface and simply use listen-address=<ipaddr> instead?

My apologies. My statement should have read "you do not need a second instance of dnsmasq to send different DNS servers". Given you want dnsmasq to cache, that's not gonna work.

I'm sure someone else will provide solutions.


You could create a second instance of dnsmasq listening on a different port and then intercept and redirect DNS queries originating from specific MAC addresses to that port.

# /etc/config/dhcp
config dnsmasq
	option port '5353'
	option server '1.1.1.1'
	option noresolv '1'
	...
# /etc/config/firewall
config redirect
	option target 'DNAT'
	option name 'Hijack_DNS_to_5353'
	option src 'lan'
	list src_mac '00:11:22:33:44:55'
	list src_mac '11:22:33:44:55:66'
	option src_dport '53'
	option dest_port '5353'

Thank you for this information and config examples, Pavel.

I have a question about your example. Does your example require any additions to /etc/config/network?

No, unless you want to create new subnets for the second instance. By default, dnsmasq listens on all available interfaces.

You also don't need to modify the firewall for the more restricted (like guest) networks, because there are pre-defined rules accepting redirects.


Your information has been very helpful. I appreciate it greatly.

I have it set up now based on your initial suggestion of running on the same IP but under a different port. Everything is working as expected. So this is one good working option.

I would also like to explore the option of having the second dnsmasq instance run on a separate IP so that I have more possibilities, including DHCP. I also wouldn’t have to rely on the firewall redirect either.

Do you know how I would go about creating another interface so that this second dnsmasq instance can run on a separate IP such as 192.168.3.1?

I just don’t understand this aspect very much for creating a separate working interface.

Here is a script that creates for you separate dnsmasq instances / dhcp sections for the lan and guest networks.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#multiple_dhcpdns_serverforwarder_instances

Backup the current /etc/config/dhcp file before running the commands in order to see the generated configuration.

Thank you. I followed the script and that part of the config looks good and proper. The only problem now is the network/device. I seem to be stuck at the same spot as I was stuck a few days ago and this is where I don't have much understanding of it. So I will provide as much info as I can.

Error: [screenshot: openwrt-network-device]

#/etc/config/network

config device 'kidsafe_dev'
	option type 'bridge'
	option name 'br-kidsafe'

config interface 'kidsafe'
	option proto 'static'
	option device 'br-kidsafe'
	option ipaddr '192.168.3.1/24'

#/etc/config/firewall

config zone
	option name 'kidsafe'
	option input 'ACCEPT'
	option forward 'DROP'
	option output 'ACCEPT'
	option network 'kidsafe'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'KidSafe DNS'
	option src 'kidsafe'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'KidSafe DHCP'
	option src 'kidsafe'

config forwarding
	option dest 'wan'
	option src 'kidsafe'

EDIT: I was able to get the interface to start up and continue running. I had to check an option within LuCI to Bring up empty bridge (Bring up the bridge interface even if no ports are attached) and also create a MAC address for this device/interface.

Once my family is off the network later in the day, I will test the rest of the setup.

EDIT2: I can successfully ping the interface, so that is good news.


Just to clarify that setting the default input policy for the kidsafe zone to ACCEPT makes the 'KidSafe DNS' and 'KidSafe DHCP' rules meaningless...


So far most things are working with the second dnsmasq instance running on 192.168.3.1 bound to kidsafe interface.

Most importantly, I got tags working. So I’m using the tags per MAC address to send specific devices over to the kidsafe dnsmasq automatically. This is really nice.

I can’t get DHCP working on kidsafe, though, but I am thinking now that I do not need it.

Interestingly, I removed those firewall rules and also switched the kidsafe zone rules all to drop just out of curiosity, just to learn and understand. But the weird thing is that the dnsmasq on the kidsafe interface continued to accept DNS queries. Also, I could still ping 192.168.3.1, which was weird. So I don't understand why that still worked.

EDIT: For context, I am pinging from a 192.168.1.x address to the 192.168.3.1 interface.
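An added example (not code from the thread or from OpenWrt): a small Python model of the two firewall behaviours discussed above, Pavel's per-MAC DNAT redirect of port 53 to the second dnsmasq on 5353, and the zone selection behind the observation that DNS and ping to 192.168.3.1 kept working with the kidsafe zone on DROP. OpenWrt picks the zone from the interface a packet arrives on, so a query from a 192.168.1.x client enters via br-lan and is judged by the lan zone's input policy, never by the kidsafe zone's. The config string is constructed from the thread's snippets; the UCI parser and the device-to-zone mapping are hypothetical helpers.

```python
import shlex

# Constructed sample condensed from the thread's firewall snippets: the 'lan'
# zone, the 'kidsafe' zone after it was switched to DROP, and Pavel's
# MAC-based redirect of port 53 to the second dnsmasq on port 5353.
FIREWALL_UCI = """
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'kidsafe'
    option input 'DROP'
config redirect
    option target 'DNAT'
    option src 'lan'
    list src_mac '00:11:22:33:44:55'
    list src_mac '11:22:33:44:55:66'
    option src_dport '53'
    option dest_port '5353'
"""
# Assumed: the zone each bridge device belongs to (via its UCI network)
DEVICE_TO_ZONE = {"br-lan": "lan", "br-kidsafe": "kidsafe"}

def parse_uci(text):
    """Minimal UCI parser (hypothetical helper): [(type, {key: value|[values]})]."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts: continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def evaluate(sections, in_dev, src_mac, dport):
    """Packet addressed to the router itself: the zone comes from the ingress
    device, a matching DNAT redirect rewrites the port first (PREROUTING), then
    the zone's input policy applies. Returns (zone, input_policy, final_port)."""
    zone_name = DEVICE_TO_ZONE[in_dev]
    zone = next(o for t, o in sections if t == "zone" and o["name"] == zone_name)
    for t, o in sections:
        if (t == "redirect" and o.get("target") == "DNAT" and o.get("src") == zone_name
                and o.get("src_dport") == str(dport)
                and src_mac.lower() in [m.lower() for m in o.get("src_mac", [])]):
            dport = int(o["dest_port"])
    return zone_name, zone["input"], dport
```

Evaluating a query from a listed MAC arriving on br-lan yields the lan zone's ACCEPT with the port rewritten to 5353; the same query from an unlisted MAC keeps port 53, and only traffic actually entering via br-kidsafe is subject to the kidsafe zone's DROP.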

I was able to get the DHCP server running on kidsafe by changing the following:

config dnsmasq 'kidsafe'

config dhcp 'kidsafe'
	option instance 'kidsafe'
	option interface 'kidsafe'

To:

config dnsmasq 'kidsafe_dns'

config dhcp 'kidsafe'
	option instance 'kidsafe_dns'
	option interface 'kidsafe'

Having those values all the same kidsafe initially was causing the kidsafe dnsmasq instance to fail to start. This is fixed now.
