Complex dnsmasq configuration

Hi all,
I'm setting up a complex dnsmasq configuration.

Let me explain:
I have a Tp-Link TL-WR1043ND v3, with OpenWRT 23.05.0.
I have 2 interfaces.
1 is called lan, assigned to VLAN1 ports (the 4 LAN ports in the switch).
The other is called mgmt, assigned to VLAN2 (the WAN port in the switch).
lan is configured to obtain its IP address as a DHCP client, with the DHCP server disabled.
mgmt is configured with static IP address, and dhcp server enabled.

I want to configure dhcp/dnsmasq to still serve normal DHCP on the mgmt interface, and act as ProxyDHCP on the lan interface. I have been configuring another ProxyDHCP server on an Ubuntu server, so I am familiar with dnsmasq configurations. (If you want to see my previous investigation with dnsmasq, see the AskUbuntu post.)

It may seem strange that I want this configuration, but I do have a reason for wanting to do this. I will likely expand on my target setup in a later message, so you understand why I need these things.

I had already talked with @pavelgl in another post in this forum - openwrt - other post. Hi pavel! - and he told me how to configure dnsmasq to act as a DHCP/PXE server (complete functionality, not just ProxyDHCP). Following this thread I could configure a normal DHCP server like that, but in this case I want two different configurations, one for each interface, and this gets complex. So for example, if I clear /etc/config/dhcp and edit /etc/dnsmasq.d/client_arch.conf, I wouldn't know how to configure it for 2 different interfaces... it's far more complex.

Let me show you the configuration I have in /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'

And the configuration at /etc/dnsmasq:

#enable TFTP server and set its root path
enable-tftp
tftp-root=/pxe

#enable ProxyDHCP server. The address 192.168.1.0 corresponds to the subnet in which the ProxyDHCP server will act
dhcp-range=192.168.1.0,proxy,255.255.255.0

# bios
pxe-service=x86PC,"Network Boot BIOS",firmware/ipxe.pxe

# uefi
pxe-service=X86-64_EFI,"Network Boot UEFI x86_64",firmware/ipxe.efi

This configuration should only apply to the lan interface.

Can anybody guide me on how to do this configuration?
Thanks.

Hi again,
This post is to explain my setup and why.

I'm working on a router which is like a magic tunnel to connect to my Ubuntu server at home, where I have a big ZFS pool of 8TB with SMB shares. So wherever I go with my laptop / router, I can activate my tunnel to connect to my Samba shares at home. I do this with an SSH command that sets up an SSH local tunnel.

First I connect my router's lan interface to the LAN of the place I'm in (for example, my uncle's or friend's home), and then I have to run a command to activate the tunnel, and then I can access my SMB shares from any Windows/Linux/MacOS host in that LAN.

To make the router adapt to the LAN of wherever I go, I decided to set it as a DHCP client (on the lan interface). But then another problem arises: how do I know the DHCP leased address? That's why there's a mgmt (management) interface. So when I connect the lan to the LAN, and I connect my laptop to the mgmt interface, I SSH to the router on the static address of mgmt, and then I can see the DHCP leased address. Then I can connect my laptop to the LAN and I can manage the router from the lan interface.

This is the first part. I tested it and it is cool, I can access my personal 8TB dropbox anywhere!

Now, I'm more ambitious, and I'm thinking of running a PXE server from my router, also with some tunnels to the server at home. I have been studying the setup and I have already prepared 4 tunnels which run at the same time, from the same ssh command: one for port 80 TCP (HTTP, and this one has a special characteristic), another for port 445 TCP (SMB), and 2049 TCP and 111 TCP (NFS). The only part that's left to configure is the dnsmasq part, and that is what I'm working on now.

So that's it! I hope you understood it and if you have any questions regarding it, feel free to ask.

Thanks.

Just my two cents:

  • You can configure two DNSMASQ instances, using two "config dnsmasq" sections.
  • Your setup looks like the typical road warrior setup, but with some extra layers of complexity.

Hi all!
I was very busy and couldn't continue the conversation these days.
@eduperez , would this be ok as content of /etc/config/dhcp?:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.d'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'mgmt'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.mgmt'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'

I copied the entire config dnsmasq original section, and only edited the option domain and option confdir lines.

I want to configure 2 distinct dhcp instances.

  • For the lan one, I want to disable normal dhcp service. I only want to do ProxyDHCP service, and enable TFTP server service on the lan interface.
  • For the mgmt instance, I want to enable normal dhcp service, without any ProxyDHCP or PXE server, also not TFTP.

I would need to configure the lan side DHCP service from normal dnsmasq config file inside the confdir - /etc/dnsmasq.d

I would appreciate any advice, thanks.

Now you have two instances, but both of them will try to listen on all interfaces; you need to tell the first instance to not listen on the MGMT interface, and the second instance to only listen on MGMT.

Change

into this:

config dnsmasq 'lan' etc

Hi @eduperez,

I have been working on this. I discovered how to make the first interface just listen on 'lan', and the second one just listen on 'mgmt'. I also configured the /etc/dnsmasq.d/pxe.conf, but I'm still having issues. Let me show you the configurations I made:

Contents of /etc/config/dhcp:

config dnsmasq
        option interface 'lan'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.d'

config dnsmasq
        option interface 'mgmt'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'


config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'

Contents of /etc/dnsmasq.d/pxe.conf (only file in directory /etc/dnsmasq.d/):

#enable TFTP server and set its root path
enable-tftp
tftp-root=/pxe

#enable ProxyDHCP server. The address 192.168.1.0 corresponds to the subnet in which the ProxyDHCP server will act
dhcp-range=192.168.1.0,proxy,255.255.255.0

# bios
pxe-service=x86PC,"Network Boot BIOS",firmware/ipxe.pxe

# uefi
pxe-service=X86-64_EFI,"Network Boot UEFI x86_64",firmware/ipxe.efi

Note: There is /pxe directory, with /pxe/firmware subdirectory and both files in it.

Then I restarted /etc/init.d/dnsmasq and saw that the DHCP server is working on the mgmt interface, but I tried testing the TFTP server from the lan interface and it is not working. I also tried to PXE boot and I think the BOOTP server is not working. It gets stuck on the screen that is always shown when there is no PXE server at all, or anything (I don't remember what is displayed, I only remember the rotating bar).

Also, I tried to comment out from pxe.conf the lines:

enable-tftp
tftp-root=/pxe

... and add the following lines to the config dnsmasq section of 'lan':

        option enable_tftp '1'
        option tftp_root '/pxe'

And the TFTP server is still not working, and also PXE is the same as before.

I'm a bit confused about how I can configure dnsmasq to serve as a ProxyDHCP server. Should the options provided in pxe.conf work? Or do they interfere with the /etc/config/dhcp configuration?

Note: I have already configured another PXE server (now it's powered off), and that's why I already know the options I need to make PXE work. I mean, I know the building blocks of my PXE setting, and I'm just trying to set them up the same way, but in OpenWRT, which is different from the previous setting, which had an Ubuntu server as TFTP/BOOTP/etc.

I also saw that there are plenty of options to configure dnsmasq from /etc/config/dhcp, using the config boot section, and the dhcp_option option. I also searched man dnsmasq and RFC 2132 and didn't find a substitute of the dnsmasq options in my pxe.conf to configure from /etc/config/dhcp.

Can you @eduperez or anybody help me on how to make this work?

Note: If it is not possible to use two distinct pxe-service options, I would try to configure only the bios type. I know it would simplify things, but there's still the Proxy-DHCP option, which I don't know how to do in OpenWRT without the pxe.conf file. I know it is possible to run a full DHCP/BOOTP service without the need for pxe.conf, but I need to set my OpenWRT host as a ProxyDHCP server, since it is meant to operate on networks that already have a DHCP server present.

Note:
@qunvureze, I did what you said about writing config dnsmasq 'lan' / config dnsmasq 'mgmt', but I had problems, the mgmt didn't work, so I took out the 'mgmt' 'lan' strings, and it solved the problem. Thanks anyway.

Thanks everybody

Hi everyone,

I don't want to sound annoying, but since I didn't get any response, I want to ask you: did I make any error in my question, like for example putting too much information, or anything else?

I'm not very used to technical forums like this, and I'm also not a native English speaker, so I'm a bit lost and don't know how to post and write correctly.

I'm very interested in this technical challenge and would really appreciate a lot any kind of help

Thanks for your attention

The kinds of services you want to export (SMB, PXE) rely partly on broadcast for discovery. Typically it's easier to get things like this working if you make them accessible over layer 2 (Ethernet or WLAN) instead of the approach you have taken so far, using application level gateways (dnsmasq in DHCP proxy mode).

Additionally, in such a setup, when it's possible to just plug in the router to the local network's wired side (so no WLAN client to configure), you wouldn't even need to access the management interface. No need to even take your laptop with you.

Here's the rough outline I had in mind. Note I haven't attempted this, it's more of a list of things to research/experiment with. Anyone reading, please point out errors/omissions.

  • Ubuntu server side:

    • Runs OpenVPN server in bridge (tap) mode.

    • Define a DHCP client interface on top of the OpenVPN tap device, but do not let OpenVPN give it addresses. We want it to attempt to configure itself as "just another regular DHCP client" on the remote LAN whenever the tunnel goes up.

      • You'll probably want to use the "ignore default route" and possibly disable using this connection for DNS too. The remote LAN's DHCP will offer these, we probably don't want them here though. NetworkManager / nmcli has options for this.
    • I assume you're running NetworkManager on your Ubuntu machine, so use either the UI or nmcli to define a DHCP client on top of that tap interface that represents the tunnel.

    • If NetworkManager doesn't automatically do the right thing (start asking for configuration over DHCP) when the tap interface comes up (tunnel is established), you might have to provide some help via hooks here:

      The --up/--down OpenVPN hooks can do what's needed to bring that interface up/down. Key commands will probably be things like nmcli c u <connection name> / nmcli c d <connection name>.

    • Not done yet: I'm not sure how resilient e.g. smbd is to the interface it's supposed to be serving out of going up/down and changing addresses. If it is, great, you're done. If not, dhcpd hooks are your friend. In there you can (re)start smbd etc. safely knowing that the interface is now up all the way to layer 3 (IP connectivity with the remote LAN) and with that information available to the script via env variables.

  • Router:

    • I'm assuming the router has the usual/default br-lan WLAN/LAN bridge still defined, and that it's set up as a DHCP client.

    • Do not run a DHCP server on the router's LAN/br-lan interface.

    • Set up the OpenVPN bridge mode client and make sure the tap interface is being created.

    • Add that router-side tap interface to br-lan.

  • I think that at this point, when you connect the router to a local LAN, you should see this sequence:

    • Router's own DHCP client configures br-lan's address from the local LAN's DHCP server.

    • OpenVPN establishes the tunnel with the Ubuntu server.

    • DHCP request from the Ubuntu server arrives at the local LAN, and that LAN's DHCP server gives it its configuration.

    • SMB etc. becomes available on the local LAN.

Hi @dimitris ,

Thank you a lot for your detailed message.
I have been reading your message, and I find it far more complex than the setup I'm still working on. Currently I don't have a lot of experience with VPNs yet (there are lots of things I don't understand about VPNs), and I prefer to maintain my approach, especially because I prefer to do things that I fully understand, such as the SSH tunnels which I understand very well.
So, I won't do this now, but thank you any way for your help and your time.

Regarding the dnsmasq configuration, I tried to configure differently, and this time I decided to delete the config dhcp 'lan' section, like this:

config dnsmasq
        option interface 'lan'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.d'

config dnsmasq
        option interface 'mgmt'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'

...because I thought it could be interfering with the configuration in /etc/dnsmasq.d/pxe.conf, but TFTP and BOOTP is still not working.

If anyone could help me with this, I'd be very thankful. I don't know how to continue. I even deleted all sections except config dnsmasq and config odhcpd 'odhcpd', but still the same.

Thanks

Hi again everyone!

I finally got to successfully configure dnsmasq for the purposes that I needed.
I'm writing it down here, just in case anyone finds it useful for their own case or whatever.

I had to restart OpenWRT to the default values, because I thought some configuration was wrong somewhere, and I didn't find the cause. Anyway, the final configuration was not the same that I was doing in previous messages.

In the /etc/config/dhcp file, I finally didn't need two dnsmasq instances. I only left the dhcp pool for the mgmt interface present, and no dhcp pool for lan. This way, the lan interface doesn't have DHCP server functionality (from OpenWRT). Also, the TFTP server was configured from this file, while the other PXE configurations were configured from /etc/dnsmasq.d/pxe.conf. I tried to activate TFTP from /etc/dnsmasq.d/pxe.conf, but it didn't work.

Content from /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/etc/dnsmasq.d'
        option enable_tftp '1'
        option tftp_root '/pxe'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'

Content from /etc/dnsmasq.d/pxe.conf:

#enable ProxyDHCP server. The address 192.168.1.0 corresponds to the subnet in which the ProxyDHCP server will act
dhcp-range=192.168.1.0,proxy,255.255.255.0

# bios
pxe-service=x86PC,"Network Boot BIOS",firmware/ipxe.pxe

# uefi
pxe-service=X86-64_EFI,"Network Boot UEFI x86_64",firmware/ipxe.efi

Thus, I finally got the dnsmasq part of my PXE portable server to work. Now I have other issues related to iPXE configuration, but those are out of the scope of this thread.

Thanks anybody for your help.

Greets
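As an added sanity check (my own example, not code from the thread or from OpenWrt), the following script parses a /etc/config/dhcp and a dnsmasq.d fragment and reports anything that deviates from the layout that finally worked above: no active DHCP pool on lan, an active pool on mgmt, TFTP enabled from UCI rather than from pxe.conf, and a proxy dhcp-range that covers the address lan got from the foreign DHCP server. The sample configs and the lan address 192.168.1.123 are constructed, and the "TFTP from UCI" rule only encodes what worked in this thread.

```python
import ipaddress
import re

# Constructed samples: the final working /etc/config/dhcp and pxe.conf, abridged.
UCI_DHCP = """\
config dnsmasq
        option confdir '/etc/dnsmasq.d'
        option enable_tftp '1'
        option tftp_root '/pxe'
config dhcp 'mgmt'
        option interface 'mgmt'
"""
PXE_CONF = """\
dhcp-range=192.168.1.0,proxy,255.255.255.0
pxe-service=x86PC,"Network Boot BIOS",firmware/ipxe.pxe
pxe-service=X86-64_EFI,"Network Boot UEFI x86_64",firmware/ipxe.efi
"""

def parse_uci(text):
    """Parse 'config TYPE [NAME]' / 'option KEY VALUE' lines into section dicts."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1]["opts"][m.group(1)] = m.group(2)
    return sections

def parse_dnsmasq(text):
    """Collect key=value lines of a dnsmasq.d fragment (keys may repeat)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out.setdefault(key, []).append(value)
    return out

def check_layout(uci_text, pxe_text, lan_addr="192.168.1.123"):
    """Return the problems found (empty list = matches the working layout)."""
    secs = parse_uci(uci_text)
    pxe = parse_dnsmasq(pxe_text)
    problems = []
    instances = [s for s in secs if s["type"] == "dnsmasq"]
    pools = {s["opts"].get("interface"): s["opts"] for s in secs if s["type"] == "dhcp"}
    # A live pool on lan would hand out real leases next to the foreign server.
    if "lan" in pools and pools["lan"].get("ignore") != "1":
        problems.append("lan has an active DHCP pool; remove it or set ignore '1'")
    if "mgmt" not in pools or pools["mgmt"].get("ignore") == "1":
        problems.append("mgmt needs an active DHCP pool")
    # In the thread TFTP only came up when enabled from UCI, not from pxe.conf.
    if not any(s["opts"].get("enable_tftp") == "1" for s in instances):
        problems.append("set enable_tftp '1' in the dnsmasq section")
    if "enable-tftp" in pxe:
        problems.append("enable-tftp in pxe.conf did not take effect; use the UCI option")
    # The proxy range must be the subnet lan actually lives in (lan_addr is assumed).
    ranges = [re.match(r"([\d.]+),proxy,([\d.]+)$", r) for r in pxe.get("dhcp-range", [])]
    ranges = [m for m in ranges if m]
    if not ranges:
        problems.append("pxe.conf lacks a proxy dhcp-range with netmask")
    for m in ranges:
        net = ipaddress.ip_network("%s/%s" % m.groups())
        if ipaddress.ip_address(lan_addr) not in net:
            problems.append(f"proxy range {m.group(0)} does not cover lan address {lan_addr}")
    return problems
```

Run check_layout on the real files after each edit and after a lease change on lan; an empty list means the configuration still has the shape that worked here.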
