Why do we need to ignore interfaces in DHCP configurations?

Can someone explain why we need this? It is part of the default DHCP configurations:

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

I mean we can simply not write a config dhcp section for the wan interface. Isn't the effect the same?

Probably because by default your DHCP server listens on all interfaces. See the running process (I'm using odhcpd instead of dnsmasq myself).

# netstat -puntal|grep odhcpd|uniq
udp        0      0    *                           1883/odhcpd
udp        0      0 :::547                  :::*                                1883/odhcpd

Your ISP would rain down fire and brimstone on you if you dared to provide a DHCP server on your wan interface (nor would they tolerate you operating a DNS server on wan).

That's why smart ISPs have DHCP snooping and the port towards the CPE set as untrusted.

Those are set up by humans, and humans make mistakes...

That's still no reason to serve dnsmasq on wan.

I think you guys all missed my point. I know that we should not run a DHCP server on the WAN interface. What I wanted to ask is why we had to explicitly configure dnsmasq to ignore the interface. What if we delete the uci section config dhcp 'wan'? Shouldn't it be the same as ignoring?

Probably, but if it's explicitly disabled then you know that's the case. Is having it in the config file a particular issue?

A form of clutter?

Yes, having such things in my configuration file is an issue. I am using OpenWrt in an enterprise environment, with a lot of VLANs/subnets/interfaces defined in /etc/config/network. And in an enterprise environment, I do not use DHCP for most subnets, except for Wi-Fi.

If it is a requirement to explicitly instruct dnsmasq to ignore the interfaces, I have to write that a lot to match those defined in /etc/config/network. When the interfaces change, I have to update /etc/config/dhcp too, and it is inconvenient.

Have you tried not adding a section in /etc/config/dhcp or deleting one that is already defined?

Apparently dnsmasq accepts DHCP requests on all interfaces by default, unless explicitly configured otherwise:

> grep -e ^no-dhcp-interface= /tmp/etc/dnsmasq.conf.*

It may serve as an additional protection when the firewall is disabled, or it is temporarily non-operational due to restarting the service/system, or configured with permissive upstream policy, and this is also required to create/resolve WAN FQDN:

BTW, odhcpd should ignore interfaces by default:

In theory, you can safely remove the DHCP WAN section when not using dnsmasq.
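
As an added example (not posted by anyone in this thread and not OpenWrt's own tooling), the shell function below compares the `config interface` sections of a UCI network file with the `config dhcp` sections of a UCI dhcp file and reports each interface as `ignored`, `served` or `no-section`, which is the bookkeeping the multi-VLAN setup described above has to keep in sync. The file contents and the `mgmt` interface are constructed sample data, and the list of truthy values accepted for `ignore` is an assumption about how UCI booleans are read.

```shell
# Added example: classify every logical interface by the state of its
# DHCP section. Sample file contents in demo() are constructed.
dhcp_audit() {   # usage: dhcp_audit NETWORK_FILE DHCP_FILE
    awk '
    function unq(s) { gsub(/^["\047]|["\047]$/, "", s); return s }
    function flush() {             # close the dhcp section being read
        if (indhcp && iface != "") state[iface] = ign ? "ignored" : "served"
        iface = ""; ign = 0
    }
    FILENAME == ARGV[1] {          # network file: collect interface names
        if ($1 == "config" && $2 == "interface") names[++n] = unq($3)
        next
    }
    $1 == "config" { flush(); indhcp = ($2 == "dhcp"); next }
    indhcp && $1 == "option" && $2 == "interface" { iface = unq($3) }
    indhcp && $1 == "option" && $2 == "ignore" {
        # assumed truthy spellings of a UCI boolean
        ign = (unq($3) ~ /^(1|on|true|yes|enabled)$/)
    }
    END {
        flush()
        for (i = 1; i <= n; i++)
            print names[i], ((names[i] in state) ? state[names[i]] : "no-section")
    }' "$1" "$2"
}

demo() {
    d=$(mktemp -d)
    cat > "$d/network" <<'EOF'
config interface 'lan'
	option proto 'static'
config interface 'wan'
config interface 'mgmt'
EOF
    cat > "$d/dhcp" <<'EOF'
config dnsmasq
	option domainneeded '1'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
EOF
    dhcp_audit "$d/network" "$d/dhcp"
    rm -rf "$d"
}
demo
```

On a router the call would be `dhcp_audit /etc/config/network /etc/config/dhcp`; interfaces reported as `no-section` are the ones to compare against the `no-dhcp-interface=` lines in the generated dnsmasq configuration.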