  1. #1
    Newbie
    Join Date
    Jul 2020
    Posts
    3

    Default dnsmasq as DHCP relay target - ignores relay server IP

    Hi everyone,

    I'm trying to get my Untangle FW to work as a DHCP relay target for a Cisco L3 switch with multiple VLANs.

    The FW is connected to the switch using a transit VLAN, where the switch is 172.30.1.1/29 and the FW internal interface is 172.30.1.2/29.

    There are three VLANs on the switch, each with their own subnet:
    VLAN201: 172.20.1.0/24
    VLAN202: 172.20.2.0/24
    VLAN203: 172.20.3.0/24

    I have configured DHCP relay on the switch, with the FW internal interface as the destination (172.30.1.2).

    On Untangle, I've added the pools as custom dnsmasq options, since the UI doesn't allow the configuration of multiple pools on a single interface:

    #Create different dhcp scopes for all VLANs
    #VLAN201
    dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,3600
    dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
    dhcp-option=tag:vlan201,1,255.255.255.0 # netmask
    dhcp-option=tag:vlan201,6,77.109.128.2,213.144.129.20 # dns
    #VLAN202
    dhcp-range=set:vlan202,172.20.2.50,172.20.2.200,3600
    dhcp-option=tag:vlan202,3,172.20.2.1 # gateway
    dhcp-option=tag:vlan202,1,255.255.255.0 # netmask
    dhcp-option=tag:vlan202,6,77.109.128.2,213.144.129.20 # dns
    #VLAN203
    dhcp-range=set:vlan203,172.20.3.50,172.20.3.200,3600
    dhcp-option=tag:vlan203,3,172.20.3.1 # gateway
    dhcp-option=tag:vlan203,1,255.255.255.0 # netmask
    dhcp-option=tag:vlan203,6,77.109.128.2,213.144.129.20 # dns


    Now, on Cisco side everything seems to work fine, but it looks like dnsmasq does not take into consideration the relay agent IP address when choosing which range to attribute the IP from.

    I did a packet capture when trying to get an IP address from VLAN202 using DHCP.

    capture.png

    In the packet capture I did, we can see that the relay agent was the interface for VLAN 202, 172.20.2.1 (correct), but the offered IP is 172.20.1.87, which is in the VLAN201 subnet. This then causes the DHCP relay to discard the response.

    Has anyone had any chance configuring the Untangle as a DHCP relay target for multiple VLANs? What am I doing wrong?

    I would be super grateful if someone could help me figure this out, I've been stuck for a couple days trying to get this to work.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,813

    Default

    This has never worked, because it's never worked in the versions of DNSMasq available to Debian.

    I haven't had the chance to play with it under v15.1 yet. In the upgrade we change from DNSMasq v2.76 to v2.80, and in the middle there is a bunch of stuff changed to enable DHCP-Relay functionality. But, I cannot find any reference to DNSMasq actually supporting operating as a target.

    You need a real DHCP service, DNSMasq is designed to be light weight... I'm not sure we'll ever get this functionality.

    But to start, make sure you're testing on v15.1, at least then you're on the most recent version of DNSMasq we'll have until Untangle updates to Debian 11. And before you ask when, I haven't a clue... Debian 11 hasn't released yet either.

    http://www.thekelleys.org.uk/dnsmasq...smasq-man.html

    This option may be repeated, with different addresses, to enable DHCP service to more than one network. For directly connected networks (ie, networks on which the machine running dnsmasq has an interface) the netmask is optional: dnsmasq will determine it from the interface configuration. For networks which receive DHCP service via a relay agent, dnsmasq cannot determine the netmask itself, so it should be specified, otherwise dnsmasq will have to guess, based on the class (A, B or C) of the network address. The broadcast address is always optional. It is always allowed to have more than one --dhcp-range in a single subnet.
    So, this seems to indicate it "should" work... At least it's talking about receiving DHCP from remote networks.
    Last edited by sky-knight; 07-09-2020 at 10:11 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Jul 2020
    Posts
    3

    Default

    Ok, I've *finally* managed to get this to work. The trick was to add the subnet to the range declaration, instead of as an option.

    Thanks @sky-knight for the text bubble, this made me try this.

    Wrong way:
    # VLAN201
    dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,3600
    dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
    dhcp-option=tag:vlan201,1,255.255.255.0 # netmask
    dhcp-option=tag:vlan201,6,1.1.1.1,1.0.0.1 # dns

    Right way:
    #VLAN201
    dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,255.255.255.0,3600
    dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
    dhcp-option=tag:vlan201,6,77.109.128.2,213.144.129.20 # dns
    dhcp-option=tag:vlan201,28,172.20.1.255 # broadcast
    #VLAN202
    dhcp-range=set:vlan202,172.20.2.50,172.20.2.200,255.255.255.0,3600
    dhcp-option=tag:vlan202,3,172.20.2.1 # gateway
    dhcp-option=tag:vlan202,6,77.109.128.2,213.144.129.20 # dns
    dhcp-option=tag:vlan202,28,172.20.2.255 # broadcast
    #VLAN203
    dhcp-range=set:vlan203,172.20.3.50,172.20.3.200,255.255.255.0,3600
    dhcp-option=tag:vlan203,3,172.20.3.1 # gateway
    dhcp-option=tag:vlan203,6,1.1.1.1,1.0.0.1 # dns
    dhcp-option=tag:vlan203,28,172.20.3.255 # broadcast

    Weirdly, if looking at the dnsmasq.conf generated by Untangle automatically when enabling DHCP on the interfaces through the GUI, they do it the "wrong" way, but if serving a single subnet per interface this doesn't cause an issue.
    Last edited by CinderMayom; 07-09-2020 at 10:33 AM.
    Jim.Alles likes this.

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,306

    Default

    Perfect!
    (you beat me to it)

    Quote Originally Posted by CinderMayom View Post
    Weirdly, if looking at the dnsmasq.conf generated by Untangle automatically when enabling DHCP on the interfaces through the GUI, they do it the "wrong" way, but if serving a single subnet per interface this doesn't cause an issue.
    -It is just that dnsmasq's 'guessing' is pretty good. I will assume your 'single subnet per interface' is in the 192.168.n.n range?
    It is easy to guess the 'Class C' subnet there.

    So NGFW isn't doing it wrong, just a little sloppy, IMHO.

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,306

    Default

    Oh, and I would do both, because I like to be more explicit.
    Code:
    # VLAN201
    dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,255.255.255.0,3600
    dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
    dhcp-option=tag:vlan201,1,255.255.255.0 # netmask
    dhcp-option=tag:vlan201,6,1.1.1.1,1.0.0.1 # dns
    dhcp-range is a directive to dnsmasq.
    dhcp-option is configuration for the clients.

    don't leave anybody guessing.
    Last edited by Jim.Alles; 07-09-2020 at 11:08 AM.

  6. #6
    Newbie
    Join Date
    Jul 2020
    Posts
    3

    Default

    Quote Originally Posted by Jim.Alles View Post
    dhcp-range is a directive to dnsmasq.
    dhcp-option is configuration for the clients.
    That was the part I was missing. So yeah, I shouldn't say NGFW does it wrong, just relying on the good guessing of dnsmasq.

    And I'll add the netmask option too then, don't wanna leave anything to chance.

    Thanks!

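The selection failure in post #1 and the fix in posts #3 to #6 come down to which network dnsmasq believes each dhcp-range covers when the request arrives via a relay agent (giaddr). The following added example, not code from the thread, Untangle or dnsmasq, models that documented behaviour: an explicit netmask on the range is used, otherwise a classful guess, and the first range whose network contains giaddr wins. It parses the two configs from the thread (embedded here as constructed strings) and also lints a relay-target config for ranges without a netmask, ranges that collapse onto overlapping networks, and per-tag gateway (option 3) or broadcast (option 28) values that fall outside the range's network. The first-match rule and the guess-by-class rule are assumptions taken from the man page text quoted in post #2, not a re-implementation of dnsmasq internals.

```python
"""Model of how dnsmasq picks a dhcp-range for a relayed DHCP request.

Constructed example. Configs are copied from the forum thread; the
selection logic is a simplified model of the man-page behaviour
(explicit netmask, else a classful guess; first match wins), not dnsmasq code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread's "wrong way": no netmask inside dhcp-range.
WRONG_CONF = """
dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,3600
dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
dhcp-option=tag:vlan201,1,255.255.255.0 # netmask (client option only)
dhcp-range=set:vlan202,172.20.2.50,172.20.2.200,3600
dhcp-option=tag:vlan202,3,172.20.2.1 # gateway
dhcp-range=set:vlan203,172.20.3.50,172.20.3.200,3600
dhcp-option=tag:vlan203,3,172.20.3.1 # gateway
"""

# Constructed from the thread's "right way": netmask inside dhcp-range.
RIGHT_CONF = """
dhcp-range=set:vlan201,172.20.1.50,172.20.1.200,255.255.255.0,3600
dhcp-option=tag:vlan201,3,172.20.1.1 # gateway
dhcp-option=tag:vlan201,28,172.20.1.255 # broadcast
dhcp-range=set:vlan202,172.20.2.50,172.20.2.200,255.255.255.0,3600
dhcp-option=tag:vlan202,3,172.20.2.1 # gateway
dhcp-option=tag:vlan202,28,172.20.2.255 # broadcast
dhcp-range=set:vlan203,172.20.3.50,172.20.3.200,255.255.255.0,3600
dhcp-option=tag:vlan203,3,172.20.3.1 # gateway
dhcp-option=tag:vlan203,28,172.20.3.255 # broadcast
"""


@dataclass
class DhcpRange:
    tag: Optional[str]
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    netmask: Optional[ipaddress.IPv4Address]  # None: dnsmasq has to guess


def classful_netmask(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """The class A/B/C fallback the man page describes for relayed networks."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return ipaddress.IPv4Address("255.0.0.0")
    if first_octet < 192:
        return ipaddress.IPv4Address("255.255.0.0")  # 172.20.x.x lands here
    return ipaddress.IPv4Address("255.255.255.0")


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_ranges(conf: str) -> list:
    """Parse dhcp-range lines: [set:tag,]start,end[,netmask[,broadcast]],lease."""
    ranges = []
    for raw in conf.splitlines():
        line = _strip_comment(raw)
        if not line.startswith("dhcp-range="):
            continue
        fields = line[len("dhcp-range="):].split(",")
        tag = None
        if fields[0].startswith("set:"):
            tag, fields = fields[0][4:], fields[1:]
        start, end = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
        netmask = None
        for field in fields[2:]:
            try:
                value = ipaddress.IPv4Address(field)
            except ValueError:  # reached the lease time (3600, 12h, infinite)
                break
            if netmask is None:  # first dotted quad after end is the netmask
                netmask = value
        ranges.append(DhcpRange(tag, start, end, netmask))
    return ranges


def network_for(r: DhcpRange) -> ipaddress.IPv4Network:
    mask = r.netmask or classful_netmask(r.start)
    return ipaddress.IPv4Network(f"{r.start}/{mask}", strict=False)


def select_range(ranges: list, giaddr: str) -> Optional[str]:
    """Tag of the first range whose (explicit or guessed) network holds giaddr."""
    relay = ipaddress.IPv4Address(giaddr)
    for r in ranges:
        if relay in network_for(r):
            return r.tag
    return None


OPTION_RE = re.compile(r"^dhcp-option=tag:([^,]+),(\d+),(.+)$")


def lint(conf: str) -> list:
    """Findings a relay-target config should not have."""
    ranges = parse_ranges(conf)
    nets = {r.tag: network_for(r) for r in ranges}
    findings = []
    for r in ranges:
        if r.netmask is None:
            findings.append(f"{r.tag}: no netmask in dhcp-range; dnsmasq will guess {nets[r.tag]}")
    tags = list(nets)
    for i, a in enumerate(tags):
        for b in tags[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a}/{b}: overlapping networks; first listed wins for relayed requests")
    for raw in conf.splitlines():
        m = OPTION_RE.match(_strip_comment(raw))
        if not m or m.group(1) not in nets:
            continue
        tag, code, value = m.group(1), int(m.group(2)), m.group(3).split(",")[0]
        net = nets[tag]
        if code == 3 and ipaddress.IPv4Address(value) not in net:
            findings.append(f"{tag}: gateway {value} is outside {net}")
        if code == 28 and ipaddress.IPv4Address(value) != net.broadcast_address:
            findings.append(f"{tag}: broadcast {value} should be {net.broadcast_address}")
    return findings
```

Running select_range(parse_ranges(WRONG_CONF), "172.20.2.1") returns "vlan201": with no netmask every range is guessed as 172.20.0.0/16, so the relay address from VLAN202 matches the first range listed and the offer comes from 172.20.1.x, exactly what the capture in post #1 showed. With RIGHT_CONF the same giaddr selects "vlan202". The lint output for WRONG_CONF lists the three guessed masks and the overlaps; for RIGHT_CONF it is empty. Note that the option 1 netmask in the wrong config makes no difference to selection, since dhcp-option only shapes what clients receive.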
  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,813

    Default

    This is awesome! Can we get some of the details here stuffed in the wiki because this is one of those things that isn't needed often, but when you need it... you NEED it.

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,306

    Default

    Quote Originally Posted by sky-knight View Post
    I haven't had the chance to play with it under v15.1 yet. In the upgrade we change from DNSMasq v2.76 to v2.80, and in the middle there is a bunch of stuff changed to enable DHCP-Relay functionality. But, I cannot find any reference to DNSMasq actually support operating as a target.
    Rob, you may have already seen this - I just stumbled on the changelog:
    "Fix: DHCP relay fixed in dnsmasq 2.80-1"
    http://wiki.untangle.com/index.php/15.1.0_Changelog

    So it appears that Untangle is paying attention to this, as well.
    If you think I got Grumpy

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,813

    Default

    Quote Originally Posted by Jim.Alles View Post
    Rob, you may have already seen this - I just stumbled on the changelog:
    "Fix: DHCP relay fixed in dnsmasq 2.80-1"
    http://wiki.untangle.com/index.php/15.1.0_Changelog

    So it appears that Untangle is paying attention to this, as well.
    My memory is crap for this job anymore... but yes now that I've got my brain screwed in that makes sense. Because there was a bug in DNSMasq that broke its relay functionality, but that was addressed in the version of DNSMasq that shipped with Debian 10 at launch. So now that we're actually past that point yeah, all this should be working.
    Jim.Alles likes this.
