[Freedombox-discuss] UPDATE: Dnsmasq starts reliably on both interfaces, but...

Sunil Mohan Adapa sunil at medhas.org
Thu Oct 21 20:59:41 BST 2021 

On 10/21/21 12:12, A. F. Cano wrote:
[...]
> 
> So now internal machines get assigned addresses from the ranges
> specified.  However, from the first paragraph in the dnsmasq man page:
> 
>         Dnsmasq  accepts  DNS queries and either answers them from a small, lo‐
>         cal, cache or forwards them to a real, recursive, DNS server. It  loads
>         the  contents of /etc/hosts so that local hostnames which do not appear
>         in the global DNS can be resolved and also answers DNS queries for DHCP
>         configured  hosts.  It can also act as the authoritative DNS server for
>         one or more domains, allowing local names to appear in the global  DNS.
>         It can be configured to do DNSSEC validation.
> 
> "It loads the contents of /etc/hosts so that local hostnames which do
> not appear in the global DNS..."
> 
> This is exactly what I wanted.  In fact I have added all my local hosts
> to the FreedomBox /etc/hosts file, in the form of:
> 
> 192.168.224.19  <local-machine-name>.local    <local-machine-name>
> 
> but those IP numbers are ignored and local machines are assigned high
> numbers (178 in the case of the machine above), even after I changed the
> 19 to 39, so it would be inside the range of 36-254 as specified in the
> command line arguments, and rebooted.  Something is not working as the
> manual says it should.

I think this is a misunderstanding. When client sends a DNS query to 
dnsmasq, it will look into /etc/hosts for answers. If you have an entry 
such as `1.2.3.4 foo.example.org` in /etc/hosts. When machine in the 
network try to resolve 'foo.example.org' dnsmasq will respond with 1.2.3.4.

This does not apply to the DCHP server functionality. DHCP server will 
not look into the /etc/hosts when allocating IP addresses to the clients 
on the network.

There is, however, an option for dnsmasq's DHCP server functionality 
that can make this happen. If you pass:

--dhcp-host=foo,192.168.224.19

then, a machine on the local network with hostname set to 'foo' (this is 
passed in a DHCP request, typically) will be allotted this particular IP 
address. There is also `--dhcp-hostsfile=` to put all these allocations 
in a single file. First create the file with all the mappings you want. 
Then pass the --dhcp-hostsfile option to dnsmasq instance spawned by 
Network Manager using the trick I mentioned earlier. That should take 
care of all the static IP address allocations that you need to do.

Also note that .local TLD is special. Most hosts when they see .local 
domain to resolved, they will not perform a DNS query and instead 
perform an mDNS query on the local network.

[...]
> 
> Also, the "no route to host" issue remains.  I have to turn off the
> firewall for anything to get out/in.  I've noticed the problem with imap
> and fetchmail, matrix/Element and Quassel.  Web traffic works ok but
> only because it goes through privoxy on the FreedomBox.

I could not spend time on this issue yet.

> 
> There is also the issue of communicating between the 2 internal
> interfaces.  Nothing seems to get through between them and turning off
> the firewall doesn't affect this.  I can't do unison syncs or ssh
> between machines on the 2 sub-nets, not even ping.
> 

I haven't tried doing this before but here are two possible way to 
handle this.

Solution 1) You can merge the two internal interfaces into a bridge 
interface and allocate IP addresses to all clients from a single IP range.

The way bridging works is, you create a new bridge interface, say 'br0'. 
Then you de-configure the two LAN interfaces and add them to the bridge. 
After that configure the bridge interface 'br0' as if this is a regular 
network interface (shared mode, dnsmasq, etc.).

This configuration be done with Network Manager (although not from 
FreedomBox interface). Cockpit might provide a GUI for it. Otherwise, 
use nmtui.

Solution 2) You can add masquerade=true "internal" zone in firewalld. 
Like this:

firewall-cmd --zone=internal --add-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent

I don't know if there are any security implications to this.

-- 
Sunil

More information about the Freedombox-discuss mailing list