I have LXC guests connected to a bridge created using
networking.bridges.lxcbr0.interfaces = [];
networking.interfaces.lxcbr0.ipv4.addresses = [{ address = "192.168.123.1"; prefixLength = 24; }];
My goal is to have dnsmasq perform DHCP for that subnet. However, when I configure it with
services.dnsmasq.enable = true;
services.dnsmasq.extraConfig = ''
domain-needed
bogus-priv
interface = lxcbr0
dhcp-range = 192.168.123.2,192.168.123.254,24h
'';
services.dnsmasq.resolveLocalQueries = false;
it does not raise any errors and responds to DNS requests. However, it does not respond to DHCP requests from the guests. On Wireshark, I can see the guest issue a request followed by silence.
Furthermore, when replacing dnsmasq with dhcpd4, everything else being equal, guests receive leases without issues.
services.dhcpd4.enable = true;
services.dhcpd4.interfaces = [ "lxcbr0" ];
services.dhcpd4.extraConfig = ''
option subnet-mask 255.255.255.0;
subnet 192.168.123.0 netmask 255.255.255.0 {
range 192.168.123.2 192.168.123.254;
}
'';
What is wrong with my dnsmasq setup? I am using 21.05; the full context of these snippets can be found here.
you got any logs from dnsmasq?
Mic92
August 10, 2021, 7:20pm
3
Do you allow incoming DHCP packets in your firewall?
Journal logs, couldn’t find anything in /var/log, from the dnsmasq command-line or the configuration file
journalctl -u dnsmasq
-- Journal begins at Tue 2021-08-10 21:08:16 CEST, ends at Tue 2021-08-10 21:13:44 CEST. --
aoû 10 21:08:31 hadronsson systemd[1]: Starting Dnsmasq Daemon...
aoû 10 21:08:32 hadronsson dnsmasq-pre-start[1435]: dnsmasq: syntax check OK.
aoû 10 21:08:32 hadronsson systemd[1]: Started Dnsmasq Daemon.
aoû 10 21:08:32 hadronsson dnsmasq[1451]: started, version 2.85 cachesize 150
aoû 10 21:08:32 hadronsson dnsmasq[1451]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
aoû 10 21:08:32 hadronsson dnsmasq[1451]: DBus support enabled: connected to system bus
aoû 10 21:08:32 hadronsson dnsmasq-dhcp[1451]: DHCP, IP range 192.168.123.2 -- 192.168.123.254, lease time 1d
aoû 10 21:08:32 hadronsson dnsmasq[1451]: no servers found in /etc/resolv.conf, will retry
aoû 10 21:08:32 hadronsson dnsmasq[1451]: read /etc/hosts - 4 addresses
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53
Mic92
August 10, 2021, 7:22pm
5
systemctl stop firewall
fixes it. I’ll add an allowedPort rule. Thank you! Didn’t think of that.
networking.firewall.allowedUDPPorts = [
67 # DHCP
];
I’m interested why
services.dhcpd4.enable = true;
doesn’t need an explicit firewall setting, but dnsmasq does?
a mystery… maybe line 123 of nixpkgs/firewall.nix at 3936313b1f13c198ee1ae56009db55fd6a87ab02 (NixOS/nixpkgs on GitHub)
${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
i wonder if this is it?
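A tightened version of the fix from this thread, written as an added example rather than anything the posters shared: it opens UDP 67 only on lxcbr0 instead of on every interface, and makes dnsmasq bind to that bridge alone. The `dhcp-option` router line and the commented-out port 53 are assumptions about what the guests need; the comment on dhcpd4 explains the difference the last two posts wonder about.

```nix
{ config, lib, pkgs, ... }:

{
  # Bridge the LXC guests attach to; same addressing as in the thread.
  networking.bridges.lxcbr0.interfaces = [ ];
  networking.interfaces.lxcbr0.ipv4.addresses = [
    { address = "192.168.123.1"; prefixLength = 24; }
  ];

  services.dnsmasq = {
    enable = true;
    resolveLocalQueries = false;
    extraConfig = ''
      domain-needed
      bogus-priv
      # Serve only the bridge and bind to it explicitly, so dnsmasq does
      # not listen on the other interfaces even if the firewall is relaxed.
      interface=lxcbr0
      bind-interfaces
      dhcp-range=192.168.123.2,192.168.123.254,24h
      # Assumption: the guests should use the host as their default gateway.
      dhcp-option=option:router,192.168.123.1
    '';
  };

  # Global version (the fix posted above): UDP 67 accepted on every interface.
  # networking.firewall.allowedUDPPorts = [ 67 ];

  # Scoped version: DHCP requests are accepted only on the LXC bridge.
  # dhcpd4 works without any rule because ISC dhcpd receives DHCP through
  # raw packet sockets, which the netfilter INPUT chain never sees;
  # dnsmasq uses ordinary UDP sockets, so the firewall applies to it.
  networking.firewall.interfaces.lxcbr0.allowedUDPPorts = [
    67 # DHCP server
    # 53 # assumption: add only if the guests should also resolve via the host
  ];
}
```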