Dnsmasq not responding to DHCP requests

lourkeur · August 10, 2021, 5:09pm

I have a LXC guests connected to a bridge created using

  networking.bridges.lxcbr0.interfaces = [];
  networking.interfaces.lxcbr0.ipv4.addresses = [{ address = "192.168.123.1"; prefixLength = 24; }];

My goal is to have dnsmasq perform DHCP for that subnet. However, when I configure it with

  services.dnsmasq.enable = true;
  services.dnsmasq.extraConfig = ''
  domain-needed
  bogus-priv

  interface = lxcbr0
  dhcp-range = 192.168.123.2,192.168.123.254,24h
  '';
  services.dnsmasq.resolveLocalQueries = false;

it does not raise any errors and responds to DNS requests. However, it does not respond to DHCP requests from the guests. On Wireshark, I can see the guest issue a request followed by silence.

Furthermore, when replacing dnsmasq with dhcp4, everything else being equal, guests receive leases without issues.

  services.dhcpd4.enable = true;
  services.dhcpd4.interfaces = [ "lxcbr0" ];
  services.dhcpd4.extraConfig = ''
    option subnet-mask 255.255.255.0;
    subnet 192.168.123.0 netmask 255.255.255.0 {
      range 192.168.123.2 192.168.123.254;
    }
  '';

What is wrong with my dnsmasq setup? I am using 21.05, the full context of these snippets can be found here.

nixinator · August 10, 2021, 6:57pm

you got any logs from from dnsmasq?

Mic92 · August 10, 2021, 7:20pm

Do you allow incoming DHCP packets in your firewall?

lourkeur · August 10, 2021, 7:21pm

Journal logs, couldn’t find anything in /var/log, from the dnsmasq command-line or the configuration file

journalctl -u dnsmasq
-- Journal begins at Tue 2021-08-10 21:08:16 CEST, ends at Tue 2021-08-10 21:13:44 CEST. --
aoû 10 21:08:31 hadronsson systemd[1]: Starting Dnsmasq Daemon...
aoû 10 21:08:32 hadronsson dnsmasq-pre-start[1435]: dnsmasq: syntax check OK.
aoû 10 21:08:32 hadronsson systemd[1]: Started Dnsmasq Daemon.
aoû 10 21:08:32 hadronsson dnsmasq[1451]: started, version 2.85 cachesize 150
aoû 10 21:08:32 hadronsson dnsmasq[1451]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
aoû 10 21:08:32 hadronsson dnsmasq[1451]: DBus support enabled: connected to system bus
aoû 10 21:08:32 hadronsson dnsmasq-dhcp[1451]: DHCP, IP range 192.168.123.2 -- 192.168.123.254, lease time 1d
aoû 10 21:08:32 hadronsson dnsmasq[1451]: no servers found in /etc/resolv.conf, will retry
aoû 10 21:08:32 hadronsson dnsmasq[1451]: read /etc/hosts - 4 addresses
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53

Mic92 · August 10, 2021, 7:22pm

This is usually what I use for dhcp/pxe boot: dotfiles/dnsmasq.nix at 3a6dff69179d89aacb4e628ef009ec82ac9d8d2f · Mic92/dotfiles · GitHub

lourkeur · August 10, 2021, 7:23pm

systemctl stop firewall fixes it. I’ll add an allowedPort rule. Thank you! Didn’t think of that.

networking.firewall.allowedUDPPorts = [
  67 # DHCP
];

nixinator · August 11, 2021, 1:05am

I’m interested why

 services.dhcpd4.enable = true;

does need an explicit firewall setting, but dnsmasq does?

a mystery… maybe line 123 here nixpkgs/firewall.nix at 3936313b1f13c198ee1ae56009db55fd6a87ab02 · NixOS/nixpkgs · GitHub

    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''

i wonder if this is it?