Dnsmasq not responding to DHCP requests

I have LXC guests connected to a bridge created using

  networking.bridges.lxcbr0.interfaces = [];
  networking.interfaces.lxcbr0.ipv4.addresses = [{ address = "192.168.123.1"; prefixLength = 24; }];

My goal is to have dnsmasq perform DHCP for that subnet. However, when I configure it with

  services.dnsmasq.enable = true;
  services.dnsmasq.extraConfig = ''
  domain-needed
  bogus-priv

  interface = lxcbr0
  dhcp-range = 192.168.123.2,192.168.123.254,24h
  '';
  services.dnsmasq.resolveLocalQueries = false;

it does not raise any errors and responds to DNS requests. However, it does not respond to DHCP requests from the guests. In Wireshark, I can see the guest issue a request followed by silence.

Furthermore, when replacing dnsmasq with dhcpd4, everything else being equal, guests receive leases without issues.

  services.dhcpd4.enable = true;
  services.dhcpd4.interfaces = [ "lxcbr0" ];
  services.dhcpd4.extraConfig = ''
    option subnet-mask 255.255.255.0;
    subnet 192.168.123.0 netmask 255.255.255.0 {
      range 192.168.123.2 192.168.123.254;
    }
  '';

What is wrong with my dnsmasq setup? I am using 21.05; the full context of these snippets can be found here.

You got any logs from dnsmasq?

Do you allow incoming DHCP packets in your firewall?

Journal logs; couldn't find anything in /var/log, from the dnsmasq command line or the configuration file.

journalctl -u dnsmasq
-- Journal begins at Tue 2021-08-10 21:08:16 CEST, ends at Tue 2021-08-10 21:13:44 CEST. --
aoû 10 21:08:31 hadronsson systemd[1]: Starting Dnsmasq Daemon...
aoû 10 21:08:32 hadronsson dnsmasq-pre-start[1435]: dnsmasq: syntax check OK.
aoû 10 21:08:32 hadronsson systemd[1]: Started Dnsmasq Daemon.
aoû 10 21:08:32 hadronsson dnsmasq[1451]: started, version 2.85 cachesize 150
aoû 10 21:08:32 hadronsson dnsmasq[1451]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
aoû 10 21:08:32 hadronsson dnsmasq[1451]: DBus support enabled: connected to system bus
aoû 10 21:08:32 hadronsson dnsmasq-dhcp[1451]: DHCP, IP range 192.168.123.2 -- 192.168.123.254, lease time 1d
aoû 10 21:08:32 hadronsson dnsmasq[1451]: no servers found in /etc/resolv.conf, will retry
aoû 10 21:08:32 hadronsson dnsmasq[1451]: read /etc/hosts - 4 addresses
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53
aoû 10 21:08:33 hadronsson dnsmasq[1451]: reading /etc/resolv.conf
aoû 10 21:08:33 hadronsson dnsmasq[1451]: using nameserver 192.168.1.2#53

This is usually what I use for dhcp/pxe boot: dotfiles/dnsmasq.nix at 3a6dff69179d89aacb4e628ef009ec82ac9d8d2f · Mic92/dotfiles · GitHub

systemctl stop firewall fixes it. I’ll add an allowedPort rule. Thank you! Didn’t think of that.

networking.firewall.allowedUDPPorts = [
  67 # DHCP
];

I’m interested why

 services.dhcpd4.enable = true;

does not need an explicit firewall setting, but dnsmasq does?

A mystery… maybe line 123 here: nixpkgs/firewall.nix at 3936313b1f13c198ee1ae56009db55fd6a87ab02 · NixOS/nixpkgs · GitHub

    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''

I wonder if this is it?
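The check a practitioner would want for the situation in this thread, added here as an example and not code from any of the posts: a small DHCPDISCOVER probe that broadcasts one DISCOVER on an interface and reports whether an OFFER comes back, so you can confirm "request followed by silence" (and, after the firewall change, a lease) without reaching for Wireshark. Run it as root inside one of the guests, or on the host bound to the bridge. The bridge name lxcbr0 and the 192.168.123.0/24 addresses are taken from the thread; the OFFER bytes that constructed_offer() builds are constructed for offline exercise of the parser, not captured traffic. On the last open question: ISC dhcpd on Linux sends and receives DHCP through an AF_PACKET (LPF) socket, which is delivered at the link layer before netfilter's INPUT chain sees the packet, whereas dnsmasq serves DHCP from an ordinary UDP socket bound to port 67, so a firewall that drops UDP 67 silences only dnsmasq.

```python
"""DHCPDISCOVER probe: build a DISCOVER, broadcast it on one interface, and
parse whatever DHCP reply (normally an OFFER) comes back.

Added example for the dnsmasq/firewall thread; not code from the original
posts. Assumed names: the bridge lxcbr0 and the 192.168.123.0/24 range are
the thread's; constructed_offer() fabricates an OFFER for offline testing."""
import os
import socket
import struct
import sys

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# BOOTP fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_discover(mac: bytes, xid: int) -> bytes:
    """BOOTREQUEST carrying option 53 = DHCPDISCOVER, broadcast flag set."""
    if len(mac) != 6:
        raise ValueError("need a 6-byte MAC")
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x01"            # 53: message type DISCOVER
            + b"\x37\x03\x01\x03\x06"  # 55: parameter request: mask, router, DNS
            + b"\xff")                 # 255: end
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the BOOTP header and TLV options. Tolerates pad bytes and a
    truncated option list; raises ValueError without the magic cookie."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    addrs = [socket.inet_ntoa(pkt[i:i + 4]) for i in range(12, 28, 4)]
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option
            i += 1
            continue
        if i + 1 >= len(pkt):      # length byte missing: truncated packet
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: socket.inet_ntoa(b[:4]) if len(b) >= 4 else None
    dns_raw = opts.get(6, b"")
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "mac": pkt[28:28 + hlen].hex(":"),
        "yiaddr": addrs[1], "siaddr": addrs[2],
        "type": MSG_TYPES.get((opts.get(53) or b"\0")[0], "UNKNOWN"),
        "server_id": ip(opts.get(54, b"")),
        "subnet_mask": ip(opts.get(1, b"")),
        "router": ip(opts.get(3, b"")),
        "dns": [socket.inet_ntoa(dns_raw[j:j + 4]) for j in range(0, len(dns_raw) // 4 * 4, 4)],
        "lease_secs": struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else None,
    }


def constructed_offer(xid: int, mac: bytes) -> bytes:
    """A DHCPOFFER such as dnsmasq on 192.168.123.1 would send for the
    thread's range. Constructed here for offline testing, not captured."""
    a = socket.inet_aton
    hdr = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, a("192.168.123.50"), a("192.168.123.1"), b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"                            # 53: OFFER
            + b"\x36\x04" + a("192.168.123.1")         # 54: server identifier
            + b"\x33\x04" + struct.pack("!I", 86400)   # 51: lease time 24h
            + b"\x01\x04" + a("255.255.255.0")         # 1: subnet mask
            + b"\x03\x04" + a("192.168.123.1")         # 3: router
            + b"\x06\x04" + a("192.168.123.1")         # 6: DNS server
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


def probe(ifname: str, mac: bytes, timeout: float = 3.0):
    """Broadcast one DISCOVER on ifname and return the parsed OFFER for our
    xid, or None if nothing answers within timeout (the thread's symptom).
    Needs root: binds UDP 68 and uses SO_BINDTODEVICE (Linux only)."""
    xid = int.from_bytes(os.urandom(4), "big")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, getattr(socket, "SO_BINDTODEVICE", 25),
                 ifname.encode() + b"\0")
    s.bind(("", 68))
    s.settimeout(timeout)
    try:
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        while True:
            data, _ = s.recvfrom(1500)
            try:
                reply = parse_dhcp(data)
            except ValueError:
                continue               # stray non-DHCP traffic on port 68
            if reply["xid"] == xid and reply["op"] == 2:
                return reply
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "lxcbr0"
    # locally administered MAC so the probe never collides with a real guest
    result = probe(iface, bytes.fromhex("02decafe0001"))
    print("no DHCP reply: server down or UDP 67 filtered" if result is None else result)
```

Usage: `sudo python3 dhcp_probe.py lxcbr0`. With the thread's original configuration the probe returns None; once UDP 67 is allowed it returns the offered lease, server identifier and options. One caveat to the fix as posted: `networking.firewall.allowedUDPPorts = [ 67 ]` opens the DHCP server on every interface of the host. In recent NixOS releases the per-interface form, `networking.firewall.interfaces.lxcbr0.allowedUDPPorts = [ 67 ]`, limits it to the bridge, and dnsmasq's `bind-interfaces` option keeps its sockets off the other interfaces as well.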