dnsmasq forwards requests to home network

Hi, very simple:

vm-bhyve, Linux VM, NAT via pf enabled on em0 (internet facing).

When I assign a fixed 10.0.0.10/24 in the Linux VM, NAT works. But I want DHCP via dnsmasq.
My current config is:
Code:
port=0
domain-needed
no-resolv
except-interface=lo0
bind-interfaces
local-service
dhcp-authoritative

interface=vm-public
dhcp-range=10.0.0.50,10.0.0.100

But when I boot the Linux VM (vm start rocky), dnsmasq shows the output below and the VM obtains the IP 192.168.50.147 from the main home router (DHCP server), network 192.168.50.0/24.
NAT is 10.0.0.0/24.

Code:
$ doas dnsmasq --no-daemon --log-debug --log-queries --log-dhcp -C /usr/local/etc/dnsmasq.conf
dnsmasq: started, version 2.90 DNS disabled
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 10.0.0.50 -- 10.0.0.100, lease time 1h

dnsmasq-dhcp: 3952934702 available DHCP range: 10.0.0.50 -- 10.0.0.100
dnsmasq-dhcp: 3952934702 client provides name: rocky
dnsmasq-dhcp: 3952934702 DHCPREQUEST(vm-public) 192.168.50.147...............................
dnsmasq-dhcp: 3952934702 DHCPNAK(vm-public) 192.168.50.147 ..................................... wrong network
dnsmasq-dhcp: 3952934702 broadcast response
dnsmasq-dhcp: 3952934702 sent size:  1 option: 53 message-type  6
dnsmasq-dhcp: 3952934702 sent size:  4 option: 54 server-identifier  10.0.0.1
dnsmasq-dhcp: 3952934702 sent size: 13 option: 56 message  77:72:6f:6e:67:20:6e:65:74:77:6f:72:6b
dnsmasq-dhcp: 3442499203 available DHCP range: 10.0.0.50 -- 10.0.0.100
dnsmasq-dhcp: 3442499203 client provides name: rocky
dnsmasq-dhcp: 3442499203 DHCPDISCOVER(vm-public) 192.168.50.147 ........................................
dnsmasq-dhcp: 3442499203 tags: vm-public
dnsmasq-dhcp: 3442499203 DHCPOFFER(vm-public) 10.0.0.76 .......................................
dnsmasq-dhcp: 3442499203 requested options: 1:netmask, 2:time-offset, 6:dns-server, 12:hostname,
dnsmasq-dhcp: 3442499203 requested options: 15:domain-name, 26:mtu, 28:broadcast, 121:classless-static-route,
dnsmasq-dhcp: 3442499203 requested options: 3:router, 33:static-route, 40:nis-domain,
dnsmasq-dhcp: 3442499203 requested options: 41:nis-server, 42:ntp-server, 119:domain-search,
dnsmasq-dhcp: 3442499203 requested options: 249, 252, 17:root-path
dnsmasq-dhcp: 3442499203 next server: 10.0.0.1
dnsmasq-dhcp: 3442499203 sent size:  1 option: 53 message-type  2
dnsmasq-dhcp: 3442499203 sent size:  4 option: 54 server-identifier  10.0.0.1
dnsmasq-dhcp: 3442499203 sent size:  4 option: 51 lease-time  1h
dnsmasq-dhcp: 3442499203 sent size:  4 option: 58 T1  30m
dnsmasq-dhcp: 3442499203 sent size:  4 option: 59 T2  52m30s
dnsmasq-dhcp: 3442499203 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-dhcp: 3442499203 sent size:  4 option: 28 broadcast  10.0.0.255
dnsmasq-dhcp: 3442499203 sent size:  4 option:  3 router  10.0.0.1
dnsmasq-dhcp: 3442499203 available DHCP range: 10.0.0.50 -- 10.0.0.100
dnsmasq-dhcp: 3442499203 client provides name: rocky
dnsmasq-dhcp: 3442499203 DHCPREQUEST(vm-public) 192.168.50.147 ...................................
dnsmasq-dhcp: 3442499203 DHCPNAK(vm-public) 192.168.50.147 ............................... wrong server-ID
dnsmasq-dhcp: 3442499203 broadcast response
dnsmasq-dhcp: 3442499203 sent size:  1 option: 53 message-type  6
dnsmasq-dhcp: 3442499203 sent size:  4 option: 54 server-identifier  10.0.0.1
dnsmasq-dhcp: 3442499203 sent size: 15 option: 56 message  77:72:6f:6e:67:20:73:65:72:76:65:72:2d:49...
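
The two DHCPNAK lines in that transcript are the diagnostic: "wrong network" (the guest asks to keep 192.168.50.147, which is not in dnsmasq's range) and "wrong server-ID" (the guest accepted an offer from a server other than 10.0.0.1). As an added example that is not part of the original post, the POSIX sh function below runs that check over constructed log lines modelled on the dnsmasq 2.90 output above (the MAC addresses are invented; real output prints the client MAC where the post shows dots). It is the same signal a rogue-DHCP check on any segment looks for: a client on your interface is getting addresses from a server you do not run.

```shell
#!/bin/sh
# Added example, not from the thread: triage a `dnsmasq --log-dhcp` transcript
# for signs that guests can reach a second DHCP server. The input below is
# constructed to follow the shape of the dnsmasq 2.90 lines in the post; the
# MAC addresses are invented.
SAMPLE_LOG='dnsmasq-dhcp: 3952934702 DHCPREQUEST(vm-public) 192.168.50.147 52:54:00:aa:bb:cc
dnsmasq-dhcp: 3952934702 DHCPNAK(vm-public) 192.168.50.147 52:54:00:aa:bb:cc wrong network
dnsmasq-dhcp: 3442499203 DHCPDISCOVER(vm-public) 192.168.50.147 52:54:00:aa:bb:cc
dnsmasq-dhcp: 3442499203 DHCPOFFER(vm-public) 10.0.0.76 52:54:00:aa:bb:cc
dnsmasq-dhcp: 3442499203 DHCPREQUEST(vm-public) 192.168.50.147 52:54:00:aa:bb:cc
dnsmasq-dhcp: 3442499203 DHCPNAK(vm-public) 192.168.50.147 52:54:00:aa:bb:cc wrong server-ID
dnsmasq-dhcp: 1122334455 DHCPDISCOVER(vm-public) 52:54:00:dd:ee:ff
dnsmasq-dhcp: 1122334455 DHCPOFFER(vm-public) 10.0.0.51 52:54:00:dd:ee:ff
dnsmasq-dhcp: 1122334455 DHCPREQUEST(vm-public) 10.0.0.51 52:54:00:dd:ee:ff
dnsmasq-dhcp: 1122334455 DHCPACK(vm-public) 10.0.0.51 52:54:00:dd:ee:ff rocky'

# dhcp_triage PREFIX   (reads the log on stdin)
# PREFIX is the leading octets dnsmasq is meant to serve, e.g. "10.0.0.".
# Prints counters and a verdict; exit status 1 when another server is implied.
dhcp_triage() {
    awk -v prefix="$1" '
        # $3 is the message type with the interface, $4 the address (or the
        # client MAC when the message carries no address)
        $3 ~ /^DHCPNAK\(/ && /wrong network$/   { nak_net++ }
        $3 ~ /^DHCPNAK\(/ && /wrong server-ID$/ { nak_sid++ }
        # a REQUEST for an address outside our prefix means the client holds
        # or was just offered a lease from a server on another network
        $3 ~ /^DHCPREQUEST\(/ && $4 ~ /^[0-9]+\./ && index($4, prefix) != 1 { foreign++ }
        $3 ~ /^DHCPACK\(/ { ack++ }
        END {
            printf "nak_wrong_network=%d nak_wrong_server=%d foreign_requests=%d acks=%d\n",
                   nak_net, nak_sid, foreign, ack
            if (nak_sid > 0 || foreign > 0) {
                print "verdict=FOREIGN_DHCP_SERVER_REACHABLE (interface is bridged to a segment with its own DHCP server)"
                exit 1
            }
            print "verdict=OK"
        }'
}

# run the constructed sample; on a live host pipe the daemon in instead:
#   doas dnsmasq --no-daemon --log-dhcp -C /usr/local/etc/dnsmasq.conf 2>&1 | dhcp_triage 10.0.0.
printf '%s\n' "$SAMPLE_LOG" | dhcp_triage "10.0.0."
```

With `--no-daemon` dnsmasq logs to stderr, hence the `2>&1`. A "wrong network" NAK on its own can be a guest rebooting with a stale lease, so the verdict keys on "wrong server-ID" and on REQUESTs for foreign addresses, both of which need a second server to be reachable from the interface.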
 
A DHCP request is broadcast to 255.255.255.255. Broadcasts are not routed (or NAT'ed), so should never end up on your LAN. I suspect you have the vm-public switch bridged to your local network. If this vm-public 'switch' is supposed to be a different network (10.0.0.0/24) then you should not bridge(4) it to your LAN (192.168.50.0/24).

If this is supposed to go on a separate network, create a second 'virtual' switch that's not bridged to your LAN and tie the VMs to this second switch.
 
I suspect you have the vm-public switch bridged to your local network.
Yes, that's the case. The vm-public 'switch' has the fixed IP 10.0.0.1 associated with it and contains em0 (internet facing) and all those tapX (dynamically added by vm start).

So, just to get it right: I should bridge bridges? The final topology should be two bridges:
  • vm-local with associated address 10.0.0.1 containing just those tapX
  • vm-public containing em0, sure, ...but how do I connect them so the VMs can access the internet via NAT?
Also, currently I have in my /etc/pf.conf
Code:
nat on em0 from { 10.0.0.1/24 } to any -> (em0)

How would that look after the change? Thanks so much for any support. I'm not a networking expert.
 
Simply put, if you have a real physical switch and you connect two computers to it they are on the same "network". I hope you understand that relationship. A bridge(4) works the same way. Every VM that's connected to the 'vm-public' virtual switch is also connected to the same network as em0.
 
Yes, that's clear. I guess I was blindly following some best practices for NAT where they associate an IP with the bridge, which seemed totally confusing, but that's what vm switch create -a does, right? I thought that this somehow turns the bridge into a router and creates a separate 10.0.0.0/24 subnet. I definitely need to rethink all this.
 
Simply put, if you have a real physical switch and you connect two computers to it they are on the same "network". I hope you understand that relationship. A bridge(4) works the same way. Every VM that's connected to the 'vm-public' virtual switch is also connected to the same network as em0.
...elaborating on my previous post, I'd say that the -a within vm switch create is the most confusing part for me. Given that it is layer 2, I don't fully understand why a bridge should be given an IP.
 
I don't use DHCP for my NAT but mine looks like this.
Code:
root@hale /home/yusuf # vm switch list
NAME    TYPE      IFACE      ADDRESS        PRIVATE  MTU  VLAN  PORTS
public  standard  vm-public  10.31.69.1/24  no       -    -     -
root@hale /home/yusuf # cat /etc/pf.conf
nat on wlan0 from {10.31.69.0/24} to any -> (wlan0)

There is example usage for dnsmasq on this wiki too.
 
Given that it is layer 2, I don't fully understand why a bridge should be given an IP.
If you use that bridge to connect to the LAN, then no, probably not. If you create a 'standalone' bridge, i.e. not bound to any 'external' interfaces, it will be an entirely local 'network'. In that case you might want to use an IP address on the bridge to serve as a default gateway for the VMs attached to that bridge. And use the host to route (or translate/NAT) to/from any external network (like the one attached to your em0).
 
It all makes sense, but how does a bridge with an IP that also contains the external interface work then? Is that nonsense? Concretely, something like what e.g. vm switch create -a 10.0.0.1/24 creates. Last question, I promise :)
10.0.0.1 is used as the default gateway for the VMs.

Concretely, in my case:
Code:
$ cat /zroot/vms/.config/system.conf
switch_list="public"
type_public="standard"
addr_public="10.0.0.1/24"
ports_public="em0"

$ doas vm switch list
NAME    TYPE      IFACE      ADDRESS      PRIVATE  MTU  VLAN  PORTS
public  standard  vm-public  10.0.0.1/24  no       -    -     em0

with PF rule:
Code:
nat on em0 from { 10.0.0.1/24 } to any -> (em0)
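
The layout the earlier reply describes (a standalone bridge carrying 10.0.0.1 as the guests' gateway, the host routing and translating towards em0) differs from the system.conf above in exactly one line: ports_public="em0". As an added example that is not from the thread or from vm-bhyve itself, the POSIX sh script below encodes the three rules that have to hold for that layout (the uplink is not a member port; the pf nat source is the switch's network; the dhcp-range lies inside it), checks the current and the corrected configuration against them, and prints the system.conf, pf.conf, rc.conf and dnsmasq.conf fragments for the corrected one. The switch name "local", the uplink em0 and the network 10.0.0.0/24 are assumptions; the script runs without vm-bhyve installed and the fragments it prints are what you would put in place, not output of vm(8).

```shell
#!/bin/sh
# Added example, not from the thread: generate and sanity-check the
# "standalone switch + host NAT + dnsmasq" layout the replies describe.
# Assumptions: switch name "local", uplink em0, VM network 10.0.0.0/24.

ip2int() {                       # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
mask_of() {                      # prefix length -> integer netmask
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}
in_subnet() {                    # in_subnet ADDR/PLEN IP: true when IP lies in that network
    m=$(mask_of "${1#*/}")
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_switch UPLINK "PORTS" SWITCH_ADDR/PLEN NAT_SRC/PLEN DHCP_LO DHCP_HI
# Prints the first violated rule and returns 1, or "OK: ..." and returns 0.
check_switch() {
    uplink=$1 ports=$2 sw=$3 natsrc=$4 lo=$5 hi=$6
    for p in $ports; do          # rule 1: the uplink must not be a member port
        if [ "$p" = "$uplink" ]; then
            echo "FAIL: $uplink is a port of the VM switch, so VMs sit on the LAN and hear its DHCP server"
            return 1
        fi
    done
    # rule 2: pf translates exactly the switch network
    if [ "${natsrc#*/}" != "${sw#*/}" ] || ! in_subnet "$sw" "${natsrc%/*}"; then
        echo "FAIL: nat source $natsrc is not the network of the switch address $sw"
        return 1
    fi
    # rule 3: leases dnsmasq hands out must be reachable via the switch address
    if ! in_subnet "$sw" "$lo" || ! in_subnet "$sw" "$hi"; then
        echo "FAIL: dhcp-range $lo,$hi lies outside $sw"
        return 1
    fi
    echo "OK: ports='$ports' gateway=${sw%/*} nat=$natsrc dhcp=$lo-$hi"
}

# render_config SWITCH UPLINK SWITCH_ADDR/PLEN DHCP_LO DHCP_HI
# Prints the vm-bhyve, pf, rc.conf and dnsmasq fragments for that layout.
render_config() {
    name=$1 uplink=$2 sw=$3 lo=$4 hi=$5
    plen=${sw#*/}
    netcidr="$(int2ip $(( $(ip2int "${sw%/*}") & $(mask_of "$plen") )))/$plen"
    cat <<EOF
# /zroot/vms/.config/system.conf  (equivalent to: vm switch create -a $sw $name)
switch_list="$name"
type_$name="standard"
addr_$name="$sw"
# no ports_$name line: $uplink stays off this bridge; guests use network0_switch="$name"

# /etc/pf.conf: translate the switch network, not a host address
nat on $uplink from { $netcidr } to any -> ($uplink)

# /etc/rc.conf: the host routes between vm-$name and $uplink
gateway_enable="YES"
pf_enable="YES"
dnsmasq_enable="YES"

# /usr/local/etc/dnsmasq.conf: listen on the bridge only; DNS left enabled so
# guests get a resolver (keep port=0 only if something else answers DNS)
bind-interfaces
interface=vm-$name
dhcp-authoritative
dhcp-range=$lo,$hi,1h
dhcp-option=option:router,${sw%/*}
EOF
}

# the thread's current layout (em0 is a port) versus the corrected one
check_switch em0 "em0" 10.0.0.1/24 10.0.0.1/24 10.0.0.50 10.0.0.100 || true
check_switch em0 ""    10.0.0.1/24 10.0.0.0/24 10.0.0.50 10.0.0.100
render_config local em0 10.0.0.1/24 10.0.0.50 10.0.0.100
```

Because the new bridge has no member port other than the guests' tap interfaces, the DHCP broadcasts never leave the host, and 10.0.0.1 on the bridge is the only gateway the guests can see; gateway_enable="YES" is what makes the host forward between that bridge and em0 before pf rewrites the source.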
 
I have just tried DHCP with dnsmasq in my Debian VM and it got the IP address 10.31.69.183 from the 10.31.69.0/24 network. I think the only configuration difference between you and me is that my vm-public interface has no adapter bridged to it.

Does your DHCP configuration have the line below?
Code:
dhcp-range=10.0.0.2,10.0.0.254
 