Hello,
I have multiple access points with multiple SSIDs which convey different
network privileges. I’ve mapped out the 10.x.x.x private address range using
bit fields. I would like to be able to inspect an IP address and determine
how the client connected. If I use separate VLANs/subnets and rely on
routing, then I face broadcast issues for DLNA, Samba, mDNS, and whatever
Windows uses for network discovery. From a security standpoint, I can
enforce the subnet (bit fields) per interface using firewall rules.
Incompatible manual IP assignment would be blocked. I could then route off
the fields in the IP rather than a long list of VLAN interfaces.
I’m currently experimenting with nftables bridge filters. Each SSID is
associated with a VLAN. Each VLAN is slave to a unique bridge. Each VLAN
bridge also contains one end of a unique veth interface. The other end of
the veth interface is slave to an umbrella LAN bridge which defines the
composite broadcast domain. I can use each VLAN bridge interface as the
anchor for the associated DHCP pool. Assuming I override the subnet supplied
via DHCP, I effectively have a single broadcast domain. Granted, I have to
create some bridge filter rules to restrict the DHCP traffic, but at least
these are well-documented and narrow in scope.
I’m concerned about overhead. I’d like to simplify. What I’m really looking
for is some way to pass a ‘hint’ (aka tag) to dnsmasq for DHCP pool
selection. dnsmasq cannot distinguish a VLAN once it’s been absorbed into a
bridge, but the bridge filter still has visibility. I see that there’s a
mechanism for a DHCP-proxy to manipulate the subnet and giaddr fields in the
DHCP request. That seems like an equally messy trade-off.
Normally, a DHCP request has SIP=0.0.0.0. It looks like I could use ‘packet
mangling’ to modify SIP based on the VLAN. Does dnsmasq ever consider SIP
when selecting a pool?
Can anyone recommend a simpler solution? DHCP reservation is not an option
because the same device could connect to a different AP with a different
SSID and even a different password.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
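As an added illustration that is not part of the post or of dnsmasq itself, the following Python sketches the kind of bit-field 10.x.x.x plan described above, the "source IP must match ingress interface" check the poster wants the bridge filter to enforce, and the shape of the equivalent nftables rules. The 2-bit-tier / 6-bit-SSID layout, the interface names, and the exact nft syntax are assumptions and should be checked against your own plan and nft version.

```python
"""Decode a bit-field 10.x.x.x address plan and check source IPs per ingress VLAN."""
from ipaddress import IPv4Address, IPv4Network

# Assumed layout (not from the post): each SSID gets 10.TTSSSSSS.0.0/16, where the
# second octet carries a 2-bit privilege tier and a 6-bit SSID index.
TIERS = {0: "guest", 1: "iot", 2: "user", 3: "admin"}

def subnet_for(tier: int, ssid_index: int) -> IPv4Network:
    """The /16 handed out by the DHCP pool anchored on this SSID's VLAN bridge."""
    if not 0 <= tier <= 3 or not 0 <= ssid_index <= 63:
        raise ValueError("tier is a 2-bit field, SSID index is a 6-bit field")
    return IPv4Network(f"10.{(tier << 6) | ssid_index}.0.0/16")

def decode(addr: str) -> tuple[str, int]:
    """Inspect an address and recover (tier name, SSID index): how the client connected."""
    ip = IPv4Address(addr)
    if ip not in IPv4Network("10.0.0.0/8"):
        raise ValueError(f"{addr} is outside the 10/8 plan")
    second = (int(ip) >> 16) & 0xFF
    return TIERS[second >> 6], second & 0x3F

def tier_prefix(tier: int) -> IPv4Network:
    """One prefix covering every SSID of a tier, so routing can key on the field."""
    return IPv4Network(f"10.{tier << 6}.0.0/10")

# Constructed map of ingress VLAN interface -> (tier, SSID index); names are assumed.
VLANS = {"vlan-guest0": (0, 0), "vlan-iot3": (1, 3), "vlan-user1": (2, 1), "vlan-admin0": (3, 0)}

def source_allowed(iif: str, saddr: str) -> bool:
    """Policy the bridge filter enforces: a manually set IP from the wrong tier is rejected."""
    if iif not in VLANS:
        return False
    tier, idx = VLANS[iif]
    return IPv4Address(saddr) in subnet_for(tier, idx)

def nft_rules() -> str:
    """Sketch of equivalent nftables bridge-family anti-spoofing rules (assumed syntax).
    DHCP DISCOVER/REQUEST frames carry saddr 0.0.0.0, so that source is exempted."""
    lines = ["table bridge filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for iif, (tier, idx) in VLANS.items():
        net = subnet_for(tier, idx)
        lines.append(f'    iifname "{iif}" ip saddr != {net} ip saddr != 0.0.0.0 drop')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(decode("10.130.7.9"), source_allowed("vlan-iot3", "10.1.2.3"))
    print(nft_rules())
```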