Re: [Dnsmasq-discuss] pxe-service line for UEFI system?
On Wed, 22 Jan 2020 at 21:43, Geert Stappers wrote:
> ...
>
> FWIW
> Over here is "PXE service" not used. I have no idea what I might be
> missing. My reason for involvement in this thread is finding what use
> case O.P. has for dnsmasq. Finding out if it can improve my use case,
> finding out if it can improve dnsmasq (which also benefits me).
>

At this point it's mostly curiosity - I am migrating from an older pxelinux, BIOS-only setup to iPXE for BIOS and UEFI, with possible expansion into direct-booting specific clients like a Raspberry Pi. I wanted to keep the option of booting into the old setup.
Also, having read the documentation, it should be possible to use dnsmasq to provide PXE boot service independently of the DHCP server in the network, which would be particularly useful for making an appliance-like setup that is dropped into the network and provides tools like clonezilla, memtest, etc. I haven't tried that mode yet.

> > > The idea of it is getting a "shared problem". And from
> > > a shared problem to get to a shared solution.
> >
> > A shared problem: Make UEFI PXE client display 2 boot options - one
> > for an existing boot image, and one to exit PXE (boot from disk,
> > etc.).
>
> My approach is default boot from disk and netbooting for a (re)install.
>
> Back to "pxe service". It is a server-client-combo-issue.
> Here on this mailinglist is dnsmasq the only common factor.
> Dnsmasq is at server side. To explain the server-client-combo-issue
> needs the client side extra care. So tell about client side.
> That includes the risk of losing audience here due to "I don't have such
> clients". Increase audience numbers by "The seen behaviour can be
> reproduced with this libre virtualisation platform".

Oh, so you can't induce the issue/reproduce the preconditions. Now it's clear to me :)
Sorry, I'm not keeping up with libre VM solutions, so I'm not sure which, if any, can do PXE UEFI boot. I'm using vmware (Fusion, HW version 14) to test this.
Google finds this article [1], which suggests it is possible to do in KVM. VirtualBox, which I have installed, does not support network boot in UEFI mode.
If you have UEFI hardware and don't mind using it for this, I would suggest using the three-service config and seeing if that works correctly. I can send a packet capture if needed.
I _think_ you should be able to replicate at least the PXE-menu part of the issue with just a config for dhclient [2] - haven't tested this, as it requires the normal dhclient instance to be disabled.

Cheers,
MZ

> Groeten
> Geert Stappers
> --
> Leven en laten leven
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[1] https://eatpeppershothot.blogspot.com/2016/07/enable-pxe-netboot-in-kvm-guests-for.html

[2]
# dhclient.conf:
send vendor-class-identifier "PXEClient:Arch:7:UNDI:003016";
option client-system-architecture code 93 = unsigned integer 16;
send client-system-architecture 7;
Re: [Dnsmasq-discuss] pxe-service line for UEFI system?
On Mon, 20 Jan 2020 at 21:38, Geert Stappers wrote:
>
> On Sun, Jan 19, 2020 at 10:40:28PM +0100, Michal Zatloukal wrote:
> > On Sun, 19 Jan 2020 at 21:45, Geert Stappers wrote:
> > > On Sun, Jan 19, 2020 at 08:33:54PM +0100, P W wrote:
> > > > On Sun, Jan 19, 2020 at 07:30:44PM +0100, Michal Zatloukal wrote:
> > > > > On Wed, 8 Jan 2020 at 00:16, Michal Zatloukal wrote:
> > > > > >
> > > > Patches welcome
> > > >
> > > > Longer version:
> > > * Seen the postings
> > > * Seen that something needs some extra configuration
> > > * What is expected from the dnsmasq project is not seen
> > >
> > > Please do make the extra mile
> > > and express how dnsmasq could be better.
> > >
> >
> > What is expected of dnsmasq - a DHCP offer with either a populated
> > menu, or a populated boot-filename option. As mentioned in the OP,
> > currently dnsmasq provides broken menu (no items present) and empty
> > boot-filename, unless another "phantom" boot option is also defined
> > (in which case it provides the populated menu).
> >
> > I looked over the dnsmasq docs again and noticed this bit in pxe-prompt:
> > } If --pxe-prompt is omitted the system will wait for user input if
> > } there are multiple items in the menu, but boot immediately if there
> > } is only one.
> > As I understand it, if pxe-prompt is defined in the config, the
> > services should be sent regardless of their count. So that's a bug,
> > unless... I also looked at the changelog and found this in the 2.76 release:
> >
> > > Workaround problems with UEFI PXE clients. There exist
> > > in the wild PXE clients which have problems with PXE
> > > boot menus. To work around this, when there's a single
> > > --pxe-service which applies to client, then that target
> > > will be booted directly, rather then sending a
> > > single-item boot menu.
> >
> > It seems like these 2 parts of the code are interacting incorrectly.
> > 1) the pxe-service exit item is ignored, that's why the phantom option is
> > needed
> > 2) if pxe-prompt is explicitly defined, what _is_ supposed to happen
> > for UEFI clients?
> > TBH, I don't see why this UEFI issue even requires a UEFI-specific
> > code workaround - shouldn't a config like this [1] avoid the problems,
> > no code workaround needed?
> >
> > MZ
> >
> > [1]
> > dhcp-match=set:efi-x86_64,option:client-arch,7
> > dhcp-match=set:efi-x86_64,option:client-arch,9
> > pxe-prompt=tag:!efi-x86_64,"dnsmasq PXE menu"
> > pxe-service=7,...
> > pxe-service=9,...
>
> Seen it. I still don't understand the OP problem.

The OP was asking if their configuration of pxe-prompt/pxe-service options was correct, as the UEFI client was neither booting nor showing the menu from the provided DHCPOFFER. A packet capture revealed the problem - missing PXE menu items in the provided DHCPOFFER (DHCP option 43, suboption 9).

> For some reason I do feel my wish to improve dnsmasq
> is getting in the way. I'm gonna spend my energy elsewhere.
>
> Advice to Original Poster: Make your problem reproducible.

I'm not sure I understand - are you saying your UEFI client gets a DHCPOFFER with a valid PXE boot menu when you configure the following [1]?

[1]
pxe-prompt="dnsmasq menu"
pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
pxe-service=7, "Exit menu"

> The idea of it is getting a "shared problem". And from
> a shared problem to get to a shared solution.

A shared problem: Make UEFI PXE client display 2 boot options - one for an existing boot image, and one to exit PXE (boot from disk, etc.).

> Groeten
> Geert Stappers
> --
> Leven en laten leven

MZ
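The packet-capture finding above (prompt present, menu items absent) can be checked mechanically. The following is an added example, my own code rather than anything from the thread or from dnsmasq: a decoder for the PXE vendor suboptions inside DHCP option 43 (layouts per the PXE specification) and a check that reports a menu a client cannot use. The two sample offers are constructed in the code, one with only the prompt and one with prompt, items and boot servers.

```python
"""Decode PXE vendor options (DHCP option 43) and flag an unusable boot menu."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Suboption tags inside option 43 as defined by the PXE specification.
PXE_DISCOVERY_CONTROL = 6
PXE_BOOT_SERVERS = 8
PXE_BOOT_MENU = 9
PXE_MENU_PROMPT = 10
PXE_END = 255


@dataclass
class PxeMenu:
    discovery_control: Optional[int] = None
    timeout: Optional[int] = None          # seconds before the first item boots
    prompt: Optional[str] = None           # text shown to the user
    items: List[Tuple[int, str]] = field(default_factory=list)   # (boot server type, label)
    servers: Dict[int, List[str]] = field(default_factory=dict)  # boot server type -> IPv4s


def parse_option43(data: bytes) -> PxeMenu:
    """Walk the tag/length/value suboptions of an option 43 payload."""
    menu = PxeMenu()
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == PXE_END:
            break
        if tag == 0:                       # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated suboption header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("suboption %d truncated" % tag)
        i += 2 + length
        if tag == PXE_DISCOVERY_CONTROL:
            menu.discovery_control = value[0]
        elif tag == PXE_MENU_PROMPT:       # one timeout byte, then the prompt text
            menu.timeout = value[0]
            menu.prompt = value[1:].decode("ascii", "replace")
        elif tag == PXE_BOOT_MENU:         # repeated: type(2) len(1) description
            j = 0
            while j < len(value):
                btype, dlen = struct.unpack_from("!HB", value, j)
                label = value[j + 3:j + 3 + dlen].decode("ascii", "replace")
                menu.items.append((btype, label))
                j += 3 + dlen
        elif tag == PXE_BOOT_SERVERS:      # repeated: type(2) count(1) count*IPv4
            j = 0
            while j < len(value):
                btype, count = struct.unpack_from("!HB", value, j)
                j += 3
                addrs = []
                for _ in range(count):
                    addrs.append(".".join(str(b) for b in value[j:j + 4]))
                    j += 4
                menu.servers[btype] = addrs
    return menu


def menu_problems(menu: PxeMenu) -> List[str]:
    """Reasons a PXE client would show nothing or have nothing to boot."""
    problems = []
    if menu.prompt is None:
        problems.append("no menu prompt (suboption 10)")
    if not menu.items:
        problems.append("no boot menu items (suboption 9)")
    return problems


def build_option43(prompt: str, timeout: int,
                   items: List[Tuple[int, str]],
                   servers: Dict[int, List[str]]) -> bytes:
    """Encode a PXE menu the way a DHCPOFFER carries it (used to build sample data)."""
    out = bytearray([PXE_MENU_PROMPT, 1 + len(prompt), timeout]) + prompt.encode("ascii")
    if items:
        body = b"".join(struct.pack("!HB", t, len(d)) + d.encode("ascii") for t, d in items)
        out += bytes([PXE_BOOT_MENU, len(body)]) + body
    if servers:
        body = b""
        for t, addrs in servers.items():
            body += struct.pack("!HB", t, len(addrs))
            body += b"".join(bytes(int(x) for x in a.split(".")) for a in addrs)
        out += bytes([PXE_BOOT_SERVERS, len(body)]) + body
    out.append(PXE_END)
    return bytes(out)


# Constructed samples: the broken offer carries only the prompt, the working one
# also carries menu items and a boot server for the items that load a file.
BROKEN_OFFER = build_option43("dnsmasq menu", 255, [], {})
WORKING_OFFER = build_option43(
    "dnsmasq menu", 255,
    [(1, "Boot UEFI CSA 7"), (2, "Other item CSA 7"), (3, "Exit menu")],
    {1: ["10.0.0.1"], 2: ["10.0.0.1"]})

if __name__ == "__main__":
    for name, offer in (("broken", BROKEN_OFFER), ("working", WORKING_OFFER)):
        print(name, menu_problems(parse_option43(offer)) or "ok")
```

To check a real capture, feed `parse_option43` the raw value of option 43 from the DHCPOFFER (Wireshark shows it as "Vendor-Specific Information").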
Re: [Dnsmasq-discuss] pxe-service line for UEFI system?
Yeah - sorry, I'm not much help when it comes to C code. I was coming in with the assumption my config was somehow incorrect.

What is expected of dnsmasq - a DHCP offer with either a populated menu, or a populated boot-filename option. As mentioned in the OP, currently dnsmasq provides broken menu (no items present) and empty boot-filename, unless another "phantom" boot option is also defined (in which case it provides the populated menu).

I looked over the dnsmasq docs again and noticed this bit in pxe-prompt:
> If --pxe-prompt is omitted the system will wait for user input if there are
> multiple items in the menu, but boot immediately if there is only one.
As I understand it, if pxe-prompt is defined in the config, the services should be sent regardless of their count. So that's a bug, unless... I also looked at the changelog and found this in the 2.76 release:
> Workaround problems with UEFI PXE clients. There exist
> in the wild PXE clients which have problems with PXE
> boot menus. To work around this, when there's a single
> --pxe-service which applies to client, then that target
> will be booted directly, rather then sending a
> single-item boot menu.

It seems like these 2 parts of the code are interacting incorrectly.
1) the pxe-service exit item is ignored, that's why the phantom option is needed
2) if pxe-prompt is explicitly defined, what _is_ supposed to happen for UEFI clients?
TBH, I don't see why this UEFI issue even requires a UEFI-specific code workaround - shouldn't a config like this [1] avoid the problems, no code workaround needed?

MZ

[1]
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
pxe-prompt=tag:!efi-x86_64,"dnsmasq PXE menu"
pxe-service=7,...
pxe-service=9,...

On Sun, 19 Jan 2020 at 21:45, Geert Stappers wrote:
>
> On Sun, Jan 19, 2020 at 08:33:54PM +0100, P W wrote:
> > On Sun, Jan 19, 2020 at 07:30:44PM +0100, Michal Zatloukal wrote:
> > > On Wed, 8 Jan 2020 at 00:16, Michal Zatloukal wrote:
> > > >
> > > > In the meantime, I tried a simpler case [1] of UEFI PXE services
> > > > config, which I confirmed to work.
> > > >
> > > > I intended to replace my config with this and work up towards the
> > > > fancier tag-operated version, but made a wrong assumption and _added_
> > > > the trivial config to existing set of config files (adding .bak to the
> > > > filename didn't stop the original from being loaded). Strangely, now
> > > > option 43 contained all services for CSA 7 - both conditional, and
> > > > unconditional ones, which were previously missing. This actually
> > > > happens even when the new config file is reduced to a single,
> > > > unconditional pxe-service line. That's not how this should work, or is
> > > > it? Is there a particular order to these pxe-* config options? IMHO
> > > > the fact that only the menu items are missing, but prompt is sent,
> > > > should indicate that setting tags is correct.
> > > >
> > > > I'll do from-the-ground-up experiment soon, hopefully finding at which
> > > > point dnsmasq stops sending the boot options.
> > > >
> > > > Cheers,
> > > > MZ
> > > >
> > > > [1]
> > > > # Commented out to use my existing config, must be included if using
> > > > standalone.
> > > > #dhcp-range=10.0.0.10,10.0.0.240,2h
> > > > #log-dhcp
> > > > #tftp-root=/tftpboot
> > > > #dhcp-no-override
> > > > pxe-prompt="dnsmasq menu"
> > > > pxe-service=0, "Boot BIOS PXElinux", bios/pxelinux
> > > > pxe-service=0, "Boot BIOS iPXE", ipxe/undionly.kpxe
> > > > pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
> > > > pxe-service=7, "Other item CSA 7",etc/other.efi
> > > > pxe-service=9, "Boot UEFI CSA 9", efi64/syslinux.efi
> > > > pxe-service=9, "Other item CSA 9",etc/other.efi
> > > > pxe-service=0, "Exit menu"
> > > > pxe-service=7, "Exit menu"
> > > > pxe-service=9, "Exit menu"
> > >
> > > Finally got to troubleshoot this today...
> > > The issue arises when there's only a single "proper" pxe-service
> > > configured (one that actually has a boot-filename defined). Is this
> > > expected?
> > >
> > > So this works:
> > > pxe-prompt="dnsmasq menu"
> > > pxe-service=7, "
Re: [Dnsmasq-discuss] pxe-service line for UEFI system?
Finally got to troubleshoot this today...
The issue arises when there's only a single "proper" pxe-service configured (one that actually has a boot-filename defined). Is this expected?

So this works:
pxe-prompt="dnsmasq menu"
pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
pxe-service=7, "Other item CSA 7",etc/other.efi
pxe-service=7, "Exit menu"

But this does not:
pxe-prompt="dnsmasq menu"
pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
pxe-service=7, "Exit menu"

Cheers,
MZ

On Wed, 8 Jan 2020 at 00:16, Michal Zatloukal wrote:
>
> In the meantime, I tried a simpler case [1] of UEFI PXE services
> config, which I confirmed to work.
>
> I intended to replace my config with this and work up towards the
> fancier tag-operated version, but made a wrong assumption and _added_
> the trivial config to existing set of config files (adding .bak to the
> filename didn't stop the original from being loaded). Strangely, now
> option 43 contained all services for CSA 7 - both conditional, and
> unconditional ones, which were previously missing. This actually
> happens even when the new config file is reduced to a single,
> unconditional pxe-service line. That's not how this should work, or is
> it? Is there a particular order to these pxe-* config options? IMHO
> the fact that only the menu items are missing, but prompt is sent,
> should indicate that setting tags is correct.
>
> I'll do from-the-ground-up experiment soon, hopefully finding at which
> point dnsmasq stops sending the boot options.
>
> Cheers,
> MZ
>
> [1]
> # Commented out to use my existing config, must be included if using
> standalone.
> #dhcp-range=10.0.0.10,10.0.0.240,2h
> #log-dhcp
> #tftp-root=/tftpboot
> #dhcp-no-override
> pxe-prompt="dnsmasq menu"
> pxe-service=0, "Boot BIOS PXElinux", bios/pxelinux
> pxe-service=0, "Boot BIOS iPXE", ipxe/undionly.kpxe
> pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
> pxe-service=7, "Other item CSA 7",etc/other.efi
> pxe-service=9, "Boot UEFI CSA 9", efi64/syslinux.efi
> pxe-service=9, "Other item CSA 9",etc/other.efi
> pxe-service=0, "Exit menu"
> pxe-service=7, "Exit menu"
> pxe-service=9, "Exit menu"
Re: [Dnsmasq-discuss] variable with value me
Not sure about dnsmasq, but if you're using iPXE, you can use ${dhcp-server}:

dhcp-boot=tag:ipxe,"http://${dhcp-server}/shared/scripts/main.ipxe";

MZ

On Sat, 11 Jan 2020 at 11:06, Geert Stappers wrote:
>
>
> Hi,
>
> In dnsmasq configuration file I have
>
> dhcp-boot=tag:ipxe,http://172.16.1.2/networkboot/shi/selector.ipxe
>
> Is there a variable like "me"?
> And "me" having value of the IP-address of the interface
> that is handing-out the requested DHCP information.
>
> It is to make
> dhcp-boot=tag:ipxe,http://@me/networkboot/shi/selector.ipxe
> possible
>
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven
Re: [Dnsmasq-discuss] pxe-service line for UEFI system?
In the meantime, I tried a simpler case [1] of UEFI PXE services config, which I confirmed to work.

I intended to replace my config with this and work up towards the fancier tag-operated version, but made a wrong assumption and _added_ the trivial config to existing set of config files (adding .bak to the filename didn't stop the original from being loaded). Strangely, now option 43 contained all services for CSA 7 - both conditional, and unconditional ones, which were previously missing. This actually happens even when the new config file is reduced to a single, unconditional pxe-service line. That's not how this should work, or is it? Is there a particular order to these pxe-* config options? IMHO the fact that only the menu items are missing, but prompt is sent, should indicate that setting tags is correct.

I'll do from-the-ground-up experiment soon, hopefully finding at which point dnsmasq stops sending the boot options.

Cheers,
MZ

[1]
# Commented out to use my existing config, must be included if using standalone.
#dhcp-range=10.0.0.10,10.0.0.240,2h
#log-dhcp
#tftp-root=/tftpboot
#dhcp-no-override
pxe-prompt="dnsmasq menu"
pxe-service=0, "Boot BIOS PXElinux", bios/pxelinux
pxe-service=0, "Boot BIOS iPXE", ipxe/undionly.kpxe
pxe-service=7, "Boot UEFI CSA 7", efi64/syslinux.efi
pxe-service=7, "Other item CSA 7",etc/other.efi
pxe-service=9, "Boot UEFI CSA 9", efi64/syslinux.efi
pxe-service=9, "Other item CSA 9",etc/other.efi
pxe-service=0, "Exit menu"
pxe-service=7, "Exit menu"
pxe-service=9, "Exit menu"
Re: [Dnsmasq-discuss] IPv6 configuration for Android clients
Last time I checked, Android doesn't do DHCP6 (at all, even if instructed with M/O bits in RA). Either way, IMHO you should first be looking for RTR-SOLICIT and RTR-ADVERT log messages. The solicitation and advertisement packets themselves should be relatively easy to find in a pcap capture with "icmp6" filter. If you don't get anything in pcap (captured at the dnsmasq end) while toggling WiFi on the android device on and off, then something is blocking/breaking multicast.

MZ

On Tue, 7 Jan 2020 at 11:43, Geert Stappers wrote:
>
>
> On 07-01-2020 03:52, Juha Heinanen wrote:
> > In order to support IPv6 address allocation to Android clients I have
> > tried to extend default Debian NetworkManager Wifi hotspot dnsmasq
> > configuration:
> >
> > 18240 ?S 0:00 /usr/sbin/dnsmasq --conf-file=/dev/null
> > --no-hosts --keep-in-foreground --bind-interfaces --except-interface=lo
> > --clear-on-reload --strict-order --listen-address=10.42.0.1
> > --dhcp-range=10.42.0.10,10.42.0.254,60m --dhcp-lease-max=50
> > --dhcp-leasefile=/var/lib/NetworkManager/dnsmasq-wlp1s0.leases
> > --pid-file=/run/nm-dnsmasq-wlp1s0.pid
> > --conf-dir=/etc/NetworkManager/dnsmasq-shared.d
> >
> > with file local.conf in /etc/NetworkManager/dnsmasq-shared.d:
> >
> > enable-ra
> > dhcp-range=::,constructor:wlp1s0,ra-names,slaac,infinite
> > dhcp-authoritative
> > log-dhcp
> >
> > Interface wlp1s0 has these addresses:
> >
> > wlp1s0: flags=4163 mtu 1500
> > inet 10.42.0.1 netmask 255.255.255.0 broadcast 10.42.0.255
> > inet6 fe80::14c0:c516:36cb:8b44 prefixlen 64 scopeid 0x20
> > inet6 2001:db8:0:1::1 prefixlen 64 scopeid 0x0
>
> That seems to be output of `ifconfig wlp1s0`.
>
> Advice: use `ip address show dev wlp1s0` or shorthand `ip a sh dev
> wlp1s0`. Because `ifconfig` is not in pace with kernel development,
> `ip` is.
>
>
> > When I start dnsmasq, I get to syslog:
> >
> > Jan 7 04:46:10 char NetworkManager[18816]: [1578365170.5750]
> > dnsmasq-manager: starting dnsmasq...
> > Jan 7 04:46:10 char dnsmasq[18847]: started, version 2.80 cachesize 150
> > Jan 7 04:46:10 char dnsmasq[18847]: compile time options: IPv6 GNU-getopt
> > DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC
> > loop-detect inotify dumpfile
> > Jan 7 04:46:10 char dnsmasq[18847]: chown of PID file
> > /run/nm-dnsmasq-wlp1s0.pid failed: Operation not permitted
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: DHCP, IP range 10.42.0.10 --
> > 10.42.0.254, lease time 1h
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: DHCPv4-derived IPv6 names on
> > wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: router advertisement on wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: DHCPv4-derived IPv6 names on
> > 2001:db8:0:1::, constructed for wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: router advertisement on
> > 2001:db8:0:1::, constructed for wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: IPv6 router advertisement enabled
> > Jan 7 04:46:10 char dnsmasq[18847]: no servers found in /etc/resolv.conf,
> > will retry
> > Jan 7 04:46:10 char dnsmasq[18847]: cleared cache
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: router advertisement on
> > 2001:db8:0:1::, old prefix for wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: DHCPv4-derived IPv6 names on
> > 2001:db8:0:1::, constructed for wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: router advertisement on
> > 2001:db8:0:1::, constructed for wlp1s0
> > Jan 7 04:46:10 char dnsmasq-dhcp[18847]: router advertisement on
> > 2001:db8:0:1::, old prefix for wlp1s0
> >
> > When I connect my Android device to this hotspot, I get to syslog:
> >
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 available DHCP range:
> > 10.42.0.10 -- 10.42.0.254
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 vendor class:
> > android-dhcp-9
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 DHCPDISCOVER(wlp1s0)
> > a8:3e:0e:ab:65:dd
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 tags: wlp1s0
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 DHCPOFFER(wlp1s0)
> > 10.42.0.214 a8:3e:0e:ab:65:dd
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 requested options:
> > 1:netmask, 3:router, 6:dns-server, 15:domain-name,
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 requested options:
> > 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 requested options:
> > 59:T2, 43:vendor-encap
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 next server: 10.42.0.1
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 sent size: 1 option:
> > 53 message-type 2
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 sent size: 4 option:
> > 54 server-identifier 10.42.0.1
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 sent size: 4 option:
> > 51 lease-time 1h
> > Jan 7 04:51:11 char dnsmasq-dhcp[18847]: 4061430237 sent
[Dnsmasq-discuss] pxe-service line for UEFI system?
Hi. I'm putting together a "booting section" for my config, where I want to provide various boot images, according to the machine architecture provided by the client. As I understand the pxe-service functionality, there are 2 ways to netboot:
- either provide bootfile-name (67), which the client downloads immediately and executes, or
- provide pxe menu, (prompt, items), within option 43, client makes a selection, DHCP provides filename for the selected item, and from there it's the same as the above.

The config (attached below [1]) works fine for PC-BIOS, but I just can't get dnsmasq to provide any PXE menu items to X86-64_EFI clients. Tried the CSA keyword (X86-64_EFI), integer (7), removed the skipmenu tag filter, commented out all pxe options specific to other architectures, nada. For the UEFI client (using vmware VM), the provided option 43 only contains the prompt suboption, and end character (the VM doesn't display anything and just goes back to boot menu, but that's down to their PXE ROM, I assume). Double-checked CSA provided by the client, it is indeed 7 (+ PXEClient:Arch:7:UNDI:003016 in VendorClass). What am I missing?

The dnsmasq instance is a full DHCP server, not just proxy. I can private-message the full config if you need it. I'm on ubuntu-provided version 2.80-1ubuntu2.

Cheers,
MZ

[1]
# set custom tag for matching architectures - used for option that don't have implicit filtering
dhcp-match=set:efi-arm64,option:client-arch,11
dhcp-match=set:efi-arm32,option:client-arch,10
dhcp-match=set:efi-x86_64,option:client-arch,7
dhcp-match=set:efi-x86_64,option:client-arch,9
dhcp-match=set:efi-x86,option:client-arch,6
dhcp-match=set:bios,option:client-arch,0

# iPXE will make a 2nd DHCP request with custom user class - this is where we provide path for script to run
dhcp-userclass=set:ipxe,iPXE

## Script for iPXE
dhcp-boot=tag:ipxe,"http://${dhcp-server}/shared/scripts/main.ipxe";

# Don't offer menu to ipxe- or directboot-tagged requests
#tag-if=set:directboot,tag:vmware
tag-if=set:skipmenu,tag:ipxe
tag-if=set:skipmenu,tag:directboot

# Directboot mappings
dhcp-boot=tag:bios,tag:skipmenu,tag:!ipxe,ipxe/undionly.kpxe
dhcp-boot=tag:efi-x86_64,tag:skipmenu,tag:!ipxe,ipxe/ipxe.efi

# ...or go through a menu
pxe-prompt=tag:!skipmenu,"Where do you want to go today?"

# Common menu
pxe-service=tag:!skipmenu,x86PC,"Boot from local disk"
pxe-service=tag:!skipmenu,X86-64_EFI,"Boot from local disk"

# BIOS menu
pxe-service=tag:!skipmenu,x86PC,"Raspberry Pi - pxelinux",bios/pxelinux.0
pxe-service=tag:!skipmenu,x86PC,"Raspberry Pi - ipxe - kpxe",ipxe/undionly.kpxe
pxe-service=tag:!skipmenu,x86PC,"Raspberry Pi - ipxe - kkpxe",ipxe/undionly.kkpxe

# UEFI menu
pxe-service=tag:!skipmenu,X86-64_EFI,"Raspberry Pi - ipxe - UEFI",ipxe/ipxe.efi

## Add custom DHCP option for iPXE - extra options for clonezilla cmdline
dhcp-option-force=tag:nd1,tag:ipxe,129,"live-netdev=eth1"
dhcp-option-force=tag:nd0,tag:ipxe,129,"live-netdev=eth0"
[Dnsmasq-discuss] dnsmasq can be tricked to send invalid RAs
Hello. I recently decided to move my dnsmasq+6in4 tunnel setup from Raspbian to the latest Ubuntu. To keep a long story short, after some (mis)configuration I ended up with an interface with an IPv6 GUA, but with no LLA [0] (a bug/oversight in netplan, I guess [1]). dnsmasq does not protest this and will send RAs sourced with GUA, which will fail validation according to RFC 4861, section 6.1.2. Not really a problem for my case (AFAIK, an interface should never lose/stay without its LLA), just thought you should know.

Cheers,
MZ

[0] Should be reproducible by:
ip addr add dev 2001:db8::1/64
ip -6 addr flush dev scope link
Then for dnsmasq config, use
dhcp-range=::,constructor:,ra-names

[1] https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/1810971
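The failure described above is silent on the server side, so it helps to have the receiver's view. The following is an added example, my own code rather than anything from the report or from dnsmasq: the RFC 4861 section 6.1.2 checks a host applies before accepting an RA, plus a pre-flight check that reads `ip -6 addr show dev X` output for a link-local source address. The interface output is constructed, and the fallback to the global address when no link-local exists models what the report observed, not documented dnsmasq behaviour.

```python
"""RFC 4861 6.1.2 receiver checks for a Router Advertisement, plus a pre-flight
check of an interface's addresses for a usable link-local RA source."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

RA_MIN_LENGTH = 16              # octets: ICMPv6 header plus the fixed RA fields


@dataclass
class RouterAdvert:
    src: str                    # IPv6 source address of the packet
    hop_limit: int              # IPv6 Hop Limit field
    icmp_code: int
    icmp_length: int            # length of the ICMPv6 message in octets
    option_lengths: List[int]   # Length field of each ND option (units of 8 octets)
    checksum_ok: bool = True


def ra_rejection_reasons(ra: RouterAdvert) -> List[str]:
    """Every check from RFC 4861 6.1.2; a host silently discards the RA if any fails."""
    reasons = []
    src = ipaddress.IPv6Address(ra.src)
    if not src.is_link_local:
        reasons.append("source %s is not link-local" % src)
    if ra.hop_limit != 255:
        reasons.append("hop limit is %d, not 255" % ra.hop_limit)
    if not ra.checksum_ok:
        reasons.append("bad ICMPv6 checksum")
    if ra.icmp_code != 0:
        reasons.append("ICMP code is %d, not 0" % ra.icmp_code)
    if ra.icmp_length < RA_MIN_LENGTH:
        reasons.append("ICMP length %d is below %d octets" % (ra.icmp_length, RA_MIN_LENGTH))
    if any(n == 0 for n in ra.option_lengths):
        reasons.append("an ND option has length zero")
    return reasons


_INET6_LINE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)")


def link_local_source(ip_addr_output: str) -> Optional[str]:
    """Pick the address an RA must be sourced from, given `ip -6 addr show dev X` text.
    Returns None when the interface has no link-local address at all."""
    for line in ip_addr_output.splitlines():
        m = _INET6_LINE.match(line)
        if m and m.group(3) == "link":
            return m.group(1)
    return None


# Constructed sample output resembling the misconfigured interface from the report:
# a global address is present, the link-local one was flushed.
SAMPLE_NO_LLA = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::1/64 scope global
       valid_lft forever preferred_lft forever
"""
SAMPLE_WITH_LLA = SAMPLE_NO_LLA + """\
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
"""


def ra_from_interface(ip_addr_output: str) -> RouterAdvert:
    """Model the RA the server would emit: link-local source when one exists, otherwise
    the first inet6 address on the interface (the GUA-sourced case the report observed)."""
    src = link_local_source(ip_addr_output)
    if src is None:
        src = next(m for m in map(_INET6_LINE.match, ip_addr_output.splitlines()) if m).group(1)
    # 16 octets of RA header plus one 32-octet Prefix Information option (length 4).
    return RouterAdvert(src=src, hop_limit=255, icmp_code=0, icmp_length=48, option_lengths=[4])


if __name__ == "__main__":
    for label, text in (("without LLA", SAMPLE_NO_LLA), ("with LLA", SAMPLE_WITH_LLA)):
        print(label, ra_rejection_reasons(ra_from_interface(text)) or "accepted")
```

Running `link_local_source` on the real interface before starting dnsmasq with `enable-ra` catches the netplan case before any client ever sees a discarded RA.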
Re: [Dnsmasq-discuss] IPv6 setup for internal network
Whoops, some of my example config was wrong.

ra-param=eth0,mtu:6in4,60
# "0" would disable periodic sending, and Apple's OSes would drop the address without soliciting for the router again.

MZ

On Mon, 5 Aug 2019 at 22:40, Michal Zatloukal wrote:
>
> Hi there.
>
> On Fri, 2 Aug 2019 at 18:21, Knud wrote:
> >
> > Hi
> >
> > I have tried to get IPv6 setup running for my internal LAN (at home)
> >
> > With a lot of tries and no real luck.
> >
> > What do I want:
> >
> > Have dnsmasq running on a server (Linux fedora f30), do IPv6 DHCP/DNS
> > with local names.
>
> Where is the DHCPv4 server running? ra-names assumes the same instance
> of dnsmasq is running both DHCPv4 and v6.
> Personally, I haven't been able to get local names to work with IPv6
> even in that configuration. The assumption of hosts using EUI-64 is
> not met too often these days.
>
> > Want to proceed that for IPv6, let my router make a IPv6 tunnel to a HE
> > tunnelbroker.
>
> Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs
> must be sent by the host acting as the gateway, there's no way around
> this in IPv6 AFAIK. You must configure the gateway's RAs to enable
> clients to look for DHCPv6 server (M, O bits set to 1).
>
> >
> > Right now I have made a test setup consisting of 2 Vbox guest (Fedora
> > F30) running in internal network on the Vbox host just to get things
> > working and learn.
> >
> > So first step is get dnsmasq hand out a IP address and register it in
> > the DNS.
>
> Hold it - Do you have an address from the specified range (fd17:...)
> manually assigned to the interface on the DHCP server? (Not sure if
> it's necessary, but that's what I did) - if you don't, I could see how
> dnsmasq would consider the range non-local (see below)
>
> > 1st problem: Client gets correct address from dnsmasq but not the right
> > mask eg. it gets an IP /128
> > enable-ra is there
>
> IIRC "/128" happens when the prefix is not flagged as on-link in its
> options. Check the advertisements with tcpdump/wireshark/rdisc6. As
> for cause, your config doesn't specify prefix length so the correct
> length must be set on the interface.
>
> > 2nd problem: Client gets DNS ip from the fe80:: address range
>
> If you mean "the DNS server address the client gets is in the
> fe80::/10 range", then this is normal.
>
> > 3rd problem: the address which registered in the dns is the fe80:: address
>
> Not sure where this comes from (are you sure this is provided by
> dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual
> correctly - ra-names is only intended for SLAAC-enabled networks, and even
> then only works with hosts that don't do private interface
> identifiers. So you won't get name resolution to your fd17... range
> regardless. Just to check - set log-queries and see if it's actually
> dnsmasq responding to the query. The leases file might also be
> helpful.
>
> > I could write a long story about what I have tried
> >
> > Please advise..
>
> OK. From your config:
>
> > dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names
>
> According to the manual, omitting the prefix length will cause dnsmasq
> to use prefixlen of the interface. As noted above - is this set?
>
> As for me - I'm still on debian with ifupdown, so I do it this way (my
> HE tunnel endpoint is on a host behind NAT, rather than on the v4
> router, but that host also does DHCPv4 so I can do ra-names; 6in4
> requires that router is configured to treat this host as DMZ):
>
> 1. /e/n/i for eth0:
> iface eth0 inet static
> ... # Private IPv4 config
> up ifup 6in4
> down ifdown 6in4
> iface eth0 inet6 manual
>
> 2. /e/n/i for the tunnel:
> iface 6in4 inet6 v4tunnel
> ... # Endpoint addresses
> up ip route add ::/0 dev 6in4
> up ip add add 2001:.../64 dev eth0 # internal ip6 range
> down ip route del ::/0 dev 6in4
> down ip add del 2001:../64 dev eth0
>
> 3. dnsmasq for v6:
> dhcp-range=::,constructor:eth0,ra-names
> ra-param=eth0,mtu:6in4,0
>
> I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google
> search results suggest a range like this should get you going:
> dhcp-range=::1, :::, constructor:br*, 64, 12h
>
> I would suggest you start with the easier SLAAC setup, then tweak it
> once you have that running.
>
> MZ
>
> > Knud
Re: [Dnsmasq-discuss] IPv6 setup for internal network
Hi there. On Fri, 2 Aug 2019 at 18:21, Knud wrote: > > Hi > > I have tried to get IPv6 setup running for my internal LAN (at home) > > With a lot of tries and no really luck. > > What do I want: > > Have dnsmasq running on a server (Linux fedora f30), do Ipv6 DHCP/DNS > with local names. Where is the DHCPv4 server running? ra-names assumes the same instance of dnsmasq is running both DHCPv4 and v6. Personally, I haven't been able to get local names to work with IPv6 even in that configuration. The assumption of hosts using EUI-64 is not met too often these days. > Want to proceed that for IPv6, let my router make a IPv6 tunnel to a HE > tunnelbrooker. Are server (DHCPv6) and router (6-in-4 tunnel) 2 different hosts? RAs must be sent by the host acting as the gateway, there's no way around this in IPv6 AFAIK. You must configure the gateways's RAs to enable clients to look for DHCPv6 server (M, O bits set to 1). > > Right now I how made a test setup consisting of 2 Vbox guest (Fedora > F30) running in internal network on the Vbox host just to get things > working and learn. > > So first step is get dnsmasq hand out a IP address and register it in > the DNS. Hold it - Do you have an address from the specified range (fd17:...) manually assigned to the interface on the DHCP server? (Not sure if it's necessary, but that's what I did) - if you don't, I could see how dnsmasq would consider the range non-local (see below) > 1st problem: Client get correct address from dnsmasq but not the right > mask eg. it get's an IP /128 > enable-ra is there IIRC "/128" happens when the prefix is not flagged as on-link in its options. Check the advertisements with tcpdump/wireshark/rdisc6. As for cause, you config doesn't specify prefix length so the correct length must be set on the interface. > 2nd problem: Client get DNS ip from the fe80:: adress range If you mean "the DNS server address the client gets is in the fe80::/10 range", then this is normal. 
> 3rd problem: the address which is registered in the DNS is the fe80:: address

Not sure where this comes from (are you sure this is provided by dnsmasq, rather than avahi/mDNS/LLMNR?). If I'm reading the manual correctly - ra-names is only intended for SLAAC-enabled networks, and even then only works with hosts that don't do private interface identifiers. So you won't get name resolution to your fd17... range regardless. Just to check - set log-queries and see if it's actually dnsmasq responding to the query. The leases file might also be helpful.

> I could write a long story about what I have tried
>
> Please advise..

OK. From your config:

> dhcp-range=fd17:625c:f037:a80f::10, fd17:625c:f037:a80f::, ra-names

According to the manual, omitting the prefix length will cause dnsmasq to use the prefixlen of the interface. As noted above - is this set?

As for me - I'm still on debian with ifupdown, so I do it this way (my HE tunnel endpoint is on a host behind NAT, rather than on the v4 router, but that host also does DHCPv4 so I can do ra-names; 6in4 requires that the router is configured to treat this host as DMZ):

1. /e/n/i for eth0:

    iface eth0 inet static
        ... # Private IPv4 config
        up ifup 6in4
        down ifdown 6in4
    iface eth0 inet6 manual

2. /e/n/i for the tunnel:

    iface 6in4 inet6 v4tunnel
        ... # Endpoint addresses
        up ip route add ::/0 dev 6in4
        up ip add add 2001:.../64 dev eth0 # internal ip6 range
        down ip route del ::/0 dev 6in4
        down ip add del 2001:../64 dev eth0

3. dnsmasq for v6:

    dhcp-range=::,constructor:eth0,ra-names
    ra-param=eth0,mtu:6in4,0

I'm not sure how/if dnsmasq can do DHCPv6-only assignment, but google search results suggest a range like this should get you going:

    dhcp-range=::1, :::, constructor:br*, 64, 12h

I would suggest you start with the easier SLAAC setup, then tweak it once you have that running.
MZ

> Knud

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
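The diagnosis in the reply above (a /128 comes from a prefix advertised without the on-link flag; clients only go looking for a DHCPv6 server when the M/O bits are set) can be checked against a captured Router Advertisement. The following is an added example, not code from dnsmasq or from anyone in the thread: a small decoder for the ICMPv6 RA header and its Prefix Information options, plus a function that turns the decoded flags into the symptoms discussed. The two packets it decodes are constructed inline for illustration (the fd17: prefix is the one from Knud's config, the rest of the values are made up); on a real network you would feed it the ICMPv6 payload from a tcpdump/wireshark capture.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861) and report the flags that
decide how a client configures itself: M/O on the RA, and L (on-link) and
A (autonomous / SLAAC) on each Prefix Information option.

Added example, not part of dnsmasq.  The packets below are built by hand for
illustration, not captured from the network discussed in the thread.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # ND option type: Prefix Information


def parse_router_advertisement(icmp6: bytes) -> dict:
    """Parse the ICMPv6 payload of an RA.  Returns M/O flags, the router
    lifetime and a list of prefix options.  Raises ValueError if the bytes are
    not a well-formed RA (wrong type, truncated, zero-length option)."""
    if len(icmp6) < 16:
        raise ValueError("too short for a Router Advertisement")
    msg_type, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp6[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),   # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),     # O: get other config (DNS etc.) from DHCPv6
        "router_lifetime": lifetime,     # 0 means "not a default router"
        "prefixes": [],
    }
    off = 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")   # RFC 4861 4.6: length 0 is invalid
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", icmp6[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),      # L: hosts treat the prefix as on-link
                "autonomous": bool(pflags & 0x40),   # A: hosts may form a SLAAC address
                "valid": valid,
                "preferred": preferred,
            })
        off += opt_len   # unknown options are skipped, as RFC 4861 requires
    return ra


def diagnose(ra: dict) -> list:
    """Map the decoded flags to the symptoms seen in the thread."""
    notes = []
    if not (ra["managed"] or ra["other"]):
        notes.append("M and O both clear: clients will not contact a DHCPv6 server")
    for p in ra["prefixes"]:
        if not p["on_link"]:
            notes.append(f"{p['prefix']} not on-link: hosts keep a /128 and send on-link traffic via the router")
        if not p["autonomous"]:
            notes.append(f"{p['prefix']} not autonomous: no SLAAC address from this prefix")
    return notes


def build_ra(flags: int, prefix: str, plen: int, pflags: int) -> bytes:
    """Build a minimal RA with one Prefix Information option.  The checksum is
    left zero because this is parser input, not a packet to put on the wire."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


# Constructed sample: M+O set, prefix on-link and autonomous (what a working
# dnsmasq enable-ra setup sends).
GOOD_RA = build_ra(0xC0, "fd17:625c:f037:a80f::", 64, 0xC0)
# Constructed sample: same prefix but the L bit is clear -> the /128 symptom.
NO_ONLINK_RA = build_ra(0xC0, "fd17:625c:f037:a80f::", 64, 0x40)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("no-onlink", NO_ONLINK_RA)):
        decoded = parse_router_advertisement(pkt)
        print(name, decoded, diagnose(decoded) or "no problems found")
```

To run it on real traffic, extract the ICMPv6 payload (everything after the IPv6 header) of a type-134 packet from a capture and pass those bytes to parse_router_advertisement(); rdisc6 prints the same flags in text form if you only need a quick look.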
Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4
Thanks Vladislav - indeed, when I list these memberships and launch dnsmasq with enable-ra, the membership for ff02::2 appears. Still, there's no response from dnsmasq to incoming solicitation packets. If there indeed should be a response in this scenario, then perhaps I'm observing a bug? As soon as I remove the listen-address and bind-interfaces options, dnsmasq responds to solicitation correctly.

Cheers,
MZ

On 17 July 2015 at 15:13, Vladislav Grishenko wrote:
> Hi Michal
> Use netstat -g to display multicast group memberships
>
> Best Regards, Vladislav Grishenko
>
>> -----Original Message-----
>> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Michal Zatloukal
>> Sent: Friday, July 17, 2015 5:01 PM
>> To: dnsmasq-discuss@lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4
>>
>> I'm not sure what you mean - what exactly should I have in the configuration?
>> Is there a way to check, if the correct multicast address is being bound to?
>> netstat -tupan doesn't show any multicast addresses.
>>
>> MZ
>>
>> On 16 July 2015 at 19:49, Simon Kelley wrote:
>> > Dnsmasq needs to advertise the global address, I think. Receiving RAs
>> > shouldn't be a problem, dnsmasq binds the correct multicast address.
>> >
>> > Cheers,
>> >
>> > Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4
I'm not sure what you mean - what exactly should I have in the configuration?
Is there a way to check, if the correct multicast address is being bound to?
netstat -tupan doesn't show any multicast addresses.

MZ

On 16 July 2015 at 19:49, Simon Kelley wrote:
> Dnsmasq needs to advertise the global address, I think. Receiving RAs
> shouldn't be a problem, dnsmasq binds the correct multicast address.
>
> Cheers,
>
> Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] IPv6 RA issues when bound to IPv4
Hi all,

I'm using dnsmasq (2.68-1ubuntu0.1) on a machine where the need to run tftpd-hpa along with dnsmasq's own tftp server has arisen (both on just IPv4). I decided to use the "secondary IP address" feature in the Linux networking system to bind tftpd-hpa to the secondary IP address, and set up dnsmasq to bind the following:
- primary IPv4 address
- localhost IPv4
- For IPv6, I put in localhost, global and link-local addresses.

IIUC, RA can't work in this config, since the destination on RS is multicast ff02::2 and therefore they aren't delivered to any of the sockets opened by dnsmasq.

Now, which IPv6 address do I enter so that IPv6 router announcements work correctly? (Is it even possible?)
- adding ff02::2 doesn't work, dnsmasq reports an error in syslog - cannot bind to this address.
- replacing all IPv6 addresses with "::" allows dnsmasq to start and bind to wildcard IPv6, but it seems incoming RS packets are ignored - nothing appears in syslog when clients send solicitation. Is the filtering code in dnsmasq perhaps not expecting a wildcard address in the listen-address parameter and filters packets against it?

Regards,
MZ

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
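The check Vladislav suggests earlier in this thread (netstat -g) and the point made in this original message, that a Router Solicitation is addressed to ff02::2 and so never reaches a socket that is only bound to unicast addresses, both come down to one question: is the all-routers group joined on the interface the daemon serves? As an added example that is not part of the thread or of dnsmasq, the script below parses the /proc/net/igmp6 table that netstat -g and ip -6 maddr draw from on Linux and reports which interfaces are members of a group. SAMPLE is constructed text in that layout, not output from the machine discussed; read_igmp6() is the only function that touches the live file, and only when you call it.

```python
"""Report which interfaces have joined an IPv6 multicast group, using the
/proc/net/igmp6 layout that `netstat -g` and `ip -6 maddr` read on Linux.

A Router Solicitation is sent to ff02::2 (all-routers).  A daemon that is not
a member of that group on an interface never receives the RS there, no matter
how many unicast addresses it has bound.

Added example, not dnsmasq's own code.  SAMPLE is constructed text in the
/proc/net/igmp6 format (ifindex, ifname, 32 hex digits of address, user
count, flags, timer), not real output.
"""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")

# Constructed sample: eth0 has joined all-routers (as a router daemon would),
# eth1 has only the memberships every IPv6 host gets automatically.
SAMPLE = """\
1    lo              ff020000000000000000000000000001     1 0000000C 0
2    eth0            ff020000000000000000000000000001     1 0000000C 0
2    eth0            ff0200000000000000000001ff123456     1 00000004 0
2    eth0            ff020000000000000000000000000002     1 00000004 0
3    eth1            ff020000000000000000000000000001     1 0000000C 0
3    eth1            ff0200000000000000000001ffabcdef     1 00000004 0
"""


def parse_igmp6(text):
    """Yield (ifname, group, users) tuples from /proc/net/igmp6 text.
    Raises ValueError on a line that does not fit the table format."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 4 or len(parts[2]) != 32:
            raise ValueError(f"line {lineno}: not in /proc/net/igmp6 format: {line!r}")
        ifname, hexaddr, users = parts[1], parts[2], int(parts[3])
        # The address column is the raw 16 bytes printed as hex, no colons.
        yield ifname, ipaddress.IPv6Address(bytes.fromhex(hexaddr)), users


def members_of(text, group=ALL_ROUTERS):
    """Sorted list of interfaces on which `group` is joined by at least one user."""
    return sorted({ifn for ifn, g, users in parse_igmp6(text) if g == group and users > 0})


def can_receive_rs(text, iface):
    """True if a Router Solicitation arriving on `iface` can be delivered
    to a local socket at all (the all-routers group is joined there)."""
    return iface in members_of(text, ALL_ROUTERS)


def read_igmp6(path="/proc/net/igmp6"):
    """Read the live table (Linux only); returns the raw text for the parsers above."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        print(f"{iface}: all-routers joined = {can_receive_rs(SAMPLE, iface)}")
```

On the machine from the thread you would run members_of(read_igmp6()) before and after starting dnsmasq with enable-ra; the interface appearing in the list confirms the group join that was reported, and narrows the remaining problem to what dnsmasq does with the packet after the kernel delivers it.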