Re: [Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-05 Thread Petr Menšík
Hi William,

I think priority is correct here. Well observed!

On 10/2/21 13:55, William Edwards wrote:
> Jochen Demmer via Dnsmasq-discuss wrote on 2021-10-02 10:28:
>> Hi,
>>
>> I've been trying to develop my own kind of firewall solution named
>> nftwall which uses nftables as packet filter and is being managed
>> centrally by Ansible - no webGUI.
>>
>> My first attempt was to use dnsmasq but then I found out of this
>> obstacle. I've been thinking about switching to KEA + radvd but
>> actually I would like to keep using dnsmasq.
>> I manage my VRRP IPs with keepalived. There are small scripts for an
>> event of a primary - secondary change. Especially in an event of
>> controlled switch of primary - secondary I would like the primary
>> dnsmasq to send a lifetime of 0 in the router advertisement package.
>> That way the clients know that this router shall not be used any more.
>
> No experience with RAs so far, but isn't that what the priority field
> is for?

Correct! ra-param already supports setting lifetime to 0, which should
work for your use case even without code change.

# server is not primary
ra-param=eth0,low,0,0     # should announce prefix without clients routing via it.
# server is primary
dhcp-authoritative
ra-param=eth0,high,0,600  # use on the elected primary router, make this route preferred.

Isn't switching those parameters on election change all you would need?

>
>>
>> Please confirm my findings that this is currently not possible with
>> dnsmasq. If so please accept my feature request to implement that.
>>
>> Regards
>> Jochen Demmer

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
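
A worked version of the switch Petr describes, added here as an example (it is not code from the thread or from the dnsmasq project): a keepalived notify script that renders the two ra-param states above for the current VRRP state and restarts dnsmasq so the new RA parameters take effect. The fragment path /etc/dnsmasq.d/90-ra-vrrp.conf, the interface eth0, the 600 s lifetime and the systemd unit name dnsmasq are assumptions; the ra-param and dhcp-authoritative lines are the ones from Petr's reply.

```shell
#!/bin/sh
# Added example, not code from the thread or the dnsmasq project: a keepalived
# notify script that writes the dnsmasq ra-param/dhcp-authoritative lines for
# the current VRRP state and restarts dnsmasq, as the reply above suggests.
# Assumed (not on the page): the fragment path, the interface name, the
# preferred-router lifetime and that dnsmasq runs as a systemd service.
CONF_FRAGMENT=${CONF_FRAGMENT:-/etc/dnsmasq.d/90-ra-vrrp.conf}
RA_IFACE=${RA_IFACE:-eth0}
RA_LIFETIME=${RA_LIFETIME:-600}

# render_ra_config STATE IFACE LIFETIME
# Prints the dnsmasq options for one VRRP state. The elected MASTER is the
# authoritative DHCP server and advertises itself as a high-preference default
# router; every other state keeps announcing the prefix but with a router
# lifetime of 0, so clients stop routing via this box.
render_ra_config() {
    state=$1
    iface=$2
    lifetime=$3
    case "$state" in
        MASTER)
            printf 'dhcp-authoritative\n'
            printf 'ra-param=%s,high,0,%s\n' "$iface" "$lifetime"
            ;;
        BACKUP|FAULT|STOP)
            printf 'ra-param=%s,low,0,0\n' "$iface"
            ;;
        *)
            printf 'unknown VRRP state: %s\n' "$state" >&2
            return 1
            ;;
    esac
}

# apply_vrrp_state STATE
# Writes the fragment atomically (rename, never a half-written file) and
# restarts dnsmasq, since ra-param is only read from the configuration.
apply_vrrp_state() {
    tmp="$CONF_FRAGMENT.tmp.$$"
    if ! render_ra_config "$1" "$RA_IFACE" "$RA_LIFETIME" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$CONF_FRAGMENT"
    systemctl restart dnsmasq
}

# keepalived calls notify scripts as: <GROUP|INSTANCE> <name> <state> <priority>.
# Only act when invoked that way, so the functions can be sourced and tested.
if [ $# -eq 4 ]; then
    apply_vrrp_state "$3"
fi
```

Hook it in with `notify /path/to/this-script` inside the keepalived `vrrp_instance` block. The check that the lifetime-0 advertisement actually reached the clients is done on a client, not the firewall: `ip -6 route show default` should stop listing the old MASTER's link-local address as a default route once the next RA arrives (before that, the `expires` value shows how long the stale route would otherwise survive).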


Re: [Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-05 Thread Petr Menšík
Hello Jochen,

I think it would need to be a more complex change.

On 10/4/21 13:04, Jochen Demmer via Dnsmasq-discuss wrote:
> Hi,
>
> I'm sorry for being unclear.
> There is a cluster of two firewalls (active passive).
> The clients use the link local address as their default gateway. I
> want to initialize a manual switch:
> The primary becomes secondary, the old secondary becomes primary.
I think dnsmasq does not implement DHCP failover in any sort of way. It
expects it is the only one DHCP server and maintains just its own lease
database, right? Wouldn't more complex support be required? It seems to
me such scenario might be better suited for enterprise grade DHCP
implementations, such as ISC Kea. It seems to me dnsmasq targets less
resourceful machines without router duplication environment.
>
> As the router advertisements for the clients contain a default route I
> would like to make adjustments. The default route is being published
> by providing clients with the link-local address of the firewall
> (whichever is primary).
> When there is such a controlled switch I would like to let the old
> primary send a router advertisement package to the clients with a
> lifetime of 0. This will signal the clients to not use this device any
> more.
> Next the new primary (formerly secondary) will start to advertise
> itself as the new default router.
I think it should also switch dhcp-authoritative flag. It is not only
about routes, but it should stop managing IP addresses, when different
instance is primary server, right? I think dnsmasq may receive signal to
switch state over d-bus for example. Then it should deactivate its own
dhcp-range and start sending lifetime 0 to indicate it is no longer the
preferred one. It would be much easier if dnsmasq would restart on such
change and configuration would change, correct?
>
> In this event I would like to have a trigger so that the designated
> primary sends such a 0 lifetime package. If I'm not mistaken such a
> feature is missing.
Dnsmasq seems to be able to send 0 lifetime. It does so in cases when
address range disappears on the router. I admit it is too radical to
remove address range to send it, if there might be other server better
suited for it. We could add dhcp-range=...,ra-inactive, which would send
lifetime==0 announcement for the duration of a lease, then stop it.
Similar to src/dhcp6.c:793 handling of removed addresses. May that work?
It would require dnsmasq restart after configuration change.
>
> AFAIK this is how pfSense handles such setups. They do use CARP but at
> that point it doesn't differ from a VRRP scenario.
>
> Regards
> Jochen
>
> On Saturday, October 02, 2021 13:17 CEST, Geert Stappers via
> Dnsmasq-discuss wrote:
>  
>> On Sat, Oct 02, 2021 at 10:28:16AM +0200, Jochen Demmer via
>> Dnsmasq-discuss wrote:
>> >
>> > Hi,
>>
>> Welcome,
>>
>>
>> > I've been trying to develop my own kind of firewall solution named
>> > nftwall which uses nftables as packet filter and is being managed
>> > centrally by Ansible - no webGUI.
>> >
>> > My first attempt was to use dnsmasq but then I found out of this
>> > obstacle. I've been thinking about switching to KEA + radvd but
>> actually
>> > I would like to keep using dnsmasq.
>> > I manage my VRRP IPs with keepalived. There are small scripts
>> > for an event of a primary - secondary change. Especially in an
>> > event of controlled switch of primary - secondary I would like the
>> > primary dnsmasq to send a lifetime of 0 in the router advertisement
>> > package. That way the clients know that this router shall not be used
>> > any more.
>>
>> What?
>>
>>
>> > Please confirm my findings that this is currently not possible with
>> > dnsmasq.
>> >
>> > If so please accept my feature request to implement that.
>>
>> Patches to this mailinglist do get noticed.
>>
>>
>>
>> Regards
>> Geert Stappers
>> --
>> Silence is hard to parse
>>
>
>
>
>  
>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


Re: [Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-04 Thread Jochen Demmer via Dnsmasq-discuss

Hi,

I'm sorry for being unclear.
There is a cluster of two firewalls (active passive).
The clients use the link local address as their default gateway. I want to 
initialize a manual switch:
The primary becomes secondary, the old secondary becomes primary.

As the router advertisements for the clients contain a default route I would 
like to make adjustments. The default route is being published by providing 
clients with the link-local address of the firewall (whichever is primary).
When there is such a controlled switch I would like to let the old primary send 
a router advertisement package to the clients with a lifetime of 0. This will 
signal the clients to not use this device any more.
Next the new primary (formerly secondary) will start to advertise itself as the 
new default router.

In this event I would like to have a trigger so that the designated primary 
sends such a 0 lifetime package. If I'm not mistaken such a feature is missing.

AFAIK this is how pfSense handles such setups. They do use CARP but at that 
point it doesn't differ from a VRRP scenario.

Regards
Jochen

On Saturday, October 02, 2021 13:17 CEST, Geert Stappers via
Dnsmasq-discuss wrote:
 On Sat, Oct 02, 2021 at 10:28:16AM +0200, Jochen Demmer via Dnsmasq-discuss 
wrote:
>
> Hi,

Welcome,


> I've been trying to develop my own kind of firewall solution named
> nftwall which uses nftables as packet filter and is being managed
> centrally by Ansible - no webGUI.
>
> My first attempt was to use dnsmasq but then I found out of this
> obstacle. I've been thinking about switching to KEA + radvd but actually
> I would like to keep using dnsmasq.
> I manage my VRRP IPs with keepalived. There are small scripts
> for an event of a primary - secondary change. Especially in an
> event of controlled switch of primary - secondary I would like the
> primary dnsmasq to send a lifetime of 0 in the router advertisement
> package. That way the clients know that this router shall not be used
> any more.

What?


> Please confirm my findings that this is currently not possible with
> dnsmasq.
>
> If so please accept my feature request to implement that.

Patches to this mailinglist do get noticed.



Regards
Geert Stappers
--
Silence is hard to parse



 


Re: [Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-02 Thread William Edwards

Jochen Demmer via Dnsmasq-discuss wrote on 2021-10-02 10:28:

Hi,

I've been trying to develop my own kind of firewall solution named
nftwall which uses nftables as packet filter and is being managed
centrally by Ansible - no webGUI.

My first attempt was to use dnsmasq but then I found out of this
obstacle. I've been thinking about switching to KEA + radvd but
actually I would like to keep using dnsmasq.
I manage my VRRP IPs with keepalived. There are small scripts for an
event of a primary - secondary change. Especially in an event of
controlled switch of primary - secondary I would like the primary
dnsmasq to send a lifetime of 0 in the router advertisement package.
That way the clients know that this router shall not be used any more.


No experience with RAs so far, but isn't that what the priority field is 
for?




Please confirm my findings that this is currently not possible with
dnsmasq. If so please accept my feature request to implement that.

Regards
Jochen Demmer


--
With kind regards,

William Edwards




Re: [Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-02 Thread Geert Stappers via Dnsmasq-discuss
On Sat, Oct 02, 2021 at 10:28:16AM +0200, Jochen Demmer via Dnsmasq-discuss 
wrote:
> 
> Hi,

Welcome,

 
> I've been trying to develop my own kind of firewall solution named
> nftwall which uses nftables as packet filter and is being managed
> centrally by Ansible - no webGUI.
> 
> My first attempt was to use dnsmasq but then I found out of this
> obstacle. I've been thinking about switching to KEA + radvd but actually
> I would like to keep using dnsmasq.
> I manage my VRRP IPs with keepalived. There are small scripts
> for an event of a primary - secondary change. Especially in an
> event of controlled switch of primary - secondary I would like the
> primary dnsmasq to send a lifetime of 0 in the router advertisement
> package. That way the clients know that this router shall not be used
> any more.

What?


> Please confirm my findings that this is currently not possible with
> dnsmasq.
> 
> If so please accept my feature request to implement that.

Patches to this mailinglist do get noticed.



Regards
Geert Stappers
-- 
Silence is hard to parse



[Dnsmasq-discuss] HA Cluster - IPv6 router adv lifetime of 0

2021-10-02 Thread Jochen Demmer via Dnsmasq-discuss

Hi,

I've been trying to develop my own kind of firewall solution named nftwall 
which uses nftables as packet filter and is being managed centrally by Ansible 
- no webGUI.

My first attempt was to use dnsmasq but then I found out of this obstacle. I've 
been thinking about switching to KEA + radvd but actually I would like to keep 
using dnsmasq.
I manage my VRRP IPs with keepalived. There are small scripts for an event of a 
primary - secondary change. Especially in an event of controlled switch of 
primary - secondary I would like the primary dnsmasq to send a lifetime of 0 in 
the router advertisement package. That way the clients know that this router 
shall not be used any more.

Please confirm my findings that this is currently not possible with dnsmasq. If 
so please accept my feature request to implement that.

Regards
Jochen Demmer