Hello Jochen, I think it would need to be more complex change I think.
On 10/4/21 13:04, Jochen Demmer via Dnsmasq-discuss wrote: > Hi, > > I'm sorry for being unclear. > There is a cluster of two firewalls (active passive). > The clients use the link local address as their default gateway. I > want to initialize a manual switch: > The primary becomes secondary, the old secondary becomes primary. I think dnsmasq does not implement DHCP failover in any sort of ways. It expects it is the only one DHCP server and maintains just its own lease database, right? Wouldn't more complex support be required? It seems to me such scenario might be better suited for enterprise grade DHCP implementations, such as ISC Kea. It seems to me dnsmasq targets less resourceful machines without router duplication environment. > > As the router advertisements for the clients contain a default route I > would like to make adjustments. The default route is being published > by providing clients with the link-local address of the firewall > (whichever is primary). > When there is such a controlled switch I would like to let the old > primary send a router advertisement package to the clients with a > lifetime of 0. This will signal the clients to not use this device any > more. > Next the new primary (formerly secondary) will start to advertise > itself as the new default router. I think it should also switch dhcp-authoritative flag. It is not only about routes, but it should stop managing IP addresses, when different instance is primary server, right? I think dnsmasq may receive signal to switch state over d-bus for example. Then it should deactivate its own dhcp-range and start sending lifetime 0 to indicate it is no longer the preferred one. It would be much easier if dnsmasq would restart on such change and configuration would change, correct? > > In this event I would like to have a trigger so that the designated > primary sends such a 0 lifetime package. If I'm not mistaken such a > feature is missing. Dnsmasq seems to be able to send 0 lifetime. It does so in cases when address range disappears on the router. I admit it is too radical to remove address range to send it, if there might be other server better suited for it. We could add dhcp-range=...,ra-inactive, which would send lifetime==0 announcement for the duration of a lease, then stop it. Similar to src/dhcp6.c:793 handling of removed addresses. May that work? It would require dnsmasq restart after configuration change. > > AFAIK this is how pfSense handles such setups. They do use CARP but at > that point it doesn't differ from a VRRP scenario. > > Regards > Jochen > > Am Samstag, Oktober 02, 2021 13:17 CEST, schrieb Geert Stappers via > Dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>: > >> On Sat, Oct 02, 2021 at 10:28:16AM +0200, Jochen Demmer via >> Dnsmasq-discuss wrote: >> > >> > Hi, >> >> Welcome, >> >> >> > I've been trying to develop my own kind of firewall solution named >> > nftwall which uses nftables as packet filter and is being managed >> > centrally by Ansible - no webGUI. >> > >> > My first attempt was to use dnsmasq but then I found out of this >> > obstacle. I've been thinking about switching to KEA + radvd but >> actually >> > I would like to keep using dnsmasq. >> > I manage my VRRP IPs with keepalived. There are small scripts >> > for an event of a primary - secondary change. Especially in an >> > event of controlled switch of primary - secondary I would like the >> > primary dnsmasq to send a lifetime of 0 in the router advertisement >> > package. That way the clients know that this router shall not be used >> > any more. >> >> What? >> >> >> > Please confirm my findings that this is currently not possible with >> > dnsmasq. >> > >> > If so please accept my feature request to implement that. >> >> Patches to this mailinglist do get noticed. >> >> >> >> Groeten >> Geert Stappers >> -- >> Silence is hard to parse >> >> _______________________________________________ >> Dnsmasq-discuss mailing list >> Dnsmasq-discuss@lists.thekelleys.org.uk >> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss > > > > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
