
<Ol>Origy 10-23-2008 02:32 AM

Advice for setting up a dynamic network
I've worked with a static IP network before and I've successfully managed to get a working NAT firewall in place by using iptables. Now I'd like to create a similar firewall box and add a few extra features to it. Yep, you guessed it. I'd like to create a dynamic network, meaning that IP addresses get assigned to clients automatically by the box in question. I'll explain the scenario a bit.

Suppose you're on a LAN with a router "A" (IP acting as the main gateway. This is a dedicated linux router that is connected directly to the internet and it has a DHCP server plus some other stuff to manage every client on People use it as a gateway to access the internet. Now I'd like to add a secondary firewall box "B" to this network that points to a different sub-network. This box is basically a PC running a 2.6 linux distro and has two NICs - eth0 and eth1. One of them (eth0) is connected to the main LAN and has an IP of let's say This IP address is assigned by the main router "A" and both devices can ping each other. The other NIC of PC "B" (eth1) has a different subnet IP of and a number of clients attached to the LAN.

Now here's where I'm stuck. I'm able to configure the iptables of box "B" to forward the traffic through, but the network itself is static (clients have static IP addresses and DNS servers have to be manually configured on each client). My task is to automate this process and make the network a dynamic one, meaning that IP's and DNS servers get assigned automatically to every client on the subnet by the "B" box. The goal is that when a client "C" connects to this network, he gets an IP address of let's say assigned. His DNS server and gateway address point to

As I said earlier, when the box "B" connects to the main LAN on, it gets certain settings assigned from the main router "A". So basically the DNS server of box "B" points to the IP address of the main router "A", which is I can see this in /etc/resolv.conf file. Now here is where I need some suggestions e.g. what software and what settings to use to get an IP assigned, gateway and DNS server set to to all clients on

I'm sitting here in my room with machine "B" that has a 2.6 linux on it, dhcpd, dnsmasq and named are all installed. I've managed to get the DHCP server working at some point, but the DNS didn't seem to work. I've tried running both (DHCP and dnsmasq) in parallel, but they seem to conflict with each other. This is a rather new topic in networking for me and I thought I'd seek some help before I break something ;)

Any suggestions/ideas are welcome.
And thanks in advance.
See ya's.

acid_kewpie 10-23-2008 04:14 AM

this just sounds like a totally standard dhcp implementation, or am i misreading something? dnsmasq can be used to provide *simple* dns and *simple* dhcp in a combined way, so if you want a basic level of integration within that routing server then that might have a benefit, but you don't say you have any requirement to update dns dynamically or anything. Assuming that's the case then this is still just normal dhcp stuff.

<Ol>Origy 10-23-2008 04:46 AM

So you're saying I don't have to run both DHCP and dnsmasq at the same time? That solves one piece of the puzzle. I've been reading some article where they set up both progs to do the job. DHCP was assigning IP addresses while dnsmasq provided the proper DNS stuff.
I just need a way to "forward" the DNS requests to the main router "A" from the client "C" via the box "B". The DNS server address of machine "B" is assigned to it automatically by router "A" and I'm guessing I can forward the DNS requests to this address. However all clients on the subnet should use as their DNS since the network won't be visible from within
From the looks of your post I'm guessing I should stick to dnsmasq.

EDIT: Oh, and client "C" should have the DNS server address of assigned automatically whenever he joins the network. If he disconnects from this subnet and joins the network then he's supposed to have a new DNS server address ( assigned by the main router "A"... just like the box "B" does. This way I'd like to avoid having to manually set up the DNS addresses on each client each time they join the net. Can dnsmasq do something like this?

acid_kewpie 10-23-2008 06:02 AM

why don't you just route through to the 192.168.x.y address from the clients? what's stopping you there? is that box not also your default gateway?

dnsmasq is a very useful thing, and you certainly could do what you want with just that, but i'd personally only use it on personal home networks and such, not so much in business. It's certainly nice and simple though, so I wouldn't say you shouldn't use it if you want to, i just wouldn't myself.

<Ol>Origy 10-23-2008 09:21 AM

What's stopping me is my ultra-super-elite ability to know about the existence of such things. In other words, it's a new topic to me and I'm not quite sure how to configure the routes and/or applications *yet*. It's an area I'm still exploring. Anyway, I've managed to get the dhcpd automatically assign an IP address to a connecting client as well as update the DNS server to with this config:

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;
log-facility local7;

subnet netmask {
        option broadcast-address;
        option subnet-mask;
        option routers;
        option domain-name-servers;
}

The only problem now is that the DNS requests on don't work. What solution do you have in mind and how do you propose I go on from here?

The computer in question has a decent amount of RAM so there's no need to run minimal-resource applications on it. This means I can choose to run either dhcpd or dnsmasq... whichever I prefer. I haven't quite decided what to use here yet and since I'm not in a hurry, I'll poke around a bit with both progs once I get the basic stuff working.


acid_kewpie 10-23-2008 09:25 AM

well just set the dns server to the real one you already have. you're already setting the default gateway, so there's nothing else to do at all.

<Ol>Origy 10-23-2008 10:03 AM

I'm not sure I fully understand your suggestion. Do you imply that I change the "option domain-name-servers;" directive to a DNS server provided by my ISP?

EDIT: This is where I get lost. Perhaps I'm overcomplicating it, but I'd like the "B"-machine to handle DNS requests according to whatever is inside /etc/resolv.conf. Could you explain how? Suppose I unplug the "B"-machine from the network and plug it into a different LAN that has its gateway and DNS located at The "B"-box will do a DHCP-Request and have a new IP assigned plus the DNS server in /etc/resolv.conf will be updated to Of course all clients on the network will still have their DNS set to, but the "B"-box should be able to detect that there is a new DNS record present in /etc/resolv.conf and forward the DNS requests from to the new address.


acid_kewpie 10-23-2008 01:24 PM

Hmm, ok, seems like you might be planning on moving this network around to different locations and such? Whilst I might not have had the same plans as you, what you're after seems to make sense in general, so sure, go with dnsmasq and *nothing* else for this. I don't *think* dnsmasq will automatically pick up any changes in /etc/resolv.conf though. you could modify your dhcp client settings on that box to automatically hup the dnsmasq daemon upon dhcp lease provision from the outside world. or just restart it manually.

Trying to extrapolate a bit from what you're saying you may well also be wanting to do ip masq stuff for everything leaving the world. I'd provide you a link to an ip masquerading page but can't find one for the life of me ;)

<Ol>Origy 10-23-2008 01:39 PM

Solved it!
The problem wasn't dhcpd or dnsmasq... It was a number of rules I set up for iptables while doing the masquerade stuff. Neither dhcpd nor dnsmasq worked prior to reconfiguring the firewall. Seems like I added a rule that prevented any DNS packets from reaching my server, but I'm not sure why the DHCP requests did.

Anyway, I'm already familiar with IP masquerading as I've been using it for years.
Thanks for your assistance tho.

EDIT: w00t, 100 posts!
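An added example (not code from anyone in this thread) of a minimal iptables rule set for a box like "B" that keeps the masquerading NAT but explicitly admits DHCP and DNS from the inner LAN, which is the kind of rule the last post found missing. The interface names, the inner subnet placeholder 192.168.2.0/24 and the IPT dry-run variable are assumptions; set IPT=echo to review the rules without applying them.

```shell
#!/bin/sh
# Firewall rules for a two-NIC gateway: eth0 faces the upstream router,
# eth1 faces the inner LAN that this box serves DHCP and DNS to.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # assumed: side facing router "A"
LAN_IF="${LAN_IF:-eth1}"               # assumed: side facing the clients
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # assumed placeholder inner subnet
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of loading them

firewall_rules() {
    # Start clean; drop anything inbound or forwarded that is not allowed below.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services this box offers to the inner LAN. ISC dhcpd receives requests
    # through a raw packet socket, which bypasses the INPUT chain, so DHCP keeps
    # working even without its rule; dnsmasq/named use ordinary UDP/TCP sockets,
    # so without the port-53 rules client lookups silently fail.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67:68 -j ACCEPT   # DHCP
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT      # DNS
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT      # DNS (large answers)

    # Let the inner LAN out and only replies back in; masquerade on the WAN side.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Dry-run check: does the generated rule set admit DNS on the LAN interface?
rules_allow_lan_dns() {
    (IPT=echo; firewall_rules) | grep -q -e "-i $LAN_IF -p udp --dport 53 -j ACCEPT"
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    firewall_rules
fi
```

Run as `IPT=echo sh rules.sh` to inspect the rules, and `sh rules.sh apply` as root to load them.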
