Extra DHCP Server Options


#1

I use Pi-hole on my rpi3 to serve DHCP for multiple networks. I have these networks:

MGMT - vlan 1 - 192.168.0.0/24
LAN - vlan 10 - 192.168.1.0/24
GUEST - vlan 20 - 192.168.2.0/24
DMZ - vlan 30 - 192.168.3.0/24
DNS - vlan 40 - 192.168.4.0/24 (this is where Pi-hole is)

I have a DHCP relay agent on my router which forwards DHCP requests from VLANs 1, 10, 20, and 30 over to the Pi-hole in VLAN40. This works perfectly. I also have a /etc/dnsmasq.d/dnsmasq.conf file that has the relevant DHCP scopes and static DHCP leases defined. This works fine also.

What doesn’t work is any of the DHCP functionality in the Pi-hole GUI. I’d love to be able to tweak / configure the DHCP scopes and static leases from the GUI but there’s several things preventing me from doing so:

  1. When enabling the DHCP server on Pi-hole (in general) it fails to specify the subnet mask. This causes dnsmasq to default to classful (class a, b, c) subnet masks. This breaks things, badly, because it gives out /16 subnet masks for 192.168.x.x addresses. This isn’t a problem for most small networks where there’s only one subnet, but it completely breaks when multiple vlans are in play. Pi-hole should, at the very least, default to a sane value (/24), and provide an option in the GUI to adjust this.

  2. Pi-hole GUI only supports one DHCP scope. It’d be great to have an option to define multiple scopes, with different gateways.

Thanks!


#2

I do the same thing, and while configuring it in dnsmasq.conf was simple, a tear leaks from my right eye every time I view the dhcp portion of the GUI. It would definitely be nice to allow multiple VLANs on the gui itself.


#3

You can quasi-use the GUI if you’re ok with manually editing the settings.php file. Details:

In “/var/www/html/admin/settings.php”, on line 473, change “if ($DHCP) {” to “if (true) {”. This will enable the leases section of the DHCP GUI. Then, put your static DHCP entries, if you have any, in:

/etc/dnsmasq.d/04-pihole-static-dhcp.conf

Then, store your dhcp.lease file in /etc/pihole/dhcp.leases. I use this line in my dnsmasq.conf file:
dhcp-leasefile=/etc/pihole/dhcp.leases

This will allow you to see any static reservations you have configured, and, it will also display the current leases.


#4

@networknerd Can you post an example of your /etc/dnsmasq.d/dnsmasq.conf file? I am trying to get this going to my network as well.

vlan 10/lan: 10.10.1.0/24
vlan 20/wlan: 10.10.2.0/24
vlan 30/iot: 10.10.3.0/24


#5

I wanted to post my slog resolving this for a 5 vlan network and coming from a windoze background (hence slowlearner). This is a long post but explains the conjunction of pi-hole, dnsmasq and vlans - hopefully in a way another slowlearner will understand.

First thing to say, I honestly don’t understand how the changes to network/interfaces are meant to help someone coming from an MS background. Virtually all the advice online is based on defining vlans as interface extensions (e.g. eth0.8 to indicate a vlan tag of 8) and then defining the dhcp range attached to them. But from what I can gather, once the right modules are installed (vlan and 8021q) dnsmasq just watches eth 0 and matches traffic to configured dhcp ranges. This is simpler but isn’t explained - google is just returning “delve into /etc/network/interfaces” … aaaannndd I’m lost. shrug

Second thing to note that vendors talk about vlans in different ways. Cisco = vlans, dnsmasq = subnet, blah = broadcast domains. They’re all the same but i was stuck on googling for dnsmasq vlans which brought me here with little to no answers. Things got better once i realised that “dnsmasq subnets” was the way to go (still no real answers, just lots of hints and a host of different config setups).

Thirdly, although you’ll get round to configuring dhcpcd quite quickly - it’s just a client that’s meant to enable static address assignment to the pi (and some other stuff, probably). It’s not dhcpd (which, if you’ve some linux admins around, it’ll be part of what they’ll happily throw onto your bonfire of confusion). It has nothing all to do with dhcpd or multiple vlan/subnets. Wasted quite a bit of time on this.

Fourthly, pihole messes about with dnsmasq subtly. Nothing that breaks dnsmasq (although I do eye the recent fork of dnsmasq for pi-hole nervously) but enough that you’re left confused as to where you should put stuff. Some people recommend adding vlans to /etc/dnsmasq.conf but really pi-hole just redirects this file to hoovering config from the /etc/dnsmasq.d/ directory. My gut feeling is leave it as it is and just add a new file to that dir with your vlans (and log-dhcp setting). More on this later.

Fifthly, I’m a slow learner and there will be a better way of doing this but windows clients are barnacle like in retaining previous ip addresses. Sorting my 5 vlans consisted of multiple “sudo reboot” commands on the pi and sending the clients for a 5 min shutdown (or disable/enable the network interface) whilst the pi came up in an orderly fashion.

Ok that’s some of the broader lessons from my experience, here’s some detail on config files and settings:

/etc/dnsmasq.conf

  • Contains reference to /etc/dnsmasq.d as the conf dir
  • LEAVE THIS FILE ALONE

/etc/dnsmasq.d/01-pihole.conf

  • Contains setup variables
  • eth0 interface defined in here (assuming you select “Listen on interface eth0” in web admin/settings/DNS)
  • WILL BE OVERWRITTEN BY PIHOLE ON UPDATE & CERTAIN SAVES FROM WEB INTERFACE

/etc/dnsmasq.d/02-pihole-dhcp.config

  • specifies dhcp ranges, router and lease file (dhcp.leases)
  • Only present when dhcp enabled
  • WILL BE OVERWRITTEN BY PIHOLE WEB INTERFACE

/etc/dnsmasq.d/04-pihole-static-dhcp.config

  • static leases defined via the web admin interface go here
  • WILL BE OVERWRITTEN BY PIHOLE WEB INTERFACE

/etc/dnsmasq.d/10-additional-dhcp.config

  • file for your vlan setup that the gods of pi-hole will leave alone. Call it what you like but must start with a numeric > 9 (I admit I plucked 10 out of thin air, some people name it “99-some_name.conf”. It’s the number that’s important)

/etc/pihole/dhcp.leases

  • Leases made by dnsmasq (including static ones picked up from 04-pihole-static-dhcp.config)
  • I REGULARLY INTERFERE WITH THIS DURING VLAN SETUP

/var/log/pihole.log

  • dns logging by default (dhcp logging has to be enabled)

WHAT YOU’LL NEED TO DO:
1 - ADD VLAN SUPPORT TO THE PI-HOLE
2 - TURN OFF DNS LOGGING (TEMPORARILY)
3- CREATE A CUSTOM PI-HOLE/DNSMASQ DHCP CONFIG FILE
4 - ADD DHCP LOGGING
5 - ADD TAGGED DHCP RANGES
6 - ENABLE 8021q VLAN TRAFFIC ON YOUR SWITCH/FIREWALLL
7 - TEST, TWEAK AND REBOOT, TEST, TWEAK AND REBOOT, TEST, TWEAK AND REBOOT …
8 - SORT OUT PI-HOLE LOGGING

1 - ADD VLAN SUPPORT TO THE PI-HOLE
Log into the pi (either via ssh or by having a direct keyboard/monitor connection to it). Type:

sudo apt-get install vlan
sudo su
echo 8021q >> /etc/modules

This installs the vlan and 8021q modules which allows the pi to understand vlan tagged traffic. Vlan traffic has additional bytes to normal which are enough to stop network access to the device. Don’t enable multiple vlans on your switch/router port before installing these - that’s how I lost SSH and HTTP access to my pi-hole.

2 - TURN OFF DNS LOGGING
In /etc/dnsmasq.d/01-pihole.conf put # before log-queries

sudo nano /etc/dnsmasq.d/01-pihole.conf
#log-queries
(CTRL-X, Y, Return key)

The # is a remark/comment character, everything is ignored after it. Your pi-hole will get lots of DNS queries, which turns out to be a good way to obfuscate what you’re really interested in at this point. We’ll turn it back on later.

3 - CREATE A CUSTOM PIHOLE/DNSMAQ DHCP CONFIG FILE
This file will contain config for dnsmasq that will survive pi-hole web admin changes or even an update of pi-hole itself (name it however you want but keep the initial number quite high > 9).
The confdir setting in /etc/dnsmasq.conf means dnsmasq reads files from /etc/dnsmasq.d/ in sequence.
NOTE: I ran into issues applying the same setting in the two config files. I set localise-queries in this file when it’s already in the 01-pihole.conf file). The result on reboot was a web admin page showing DNS and FTLDNS as being down and the dashboard helpfully displaying “Lost” “Connection” “To” “Api” instead of the graphs on that page. I saw this a lot when my dhcp config was a bit too “special”.
To edit the file type:

sudo nano /etc/dnsmasq.d/10-additional-dnchp.conf

4 - TURN ON DHCP LOGGING
In nano type:

log-dhcp

This will log dhcp requests, and with dns logging now turned off (see step 1) it’ll be a lot easier to see if your vlans are coming up correctly and any dnsmasq warnings.

5 - ADD TAGGED DHCP DETAILS
I set my initial test system up to have two vlans passing traffic to the pi-hole. The first vlan I defined as native (not tagged) and the other had a tag of 220. Ultimately it loks like the tags are handled in the background by the vlan/8021q modules so there’s no need to define eth0 tagged interfaces. dnsmasq just watches the interfaces defined in /etc/dnsmasq.d/01-pihole.conf for any traffic (in my case just eth0 and no wifi). This means dnsmasq just needs the dhcp-range information for each of the vlans.
However, when you have more than one vlan, dnsmasq needs the individual vlan config settings to be grouped so that it can make sense of them. This grouping is done via dnsmasq “tags” (these are just labels it applies to config items rather than the network traffic itself). As far as I can see the dnsmasq tag doesn’t need to match the actual vlan tag, but it makes life easier if they do (VLAN220 traffic matched to dhcp-range=set:220).
NOTE - the set: command is used to label the dhcp-range config and any additional dhcp-options then need to use the tag: command to link it to the right dhcp-range (see below)

dhcp-range=set:220,10.2.1.16,10,2,1,2534,255.255.255.0,24h
dhcp-option=tag:220,option:router,10.2.1.1

dhcp-range=set:10,192.168.5.128,192.168.5.254,255.255.255.0,24h
dhcp-option=tag:10,option:router,192.168.5.1

Aside from the set: and tag: to tie together dnsmasq config, it’s important to note that the subnet mask (255.255.255.0 for a /24 subnet) in dhcp-range is required. This is because dnsmasq doesn’t obtain the right information from 8021q tagged traffic about the actual size of the subnet so it needs to be told.

6 - ENABLE 8021q VLAN TRAFFIC ON YOUR SWITCH/FIREWALLL
Google is your friend, unless you have an aging cisco asa 5505, in which case hmu

7 - TEST, TWEAK AND REBOOT, TEST, TWEAK AND REBOOT, TEST, TWEAK AND REBOOT …
Having been burnt previously with an overabundance of gung-ho I was careful to bring one vlan into the pi-hole at a time. This involved a round of config on pi-hole, firewall and clients along with reboots of the pi-hole (sudo reboot) and the clients themselves to get one vlan working. Then rinse and repeat. Generally if there was an issue it was either the client clinging to a previous ip or a typo in the 10-additional-dhcp.conf file causing the “DNS/FTLDNS down” and “Lost” “Connection” “To” “API” in the web-admin interface. A bit of rooting around usually sorted it.

8 - SORT OUT PI-HOLE LOGGING
tbh I’ve still to do this. Re-enable the log command in /etc/dnsmasq.d/01-pihole.conf and disable the one in /etc/dnsmasq.d/10-additional-dnchp.conf

HOPE IT HELPS YA BECAUSE THAT’S TWO HOURS OF TYPING I’LL NEVER GET BACK
Ultimately I ended up with my wireless network handled via the pi-hole web admin interface with the 4 other vlans defined in 10-additional-dhcp.conf. The asa-5505 works with static ip addresses to lock down traffic and with this approach I was able to use the pi-hole web admin interface (settings/dhcp) to create the static ip’s I wanted for each vlan. Once the dhcp-range is set for any vlan, dynamic/static IP’s will appear in the pi-hole web admin interface. You won’t be able to manipulate the actual dynamic dhcp-range settings but they’re available via the command line. Overall it’s a sweet setup and something that the devs should be pushing.

PS slowlearner != roastme :wink: