How is Pi-hole/embedded dnsmasq to distinct between the two VLANs with only those two new tag names (vlanmain & vlaniot)?
In below Pi-hole v5 example with a Pi-hole host thats got multiple interfaces, the tag is set to the physical interface name (eth1) to distinct between the two:
You cant have multiple DHCP ranges if the Pi-hole host only has one interface bc of the broadcast nature of DHCP.
DNS and HTTP etc are all unicast.
Your dhpc-ranges don't match any interfaces, so I'm not sure how you'd intend to relate those tags to your VLAN interfaces.
Typically, you'd match DHCP options depending on interfaces (where such an interface may belong to a VLAN), e.g. if your host would carry two virtual interfaces eth0.10 and eth0.20:
Oh above is not entirely true.
You can do some trickery if make the Pi-hole host VLAN aware which it istn OOTB with most distros.
But that means complicating your setup substantially with virtual VLAN aware interfaces bc embedded dnsmasq does nothing with VLAN tags (not the same as a dnsmasq tag).
I believe above can only work if you make the interfaces VLAN aware? I dont see how dnsmasq can distinct between the two with the initial DHCPDISCOVER broadcast from a client?
Wont both virtual interfaces, with eth0 being the parent interface, receive the initial DHCPDISCOVER broadcast?
Eg from no IP to 255.255.255.255.
I do have two interfaces on the host (Debian LXC container on Proxmox). They use the same bridge and real physical port but one interface is tagged with ID 3 in Proxmox.
As I said, devices on the “VID 3“ and so on subnet .3 — as is second pi-hole interface — do get tagged with ‘vlaniot‘, so I still don’t understand why not also those on subnet .1 ?
I’m new to VLAN. I used below threads as the basis for my setup. They both use tags and don’t seem to rely on interface names.
I understand all that. So let’s forget VLAN tags for a moment and keep the focus on dnsmasq tags.
Why do the people in the linked threads (maybe just the first two if the third is not a good example) seemed to have been able to manage multiple subnet ip ranges and options (associated to vlans) with the help of dnsmasq tags?
EDIT: Besides interface tagging with dnsmasq, tagging is also often used to supply a particular HW vendor/device, based on MAC, with tailored DHCP options like for example for IGMP snooping for streaming services etc.
From what I read in the above pihole forum threads, it really seems like it was working, as their issues were not at all because of the tagging errors but rather file naming/loading related.
No, as long as the router is configured correctly.
VLANs are managed (and terminated) by a router, i.e. it is the router that would decide which target NICs it would send a broadcast to (and it would commonly strip the VLAN tag from packets before doing so).
pihole-FTL/dnsmasq will then automatically tag a DHCP packet with the name of the NIC that it arrived on, and only one of the interface names will match the range.
(And deHakkelaar is correct to point out that dnsmasq's DHCP option tags are not the same as VLAN tags.)
Adding explicit OS level VLAN support on the host that runs pihole-FTL/dnsmasq may also be a choice, but not a likely one, as that would only be required if the router would treat the port Pi-hole is connected to as a trunk (i.e. a connection to another router), so it would not strip VLAN tags from packets before forwarding them, leaving it to the next router to manage (in that case, the machine hosting Pi-hole).
I haven't read them, but I'd guess that either the host's interfaces would be configured accordingly (i.e. the host has one interface in each VLAN subnet) or a DHCP relay would convey subnet information for relayed broadcasts.
I don't see any interface configuration details in your initial post, but assuming those would be configured appropriately, it would depend on how your router's VLANs are configured.
How does your router forward traffic to your Pi-hole VM?
Is your router aware of both VM interfaces, targeting VLAN traffic to the correct interface, or does it only know about the interface of the machine hosting your VM?
If the latter, you may have to add your VLAN interfaces to your host OS and attach both of them to your Pi-hole VM.
I think we might have a misunderstanding about how those two virtual interfaces from your example below are created/setup:
If I create two virtual ones:
$ sudo ip link add link eth0 name eth0.10 type macvlan
$
$ sudo ip link add link eth0 name eth0.20 type macvlan
$
$ sudo ip address add 192.168.10.2/24 dev eth0.10
$
$ sudo ip address add 192.168.20.4/24 dev eth0.20
$
$ sudo ip link set eth0.10 up
$
$ sudo ip link set eth0.20 up
$
$ ip -br link
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0 UP b8:27:eb:XX:XX:XX <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.10@eth0 UP 2a:7b:a8:ce:06:85 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.20@eth0 UP 36:e1:f1:ba:36:6a <BROADCAST,MULTICAST,UP,LOWER_UP>
$ ip -br -4 address show scope global
eth0 UP 10.0.0.2/24
eth0.10@eth0 UP 192.168.10.2/24
eth0.20@eth0 UP 192.168.20.4/24
And run a dhcp-discover from another host:
$ sudo tcpdump -ti any udp port 67
[..]
eth0 B IP 10.0.0.145.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:XX:XX:XX (oui Unknown), length 548
eth0.10 B IP 10.0.0.145.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:XX:XX:XX (oui Unknown), length 548
eth0.20 B IP 10.0.0.145.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:XX:XX:XX (oui Unknown), length 548
eth0 Out IP 10.0.0.2.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 318
How is dnsmasq able to distinct if the DHCPDISCOVER is received on all interfaces (physical and virtual)?
EDIT: Without applying VLAN tagging and trunks on the host.
It doesn't matter how interfaces are created.
It's about the router supporting VLANs being able to identify those interfaces (regardless whether they are virtual or physical) and assign them to a specific VLAN - as long as the router is configured correctly, broadcasts emitting from one VLAN will only be received within that same VLAN.
If your router doesn't support VLANs, neither interface creation nor dnsmasq configuration will allow you to create them.
Well, if you don't have VLANs, clients would receive DHCPOFFERs from all configured dhcp-ranges, and it would then depend on the client's OS preferences which DHCPOFFER it would accept.
I've never heard of a switch engine that can "identify interfaces" on a receiving host.
I think you're missing the point which has nothing to do with VLAN tagging.
The switch would aggregate all DHCPDISCOVER packets received from the different VLAN's and dump them all on the single switch port that the Pi-hole host is connected to/tagged for.
Thats via a single receiving physical interface on the Pi-hole host and after the switch removed the VLAN tag(s).
So if the exactly same packet with source IP 0.0.0.0 is received on all three interfaces from above example, how would dnsmasq know what scope to apply?
Do you have it setup like your example or can you point me to a link where this works?
I dont want to mess too much with my DHCP server setup to try things out
EDIT: Ps, did you notice the DHCPOFFER is a broadcast and not unicast with my above tcpdump.
Not sure how you would translate that back to the VLAN's
Simpler switches may well only support static port based VLANs, where the switch's physical NIC (aka port) would determine which VLAN a device that connects through that port would belong to.
It's quite possible to dynamically assign traffic to VLANS based on different criteria (e.g. authenticated or MAC-based RADIUS profiles), and that would require some sort of VMPS running on your routing equipment, which may allow several ways of dynamically separating traffic into VLANs, including MAC-based assignments to VLANs.
Sounds complicated and maybe something not found on consumer switches/routers or not?
Maybe a DHCP relay can solve above not spilling to all VLAN's???
You dont want a malicious host in an untrusted VLAN to sniff all those broadcast packets that contain details like hostnames etc.
