Dnsmasq (noob question)
-
I think I understand the documentation, but just wanted to clarify.
If I have a new installation of 2.3, I will automatically have unbound enabled. Is dnsmasq still available, or only for legacy upgrades?
Supplementary question:
I have dnsmasq on several open-source wireless routers (which I am trying to replace with pfsense). This enables me to assign different DHCP scopes to various mac/IP groups (e.g. alternate DNS & Gateway) - is this available (either via dnsmasq or otherwise) in pfsense? Many thanks.
-
dnsmasq (forwarder) is still there, you can use it if you want. Just disable the resolver unbound.
You want to use pfsense as a wifi router? With some sort of wifi card in pfsense? Yeah good luck with that ;) There are many things that pfsense does well!! Wifi is not one of them ;)
-
Hi John,
Thanks for the clarification. I will try disabling the Resolver and enabling Forwarder with my previous options.
I have no intention of using pfsense as a wifi router. I just prefer to remove all the active functionality (step 1 - DNSmasq; step 2 - openVPN) from 4 separate access points up to the router for better control, performance (and synchronisation):
```
# all clients get these defaults, except as below
dhcp-option=3,192.168.31.1
dhcp-option=6,192.168.31.1

# my media devices (don't have an option for static IP)
dhcp-host=11:22:33:44:55:66,192.168.31.62
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.31.63

# route via openvpn on WAP2
dhcp-option=uk,option:router,192.168.31.2
dhcp-option=uk,option:dns-server,192.168.31.2

# route via openvpn on WAP3
dhcp-option=usa,option:router,192.168.31.3
dhcp-option=usa,option:dns-server,192.168.31.3

# assign the media devices for special handling
dhcp-mac=usa,aa:bb:cc:dd:ee:ff
dhcp-mac=uk,11:22:33:44:55:66

# DNS basics
address=/remote.mail.server.net/192.168.44.10
address=/local.mail.server.net/192.168.31.10
address=/other.internal.server.net/192.168.31.15
address=/other.external.server.net/192.168.44.15
```
I am sure there is another/better(?) way with pfsense, only this is what I'm used to. It's worked reliably for several years.
I'm open to suggestions/recommendations. Thanks again.
-
Why do you need to send your WAP to special gateways? Why not just policy route their traffic out your vpn you have set up on pfsense as a client.. Much easier setup to be sure.. But you can for sure hand out different gateways via just dhcp gui.. once you set up a reservation for those MACs
-
Thanks again for your help and suggestions.
First of all, I am transitioning from a working network to a new pfsense-centered network.
Until 24 hours ago, my primary router was a Linksys RV082 (IPsec ike v1 only & PPtP) with compromised firmware, ineligible for upgrade. My WAPs (3 needed for coverage of the house due to concrete walls) all have Tomato firmware, and with them, I am making use of dnsmasq & OpenVPN. Each WAP runs a different OpenVPN tunnel for geo-ip purposes, and is an alternate designated Gateway. The main router also runs an IPsec tunnel to my off-site server.
I am replacing all of this with pfsense, as I learn each step.
1. Internet access
2. Resume existing IPsec ike tunnel
3. OpenVPN remote access (to manage/learn while away)
4. Restore & enhance static IP reservations
5. Enhance firewall/forwarding
6. Enable VLAN/Guest networks
7. Replace existing (WAP) OpenVPN connections with pfsense clients
8. Replace current device based routing with destination based routing
At the moment, I am only on step 3 (which worked during testing), so should be working on 4 & 5 over the next 2 days.
To avoid breaking my existing setup, and keep the TVs running over the holidays, the WAPs continue to run the OpenVPN clients (for the moment).
I am having difficulty with the firewall rules, and until I have mastered that, there is no point using pfsense as an OpenVPN client.
To make things easier, I am re-assigning all my local Static IPs to fit into an appropriate subnet /28, /29, /27 etc to control access via the firewall rules.
So the step I'm currently on is how (best) to assign a different gateway to a few devices (and also my mac on an occasional basis).
I can now see the option in the Static Reservation for assigning an alternate gateway. While this meets my immediate needs, it is rather tedious for the large number of entries. Can I edit a file directly via SSH, or does it get overwritten by the GUI? Which file should I edit for DHCP static reservations?
The other problem I foresee is when I transition to using pfsense OpenVPN clients as the gateway. What's the procedure & format for specifying that? I can setup the client without issue, but am unsure on the subsequent steps (still a bit more reading to do…)
Thanks again, and happy new year.
-
OK, so I have found the file containing the reservations:
/var/dhcpd/etc/dhcpd.conf
Is it safe to edit/add to this file, or is the configuration overwritten by another process? I would like to add another 20-30 reservations.
-
I must be missing something, but..
- dnsmasq is NOT the thing used for DHCP server on pfSense.
- messing with configuration files via shell is of no use, these changes will NOT persist
-
Thank you for the confirmation.
Now that I have found the equivalent feature in the gui, I won't be needing dnsmasq, but it would be useful to have a feature for bulk import of static reservations.
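
On the bulk-import question, an added example (not from any poster and not pfSense's own tooling): a Python sketch that reads the old-style tagged dnsmasq directives posted earlier in the thread, resolves each device's tag to its gateway and DNS server, validates MAC and IP, and emits one `<staticmap>` element per reservation. The element names (`staticmap`, `mac`, `ipaddr`, `gateway`, `dnsserver`) are an assumption about the layout of a pfSense `config.xml` backup and should be checked against your own backup before merging anything.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
# The thread's dnsmasq fragment, one directive per line (old-style bare tags).
DNSMASQ_CONF = """\
dhcp-option=3,192.168.31.1
dhcp-option=6,192.168.31.1
dhcp-host=11:22:33:44:55:66,192.168.31.62
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.31.63
dhcp-option=uk,option:router,192.168.31.2
dhcp-option=uk,option:dns-server,192.168.31.2
dhcp-option=usa,option:router,192.168.31.3
dhcp-option=usa,option:dns-server,192.168.31.3
dhcp-mac=usa,aa:bb:cc:dd:ee:ff
dhcp-mac=uk,11:22:33:44:55:66
"""
# dnsmasq option name -> staticmap child element (element names are an assumption)
FIELDS = {"option:router": "gateway", "option:dns-server": "dnsserver"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def parse(conf):
    """Return one dict per dhcp-host line, with its tag's gateway/DNS resolved."""
    hosts, tag_of, tag_opts = {}, {}, {}
    for line in conf.splitlines():
        key, _, val = line.strip().partition("=")
        parts = [p.strip() for p in val.split(",")]
        if key == "dhcp-host" and len(parts) >= 2:
            mac = parts[0].lower()
            if not MAC_RE.match(mac):
                raise ValueError(f"bad MAC: {parts[0]}")
            hosts[mac] = str(ipaddress.ip_address(parts[1]))  # ValueError if invalid
        elif key == "dhcp-mac" and len(parts) == 2:
            tag_of[parts[1].lower()] = parts[0]
        elif key == "dhcp-option" and len(parts) == 3 and parts[1] in FIELDS:
            tag_opts.setdefault(parts[0], {})[FIELDS[parts[1]]] = parts[2]
        # untagged defaults (dhcp-option=3,...), comments, address= lines: skipped
    return [dict(mac=m, ipaddr=ip, **tag_opts.get(tag_of.get(m), {}))
            for m, ip in hosts.items()]

def to_staticmaps(reservations):
    out = []
    for r in reservations:
        sm = ET.Element("staticmap")
        for field in ("mac", "ipaddr", "gateway", "dnsserver"):
            if field in r:
                ET.SubElement(sm, field).text = r[field]
        out.append(ET.tostring(sm, encoding="unicode"))
    return "\n".join(out)

if __name__ == "__main__":
    print(to_staticmaps(parse(DNSMASQ_CONF)))
```

Only the plain `mac,ip` form of `dhcp-host` is handled; the untagged defaults belong in the DHCP scope itself rather than in a reservation.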