# How to configure NetworkManager's dnsmasq to lease the proper IP range?

## cord

Hello, I have a server with 3 network controllers. One is connected to the Internet (INTERNET), the second to Local_wired_net (LAN), and the third is a wifi card (WIFI), which I use as an Access Point. All three interfaces are controlled by NetworkManager. It starts at boot and all connections are up.

But there's a problem with the 'internal' dnsmasq: no DHCP leases and no DNS resolving for LAN and WIFI:

```
[dnsmasq] failed to bind DHCP server socket: Address already in use
```

If I stop /etc/init.d/dnsmasq the error disappears, but there are still no DHCP leases or DNS resolves anyway.

I have found that dnsmasq is started as 'nobody':

```
localhost # ps axu | grep dnsmasq
nobody    9515  0.0  0.1  21376  2964 ?        S    19:59   0:00 /usr/sbin/dnsmasq --conf-file --no-hosts --keep-in-foreground --bind-interfaces --except-interface=lo --clear-on-reload --strict-order --listen-address=192.168.1.1 --dhcp-range=192.168.1.10,192.168.1.254,60m --dhcp-option=option:router,192.168.1.1 --dhcp-lease-max=50 --pid-file=/run/nm-dnsmasq-wlp2s0.pid
root     17530  0.0  0.1   8364  2216 pts/1    S+   21:01   0:00 grep --colour=auto dnsmasq
localhost #
```

So it leases 192.168.1.10-192.168.1.254, but where does this value come from?

I need 192.168.1.2-192.168.1.3, so where can I set it?

----------

## cboldt

/etc/conf.d/dnsmasq (unlikely place, but who knows)

/etc/dnsmasq.conf

```
dhcp-range=192.168.0.2,192.168.0.32,255.255.255.0,10h
```

Adjust to suit the range of addresses you want dnsmasq to handle for you.

Edit: corrected /etc/init.d/dnsmasq to /etc/conf.d/dnsmasq

----------

## cord

I have tried /etc/dnsmasq.conf, nothing changed. And the process is a different one: it has the pid-file /var/run/nm-dnsmasq-wlp2s0.pid, not dnsmasq.pid!

So it takes its settings not from /etc/dnsmasq.conf but from somewhere else. Where is it?

----------

## cboldt

Something is sending dnsmasq that long command line, and the command line has priority over the contents of dnsmasq.conf.

Search for the service or application that is sending that dnsmasq command line.

```
grep -r keep-in-foreground /etc/*
grep -r keep-in-foreground /usr/bin/*
grep -r keep-in-foreground /usr/sbin/*
```

I picked "keep-in-foreground" out of the long dnsmasq command line because I think that won't be used by anything else, but other strings from that dnsmasq command line might be better.
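A way to tell the two dnsmasq instances apart from `ps` output, added here as an example and not part of the thread: NetworkManager's instance carries its whole configuration on the command line (and passes `--conf-file` with no argument, so `/etc/dnsmasq.conf` is never read), and its `--pid-file` names it. The sample `ps` text is constructed from the thread's output plus one invented system-wide instance bound to the same address, to show the source of the "Address already in use" bind error.

```shell
#!/bin/sh
# Classify running dnsmasq instances from `ps axu`-style lines, report the
# listen address and DHCP range each one carries on its command line, and
# flag addresses claimed by more than one instance.
# SAMPLE_PS is constructed (thread's ps line + an invented system instance).

SAMPLE_PS='nobody 9515 0.0 0.1 21376 2964 ? S 19:59 0:00 /usr/sbin/dnsmasq --conf-file --no-hosts --keep-in-foreground --bind-interfaces --except-interface=lo --clear-on-reload --strict-order --listen-address=192.168.1.1 --dhcp-range=192.168.1.10,192.168.1.254,60m --dhcp-option=option:router,192.168.1.1 --dhcp-lease-max=50 --pid-file=/run/nm-dnsmasq-wlp2s0.pid
dnsmasq 9600 0.0 0.1 21376 2964 ? S 19:58 0:00 /usr/sbin/dnsmasq --listen-address=192.168.1.1 --pid-file=/var/run/dnsmasq.pid
root 17530 0.0 0.1 8364 2216 pts/1 S+ 21:01 0:00 grep --colour=auto dnsmasq'

# opt_value NAME CMDLINE: value of --NAME=... on the command line, or "-".
opt_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^--$1=//p" | grep -m1 . || echo -
}

# classify_line PSLINE: prints "origin pid listen-address dhcp-range".
# Origin is decided by the pid file: NetworkManager uses nm-dnsmasq-<iface>.pid.
classify_line() {
    case $1 in
        *grep*) return 0 ;;              # skip the grep that listed the processes
    esac
    pid=$(printf '%s\n' "$1" | awk '{print $2}')
    cmd=${1#*/usr/sbin/dnsmasq}          # everything after the binary path
    case $(opt_value pid-file "$cmd") in
        */nm-dnsmasq-*) origin=networkmanager ;;
        *)              origin=system ;;
    esac
    printf '%s %s %s %s\n' "$origin" "$pid" \
        "$(opt_value listen-address "$cmd")" "$(opt_value dhcp-range "$cmd")"
}

# report PSTEXT: one line per dnsmasq instance.
report() {
    printf '%s\n' "$1" | while IFS= read -r l; do classify_line "$l"; done
}

# conflicts PSTEXT: listen addresses claimed by more than one instance, which
# is what produces "failed to bind DHCP server socket: Address already in use".
conflicts() {
    report "$1" | awk '$3 != "-" {n[$3]++} END {for (a in n) if (n[a] > 1) print a}'
}

report "$SAMPLE_PS"
conflicts "$SAMPLE_PS"
```

On a live box, replace `SAMPLE_PS` with `$(ps axu | grep [d]nsmasq)`; the range printed for the networkmanager instance is the one clients actually receive, whatever `/etc/dnsmasq.conf` says.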

----------

## cboldt

For what it's worth, I don't run networkmanager, but I believe the solution is in that application/service and its configuration file(s).  Just saying, I probably can't be of any more help.

I use openrc to start the network, and one machine on the local network starts and runs dnsmasq for the LAN.

----------

## cord

Well, I find this ...stupid code.

----------

## cboldt

From that Ubuntu thread, I gather that networkmanager (nm) builds the dnsmasq command line on the fly, with the logic for that building located in the source code for nm.

I have zero experience with networkmanager.

----------

## cord

*cboldt wrote:*

> From that Ubuntu thread, I gather that networkmanager (nm) builds the dnsmasq command line on the fly, with the logic for that building located in the source code for nm.

Seems to be it.

Maybe I will write a bug report.

----------

## cboldt

Meanwhile, learn the tools that nm offers for configuration, and if those don't suit you, find another way to skin the cat.

dnsmasq is awesome, IMO.  I use it to block sites that are ad-servers for all on the LAN, assign fixed IPs to a few devices, people come and go with their phones, laptops and tablets and dnsmasq handles it all.  If nm takes over all the dnsmasq config, I am certain I would not use nm on the machine that is doing DNS lookup and assigning LAN IP addresses.

----------

## cboldt

Just thinking, there is probably a way to tell nm to NOT act as DHCP server, at which point nm won't call dnsmasq.  Then you can run nm to start the network, and separately start dnsmasq (using its config files) for your LAN.

Out of probably 15 devices consistently on the LAN here, only ONE is DHCP server.  I am pretty sure nm has an easy switch to turn off DHCP server, because that is the way nearly all computers, phones, tablets run.  They look for a DHCP server, but they aren't one.

----------

## cord

*cboldt wrote:*

> Just thinking, there is probably a way to tell nm to NOT act as DHCP server, at which point nm won't call dnsmasq.  Then you can run nm to start the network, and separately start dnsmasq (using its config files) for your LAN.
> 
> Out of probably 15 devices consistently on the LAN here, only ONE is DHCP server.  I am pretty sure nm has an easy switch to turn off DHCP server, because that is the way nearly all computers, phones, tablets run.  They look for a DHCP server, but they aren't one.

Exactly!

And it has that switch - the USE flag:

```
connection-sharing  : Use net-dns/dnsmasq and net-firewall/iptables for connection sharing
```

but it's BROKEN!

Nothing changes whether I enable that flag or not. nm always starts nm-dnsmasq if I set up the keyfile for the 'WIFI' connection ...and iptables also. Look:

```
Jan 18 17:55:46 [NetworkManager] <info>  [1484754946.9594] device (wlp2s0): supplicant interface state: disconnected -> completed

Jan 18 17:55:46 [NetworkManager] <info>  [1484754946.9595] device (wlp2s0): Activation: (wifi) Stage 2 of 5 (Device Configure) successful.  Started Wi-Fi Hotspot 'mywifi'.

Jan 18 17:55:46 [NetworkManager] <info>  [1484754946.9610] device (wlp2s0): state change: config -> ip-config (reason 'none') [50 70 0]

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9742] modprobe: '/sbin/modprobe ip_tables' exited with error 256 (modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9778] modprobe: '/sbin/modprobe iptable_nat' exited with error 256 (modprobe: FATAL: Module iptable_nat not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9837] modprobe: '/sbin/modprobe nf_nat_ftp' exited with error 256 (modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9877] modprobe: '/sbin/modprobe nf_nat_irc' exited with error 256 (modprobe: FATAL: Module nf_nat_irc not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9924] modprobe: '/sbin/modprobe nf_nat_sip' exited with error 256 (modprobe: FATAL: Module nf_nat_sip not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9960] modprobe: '/sbin/modprobe nf_nat_tftp' exited with error 256 (modprobe: FATAL: Module nf_nat_tftp not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:46 [NetworkManager] <error> [1484754946.9995] modprobe: '/sbin/modprobe nf_nat_pptp' exited with error 256 (modprobe: FATAL: Module nf_nat_pptp not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:47 [NetworkManager] <error> [1484754947.0034] modprobe: '/sbin/modprobe nf_nat_h323' exited with error 256 (modprobe: FATAL: Module nf_nat_h323 not found in directory /lib/modules/4.7.10-hardened-gnu)

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0035] Executing: /sbin/iptables --table filter --insert INPUT --in-interface wlp2s0 --protocol tcp --destination-port 53 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0074] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0076] Executing: /sbin/iptables --table filter --insert INPUT --in-interface wlp2s0 --protocol udp --destination-port 53 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0116] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0117] Executing: /sbin/iptables --table filter --insert INPUT --in-interface wlp2s0 --protocol tcp --destination-port 67 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0164] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0166] Executing: /sbin/iptables --table filter --insert INPUT --in-interface wlp2s0 --protocol udp --destination-port 67 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0213] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0215] Executing: /sbin/iptables --table filter --insert FORWARD --in-interface wlp2s0 --jump REJECT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0255] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0257] Executing: /sbin/iptables --table filter --insert FORWARD --out-interface wlp2s0 --jump REJECT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0298] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0300] Executing: /sbin/iptables --table filter --insert FORWARD --in-interface wlp2s0 --out-interface wlp2s0 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0340] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0345] Executing: /sbin/iptables --table filter --insert FORWARD --source 192.168.1.0/255.255.255.0 --in-interface wlp2s0 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0390] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0393] Executing: /sbin/iptables --table filter --insert FORWARD --destination 192.168.1.0/255.255.255.0 --out-interface wlp2s0 --match state --state ESTABLISHED,RELATED --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0442] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0457] Executing: /sbin/iptables --table nat --insert POSTROUTING --source 192.168.1.0/255.255.255.0 ! --destination 192.168.1.0/255.255.255.0 --jump MASQUERADE

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0507] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <error> [1484754947.0513] device (wlp2s0): share: (wlp2s0) failed to start dnsmasq: Could not find "dnsmasq" binary

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0515] Executing: /sbin/iptables --table nat --delete POSTROUTING --source 192.168.1.0/255.255.255.0 ! --destination 192.168.1.0/255.255.255.0 --jump MASQUERADE

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0564] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0568] Executing: /sbin/iptables --table filter --delete FORWARD --destination 192.168.1.0/255.255.255.0 --out-interface wlp2s0 --match state --state ESTABLISHED,RELATED --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0624] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0627] Executing: /sbin/iptables --table filter --delete FORWARD --source 192.168.1.0/255.255.255.0 --in-interface wlp2s0 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0677] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0681] Executing: /sbin/iptables --table filter --delete FORWARD --in-interface wlp2s0 --out-interface wlp2s0 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0733] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0736] Executing: /sbin/iptables --table filter --delete FORWARD --out-interface wlp2s0 --jump REJECT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0802] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0804] Executing: /sbin/iptables --table filter --delete FORWARD --in-interface wlp2s0 --jump REJECT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0893] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0896] Executing: /sbin/iptables --table filter --delete INPUT --in-interface wlp2s0 --protocol udp --destination-port 67 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.0949] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.0956] Executing: /sbin/iptables --table filter --delete INPUT --in-interface wlp2s0 --protocol tcp --destination-port 67 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.1075] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.1077] Executing: /sbin/iptables --table filter --delete INPUT --in-interface wlp2s0 --protocol udp --destination-port 53 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.1148] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.1151] Executing: /sbin/iptables --table filter --delete INPUT --in-interface wlp2s0 --protocol tcp --destination-port 53 --jump ACCEPT

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.1209] ** Command returned exit status 3.

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.1210] device (wlp2s0): Activation: Stage 5 of 5 (IPv4 Commit) start sharing failed.

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.1211] device (wlp2s0): state change: ip-config -> failed (reason 'sharing-start-failed') [70 120 18]

Jan 18 17:55:47 [NetworkManager] <info>  [1484754947.1222] policy: disabling autoconnect for connection 'WIFI'.

Jan 18 17:55:47 [NetworkManager] <warn>  [1484754947.1240] device (wlp2s0): Activation: failed for connection 'WIFI'

```

So, it doesn't start WIFI without USE="connection-sharing". And why is it hardcoded to use iptables? I don't use it; I use nftables instead.

However, nm can start wifi in client mode, but if the mode is set to "Access Point", it requires iptables and dnsmasq.

----------

## cboldt

So start nm in client mode, and do the access point things (dnsmasq, firewall) independently.

I don't see that as a USE flag setting, unless the ebuild offers up varying NetworkManager.conf files, depending on the USE flag settings.

----------

## cord

*cboldt wrote:*

> So start nm in client mode, and do the access point things (dnsmasq, firewall) independently.

Be the client, but act as AP?

----------

## cboldt

Yep.  nm thinks it's the client, but you control the overall setup.

See NetworkManager.conf man page

https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html

----------

## cord

*cboldt wrote:*

> Yep.  nm thinks it's the client, but you control the overall setup.
> 
> See NetworkManager.conf man page
> 
> https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html

I don't understand. It requires an ssid to connect to (if we are a client).

```
# nmcli connection add con-name WIFI ifname wlp2s0 type wifi ip4 192.168.1.1/24
Error: 'ssid' argument is required.
# nmcli connection add con-name WIFI ifname wlp2s0 type wifi ip4 192.168.1.1/24 ssid mywifi
Connection 'WIFI' (3a309748-92dd-4ae8-b0d2-0d74de51c699) successfully added.
# nmcli connection up WIFI
Error: Connection activation failed (reason 'ssid-not-found').
#
```

----------

## cboldt

Hopefully somebody else can help you with nm - I've never used it.  I also have never set up a wireless access point.  I use them (a couple routers here, one playing router hooked to cable modem, one playing access point), but have not set up a Gentoo box to play access point.

What you are trying to do doesn't depend on using nm to get the job done.  I don't know if it (nm) eventually makes your task easier, or more difficult.

----------

## cord

Temporarily I rolled back to hostapd and set nm to NOT manage the wlp2s0 interface.

----------

## cboldt

Found this, not sure it is still effective ...

*Quote:*

> It is possible to pass custom options to the dnsmasq instance by adding them to files in the "${prefix}/etc/NetworkManager/dnsmasq.d/" directory.

----------

## cord

I didn't see any examples of using /etc/NetworkManager/dnsmasq.d/ for DHCP settings (IP range lease), only for DNS (resolv.conf / hosts).

Well, I will try to check it again tomorrow. Thanks.

----------

## cboldt

See the dnsmasq man page for dnsmasq settings.  I think nm will use configs it finds in ITS place (/etc/NetworkManager/dnsmasq.d/dnsmasq.conf) as it sets up dnsmasq.

I gave the dnsmasq switch for dhcp range and duration earlier ...

```
dhcp-range=192.168.0.2,192.168.0.32,255.255.255.0,10h
```

Change to suit your network, see if it takes.

----------

## cord

Yeah, Gentoo is the Mystery!

Today I switched back to nm and... it's working in AP mode without the forced start of the "sharing stuff" (nm-dnsmasq / iptables). So I start the system-wide dnsmasq (nftables are already configured) and it's all OK now. Looks like there is some 'cache' somewhere.

However, there's a strange line in the log:

```
Jan 19 16:02:47 [nm-dispatcher] req:1 'down' [wlp2s0], "/etc/NetworkManager/dispatcher.d/10-openrc-status": complete: failed with Script '/etc/NetworkManager/dispatcher.d/10-openrc-status' exited with error status 1.
```
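A pre-flight check for the system-wide dnsmasq that ends up serving the AP here, added as an example (not the poster's files): before starting it next to NetworkManager, confirm the `dhcp-range` pool lies inside the AP interface's subnet and does not include the AP's own address. The conf text below is constructed around the thread's values (192.168.1.1/24, pool .2-.3); `interface=`, `bind-interfaces` and `dhcp-range=` are standard dnsmasq directives.

```shell
#!/bin/sh
# Validate the DHCP pool in a dnsmasq.conf fragment against the AP address.
# DNSMASQ_CONF is constructed for this example; values are the thread's.

DNSMASQ_CONF='interface=wlp2s0
bind-interfaces
dhcp-range=192.168.1.2,192.168.1.3,255.255.255.0,10h
dhcp-option=option:router,192.168.1.1'

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_pool ROUTER_IP PREFIX_LEN CONF_TEXT
# Prints a one-line verdict; returns 0 only when the pool is usable.
check_pool() {
    range=$(printf '%s\n' "$3" | sed -n 's/^dhcp-range=//p' | head -n 1)
    [ -n "$range" ] || { echo "no dhcp-range"; return 1; }
    lo=${range%%,*}; rest=${range#*,}; hi=${rest%%,*}
    r=$(ip2int "$1"); l=$(ip2int "$lo"); h=$(ip2int "$hi")
    mask=$(( (0xffffffff << (32 - $2)) & 0xffffffff ))
    # Both ends of the pool must share the router's network prefix.
    if [ $(( l & mask )) -ne $(( r & mask )) ] || [ $(( h & mask )) -ne $(( r & mask )) ]; then
        echo "pool $lo-$hi outside $1/$2"; return 1
    fi
    if [ "$l" -gt "$h" ]; then echo "pool start above end"; return 1; fi
    # Handing out the router's own address would break every client.
    if [ "$r" -ge "$l" ] && [ "$r" -le "$h" ]; then
        echo "pool $lo-$hi contains router $1"; return 1
    fi
    echo "ok: $lo-$hi, $(( h - l + 1 )) addresses"
}

check_pool 192.168.1.1 24 "$DNSMASQ_CONF"
```

Run it with the real file via `check_pool 192.168.1.1 24 "$(cat /etc/dnsmasq.conf)"` and only start the service on a zero exit.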

----------

## cord

By default the config for nm-dnsmasq is hardcoded to /dev/null, see details here:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/blob/7d3a05d493afe705a1f3defb0c58d1a829c3604d/src/dnsmasq/nm-dnsmasq-manager.c#L137

so the sources need to be edited to enable it.

----------

