I have an ISP lab and I have tested MikroTik RouterOS routers with dnsmasq as the DHCP server. RouterOS does not accept dnsmasq DHCP offers, and according to MT support they do not intend to try to fix this bug.
They do not support dnsmasq; they do support isc-dhcpd.
isc-dhcpd works fine with RouterOS.
@filippo_carletti What do you recommend, contact dnsmasq developers?
(There is probably something that is not 100% RFC compatible in their DHCP offer compared to isc-dhcpd.)
@pike not really…
If dnsmasq sends a non-RFC-compliant packet then I’m fine dropping it.
I think that any isc-dhcpd compliant device should have priority on top of dnsmasq compliant.
tcpdump to the rescue.
I can capture both from isc-dhcpd and dnsmasq to compare…
I believe dnsmasq does bad things since I have seen it in action (though I have not yet tested the DHCP down to the tcpdump level, only the DNS part).
@pike I have verified that this issue is not related to MikroTik in any way.
Well, I had some time to investigate this issue, since I knew that it works as expected on physical hardware devices but not on VMs.
The root cause of this issue has been known to me for a couple of years now and I was sure it had been fixed/resolved, but it seems like a very unique issue to KVM.
The networking stack of KVM implements hardware IP packet checksum offloading.
Dnsmasq relies on the OS checksum of UDP packets.
Due to this, the DHCP offer broadcast is checksummed wrongly when it exits to the network.
There are several security appliances which enforce software checksum calculation when running on top of any virtualization platform.
Two possible solutions on the DHCP server side to avoid offloading all UDP traffic:

    iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill

or to disable offload of all transmitted traffic:

    /sbin/ethtool --offload eth0 tx off
Thanks for research, reporting and references.
It’s quite a strange environment that allows this behavior to happen, but I do not understand where the corrections you hint at need to be applied.
On the host or on the guest of the NethServer installation?
@pike Inside the VM, i.e. the guest.
The Citrix docs have more detailed information about the subject.
Like Citrix NetScaler, MikroTik has HW checksum offload disabled by default.
The setup is:
A CentOS 7 KVM hypervisor which has an internal network.
There are 2 guest VMs hosted in the setup.
1 - MikroTik RouterOS CHR VM with 2 NICs
2 - VyOS/NethServer/CentOS 7/Alpine/Ubuntu/Debian/Others… with 2 NICs and dnsmasq as DHCP+DNS
The setup uses only virtio NICs…
On the internal network the dnsmasq server has 192.168.1.254/24 and the MikroTik tries to get an IP lease from dnsmasq.
RouterOS broadcasts a DHCP request
Dnsmasq receives the request and sends an offer
RouterOS receives the UDP packet, but since the checksum verification of the packet failed, the kernel drops the packet
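
An added example, not part of the thread: a Python check that classifies the UDP checksum of a DHCP offer the way a receiver verifies it, and tells a finished checksum apart from the pseudo-header-only value that Linux leaves in the field when TX checksum offload is expected to complete it. The packet bytes are constructed, only 192.168.1.254 comes from the thread, and all function names are hypothetical.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071), not complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero, protocol 17 (UDP), UDP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)

def udp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum a receiver expects: pseudo-header + segment with the field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    value = ~csum16(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF
    return value or 0xFFFF  # 0 is reserved for "no checksum", so it is sent as 0xFFFF

def classify(src: str, dst: str, segment: bytes) -> str:
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return "no-checksum"
    if stored == udp_checksum(src, dst, segment):
        return "valid"
    # Linux TX offload leaves only the pseudo-header sum here for the NIC to finish;
    # seeing it on the wire means nothing completed the checksum.
    if stored == csum16(pseudo_header(src, dst, len(segment))):
        return "partial-offload"
    return "corrupt"

def build_offer(src: str, dst: str, offloaded: bool) -> bytes:
    # Constructed minimal BOOTREPLY: 236-byte BOOTP header, magic cookie, option 53 = OFFER
    payload = b"\x02\x01\x06\x00" + bytes(232) + b"\x63\x82\x53\x63\x35\x01\x02\xff"
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", 67, 68, length, 0) + payload
    pseudo_sum = csum16(pseudo_header(src, dst, length))
    field = pseudo_sum if offloaded else udp_checksum(src, dst, seg)
    return seg[:6] + struct.pack("!H", field) + seg[8:]

SERVER, BROADCAST = "192.168.1.254", "255.255.255.255"  # server address from the thread

if __name__ == "__main__":
    for offloaded in (False, True):
        print(offloaded, classify(SERVER, BROADCAST, build_offer(SERVER, BROADCAST, offloaded)))
```

To use it on real traffic, pass the UDP header and payload bytes from a capture taken on the receiving side, since a capture on the sending guest shows the unfinished value even when the checksum is completed later.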