
Configuring TomatoUSB to work with Active Directory

Discussion in 'Networking Issues' started by Ice Drake, Mar 11, 2018.

  1. Ice Drake

    Ice Drake Network Newbie Member

    I am trying to figure out the correct configuration for my router and server. I want my router running TomatoUSB to handle DHCP requests while both router and server cooperatively handle DNS requests. The current problem I think I am having is that I can't figure out how to configure my router properly.

    Currently, I have the router (192.168.1.1) assigning devices dynamic IP addresses in the range from 192.168.1.2 to 192.168.1.51 via DHCP. For certain devices, it will statically assign an IP address based on the hostname (192.168.1.100 to 192.168.1.200). Doing so allowed me to keep the network configuration setting on those devices to "automatically obtain IP address and DNS server address" from my router. My router, of course, will assign those devices a static-like IP address since their hostname is unique and consistent. I did this for my server as well. So my server IP address always remains the same, which is 192.168.1.101, since its hostname is consistent. The problem comes when I tried to join a computer to the Active Directory. It complains about the DNS setting configuration, which both the server and the router are hosting.

    After studying the problem for a bit, it seems that I can configure my router to set up all devices to forward all DNS requests to the server as their primary DNS server and have the router as their secondary DNS server. The issue is that I can't figure out how to even do that on my router.
     
    Last edited: Mar 11, 2018
  2. Sean B.

    Sean B. LI Guru Member

    Put this in the custom configuration box under Advanced->DHCP/dns in the router's GUI:

    Code:
    dhcp-option=tag:br0,option:dns-server,X,Y
    This is assuming the network you are speaking of is on the br0 bridge. X would be primary server, Y would be secondary server. This sets the DNS servers dnsmasq gives the clients during the DHCP exchange.

    And in regards to setting specific IP addresses to hostnames using DHCP, the term you're looking for is "DHCP reservation" rather than static IP.
     
  3. Ice Drake

    Ice Drake Network Newbie Member

    That was exactly what I needed. I have been trying to make sense out of reading the man page of dnsmasq, but I can't make any sense out of it. Thank you so much.
     
  4. Ice Drake

    Ice Drake Network Newbie Member

    Well, I am back with a broken Active Directory when IPv6 is enabled. After doing more research and meddling with the configuration a bit, here is my new configuration:
    Code:
    # other network
    dhcp-range=set:other,192.168.1.2,192.168.1.200
    dhcp-option=tag:other,option:dns-server,192.168.1.101,192.168.1.1
    dhcp-option=option6:dns-server,[X],[Y]
    
    # linux network
    dhcp-range=set:linux,192.168.1.202,192.168.1.254
    dhcp-mac=set:linux,A
    dhcp-option=tag:linux,option:dns-server,192.168.1.201,192.168.1.1
    dhcp-option=tag:linux,option6:dns-server,[Z],[Y]
    where X is the IPv6 address of the first DNS server (IPv4 address of 192.168.1.101), Y is the IPv6 address of the router LAN (IPv4 address of 192.168.1.1), and Z is the IPv6 address of the second DNS server (IPv4 address of 192.168.1.201). A is the MAC address of a particular server (IPv4 address of 192.168.1.203).

    I want the devices with IPv4 address from 192.168.1.202 to 192.168.1.254 to use Z as primary DNS and all other devices to use X as primary DNS. Y will be the alternative DNS for all devices.

    The configuration I have is somewhat working, but not entirely. Here is what I have observed:
    1. Two systems running Windows 10 (IPv4 address of 192.168.1.102 & 192.168.1.107) have been assigned to Y, 192.168.1.101, & 192.168.1.1 as DNS servers, but X is missing.
    2. One system running Windows Vista (IPv4 address of 192.168.1.80) has been assigned X, Y, and 192.168.1.1 as DNS servers, but 192.168.1.101 is missing.
    3. One Linux system with MAC address of A is assigned to Y and 192.168.1.201 as DNS servers, but X and 192.168.1.1 are missing. Maybe it is due to the limitation of the Linux OS?
    4. One Linux system with IPv4 address of 192.168.1.201 is assigned to 192.168.1.1, X, and Y as DNS servers. Only this system has the correct configuration. Why?
    It seems there must be something that I don't understand.

    By the way, I am currently running Dnsmasq version 2.73.
     
  5. Sean B.

    Sean B. LI Guru Member

    What IPv6 implementation are you running for your LAN? DHCPv6, SLAAC, or both?
     
  6. Ice Drake

    Ice Drake Network Newbie Member

    I am kind of new to IPv6. I think both, as the settings for "Announce IPv6 on LAN (SLAAC)" and "Announce IPv6 on LAN (DHCP)" are checked. After researching the two configurations, it seems that it may be the source of the problem. For Windows 10 clients, they use SLAAC, but for Linux, they use DHCPv6; however, how does this affect the IPv4 DNS server configuration? Unless my configuration is not correct? Also, is it not possible to assign a DNS server for Windows 10 clients if they use SLAAC?
     
    Last edited: Mar 28, 2018
  7. Sean B.

    Sean B. LI Guru Member

    I would recommend running DHCPv6 only, as both Windows 10 and Linux (at least the main distros) are compatible with it. I can confirm this as I run both systems on my LAN with DHCPv6. I would also recommend configuring DHCPv6 yourself rather than having Tomato do it. To do so, uncheck both the SLAAC and DHCPv6 options in the GUI, then put this in the dnsmasq custom config box (assuming you're enabling this on the br0 interface; if not, then change accordingly):

    Code:
    enable-ra
    dhcp-range=tag:br0,::100,::254,constructor:br0,64,1440m
    This enables router advertisements and DHCPv6 on the br0 interface, as well as configures DHCPv6 to create a dynamic pool using the IPv6 prefix from the br0 interface with a range of ::100 to ::254. To keep things organized I suggest adding all the IPv6 related directives together underneath these.

    I'm guessing under Basic->Network you still have DHCP enabled for the br0 interface? If so, your additional dhcp-range directives for IPv4 are going to conflict, as they will clearly overlap since you've covered the entire subnet.

    What I would recommend to do:

    Under Basic->Network in the GUI, configure the br0 interface with DHCP enabled and a corresponding range to one of your custom directives. We'll use the "other" network, so set the range to 192.168.1.2 - 192.168.1.200.

    Now, Tomato sets a tag on each range configured in the GUI already, and you cannot set more than one tag on the range. So instead, just use the br0 tag it sets instead of "other" for your directives.

    For the "linux" network you can now use your dhcp-range directive without overlapping anything, and therefore not conflict with the tag/addresses set by Tomato's GUI.
     
    Last edited: Mar 28, 2018
  8. Sean B.

    Sean B. LI Guru Member

    Example:

    This should be correct for the configuration you're trying to achieve. This is intended to work in conjunction with br0 configured in Basic->Network with DHCP enabled and the range set as 192.168.1.2-200, and the options for DHCPv6 and SLAAC unchecked in Advanced->DHCP/dns.

    Code:
    dhcp-range=set:linux,192.168.1.202,192.168.1.254
    dhcp-mac=set:linux,A
    dhcp-option=tag:br0,option:dns-server,192.168.1.101,192.168.1.1
    dhcp-option=tag:linux,option:dns-server,192.168.1.201,192.168.1.1
    enable-ra
    dhcp-range=tag:br0,::2,::200,constructor:br0,64,1440m
    dhcp-option=tag:br0,option6:dns-server,[X],[Y]
    dhcp-range=set:linux,::202,::254,constructor:br0,64,1440m
    dhcp-option=tag:linux,option6:dns-server,[Z],[Y]
    Also, the dhcp-range directive for IPv4 you stated would encompass the 192.168.1.101 DNS server IP you're sending to clients. I wouldn't think you'd want that IP to be inside of the dhcp dynamic pool, and rather have it reserved for the DNS server. If I'm correct, amend the range or add a dhcp reservation for the server via a dhcp-host directive.
     
    Last edited: Mar 28, 2018
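As an added illustration (not code from this thread or from dnsmasq itself), a small Python model of how dnsmasq's set:/tag: matching decides which dns-server option a client receives, using the IPv4 lines of the configuration above. It assumes the GUI-generated br0 range carries the tag "br0", that a client gets the tags of the range its lease falls in plus those of any matching dhcp-mac line, that among applicable options the one with the most tags wins, and that with no applicable option dnsmasq advertises itself (the router).

```python
import ipaddress

# Constructed copy of the IPv4 lines of the final configuration in this thread,
# plus the br0 range Tomato's GUI generates (assumed to carry the tag "br0").
# "A" is the placeholder the thread uses for the Linux server's MAC address.
CONFIG = """
dhcp-range=set:br0,192.168.1.2,192.168.1.200
dhcp-range=set:linux,192.168.1.202,192.168.1.254
dhcp-mac=set:linux,A
dhcp-option=tag:br0,option:dns-server,192.168.1.101,192.168.1.1
dhcp-option=tag:linux,option:dns-server,192.168.1.201,192.168.1.1
"""

def parse(config):
    """Split each directive into its set:/tag: names and its remaining fields."""
    ranges, macs, options = [], [], []
    for line in config.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().partition("=")
        fields = rest.split(",")
        tags = {f.split(":", 1)[1] for f in fields if f.startswith(("set:", "tag:"))}
        args = [f for f in fields if not f.startswith(("set:", "tag:"))]
        if key == "dhcp-range":     # set: tags apply to clients leased from this range
            ranges.append((tags, ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])))
        elif key == "dhcp-mac":     # set: tags apply to clients with this MAC
            macs.append((tags, args[0].lower()))
        elif key == "dhcp-option":  # sent only when every tag: name is present
            options.append((tags, args[0], args[1:]))
    return ranges, macs, options

def client_tags(ranges, macs, mac, leased_ip):
    # Tags a client carries, given the lease dnsmasq handed it (assumed model)
    ip = ipaddress.ip_address(leased_ip)
    tags = set()
    for rtags, lo, hi in ranges:
        if lo <= ip <= hi:
            tags |= rtags
    for mtags, m in macs:
        if m == mac.lower():
            tags |= mtags
    return tags

def dns_servers(config, mac, leased_ip, router="192.168.1.1"):
    """Resolve option:dns-server: the applicable option with the most tags wins;
    with no applicable option dnsmasq advertises itself (the router)."""
    ranges, macs, options = parse(config)
    tags = client_tags(ranges, macs, mac, leased_ip)
    best = None
    for otags, name, values in options:
        if name == "option:dns-server" and otags <= tags and (best is None or len(otags) > len(best[0])):
            best = (otags, values)
    return best[1] if best else [router]
```

A host leased at 192.168.1.201 with an unknown MAC falls outside both ranges, carries no tag, and so receives only the router as DNS server.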
  9. Ice Drake

    Ice Drake Network Newbie Member

    Yeah, I do need to keep br0 configured in Basic->Network with DHCP enabled, so I can reserve certain IPv4 addresses to new hosts and to allow monitoring of devices on the network over IPv4 through the GUI.

    You are correct that the dhcp-range directive for IPv4 I set would encompass 192.168.1.101. It was because I didn't quite understand the functioning of this command:
    Code:
    dhcp-range=set:other,192.168.1.2,192.168.1.200
    I thought it meant assigning all hosts within that IPv4 address range to the "other" tag, not assigning all hosts to that IP range. That is why I have basic DHCP enabled from 192.168.1.2 to 192.168.1.100. Of course, this setting, as you mentioned, would conflict with the command above. So I ended up using the br0 tag as you suggested.

    As for IPv6, staying anonymous is an issue since it isn't as easy as in IPv4. And I realize that using just DHCPv6 disables the temporary IPv6 self-addressing that Windows offers. On the other hand, using just SLAAC doesn't allow a specific DNS server designation to go through. In the end, I found the configuration below that works for both.
    Code:
    # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
    # so that clients can use SLAAC addresses as well as DHCP ones.
    dhcp-range=1234::2, 1234::500, slaac
    Finally, I am done with all the router configurations. Thanks again! Time to move on to configuring for Active Directory.
     
  10. Sean B.

    Sean B. LI Guru Member

    Just so you're aware, using DHCP with IPv6 is no less anonymous than it is with IPv4. The temporary addressing used in Windows is only a benefit when SLAAC auto-configuration is enabled, which is when hosts make their own IPv6 IP using the prefix sent in the router advertisements. This is because the auto-configuration protocol for SLAAC uses the host's MAC address in combination with the received prefix and a mathematical algorithm to create the remaining bits (most commonly 64) not set by the prefix of a full 128-bit IPv6 address. The resulting IPv6 address can be reverse calculated to obtain the MAC address of the host. This is not an issue with DHCPv6, in any way.
     
