IP Route config with NetworkManager

Hello everyone,

I am connecting to the internet with WireGuard on external interfaces (wlan0 or cdc-wdm0) and sharing it over internal interfaces (wlan1, eth0 and usb0).

When I set up IP on the internal interfaces with NetworkManager as ‘shared’, all routing works.

However, I want to use an alternative DNS server instead of dnsmasq, but I did not find a way to stop NetworkManager from using dnsmasq except by setting up the internal interfaces with a static/manual IP, in which case dnsmasq is not used. But in that case the routing does not work either, even though ip route looks the same.

Thus I wonder if anyone would have a suggestion on how to either:

  • disable/stop NetworkManager from using dnsmasq for DNS (and DHCP)

  • set up the routing for a static/manual IP so that it actually works with WireGuard

Hi @hobbitus,

Please see Manually Setting DNS Servers at:

Hope this helps!

This also might help:

NetworkManager - ArchWiki

the whole thing, especially
Section 4.7.1.1

To not use dnsmasq, comment out what is in there or remove the file altogether :man_shrugging:

Thank you both; quite obviously I visited those pages previously, but they do not provide a solution to my enquiry.

I am not looking for ways to set up DNS or dnsmasq, but to either stop NetworkManager from using dnsmasq for ‘shared’ interfaces, or modify the route so it works correctly with a manual IP.

The config for eth0 is simple and the only difference is whether
method=shared or method=manual

In both cases

$ nmcli
eth0: connected to LAN
        "Realtek RTL8152"
        ethernet (r8152), 00:E0:4C:36:00:8F, hw, mtu 1500
        inet4 10.42.0.1/24
        route4 10.42.0.0/24 metric 100

However, if method=shared, NetworkManager uses dnsmasq:

$ lsof -nP -iTCP -sTCP:LISTEN
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 4707 nobody    7u  IPv4  16220      0t0  TCP 10.42.0.1:53 (LISTEN)
$ systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; preset: disab>
     Active: active (running) since Mon 2023-01-16 17:30:22 UTC; 8min ago
       Docs: man:NetworkManager(8)
   Main PID: 2978 (NetworkManager)
      Tasks: 4 (limit: 3272)
     Memory: 24.5M
        CPU: 4.007s
     CGroup: /system.slice/NetworkManager.service
             ├─2978 /usr/bin/NetworkManager --no-daemon
             └─4073 /usr/bin/dnsmasq --conf-file=/dev/null --no-hosts --keep-in-foreground >

and devices connected to eth0 can ping IP addresses on the internet.

If method=manual, NetworkManager does not use dnsmasq, but no device connected to eth0 can ping an IP on the internet.

$ lsof -nP -iTCP -sTCP:LISTEN
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
$ systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; preset: disab>
     Active: active (running) since Mon 2023-01-16 18:00:27 UTC; 2h 22min ago
       Docs: man:NetworkManager(8)
   Main PID: 2970 (NetworkManager)
      Tasks: 3 (limit: 3272)
     Memory: 23.0M
        CPU: 11.534s
     CGroup: /system.slice/NetworkManager.service
             └─2970 /usr/bin/NetworkManager --no-daemon

Without any success I have tried various options to stop NetworkManager from using dnsmasq (e.g. dns=none in the config file); if method=shared, it always uses dnsmasq for that interface.

The IP route is always the same, regardless of the method used:

$ ip route
default via 172.17.17.1 dev wlan0 proto dhcp src 172.17.17.151 metric 600 
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100 
172.17.17.0/24 dev wlan0 proto kernel scope link src 172.17.17.151 metric 600 

Interestingly, it never displays the WireGuard connection, even though it is always on, over wlan0 or cdc-wdm0.

Thus, my question is how to somehow disable DNS/dnsmasq or set up a route which would work.

Thank you for your time.

… only re the dnsmasq part of your question - you want to disable it being used by NetworkManager

It would not be used if the config for it didn’t exist.
This is the file in
/etc/NetworkManager/conf.d/

I don’t know nearly enough about networking to comprehend your setup.

I just noticed what seems to be a key difference re dnsmasq in your output of

systemctl status NetworkManager

yours says:

CGroup: /system.slice/NetworkManager.service
             ├─2978 /usr/bin/NetworkManager --no-daemon
             └─4073 /usr/bin/dnsmasq --conf-file=/dev/null --no-hosts --keep-in-foreground >

mine says:

CGroup: /system.slice/NetworkManager.service
             ├─533 /usr/bin/NetworkManager --no-daemon
             └─621 /usr/bin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --clear-on-reloa>

a very different configuration, it seems

How do you end up running dnsmasq with these options?

I did not do any configuration at all - just the file
/etc/NetworkManager/conf.d/dns.conf
with the content:

[main]
dns=dnsmasq

I did nothing else -
no configuration change,
no starting dnsmasq (no systemd service for it active),
that is done by NetworkManager - just because that file is present.

I hope this might help you.

Thank you for that.
I do not have a file in /etc/NetworkManager/conf.d/ at all, and I did try e.g. dns=none in /etc/NetworkManager/conf.d/dns.conf or /etc/NetworkManager/conf.d/99-dont-touch-my-dns.conf etc.

How do you share it? Which program/config do you use for the sharing part?

… then I really do wonder why dnsmasq is even running :man_shrugging:
Its mere presence (merely installed) will not cause that.

I use NetworkManager for sharing :slight_smile:

The setup is very simple:
The ‘external’ interface wlan0 connects to an available WiFi network, and WireGuard connects over wlan0 (alternatively it could be cdc-wdm0).

The internal eth0 or wlan1 are configured as ‘hotspots’, also with NetworkManager: simply method=shared, and NetworkManager takes care of it.

All this works fine and without any issues. The challenge is that I would like to filter the DNS requests, i.e. use a different DNS server than dnsmasq.
Thus I want to disable dnsmasq; I would not mind if dnsmasq is on but listens on another port than :53.
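An added example, not from any poster in this thread, for the "filter the DNS requests" part. It relies on the /etc/NetworkManager/dnsmasq-shared.d/ drop-in directory that NetworkManager.conf(5) documents for the dnsmasq instance of method=shared connections (assumption: the installed NetworkManager version honours it; the script checks the dnsmasq command line for --conf-dir afterwards). The connection name "LAN" and eth0/10.42.0.1 are taken from the nmcli output above; the upstream resolver addresses (192.0.2.53, 198.51.100.53) are documentation placeholders to be replaced with the filtering resolver you actually want.

```shell
#!/bin/sh
# Added example (not from the thread): keep NetworkManager's method=shared
# sharing, but stop its dnsmasq from resolving through /etc/resolv.conf and
# forward only to a chosen (filtering) resolver, via the dnsmasq-shared.d
# drop-in directory described in NetworkManager.conf(5).
# ASSUMPTIONS: NM honours /etc/NetworkManager/dnsmasq-shared.d (checked
# below), the shared connection is named "LAN", and the resolver addresses
# passed in are placeholders.

DROPIN=/etc/NetworkManager/dnsmasq-shared.d/10-upstream.conf
CONN=${CONN:-LAN}

# Print the drop-in for "forward to these resolvers only".
# $1 = space-separated upstreams in dnsmasq server= syntax
#      (e.g. "192.0.2.53" or "127.0.0.1#5335" for a local filtering resolver).
render_dropin() {
    printf '# drop-in for NetworkManager shared connections (dnsmasq-shared.d)\n'
    # Never read /etc/resolv.conf: on this box it points at the ISP/VPN resolver.
    printf 'no-resolv\n'
    for up in $1; do
        printf 'server=%s\n' "$up"
    done
    # Do not leak unqualified names or private reverse lookups upstream.
    printf 'domain-needed\nbogus-priv\n'
}

# Alternative answer to "dnsmasq may stay on but not on :53": port=0 disables
# dnsmasq's DNS function entirely (DHCP keeps running), freeing :53 on the
# shared address for another resolver. Clients are told to use $1 for DNS.
render_dhcp_only() {
    printf 'port=0\n'
    printf 'dhcp-option=option:dns-server,%s\n' "$1"
}

# Root required. $1 = "forward" | "dhcp-only", $2 = argument for the renderer.
install_dropin() {
    mkdir -p "$(dirname "$DROPIN")"
    if [ "$1" = dhcp-only ]; then
        render_dhcp_only "$2" > "$DROPIN"
    else
        render_dropin "$2" > "$DROPIN"
    fi
    # NM spawns a fresh dnsmasq each time a shared connection activates,
    # so bounce the connection to pick up the drop-in.
    nmcli connection down "$CONN" && nmcli connection up "$CONN"
    # Verify the running instance was started with the drop-in directory;
    # if not, this NM build does not support it and the file is ignored.
    if ps -o args= -C dnsmasq | grep -q -- '--conf-dir=/etc/NetworkManager/dnsmasq-shared.d'; then
        echo "dnsmasq restarted with dnsmasq-shared.d drop-ins"
    else
        echo "warning: dnsmasq not started with --conf-dir=/etc/NetworkManager/dnsmasq-shared.d" >&2
    fi
}

# Usage: sh nm-shared-dns.sh render            (show the forwarding drop-in)
#        sudo sh nm-shared-dns.sh apply "192.0.2.53 198.51.100.53"
#        sudo sh nm-shared-dns.sh apply-dhcp-only 10.42.0.1
case "${1:-render}" in
    render)          render_dropin "${2:-192.0.2.53 198.51.100.53}" ;;
    dhcp-only)       render_dhcp_only "${2:-10.42.0.1}" ;;
    apply)           install_dropin forward "${2:-192.0.2.53 198.51.100.53}" ;;
    apply-dhcp-only) install_dropin dhcp-only "${2:-10.42.0.1}" ;;
esac
```

After applying, `dig @10.42.0.1 example.com` from a client should be answered by the upstream you configured; with the dhcp-only variant, `lsof -nP -iUDP:53` must no longer show dnsmasq, so the replacement resolver can bind 10.42.0.1:53.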

For example, if NM is used for the sharing part: NM uses and requires dnsmasq for it, to be used as a DNS and DHCP server.

NM requires dnsmasq for that. It is, afaik, a hard requirement for connection sharing.

NetworkManager uses dnsmasq for DHCP and caching DNS. Thus if the config is method=shared, NetworkManager uses dnsmasq to provide the IP and DNS.
If the config is method=manual, NetworkManager does not use dnsmasq, but then the route somehow does not work correctly, and I do not know why.

aha - thanks
this is definitely above my paygrade then

I got from the Arch wiki that it will only be used when you tell NetworkManager to do so - by having that file in that place …

I know, which is why I would be happy to use method=manual, but then how to get the route right?

Every day is an opportunity to learn something new…

One option I am considering is to remove the internal interfaces eth0 and wifi1 from management by NM and do them manually. It is additional work, but I think there is an option to tell NM not to manage specific interfaces.

PS:

[keyfile]
unmanaged-devices=interface-name:eth0

in /etc/NetworkManager/conf.d/unmanaged.conf does the trick, but I don’t know if that would help with the route :confused:

You can do that, but as long as you use NM for connection sharing, dnsmasq is started by NM.

Personally, I would not use NM for this. Set up the appropriate firewall rules for the NAT; it is not that complicated. If you don’t want to use a DHCP server, you need to configure all client systems with a static IP, but if you only do IPv4 it is not that complex. The NAT rules are usually more complex.

Do you know if there is any option to force dnsmasq to use a different port than :53?

Sharing is not that much about IP routes. It is about iptables or, nowadays, nftables rules.
Of course you might call it a firewall, but it can do a lot more.
Your WireGuard VPN is also all about “firewall” rules; the routing happens in there.

dnsmasq alone, yes; in combination with NM, I don’t think so. NM uses a temporarily created config with dnsmasq.
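An added example, not from any poster in this thread, for the "set up the appropriate firewall rules for the NAT" advice and the method=manual routing problem. With method=shared NetworkManager enables IPv4 forwarding and adds a masquerade rule for the shared subnet; with method=manual it does neither, which is consistent with the identical ip route output above. The script below does those two things by hand with nftables, and pins the egress to the tunnel so client traffic is dropped rather than leaked via wlan0 if the tunnel is down. Assumptions (placeholders, not from the thread): the WireGuard interface is called wg0; the LAN side is eth0 with 10.42.0.0/24 as in the nmcli output. The route check at the end exists because a wg-quick style tunnel with a default route installs that route in a separate routing table selected by an ip rule, so it does not appear in plain `ip route`.

```shell
#!/bin/sh
# Added example (not from the thread): the forwarding + NAT that method=shared
# sets up for you, done by hand so an interface with method=manual (or one
# listed as unmanaged) can share the WireGuard tunnel.
# ASSUMPTIONS: tunnel interface wg0, LAN interface eth0, LAN 10.42.0.0/24.
WAN_IF=${WAN_IF:-wg0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.42.0.0/24}

# Emit the nftables ruleset: masquerade LAN sources leaving via the tunnel,
# forward LAN->tunnel only, let replies back, and drop LAN traffic that
# would otherwise be forwarded out of any other interface (no VPN bypass).
render_ruleset() {
    cat <<EOF
table inet nmshare {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
        iifname "$LAN_IF" oifname != "$WAN_IF" counter drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $LAN_NET oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Root required. Rules go in before forwarding is switched on, so there is
# no window in which LAN packets are forwarded unfiltered.
apply_ruleset() {
    nft delete table inet nmshare 2>/dev/null || true
    render_ruleset | nft -f -
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    echo "forwarding enabled, NAT for $LAN_NET via $WAN_IF installed"
}

# Show where the tunnel's default route actually lives: the main table
# ("ip route") only has the wlan0 default; a wg-quick style tunnel keeps its
# default route in its own table selected by an fwmark ip rule.
show_routes() {
    ip rule show
    ip route show table all | grep -v '^local'
    nft list table inet nmshare 2>/dev/null || echo "nmshare table not loaded"
}

# Usage: sh nm-share-nat.sh render      (print the ruleset)
#        sudo sh nm-share-nat.sh apply  (install it + enable forwarding)
#        sh nm-share-nat.sh show        (rules and all routing tables)
case "${1:-render}" in
    render) render_ruleset ;;
    apply)  apply_ruleset ;;
    show)   show_routes ;;
esac
```

To make it persistent, save the rendered ruleset into the distribution's nftables config and set net.ipv4.ip_forward=1 in a sysctl.d drop-in; clients then need a static address in 10.42.0.0/24 with 10.42.0.1 as gateway, since nothing is handing out DHCP leases any more.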