I completed a successful install of OPNsense and Adguard Home in a new router PC. It works well. My former router PC is now a backup and a hobby machine.
My install includes about 30 static DHCP reservations using the ISC DHCPv4 menu selection. I think it was the default.
I later read that DNSmasq should have been used for my small home install because ISC is end of life. I took a look and decided I have no idea how to properly configure it or how to migrate or install my current static reservations. The documentation makes no real sense to me. On pfSense, all I had to do to change DHCP backends was check off a box.
So, what is the recommended path, and if it involves changing over to DNSmasq, can the DHCP reservations be moved automatically? My DHCP pool is 256 devices but only about 50 are auto-config and the rest are for static reservations if needed. The ISC page was easy to understand. The other 2 are not.
Thanks.
Right now the documentation on Dnsmasq is ahead in time; the DHCP feature has not been released yet. It reflects what is available in the System: Firmware: Settings: Type: "Development" branch of the repository, not the community branch.
There is no issue with still using ISC for now, just wait a bit and the new Dnsmasq features will be released, probably in 25.1.6. If you want to try them early switch to the development branch.
Dnsmasq has an "import and export csv" feature which can import the static host reservations.
Quote from: Monviech (Cedrik) on April 09, 2025, 04:12:49 PM
> Dnsmasq has an "import and export csv" feature which can import the static host reservations
Hi, no offence intended, but as the OP wrote: in pfSense it was just a tick box to switch to new DHCP. No "export/import". If the export/import works reliably, just do it with the tick box and the community will be happy!
Actually, all three DHCP services (Kea, ISC and DNSmasq) could be served from the same stock of static reservations which consist of:
- Static ARP
- MAC address
- IP address
- Hostname
- Description
I had the migration problem for ISC -> Kea DHCP in a similar way. It would be way easier to switch if there were no separate sections in the config.xml. Not everyone is capable of doing these things with XSLT like this:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>
  <!-- Wrap every ISC <staticmap> found anywhere in config.xml in a <reservations> list -->
  <xsl:template match="/">
    <reservations>
      <xsl:apply-templates select="//staticmap"/>
    </reservations>
  </xsl:template>
  <!-- Map one ISC static mapping onto the Kea reservation element names -->
  <xsl:template match="staticmap">
    <reservation>
      <!-- UUID is replaced in Python -->
      <xsl:attribute name="uuid">PLACEHOLDER_UUID</xsl:attribute>
      <subnet>PLACEHOLDER_SUBNET_UUID</subnet>
      <ip_address><xsl:value-of select="ipaddr"/></ip_address>
      <hw_address><xsl:value-of select="mac"/></hw_address>
      <hostname><xsl:value-of select="hostname"/></hostname>
      <description><xsl:value-of select="descr"/></description>
    </reservation>
  </xsl:template>
</xsl:stylesheet>
#! /usr/bin/python
import uuid
import sys
from lxml import etree

# Check that an input file and a subnet UUID were passed as arguments
if len(sys.argv) < 3:
    print("Please give an input file and a subnet UUID as parameters!")
    print("Example: python transform.py input.xml 39a4a48d-4ed6-43d3-9b54-d44dd7397221")
    sys.exit(1)
subnet_uuid = sys.argv[2]  # subnet UUID taken from the argument
xml_input = sys.argv[1]

# XML and XSLT files
xslt_file = "transform.xslt"
output_file = "output.xml"

# Load the XML document and the XSLT stylesheet
xml_tree = etree.parse(xml_input)
xslt_tree = etree.parse(xslt_file)
transform = etree.XSLT(xslt_tree)

# Apply the XSLT transformation
result_tree = transform(xml_tree)

# Replace the UUID placeholders
output_str = str(result_tree)

# Give every reservation its own random UUID (one placeholder per pass)
while "PLACEHOLDER_UUID" in output_str:
    output_str = output_str.replace("PLACEHOLDER_UUID", str(uuid.uuid4()), 1)

# Insert the subnet UUID in the right place
output_str = output_str.replace("PLACEHOLDER_SUBNET_UUID", subnet_uuid)

# Save the transformed XML to a file
with open(output_file, "w", encoding="utf-8") as f:
    f.write(output_str)
print(f"Transformation complete. Result saved to {output_file}")
dnsmasq supports multiple mac addresses and multiple ipv4 and ipv6 addresses per single reservation entry. So it's a bit different in its capabilities.
Also partial ipv6 addresses that get automatically constructed via dynamic prefix on interfaces.
Overlap is not quite there regarding the other available services.
Hmmm, but if only the new (DNSmasq) option is more feature-rich, then there is no problem with moving to this option, right? Or are you referring to the use of a single "DHCP" section in config.xml for all three DHCP servers?
I did not mean DHCPv6, only DHCPv4. I would always argue for SLAAC with IPv6 unless you have a static prefix.
Even if DNSmasq offers multiple IPv4s per MAC, there is nothing forcing the GUI to offer that feature - I fail to see why it is useful, UNLESS these IPs are in different subnets/VLANs - and that is well possible in ISC DHCP.
As for feature incompatibility for IPv6 with dynamic prefixes, this would probably be only an interpretation of the upper 64 bits? IDK DNSmasq, but I imagine that if you use something like ::1111:2222:3333:4444, it is interpreted as "use interface prefix"?
It also offers multiple MAC addresses per single IPv4 address, eg if your laptop traverses between lan and wifi.
And of course also multiple IPs in different subnets in a single host.
Read the man page of dnsmasq, it's pretty awesome :)
(dhcp-host)
I use dnsmasq as a standalone DHCP server for dozens of VLANs (Pihole as DNS + unbound and chrony as NTP) and it's pretty good, never had a problem with that. The only feature I am missing on it is HA or a native sync because I run two of them.
Quote:
> dnsmasq supports multiple mac addresses and multiple ipv4 and ipv6 addresses per single reservation entry. So its a bit different in its capabilities.
I missed this when I moved to OPN. I was a dnsmasq user on dd-wrt. My use was the dhcp reservation for freebsd jails that were not vnet, back when vnet wasn't much known. So I could have various IP-to-same-mac assignments, with a different attribute to distinguish, like a hostname.
Still useful.
Quote from: Seimus on April 10, 2025, 10:39:59 AM
> I use dnsmasq as a standalone DHCP server for dozen of VLANs (Pihole as DNS + unbound and chrony as NTP) and its pretty good, never had a problem with that. The only feature I am missing on it is a HA or a native sync because I run two of them.
There is no native sync but we have thought about HA scenarios and implemented something that allows to skip configuration sync for DHCP and use a DHCP reply delay.
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-for-small-ha-setups
Quote from: Monviech (Cedrik) on April 10, 2025, 11:37:20 AM
> Quote from: Seimus on April 10, 2025, 10:39:59 AM
> > I use dnsmasq as a standalone DHCP server for dozen of VLANs (Pihole as DNS + unbound and chrony as NTP) and its pretty good, never had a problem with that. The only feature I am missing on it is a HA or a native sync because I run two of them.
> There is no native sync but we have thought about HA scenarios and implemented something that allows to skip configuration sync for DHCP and use a DHCP reply delay.
> https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-for-small-ha-setups
Nice! Basically you are using the dhcp-reply-delay=x, where x = seconds, option that is supported by dnsmasq.
I am using this as well on dnsmasq to make sure primary is mainly giving out the IPs. While still syncing the DHCP static reservation list ;)
This way with keepalived, I can assure devices reach the Primary for DNS+DHCP+NTP and in case of failure Secondary overtakes this functionality.
Glad to see you actually thought about this already.
Regards,
S.
Quote from: Monviech (Cedrik) on April 09, 2025, 07:20:12 PM
> It also offers multiple MAC addresses per single IPv4 address, eg if your laptop traverses between lan and wifi.
That's a nice idea. My current reservation list has several duplicates for wireless vs wired PCs and 5 GHz vs 2.4 GHz on cell phones. I'll take a closer look.
Is there any magic sauce in dnsmasq that will allow IPv6 SLAAC addresses to be resolved to hostnames in OPNsense logs? I know that's where DHCPv6 can be helpful but really hoping for a solution for SLAAC client traceability.
Yes, check out the ra-names directive in the dnsmasq man page. It's also supported in the new GUI that comes.
Darn... so close.
man(8) dnsmasq:
Quote:
> ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an AAAA record is added to the DNS for this IPv6 address. Note that this only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac.
Putting aside the future-proofing issue of IPv4 dependency, privacy extensions are important to me as a home internet user. As a home network admin however it's like flying blind without traceability in things like DNS and pf logs.
The designers of IPv6 are not without a twisted sense of humor, it seems.
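As an added illustration of the step the quoted ra-names text describes (this is example code written for this thread, not dnsmasq's own implementation), the script below derives the modified EUI-64 SLAAC address a host would form from the MAC address in its IPv4 lease, and checks whether a given address carries the FF:FE marker at all, which is exactly what a privacy-extension address lacks. The prefix, MAC addresses and the temporary address are constructed sample values; the ping that dnsmasq performs before publishing the AAAA record is left out so the example runs offline.

```python
# Added example, not dnsmasq code: reproduce the name-derivation half of
# ra-names and show why RFC 4941 temporary addresses cannot be matched.
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # 0xFFFE is inserted between the OUI and the device part, and the
    # universal/local bit (bit 1 of the first octet) is inverted.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host without privacy extensions forms from an advertised /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def looks_eui64(addr: str) -> bool:
    """True if the interface identifier carries the FF:FE marker, i.e. it was
    derived from a MAC rather than generated randomly (RFC 4941 temporary address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def ra_names_guess(prefix: str, leases: dict) -> dict:
    """What ra-names would try to publish as AAAA records. leases maps
    hostname -> MAC, as taken from the IPv4 lease table. dnsmasq then pings
    each guess and only keeps the ones that answer; that step is omitted here."""
    return {name: str(slaac_address(prefix, mac)) for name, mac in leases.items()}


# Constructed sample data, not taken from any real network.
SAMPLE_PREFIX = "2001:db8:1::/64"
SAMPLE_LEASES = {"laptop": "00:1B:63:84:45:E6", "printer": "b8:27:eb:00:11:22"}

if __name__ == "__main__":
    for name, addr in ra_names_guess(SAMPLE_PREFIX, SAMPLE_LEASES).items():
        print(f"{name:8} AAAA {addr}  eui64={looks_eui64(addr)}")
    # A privacy-extension address from the same host: no FF:FE marker, so
    # there is nothing for ra-names to derive it from.
    temp = "2001:db8:1:0:7c4a:9f11:3b2e:1d0a"
    print(f"temporary {temp}  eui64={looks_eui64(temp)}")
```

The practical consequence for log traceability is visible in the last line: a host using temporary addresses shows up in the pf and DNS logs under an identifier that was never derived from its MAC, so neither ra-names nor this script can map it back to a hostname without a DHCPv6 lease.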
Now, that I installed a test installation of OpnSense with the development version and had a look at it, I have a few questions/observations:
1. Even standard options like DNS server, NTP server, gateway or netmask are now separated out into several DHCP options that are indirectly referenced via "tags". This was much easier with ISC DHCP, because those standard options could be specified per interface.
How to specify some options is unclear, e.g. how should the IPv4 netmask be given? Say, "/24", "24" or "255.255.255.0"?
2. Considering that the XML specification is somewhat complex (e.g. every host entry has its own UUID and references tags by UUID), the option to import CSV is useful for migration if no other means is available (like discussed before). However, there are no CSV export options for ISC DHCP or Kea as of yet. These would be highly desirable if no other means are provided.
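Added example, written for this thread and not OPNsense or dnsmasq project code: it does the ISC-side half of the migration discussed above, and also demonstrates the multi-MAC reservation mentioned earlier. It reads every <staticmap> from a config.xml backup using the same element names the XSLT earlier in the thread relies on (mac, ipaddr, hostname, descr), checks each reservation against the interface subnet and for malformed MACs and conflicting owners, and then folds the wired/wireless duplicates into a single dhcp-host= line with several hardware addresses, the form the dnsmasq man page documents for a standalone dnsmasq. Assumptions: the sample config.xml is constructed, the dhcpd/<ifname>/staticmap nesting is my reading of the backup layout, and the {interface: CIDR} map is supplied by the operator, just as the subnet UUID is an argument to the script above. The generated lines are for a dnsmasq.conf, not for the OPNsense GUI's CSV importer, whose column format is not documented on this page.

```python
# Added example, not OPNsense project code: extract ISC static mappings from
# config.xml, sanity-check them, and emit dnsmasq dhcp-host lines.
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Reservation:
    iface: str      # interface element name under <dhcpd>, e.g. "lan"
    mac: str        # normalised to lower case
    ip: str
    hostname: str
    descr: str


def load_reservations(xml_text: str) -> list:
    """Collect every <staticmap> below <dhcpd>/<ifname>. The element names
    ipaddr/mac/hostname/descr are the ones the XSLT in this thread uses;
    the dhcpd/<ifname> nesting is an assumption of this example."""
    dhcpd = ET.fromstring(xml_text).find("dhcpd")
    if dhcpd is None:
        return []
    found = []
    for iface_el in dhcpd:
        for sm in iface_el.findall("staticmap"):
            def text(tag):
                el = sm.find(tag)
                return (el.text or "").strip() if el is not None else ""
            found.append(Reservation(iface_el.tag, text("mac").lower(),
                                     text("ipaddr"), text("hostname"), text("descr")))
    return found


def validate(reservations: list, subnets: dict) -> list:
    """Return a list of problems. subnets maps interface name -> CIDR and is
    supplied by the operator (like the subnet UUID argument of the script above)."""
    problems, owner = [], {}
    for r in reservations:
        label = r.hostname or r.mac
        if not MAC_RE.match(r.mac):
            problems.append(f"{label}: malformed MAC {r.mac!r}")
        try:
            ip = ipaddress.ip_address(r.ip)
        except ValueError:
            problems.append(f"{label}: malformed IP {r.ip!r}")
            continue
        net = subnets.get(r.iface)
        if net is None:
            problems.append(f"{label}: no subnet known for interface {r.iface!r}")
        elif ip not in ipaddress.ip_network(net):
            problems.append(f"{label}: {r.ip} lies outside {r.iface} subnet {net}")
        # Two MACs on one IP is fine for dnsmasq (one host, two NICs), but two
        # different hostnames on one IP is a genuine conflict.
        prev = owner.setdefault(r.ip, r.hostname)
        if prev != r.hostname:
            problems.append(f"{r.ip}: claimed by both {prev!r} and {r.hostname!r}")
    return problems


def to_dhcp_host_lines(reservations: list) -> list:
    """Merge entries sharing (ip, hostname) into one dhcp-host= line carrying
    several hardware addresses, the form dnsmasq accepts for a laptop that
    roams between LAN and Wi-Fi. Run validate() first; nothing is filtered."""
    groups = defaultdict(lambda: ([], []))
    for r in reservations:
        macs, descrs = groups[(r.ip, r.hostname)]
        macs.append(r.mac)
        if r.descr and r.descr not in descrs:
            descrs.append(r.descr)
    lines = []
    for (ip, hostname), (macs, descrs) in sorted(groups.items()):
        if descrs:
            lines.append("# " + "; ".join(descrs))
        fields = sorted(set(macs)) + [ip] + ([hostname] if hostname else [])
        lines.append("dhcp-host=" + ",".join(fields))
    return lines


# Constructed sample backup, not a real installation.
SAMPLE_CONFIG_XML = """<opnsense><dhcpd><lan>
<staticmap><mac>00:1B:63:84:45:E6</mac><ipaddr>192.168.1.20</ipaddr><hostname>laptop</hostname><descr>laptop wired</descr></staticmap>
<staticmap><mac>a4:83:e7:10:22:31</mac><ipaddr>192.168.1.20</ipaddr><hostname>laptop</hostname><descr>laptop wifi</descr></staticmap>
<staticmap><mac>b8:27:eb:00:11:22</mac><ipaddr>192.168.2.50</ipaddr><hostname>pi</hostname><descr></descr></staticmap>
<staticmap><mac>de:ad:be:ef</mac><ipaddr>192.168.1.21</ipaddr><hostname>printer</hostname><descr>lobby</descr></staticmap>
</lan></dhcpd></opnsense>"""
SAMPLE_SUBNETS = {"lan": "192.168.1.0/24"}

if __name__ == "__main__":
    res = load_reservations(SAMPLE_CONFIG_XML)
    for p in validate(res, SAMPLE_SUBNETS):
        print("WARNING:", p)
    print("\n".join(to_dhcp_host_lines(res)))
```

Two of the four sample entries are deliberately bad (an address outside the LAN subnet and a truncated MAC) so the warnings show what the subnet check rejects; the two laptop entries collapse into one dhcp-host line with both MACs, which is the case ISC needed two mappings for.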
1. Just create a range with an interface and then create the option(s) with an interface.
You do not need to use the tag system, it's for advanced usecases.
When a DHCP Discover enters a network interface, Dnsmasq will automatically set a tag with the interface name that received this packet. That is what you select with the interface selectpicker in options or ranges.
Yesterday I improved the selectpicker where you can select interfaces in, if you select it and press the add button in a grid the interface will be preselected.
https://github.com/opnsense/core/commit/e72077c376c08b51ffe01e42da135d8a29850067
You'll find me in the Kea department ... ;-)
That's okay, we support both DHCP servers.
https://docs.opnsense.org/manual/dhcp.html
Quote from: meyergru on April 17, 2025, 03:07:12 PM
> 2. Considering that the XML specification is somewhat complex (e.g. every host entry has its own UUID and references tags by UUID), the option to import CSV is useful for migration if no other means if available (like discussed before). However, there are no CSV export options for ISC DHCP or Kea as of yet. These would be highly desireable if no other means are provided.
https://github.com/opnsense/core/issues/8075#issuecomment-2799938354
I started on OPNsense a few months ago with Kea. But I quickly moved to ISC as static mappings were not really enforced and some devices couldn't get an address.
If you choose to move to dnsmasq (which I happily used years ago), do you have to use it for DNS also, or can you stay with Unbound?
Read this for a full overview:
https://docs.opnsense.org/manual/dnsmasq.html
I moved to Kea with 24.7, with Unbound. Given either sufficient patience for expiry or a client reboot I have had no problems with IP reservations working.
I was initially put off by some of the discussions around Kea, but in practice I found it is a well laid out and easy to use and manage DHCP, and is mainstream so given there is nothing in DNSmasq for my needs I will stay with that.
Quote from: Patrick M. Hausen on April 17, 2025, 03:41:39 PM
> You'll find me in the Kea department ... ;-)
Aaand ... landed.
At home at least, and completely painless to boot.
For work I definitely need custom/vendor options. Is that on the roadmap? I might try and implement it myself.
Quote from: Patrick M. Hausen on April 30, 2025, 09:19:35 PM
> For work I definitely need custom/vendor options. Is that on the roadmap? I might try and implement it myself.
To answer my own question: yes, being worked on.
https://github.com/opnsense/core/pull/7361
Hi all.
Where can I find the documentation for the format of the CSV import file?
-- I created one sample entry and exported a CSV file to get the format, but when providing now a few lines of CSV in exactly this format, it does throw errors.
IIRC each IP in the static import must lie within an existing Kea subnet.