I have a relatively simple network consisting of:
x.x.1.x LAN
x.x.2.x VLan 1
x.x.3.x VLan 2
x.x.4.x VLan 3
Everything runs fine with unbound and KEA.
I do the following:
1) Disable Unbound and KEA (dhcp4).
2) I enable dnsmasq on port 53 with Lan, Vlan1, Vlan2, VLan3 interfaces.
3) I enable firewall rules for dhcp - The firewall rules are only created in LAN
4) I add static ips through "host" tab
5) I enable DHCP ranges using x.x.X.100 thru 150 for each vlan
6) I added server, dns and server search options for x.x.1.1
Can't get dhcp to work.
Is there a write-up on how to migrate from unbound/KEA to using dnsmasq and an outside dns provider like 1.1.1.1 or 9.9.9.9?
Thanks in advance,
D
Do you see any blocked DHCP traffic for the VLANs in the firewall live view? Your post says that you only have firewall rules for the LAN.
Can't answer your question, but I am curious why you would want to switch away from a working setup that will continue to be supported and improved by OPNsense in future versions?
Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
Everything runs fine with unbound and KEA.
Sounds like it is not broken, so what are you trying to fix or to improve?
1) I would like to move away from Unbound/KEA to dnsmasq as it SHOULD BE a simpler setup, simpler to maintain and use less resources (i.e. more efficient). Further, it should be more understandable for people doing maintenance who are less experienced.
2) Using dnsmasq as exclusive provider for dns/dhcp (with or without VLans) should be a supported configuration
3) With respect to Firewall rules, activating the firewall rules in setup only creates rules for LAN, none of the VLans. I have added PASS rules for in and out on ports 67/68, on the vlans, but still no dhcp.
**It would be nice if the config option to generate fw rules would do so for all enabled interfaces. Not sure why it only creates rules for LAN.
D
The code automatically creates firewall rules for all chosen interfaces, and even for interfaces chosen in dhcp ranges.
The only thing that must be done is reloading the firewall manually right now to load these new rules.
Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
2) I enable dnsmasq on port 53 with Lan, Vlan1, Vlan2, VLan3 interfaces.
3) I enable firewall rules for dhcp - The firewall rules are only created in LAN
This doesn't seem right. So in Services: Dnsmasq DNS & DHCP --> General, under Interfaces you can see all your interfaces selected there (4 in total)?
If that is the case and you have "DHCP register firewall rules" and you applied the settings, the firewall rules should be created for all those interfaces?
For each respective interface, there should be three rules in the "Automatically generated rules" with the Description "allow access to DHCP server".
The rules are only being created in LAN, no other vlan gets rules generated!
D
Just confirmed that KEA creates 2 firewall rules in all vlans and lan.
When stopped, and dnsmasq started, dnsmasq is only creating 3 rules in LAN. dnsmasq is NOT creating rules in other vlans.
D
Do you see any blocked DHCP traffic for the VLANs in the firewall live view?
I have the exact same issue. dnsmasq does not create firewall rules for chosen interfaces. Adding them manually doesn't seem to work and I can't find any error messages generated in the logs. Adding floating rules doesn't seem to work either. With firewall rules in place I can see the port 67 and 68 traffic being passed, but no leases are ever negotiated. I gave up after trying a few times. I'll wait for a future update when it's more fully baked.
I am confirming that as well. I see no blocks in the logs. Have fully opened Vlan and Lan (pass in/out), tried to create FW rules for vlan manually. Seems like Dhcp does NOT work if KEA/Unbound were used previously. Any other ideas to try?
D
Quote from: davidfi01 on May 16, 2025, 09:38:19 PM
I am confirming that as well. I see no blocks in the logs. Have fully opened Vlan and Lan (pass in/out), tried to create FW rules for vlan manually. Seems like Dhcp does NOT work if KEA/Unbound were used previously. Any other ideas to try?
No other things to try here. Weird that your FW rules are getting created in all networks using the KEA toggle, but that it doesn't happen with dnsmasq.
That being said, I can't agree with the statement that dhcp does not work if KEA/Unbound were used previously. I was using KEA/Unbound for months prior to dnsmasq DHCP being released and am now up and running with DHCP and DNS services exclusively via dnsmasq.
This is not the case here. I used ISC DHCP before and the rules get created as "pfctl -vvsr | fgrep -i 'bootp'" clearly shows.
However, as the help text for the DHCP firewall rules says:
"Automatically register firewall rules to allow dhcp traffic for all explicitly selected interfaces, can be disabled for more fine grained control if needed. Changes are only effective after a firewall service restart (see system diagnostics)."
I have not tried to the contrary, but I selected the interfaces explicitly (first field on the general tab) and I restarted my firewall after enabling the checkbox.
I also verified that the service actually starts and does not hit a misconfiguration, which is still easy to achieve because of some missing validations. I made sure that none of the other DHCP services were still active, thus preventing DNSmasq from starting. Also, there were still some glitches that have been hotfixed in the latest version 25.1.6_4, so I run that.
FWIW, I migrated from ISC->KEA and now trying to get dnsmasq to work. Not sure what is preventing fw rules from being created w/dnsmasq.
@Drinyth - are you running multiple Vlans? If you disable dnsmasq and re-enable kea dhcp4, does kea re-insert fw rules in vlans? After resetting back to dnsmasq, does dnsmasq reinstall fw rules on vlans?
D
Quote from: davidfi01 on May 17, 2025, 03:02:17 PM
@Drinyth - are you running multiple Vlans? If you disable dnsmasq and re-enable kea dhcp4, does kea re-insert fw rules in vlans? After resetting back to dnsmasq, does dnsmasq reinstall fw rules on vlans?
Yes. I'm running multiple VLANs here.
If I disable dnsmasq, all of the firewall rules that were set for it get removed. Enabling KEA will insert the KEA firewall rules in the VLANs. Removing KEA will remove the firewall rules. And lastly, turning dnsmasq back on will put the dnsmasq firewall rules back in for all VLANs.
Interesting. I only see 3 rules created by dnsmasq in the LAN vlan. No rules are created in any of the other vlans. Are you using static addresses or only dhcp?
@davidfi01: Are you aware that DNSmasq DNS and DHCP interfaces are a different thing (just asking)?
FWIW: When you enable the "advanced options" switch, you will see a list of interfaces that are not bound to DHCP.
OMG .... Thanks for this response!!!
Yes, I understand diff between dns & dhcp.
NO, I was unaware that the advanced settings had "interface NO DHCP" option. Of course all my vpn interfaces were listed there. As soon as I removed them, guess what....? Problem solved.
Not sure how those got set as I never used the advanced interface option. Don't recall seeing any description of advanced interface options in opnsense documentation.
As soon as I removed the vlans from "interface no dhcp" dns/dhcp started working.
THANK YOU!!!
D
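The two checks the thread converges on are (a) whether pf actually carries the auto-generated "allow access to DHCP server" rules on every interface (the `pfctl -vvsr | fgrep -i 'bootp'` check above) and (b) whether an interface selected for DNS also ended up in the hidden "Interface [no dhcp]" list, which stops dnsmasq from answering DHCP there. The script below is an added example, not code from the thread or from OPNsense: it runs both checks over constructed sample data. The pf rule lines and the interface names (vtnet0, vlan0.2 and so on) are made up, and it assumes OPNsense writes the "Interface [no dhcp]" field to dnsmasq's `no-dhcp-interface=` option.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vvsr | fgrep -i bootp` output. Only the LAN
# interface (vtnet0, made up) carries the three auto-generated DHCP rules;
# the VLAN interfaces carry none, which is the symptom from the thread.
SAMPLE_PF_RULES='@12 pass in quick on vtnet0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
@13 pass in quick on vtnet0 inet proto udp from any port = bootpc to 192.0.2.1 port = bootps keep state label "allow access to DHCP server"
@14 pass out quick on vtnet0 inet proto udp from 192.0.2.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"'

# Constructed dnsmasq.conf fragment reproducing the misconfiguration found in
# the thread: all interfaces are selected for DNS, but the VLANs are also in
# no-dhcp-interface, so dnsmasq serves DNS there but never hands out leases.
# (Assumption: OPNsense maps "Interface [no dhcp]" to this dnsmasq option.)
SAMPLE_DNSMASQ_CONF='interface=vtnet0
interface=vlan0.2
interface=vlan0.3
interface=vlan0.4
no-dhcp-interface=vlan0.2
no-dhcp-interface=vlan0.3
no-dhcp-interface=vlan0.4
dhcp-range=set:lan,192.0.2.100,192.0.2.150,24h'

# Print every interface that carries at least one bootps (DHCP server) rule.
dhcp_rule_ifaces() {
    printf '%s\n' "$1" |
        awk '/bootps/ { for (i = 1; i <= NF; i++) if ($i == "on") print $(i + 1) }' |
        sort -u
}

# Count the DHCP server rules on one interface (the thread expects three).
dhcp_rule_count() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        /bootps/ { for (i = 1; i <= NF; i++) if ($i == "on" && $(i + 1) == ifn) n++ }
        END { print n + 0 }'
}

# Given the space-separated list of interfaces that should serve DHCP and the
# pfctl output, print the interfaces that have no DHCP rule at all.
missing_dhcp_rules() {
    expected=$1
    rules=$2
    have=" $(dhcp_rule_ifaces "$rules" | tr '\n' ' ') "
    for ifn in $expected; do
        case "$have" in
            *" $ifn "*) ;;
            *) printf '%s\n' "$ifn" ;;
        esac
    done
}

# Print interfaces listed under interface= that are also listed under
# no-dhcp-interface=: DNS works there, DHCP silently does not.
dns_only_ifaces() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "interface"         { dns[$2] = 1 }
        $1 == "no-dhcp-interface" { nodhcp[$2] = 1 }
        END { for (i in dns) if (i in nodhcp) print i }' | sort
}

# Report over the constructed samples when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "Interfaces with DHCP rules in pf:"
    dhcp_rule_ifaces "$SAMPLE_PF_RULES"
    echo "Interfaces missing DHCP rules:"
    missing_dhcp_rules "vtnet0 vlan0.2 vlan0.3 vlan0.4" "$SAMPLE_PF_RULES"
    echo "Interfaces selected for DNS but excluded from DHCP:"
    dns_only_ifaces "$SAMPLE_DNSMASQ_CONF"
fi
```

To run the same checks against a live box, replace SAMPLE_PF_RULES with the output of `pfctl -vvsr | fgrep -i bootp` and SAMPLE_DNSMASQ_CONF with the contents of the dnsmasq configuration OPNsense generates; an interface that appears in the "missing DHCP rules" list needs the firewall reloaded (as noted earlier in the thread), while one that appears in the "DNS but excluded from DHCP" list needs removing from the advanced "Interface [no dhcp]" field.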
Fixed my issue also. I stumbled on this earlier today and I came here to post the update. All the interfaces I had selected were automatically also selected for "no DHCP" option and hidden in the advance toggle switch. Once I deselected all of them, my leases started working.
Quote from: djr92 on May 18, 2025, 03:15:38 AM
All the interfaces I had selected were automatically also selected for "no DHCP" option and hidden in the advance toggle switch.
I just tried this on a fresh 25.1.6_4 installation - this did not happen here. The default for the "no DHCP" interfaces is "nothing selected" after selecting interfaces for DNS, so I reckon you must have done something to change that manually at some point.
If this were like you say, I would have opened a Github issue.
I have now run into this issue as well. I am a total OPNsense noob ... though I have a year of pfsense under my belt. I followed the documentation very carefully to configure Unbound and Dnsmasq to work together. I followed the example configuration steps in "DHCP4 with DNS Registration". "DHCP register firewall rules" has been checked since the beginning. After I was done, I noted that the Dnsmasq service failed to start. Logs pointed me to the issue. I disabled the ISC DHCP4 service and manually restarted the Dnsmasq Service. So far, so good. Then I noticed no rules had been created with respect to DNS on any of my interfaces. Based on this thread, I verified that the Dnsmasq General Tab listed all the interfaces (physical and VLAN) I had created (except WAN) in the "Interface" field, and under Advanced Mode the "Interface [no dhcp]" field says "Nothing selected". I did a System - Diagnostics - Packet Filter - Restart and when this changed nothing, I did a Power - Reboot. Can anyone offer any suggestions for things to check? Thanks.
POSTSCRIPT: Never mind. Noob GUI interface ignorance. I didn't realize all the autogenerated rules are collapsed into their own folder. The 3 "allow access to DHCP server" rules are on each interface.