OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: phaze75 on July 16, 2025, 12:08:19 PM

Title: [SOLVED] 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 16, 2025, 12:08:19 PM
I just updated to 25.1.11 and my network is shot. Dnsmasq service won't start, throwing the error "failed to bind DHCP Server socket: Address already in use".

It tries to bind its DHCP socket although all interfaces are configured [no dhcp] within Dnsmasq General settings. I still use ISC DHCPv4, hence the conflict.

I guess this might be a bug in this release. Anyone else experiencing this?
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: franco on July 16, 2025, 12:37:12 PM
I think the reboot did it. The rest is configuration. Maybe you stopped ISC manually to let Dnsmasq run.


Cheers,
Franco
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 16, 2025, 04:04:49 PM
Unfortunately the issue persists after a reboot.
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: franco on July 16, 2025, 04:42:03 PM
That's exactly what I meant.


Cheers,
Franco
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 16, 2025, 05:01:55 PM
As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 16, 2025, 06:36:05 PM
Quote from: Monviech (Cedrik) on July 16, 2025, 05:01:55 PM
As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.

Thanks, that must be it! I have had a DHCP-range defined, because I wanted to switch from ISC-DHCP to dnsmasq-DHCP some time ago. I have stopped in midcourse and have left the DHCP-range as defined. I just have set [no dhcp] for all interfaces.

So I guess I will spend this evening and finally finish what I have started... ;-)
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 17, 2025, 10:00:25 PM
Quote from: Monviech (Cedrik) on July 16, 2025, 05:01:55 PM
As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.

You were right. I needed the better part of yesterday's (late) evening to confirm this. Btw: Is this behavior intentional? It seems a bit unintuitive not to say awkward tbh.

Anyway, at first, I tried to finish my half-baked migration from ISC DHCPv4 to dnsmasq DNS & DHCP, but although following the documentation by the word, recreating all hosts, DHCP ranges and DHCP options, I ended up in a complete mess. dnsmasq's DNS & DHCP service was running, debug logs were flawless, but it persistently failed to serve my hosts - whether connecting via LAN or WLAN. I must have checked, set and unset the [no dhcp] flags at least a dozen times, I restarted the service, I restarted the firewall. Nothing. Around midnight my frustration had grown that big, that I have eradicated all changes made to dnsmasq DNS & DHCP and set the [no dhcp] flags again for all adapters. So, I could at least confirm your solution.

Now I am running again my rock solid ISC DHCPv4 + dnsmasq combination - either I am simply too untalented or the dnsmasq DNS & DHCP service is really as confusing to configure and troubleshoot as it feels.

Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 17, 2025, 10:47:41 PM
There was quite some noise when dnsmasq DHCP was first introduced but there is not much going on lately so I assume it must indeed work for most people who use it.

In your case, you were probably unlucky or under stress, frustration is pretty much guaranteed in failure.

Just try it again sometime without pressure and things will work. Maybe give it another go on 25.7. I know for a fact dnsmasq works as I use it fully featured and developed quite some things for its current implementation in OPNsense.
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 17, 2025, 11:38:58 PM
You are right again - frustration is never a good companion. Couldn't help it though.

Anyway, I am currently trying again. Unfortunately, with the same result. I simply can't get DHCP to serve my hosts. They won't get an IP assigned, only 169.x.x.x.

I have a 192.168.0/24 network with .253 assigned to my access point. Did I miss something to enable on the DHCP side in order to serve the hosts querying through the AP?

Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 18, 2025, 06:37:11 AM
Can you share your /usr/local/etc/dnsmasq.conf?
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 18, 2025, 09:18:35 AM
Here it is - my little nightmare.

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#

rebind-localhost-ok
stop-dns-rebind

# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/xxxx.yyy/

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases

dns-forward-max=5000
cache-size=10000
local-ttl=1

conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf

dhcp-range=tag:igb1,192.168.0.1,192.168.0.99,86400

domain=xxxx.yyy,192.168.0.1,192.168.0.99

dhcp-host=xx:xx:xx:xx:24:21,192.168.0.101,host1
dhcp-host=xx:xx:xx:xx:8e:7f,192.168.0.102,host2
dhcp-host=xx:xx:xx:xx:ba:5e,192.168.0.106,host3
dhcp-host=xx:xx:xx:xx:ca:1c,192.168.0.110,host4
dhcp-host=xx:xx:xx:xx:8a:1e,192.168.0.111,host5
dhcp-host=xx:xx:xx:xx:25:6e,192.168.0.112,host6
dhcp-host=xx:xx:xx:xx:72:df,192.168.0.113,host7
dhcp-host=xx:xx:xx:xx:d9:d4,192.168.0.103,host8
dhcp-host=xx:xx:xx:xx:16:cb,192.168.0.109,host9
dhcp-host=xx:xx:xx:xx:1d:e6,192.168.0.253,accesspoint

dhcp-option=3,192.168.0.254
dhcp-option=6,192.168.0.254
dhcp-option=15,xxxx.yyy
dhcp-option=81
dhcp-option=42,192.168.0.254
dhcp-option=1,255.255.255.0



no-ident
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 18, 2025, 11:05:58 AM
I cannot see a line like this

interface=vlan0.1,vlan0.2

Can you check "Services: Dnsmasq DNS & DHCP: General: Default: Interface" and choose the interfaces there that DHCP should work on?

In your case igb1. That also generates the DHCP firewall rules.

Also you don't have to define any DHCP options if 192.168.0.254 is your router and your dns server (and it's the OPNsense), it will work automatically.

Here is my current working configuration for you to compare to:

root@opn03:/usr/local/etc # cat /usr/local/etc/dnsmasq.conf
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#

rebind-localhost-ok
stop-dns-rebind

port=53

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=vlan0.1,vlan0.2,vlan0.3,vlan0.12,vlan0.13,vlan0.14

dhcp-fqdn
domain=lan.internal
# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/lan.internal/
local=/admin.internal/
local=/ad.internal/
local=/gast.internal/
local=/dmz.internal/
local=/dns.internal/
local=/docker.internal/
local=/captive.internal/

dhcp-authoritative
enable-ra

# Never forward addresses in the non-routed address spaces.
bogus-priv

server=/*/127.0.0.1#53053
rebind-domain-ok=/*/
server=/facebook.com/127.0.0.1#53053
ipset=/facebook.com/dnsmasq_facebook_com
rebind-domain-ok=/facebook.com/
server=/youtube.com/127.0.0.1#53053
ipset=/youtube.com/dnsmasq_youtube_com
rebind-domain-ok=/youtube.com/
server=/microsoft.com/127.0.0.1#53053
ipset=/microsoft.com/dnsmasq_microsoft_com
rebind-domain-ok=/microsoft.com/
server=/google.com/127.0.0.1#53053
ipset=/google.com/dnsmasq_google_com
rebind-domain-ok=/google.com/

# Never forward to servers in /etc/resolv.conf
no-resolv

# Never forward plain names (without a dot or domain part)
domain-needed

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases

dns-forward-max=5000
cache-size=10000
local-ttl=1

conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf

dhcp-range=tag:igc0,192.168.11.100,192.168.11.110,86400

domain=admin.internal,igc0
dhcp-range=tag:vlan0.1,172.16.0.100,172.16.0.199,86400

domain=ad.internal,vlan0.1
dhcp-range=tag:vlan0.2,172.16.1.100,172.16.1.199,86400

domain=gast.internal,vlan0.2
dhcp-range=tag:vlan0.12,10.0.0.20,10.0.0.29,86400

domain=dmz.internal,vlan0.12
dhcp-range=tag:vlan0.13,10.1.1.250,10.1.1.250,86400

domain=dns.internal,vlan0.13
dhcp-range=tag:vlan0.14,10.16.1.101,10.16.1.110,86400

domain=docker.internal,vlan0.14
dhcp-range=tag:vlan0.1,::,::ff,constructor:vlan0.1,slaac,ra-names,64,86400

domain=ad.internal,vlan0.1
ra-param=vlan0.1,60,1200

dhcp-range=tag:vlan0.2,::,::ff,constructor:vlan0.2,slaac,ra-names,64,86400

domain=gast.internal,vlan0.2
ra-param=vlan0.2,60,1200

dhcp-range=tag:vlan0.12,::,::ff,constructor:vlan0.12,slaac,ra-names,64,86400

domain=dmz.internal,vlan0.12
ra-param=vlan0.12,60,1200

dhcp-range=tag:vlan0.13,::,::ff,constructor:vlan0.13,slaac,ra-names,64,86400

domain=dns.internal,vlan0.13
ra-param=vlan0.13,60,1200

dhcp-range=tag:vlan0.14,::,::ff,constructor:vlan0.14,slaac,ra-names,64,86400

domain=docker.internal,vlan0.14
ra-param=vlan0.14,60,1200

dhcp-range=tag:vlan0.3,::,::ff,constructor:vlan0.3,slaac,ra-names,64,86400

domain=captive.internal,::,::ff
ra-param=vlan0.3,60,1200

dhcp-host=XX:16:a8:XX:1b:bb,10.0.0.25,host1
dhcp-host=XX:89:ab:XX:51:f7,172.16.0.77,host2
dhcp-host=XX:a1:59:XX:b9:f6,172.16.0.121,host3

dhcp-option=option6:23,[::]

# default dns mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0

no-ident
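
Added example, not part of any forum post and not OPNsense code: a small POSIX sh audit of a generated dnsmasq.conf for the two pitfalls described in this thread (a leftover dhcp-range makes dnsmasq bind UDP 67, and a missing interface= line means no interface was explicitly selected). The function names are hypothetical, and it is an assumption that the GUI's [no dhcp] flag is rendered as dnsmasq's no-dhcp-interface= option; files pulled in via conf-dir are not inspected.

```shell
#!/bin/sh
# audit_dnsmasq_conf and count_opt are hypothetical helper names.

# Count active (uncommented) lines whose option key equals $1 in file $2.
count_opt() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key); if (key == k) n++ }
        END { print n + 0 }' "$2"
}

# Print "ok" or a space-separated list of findings for one config file.
audit_dnsmasq_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 2
    fi
    ranges=$(count_opt dhcp-range "$conf")
    ifaces=$(count_opt interface "$conf")
    nodhcp=$(count_opt no-dhcp-interface "$conf")   # assumed [no dhcp] rendering
    findings=""
    if [ "$ranges" -gt 0 ]; then
        # Per the thread: any dhcp-range makes dnsmasq bind port 67.
        findings="binds-udp67"
        if [ "$ifaces" -eq 0 ]; then
            # Per the thread: no explicit interface, so no DHCP firewall rules.
            findings="$findings no-interface-line"
        fi
        if [ "$nodhcp" -gt 0 ]; then
            # Per the thread: [no dhcp] ignores packets but keeps the socket.
            findings="$findings no-dhcp-does-not-unbind"
        fi
    fi
    echo "${findings:-ok}"
}

# Constructed sample: leftover range, DHCP disabled on igb1, no interface= line.
sample=$(mktemp)
printf '%s\n' 'stop-dns-rebind' \
    'dhcp-range=tag:igb1,192.168.0.1,192.168.0.99,86400' \
    'no-dhcp-interface=igb1' > "$sample"
audit_dnsmasq_conf "$sample"
rm -f "$sample"
```

On the firewall itself, `sockstat -4 -l -p 67` shows which process currently holds the DHCP port, which settles whether ISC or dnsmasq owns it.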

Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 18, 2025, 12:16:52 PM
Quote from: Monviech (Cedrik) on July 18, 2025, 11:05:58 AM
I cannot see a line like this

interface=vlan0.1,vlan0.2

Can you check "Services: Dnsmasq DNS & DHCP: General: Default: Interface" and choose the interfaces there that DHCP should work on?

In your case igb1. That also generates the DHCP firewall rules.


You are my hero! Choosing "LAN" as interface did the trick. But why doesn't it work if it is set to "All"? Is this intentional?
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 18, 2025, 02:33:49 PM
Yeah right now it works as expected. Firewall rules will only be created for explicitly selected interfaces there.

https://github.com/opnsense/core/blob/2d6795c1477a0cb4a8d5f3d2c00e2ea955aa43a0/src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.php#L432-L447

In the main docs it says it here in the main setup tutorial:

https://github.com/opnsense/docs/blob/8b9ae8e47871cf5925738fe45046e52dd9072e8f/source/manual/dnsmasq.rst?plain=1#L504

Great that it works for you.

Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 18, 2025, 02:50:36 PM
Quote:
Interface

Interface IPs used to responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

Looking at the OPNsense documentation Dnsmasq DNS & DHCP (https://docs.opnsense.org/manual/dnsmasq.html) this is imho not entirely clear. Maybe it should be added, that the relevant interfaces must be explicitly selected and the selection must not be "All". This information would have helped me a lot. What do you think?
Title: Re: 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: Monviech (Cedrik) on July 18, 2025, 02:53:12 PM
Yeah sure the service will respond, but only if the correct firewall rules exist.

There are two different concepts at play here:

- Dnsmasq will respond (service - dnsmasq)
- Firewall must allow that (service - pf (packet filter))

https://github.com/opnsense/docs/blob/8b9ae8e47871cf5925738fe45046e52dd9072e8f/source/manual/dnsmasq.rst?plain=1#L168-L170
Title: Re: [SOLVED] 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 18, 2025, 04:04:51 PM
You are absolutely right - still I believe you are missing my point here:

I just checked again. If I remove all selections in the "Interface" drop-down field, it jumps back to the standard text/label displaying "All". And this is definitely wrong, because then no interface is selected to be active - and no firewall rules will be added - even if the setting "DHCP register firewall rules" is checked. This is even more confusing.

Instead the standard text/label of the "Interface" drop-down field should display "None". Then it is absolutely clear, that currently no interface is selected to be active.

This would be an easy fix.
Title: Re: [SOLVED] 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]
Post by: phaze75 on July 18, 2025, 06:47:51 PM
I just opened a new issue in GitHub:

https://github.com/opnsense/core/issues/8954