Hello all - first of all, thanks for all the work on the 25.7 release.
I upgraded from 25.1.12 today and everything went well.
After upgrading to 25.7 I migrated from ISC to dnsmasq following the guide and the DHCPv4 with DNS registration example, but I have the AdGuard Home plugin on OPNsense and I think this is where my issue is. My configuration is:
Adguard on port 53
Unbound on port 5335
dnsmasq on port 53053
My main network (VLAN01 192.168.1.1/24) is working fine with AdGuard - Unbound - dnsmasq.
On my guest network (VLAN20 192.168.20.1/24) I get a DHCP lease/IP correctly, but web pages will not load. I think I need to change a setting/option so that the DHCP lease uses the DNS server / AdGuard on my main network.
I have tried adding DHCP options in the dnsmasq settings but I can't get it to work.
Any suggestions to try greatly appreciated
A bit of additional info that I think explains why it's not working, but I'm not sure how to solve it.
If I connect to the VLAN20 guest network on 192.168.20.1/24, I can no longer ping any IP on the main network 192.168.1.1/24 - so no wonder I don't have internet!
I have not changed any firewall rules and all was working before, so maybe this is a routing issue stopping requests being forwarded.
Looking at the dnsmasq log I can see this warning message from time to time: no upstream servers configured
Maybe a stupid question, but: does dnsmasq provide a gateway for the guest net?
I am using dnsmasq for DHCP and Unbound DNS for DNS. Several VLANs active. Since the update to 25.7 no internal hostnames are provided, but they are defined in overrides.
Quote from: dMopp on July 24, 2025, 07:08:49 AM
> Maybe a stupid question, but: does dnsmasq provide a gateway for the guest net?
Not a stupid question. It is me probably stupid :-)
I have tried to add a gateway using DHCP options in dnsmasq but no dice so far...
Here they are - not working though.
Done a bit more digging but I am really stuck. I don't think I can get DHCP options to be applied to an interface.
Using the netstat command on my Mac when connected to the VLAN I only see the interface IP of the VLAN (192.168.20.1) when I expect the DHCP option to be providing 192.168.1.1.
Any ideas or obvious things I can check/do?
Here is netstat on my VLAN (guest):
Destination Gateway Flags Netif Expire
default 192.168.20.1 UGScIg en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#11 UCS en0 !
192.168.20 link#11 UCS en0 !
192.168.20.1/32 link#11 UCS en0 !
192.168.20.1 60:be:b4:13:66:ab UHLWIir en0 1190
192.168.20.168/32 link#11 UCS en0 !
224.0.0/4 link#11 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
255.255.255.255/32 link#11 UCS en0 !
and on my main network...
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGScg en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#11 UCS en0 !
192.168.1 link#11 UCS en0 !
192.168.1.1/32 link#11 UCS en0 !
192.168.1.169/32 link#11 UCS en0 !
224.0.0/4 link#11 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
255.255.255.255/32 link#11 UCS en0 !
I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that VLAN, and did you set the "dns-server [6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that VLAN.
Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.
One question about this.
Why are you also using Unbound? It will work with dnsmasq and AdGuard Home; that is the config I use. So now you have three DNS services running and each service needs the other service.
Doesn't this make more problems than it solves?
@Devil neither dnsmasq nor AGH can work as a recursive resolver. If you e.g. do not want to use a public upstream, you need a local one.
@Patrick M. Hausen ah ok yes, I didn't think of this.
Quote from: julsssark on July 24, 2025, 04:29:14 PM
> I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that VLAN, and did you set the "dns-server [6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that VLAN.
> Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.
This is what I have done, using the two DHCP options as you have suggested.
Good that I am on the right track.
Looks like I have another issue where these DHCP options are not being set.
Can you post a screenshot of the gui showing the dhcp options please?
Jata please share:
/usr/local/etc/dnsmasq.conf
That way I can tell you if something is configured wrong.
thanks for helping. Much appreciated.
dnsmasq.conf attached
Hello, I see nothing wrong with this config. The manual DHCP options can be removed as they're automatic (router and DNS server will always point to OPNsense when no options are set).
I imagine the issue to be DNS related, and not DHCP related.
OK thanks. I will remove the DHCP options as suggested.
Is it expected that when I connect a client to VLAN20 the DHCP network settings show 192.168.20.1 as gateway and for DNS? I expected them to be 192.168.1.1 (VLAN01 - LAN)?
What should I be looking for to fix DNS? I followed the dnsmasq and config example precisely (and everything was working correctly with ISC DHCP).
The main difference now is that I have the DNS query forwarding to dnsmasq from Unbound - see screenshot attached.
I expect Adguard to listen on 192.168.20.1:53
So create a Firewall rule in that vlan that allows this DNS traffic.
Otherwise no idea.
> Is it expected that when I connect a client to VLAN20 the DHCP network settings show 192.168.20.1 as gateway and for DNS? I expected them to be 192.168.1.1 (VLAN01 - LAN)?
Usually, yes. Each VLAN is a separate network; that is the whole reason for it to be. So the traffic is expected to stay "in it", and not go "across to another". As I say, normally. The crossover would need to be specified, and "allows" created for it.
I, like Monviech, would expect your services to be bound to your network interface or one in the same network so they can be found.
This is why, if you look in AdGuardHome's "Setup Guide" (top right menu), under "Configure your devices", you would normally see it is listening on the a.b.c.1 address of the interfaces it has identified. I _guess_ your 192.168.20.1 is not there? Can you check?
Thanks all for the help.
For testing I have both the main network (VLAN1 192.168.1.1/24) and the guest network (VLAN20 192.168.20.1/24) fully open with one rule (allow all to all). See screenshot.
AdGuard is installed on the main network in OPNsense, so it is listening on the following addresses:
127.0.0.1
192.168.1.1
It was set up this way and working when using ISC for DHCP. I think I was able to configure ISC for the guest VLAN to use 192.168.1.1 as the gateway and DNS. So maybe this is the key difference that made it work using ISC, but I need to change my setup for dnsmasq.
I will try editing the AdGuard config file to include 192.168.20.1 as a listening address.
Thank you @cookiemonster!
That was it. I just needed to add the VLAN IP in the AdGuard config YAML - to the dns bind_hosts. See below:
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:8083
  session_ttl: 720h
users:
  - name: [redacted]
    password: [redacted]
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
    - 192.168.20.1
    - 192.168.30.1
  port: 53
I think this is how I 'should' have set it up in the first place with ISC but I was a complete newbie then (still am haha).
Thanks again everyone who has chipped in to help.
I think I have now successfully migrated to 25.7 and dnsmasq.
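The root cause in this thread was a DNS listener that was not bound on the guest VLAN's interface address, while dnsmasq (with no manual DHCP options) hands every client the serving interface's own address as its DNS server. The script below is an added example, not code from this thread or from the OPNsense or AdGuard Home projects; it cross-checks the `dns.bind_hosts` list of an AdGuardHome.yaml against the DNS server each dnsmasq DHCP scope will advertise, so the gap can be spotted before a client loses name resolution. The YAML fragments, the dnsmasq.conf lines (in dnsmasq's own `dhcp-range=set:<tag>,...` and `dhcp-option=tag:<tag>,...` syntax) and the tag-to-interface-address map are all constructed sample inputs; the assumption that each `set:` tag names one DHCP-serving interface is the script's own, not something the thread's attached config shows.

```python
"""Cross-check DHCP-advertised DNS servers against AdGuard Home's bind_hosts.

Constructed inputs (not from the thread's attachments): a trimmed 'dns:' section of
AdGuardHome.yaml before and after the fix, dnsmasq.conf fragments in dnsmasq's own
syntax, and a hypothetical map of DHCP scope tags to the serving interface's IP.
"""

ADGUARD_YAML_BEFORE = """\
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
  port: 53
"""

ADGUARD_YAML_AFTER = """\
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1
    - 192.168.20.1
  port: 53
"""

# No dhcp-option lines: dnsmasq then defaults both router (3) and dns-server (6)
# to the address of the interface serving the scope.
DNSMASQ_CONF_DEFAULTS = """\
dhcp-range=set:lan,192.168.1.100,192.168.1.200,255.255.255.0,12h
dhcp-range=set:guest,192.168.20.100,192.168.20.200,255.255.255.0,12h
"""

# Explicit option 6 sending guest clients to the LAN address (the ISC-era setup
# described in the thread). The router line is there only to show it is ignored.
DNSMASQ_CONF_EXPLICIT = DNSMASQ_CONF_DEFAULTS + """\
dhcp-option=tag:guest,option:router,192.168.20.1
dhcp-option=tag:guest,6,192.168.1.1
"""

# Hypothetical: scope tag -> address of the interface dnsmasq serves it on.
INTERFACES = {"lan": "192.168.1.1", "guest": "192.168.20.1"}

DNS_SERVER_OPTION = {"6", "option:dns-server"}


def parse_bind_hosts(yaml_text):
    """Extract dns.bind_hosts without PyYAML: a line-based scan that only
    follows the top-level 'dns:' key, then its 'bind_hosts:' list."""
    hosts = []
    in_dns = in_bind = False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_dns = stripped == "dns:"
            in_bind = False
        elif in_dns and stripped == "bind_hosts:":
            in_bind = True
        elif in_bind and stripped.startswith("- "):
            hosts.append(stripped[2:].strip().strip("'\""))
        elif in_bind:
            in_bind = False  # list ended (e.g. 'port: 53')
    return hosts


def parse_dns_server_options(conf_text):
    """Return {tag_or_None: [ips]} for dhcp-option lines that set option 6.
    dnsmasq accepts 'dhcp-option=[tag:<t>,...]6,<ip>' or 'option:dns-server'."""
    result = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("dhcp-option="):
            continue
        fields = line[len("dhcp-option="):].split(",")
        tags = []
        while fields and fields[0].startswith("tag:"):
            tags.append(fields.pop(0)[4:])
        if not fields or fields[0] not in DNS_SERVER_OPTION:
            continue  # some other option (router, domain, ...)
        ips = [f.strip() for f in fields[1:] if f.strip()]
        for tag in tags or [None]:
            result.setdefault(tag, []).extend(ips)
    return result


def effective_dns_servers(interfaces, options):
    """Per scope: explicit tagged option 6, else an untagged option 6,
    else the dnsmasq default, the serving interface's own address."""
    return {tag: options.get(tag) or options.get(None) or [addr]
            for tag, addr in interfaces.items()}


def dns_listener_gaps(yaml_text, conf_text, interfaces):
    """Scopes whose advertised DNS server is one of the firewall's own
    addresses but is not in AdGuard Home's bind_hosts. Public upstreams are
    not the firewall's job to listen on, so they are skipped."""
    bound = set(parse_bind_hosts(yaml_text))
    if "0.0.0.0" in bound:
        return {}  # wildcard bind covers every interface address
    local = set(interfaces.values()) | {"127.0.0.1"}
    options = parse_dns_server_options(conf_text)
    gaps = {}
    for tag, servers in effective_dns_servers(interfaces, options).items():
        missing = [s for s in servers if s in local and s not in bound]
        if missing:
            gaps[tag] = missing
    return gaps


if __name__ == "__main__":
    print("before fix:", dns_listener_gaps(ADGUARD_YAML_BEFORE, DNSMASQ_CONF_DEFAULTS, INTERFACES))
    print("after fix: ", dns_listener_gaps(ADGUARD_YAML_AFTER, DNSMASQ_CONF_DEFAULTS, INTERFACES))
    print("ISC-style: ", dns_listener_gaps(ADGUARD_YAML_BEFORE, DNSMASQ_CONF_EXPLICIT, INTERFACES))
```

The "before" run reports the guest scope pointing clients at 192.168.20.1 with nothing listening there, the "after" run is clean, and the ISC-style run is also clean because the advertised server 192.168.1.1 is bound. The script checks listeners only: in the ISC-style case the guest VLAN still needs a firewall rule allowing port 53 to 192.168.1.1, which julsssark's reply above covers and which no config-file check can confirm.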