Hi everyone,
I did a fresh install of the latest OPNsense community edition on a new N150 mini-PC (4 NICs: igc0, igc1, ix0, ix1). During initial setup I ran into some confusing behaviour around DNS/DHCP and the default services.
What happened in my setup:
After installation I used the console menu to reassign interfaces and set up a new LAN interface.
I plugged my notebook into the new LAN port but the client did not receive an IP address via DHCP.
I went back to the console, created/changed the LAN interface again and set a new IP, but the client still did not get an address.
At one point I briefly saw an error along the lines of "VIP already exists" when applying the new LAN settings.
In the end I changed the LAN IP to a completely different subnet and set a static IP on my notebook; only then could I reach the Web GUI again.
When I finally got into the GUI, I noticed that under
Services → Dnsmasq DNS & DHCP → General
the service was enabled by default on LAN on this fresh installation. At the same time, Unbound DNS and ISC DHCPv4 are also present, so effectively I had multiple DNS/DHCP components available from the start.
For my use case (multiple VLANs, Unbound as the only DNS resolver, clear separation of DHCP and DNS) this was quite confusing, because it is not obvious which combination is intended as the "default baseline" today. It also makes it easy to end up with:
dhcp/dns services bound to the old LAN interface after reassignment, or
overlapping IPs / VIP warnings when changing addresses repeatedly from the console.
My questions:
Is it intentional that Dnsmasq DNS & DHCP is enabled on LAN by default on a fresh install, even though Unbound DNS is also present as the standard resolver?
For new installations, what is the recommended baseline today:
Unbound DNS + dnsmasq DHCP,
Unbound DNS + ISC DHCP (legacy), or
dnsmasq for both DNS and DHCP on small setups?
Would it be possible to clarify this in the installer or GUI, for example:
a short note explaining "dnsmasq is the default DHCP engine, Unbound is the default DNS resolver", or
a simple choice/wizard for "single DNS stack" (Unbound only vs dnsmasq only) so users do not accidentally run two DNS services?
I am not complaining about dnsmasq itself; using it as the default DHCP server for small networks is perfectly fine. The confusing part is that on a fresh install it is not clear which component is meant to do what, and changing LAN via the console while dnsmasq is active seems to make the first-time experience harder than necessary.
Any clarification on the intended design and best practice for new installs would be very welcome.
Thanks a lot for your work on OPNsense.
Best regards,
Alex
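The two failure modes the post describes (two DNS services alive at once, and a DHCP or DNS listener still bound to the address of the old LAN) can be checked on the box itself from the listening sockets. The script below is an added example, not part of the post above and not OPNsense project code: it parses the output of FreeBSD's `sockstat -4l` (OPNsense is FreeBSD based), groups listeners on port 53 and 67 by process, and reports when more than one process serves a role or when a listener sits on an address that is no longer configured on any interface. The sockstat sample embedded in it is constructed: the column layout is assumed to match `sockstat -4l` (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS), and the process names, PIDs and addresses are invented, as is the hard-coded set of "current" interface addresses that stands in for reading them from `ifconfig`.

```python
"""Flag overlapping or stale DNS/DHCP listeners from `sockstat -4l` style output."""
from collections import defaultdict

DNS_PORT = 53
DHCP_PORT = 67

# Constructed sample. The columns mirror FreeBSD's `sockstat -4l`; the processes,
# PIDs and addresses are invented for this example. 10.0.0.1 plays the role of
# the old LAN address that was replaced via the console, 192.168.1.1 the new one.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  5  udp4   192.168.1.1:53        *:*
unbound  unbound    1234  6  tcp4   192.168.1.1:53        *:*
nobody   dnsmasq    3456  4  udp4   10.0.0.1:53           *:*
nobody   dnsmasq    3456  5  udp4   10.0.0.1:67           *:*
dhcpd    dhcpd      2345  7  udp4   192.168.1.1:67        *:*
root     sshd       999   3  tcp4   *:22                  *:*
"""

# Addresses currently assigned to the firewall's interfaces (constructed; on a
# real box this would come from `ifconfig`).
CURRENT_ADDRESSES = {"192.168.1.1"}


def parse_sockstat(text):
    """Return (command, pid, proto, address, port) for every listening socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header and any line that does not have all seven columns.
        if len(parts) < 7 or parts[0] == "USER":
            continue
        _user, command, pid, _fd, proto, local, _foreign = parts[:7]
        addr, _sep, port = local.rpartition(":")
        if not port.isdigit():
            continue
        rows.append((command, int(pid), proto, addr, int(port)))
    return rows


def listeners_by_port(rows, port):
    """Map each process name to the set of local addresses it binds on `port`."""
    by_cmd = defaultdict(set)
    for command, _pid, _proto, addr, p in rows:
        if p == port:
            by_cmd[command].add(addr)
    return dict(by_cmd)


def find_conflicts(rows, current_addresses):
    """Report duplicate services per role and listeners on addresses no longer configured."""
    findings = []
    for role, port in (("DNS", DNS_PORT), ("DHCP", DHCP_PORT)):
        by_cmd = listeners_by_port(rows, port)
        if len(by_cmd) > 1:
            findings.append(
                f"{role}: more than one service listening on port {port}: "
                + ", ".join(sorted(by_cmd))
            )
        for command, addrs in sorted(by_cmd.items()):
            for addr in sorted(addrs):
                # A wildcard bind follows the interface; a specific address does not.
                if addr != "*" and addr not in current_addresses:
                    findings.append(
                        f"{role}: {command} is bound to {addr}:{port}, "
                        "which is not a current interface address"
                    )
    return findings


if __name__ == "__main__":
    # On the firewall: sockstat -4l | python3 this_script.py (after replacing
    # SAMPLE_SOCKSTAT with sys.stdin.read() and CURRENT_ADDRESSES with real ones).
    for finding in find_conflicts(parse_sockstat(SAMPLE_SOCKSTAT), CURRENT_ADDRESSES):
        print(finding)
```

With the constructed sample this prints four findings: two services on port 53, dnsmasq still on the old 10.0.0.1 for both DNS and DHCP, and two services on port 67. If the old address were still configured, only the two "more than one service" findings would remain, which is the "two DNS stacks" situation the post asks about.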