OPNsense Forum

English Forums => Documentation and Translation => Topic started by: pasha-19 on January 21, 2026, 02:34:56 PM

Title: Attempting to set up unbound with DNSmasq as a local DNS and DHCP server
Post by: pasha-19 on January 21, 2026, 02:34:56 PM
Using this as a guide:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

My goal is to set up IPv4 and a managed DHCPv6 server, as well as a local DNS server using DNSmasq accessed from the unbound DNS server. Thus far, with a couple of surprises that could result in changes to the documentation, I appear to be succeeding in this task as far as I have gotten, which is largely the DHCP/DNS setup with limited testing. The setting of the router addresses could be interesting, and the coding of the IPv4 switch ACLs has been accomplished on an IPv4-only network before. The IPv6 router and ACL settings could prove to be an additional challenge.

The DHCPv4 setup largely follows the example with my own choice of IP addresses.

My DHCPv6 configuration attempted to follow this using IPv6 ULA addresses for an internal only network:

Attention

If you plan to use partial IPv6 addresses in ranges with a constructor, enable the advanced mode and set Domain Type to Interface. This will register any subnets on the chosen interface to the selected domain. This is the only way dynamic DNS registration succeeds when the IPv6 prefix is dynamic.

The first gotcha I encountered was that, with one pool being a standard Domain Type of range and the other being an advanced Domain Type of interface, the domain names needed to be different according to the window. So I created v4.xxx.internal and v6.xxx.internal; when assigning dynamic IP addresses, all domains, IPv4 and IPv6, appeared as though they were v6.xxx.internal. So I changed the DHCPv4 range to the advanced setting of interface and set both domain names to xxx.internal, which was my initial setting. This at least preliminarily seems to work.

Then I encountered these instructions:

Tip

Reservations will reserve the IP address inside a range, meaning the reserved IP will not be offered to dynamic clients.

A dynamic range like 192.168.1.100-192.168.1.199 and a reservation like 192.168.1.101 are valid and there will be no collisions.

The reservation can also be outside the dynamic range, but it is not recommended for simple setups as the dynamic dns registration with dhcp-fqdn will not work correctly.

Attention

Setting the range mode to static is not required for reservations. It is for specific usecases where a range should not serve any unknown dynamic clients.

In IPv4 I considered creating a range of ending octets 64-191, where 64-127 are dynamically assigned, 129-191 are reserved and 192-255 are for straight static assignments (including the broadcast address). When attempting to create a static range, the window indicates there can be no ending address. I was able to add single addresses to the static pool with a Domain Type of interface, as noted before. It appears to be the equivalent of excluded addresses on the switch, except these must be individually entered; please confirm.

I have not yet dealt with the IPv6 pool delegation; it could easily be hardcoded, as the assignments, if done, will be completely internal to the router.

My IPv4 and IPv6 address assignments appear to be working on the switch and notebook I have connected to perform the setup.

The reason I am attempting this is that I intend to use different base addresses with different numbers of bits to separate devices for security purposes in IPv6 ACL rules on the switch. A similar process is also considered for IPv4 addresses. I have not yet tested this in this version of the router and switch configuration to assure it is possible; however, in an IPv4-only version this approach has been successfully implemented. The reason for this approach is that local traffic is largely handled by the main switch, and the router primarily handles communication with the outside world, DHCP and DNS on the router being the exception for internal-only IPv6 ULA networks. One of the desires of this process is that the switch perform most, if not all, of the "router" processing for my local devices. Meaning the OPNsense router, for internal networks (local IPv4 to local IPv4 and all IPv6 to IPv6 traffic), is only a connected DNS/DHCP server and nothing else. My internet connection is IPv4, so the OPNsense router will be processing traffic intended for beyond my walls (the internet), as well as possibly some tunneled traffic.

I have not fully implemented any IPv6 network yet; however, this appears to be showing signs of success. Another unmentioned aspect of the design is that my internal servers, such as file servers and streaming servers, only provide access to their data on the IPv6 network. They will also access the internet via the IPv4 connection, but file sharing, streaming and other local data services are generally not intended to be available on the IPv4 subnets. There are some devices that may require IPv4 access that will require additional security restrictions in both the switch and router.

Thanks, and I hope these suggestions are considered for the documentation, if they are accurate.

Am I on the correct track?
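As an added example (not from the post or the OPNsense docs), a small checker for the pool layout described above, applying the quoted tip that reservations inside the dynamic range are fine while reservations outside it may not get dhcp-fqdn DNS registration, and that plain static hosts must not land inside the dynamic range. All addresses and host names are constructed placeholders.

```python
import ipaddress

# Constructed example layout (assumed values, not the poster's real addressing):
# dynamic pool .64-.127, reservations in .128-.191, plain static hosts .192+.
DYNAMIC_RANGE = ("192.168.1.64", "192.168.1.127")
RESERVATIONS = {"printer": "192.168.1.100", "nas": "192.168.1.130"}
STATIC_HOSTS = {"switch": "192.168.1.200", "ap": "192.168.1.70"}


def in_range(addr, rng):
    """True if addr lies inside the inclusive start-end range (IPv4 or IPv6)."""
    lo, hi = (int(ipaddress.ip_address(x)) for x in rng)
    return lo <= int(ipaddress.ip_address(addr)) <= hi


def check_plan(dynamic, reservations, static_hosts):
    """Classify each planned host and return {name: finding}.

    ok            - reservation inside the range, or static host outside it
    outside-range - reservation outside the range: allowed, but the docs
                    warn that dhcp-fqdn DNS registration may not work
    collision     - static host inside the dynamic range, or an address
                    assigned to two hosts
    Host names are assumed to be unique across both dicts.
    """
    findings, seen = {}, {}
    for name, addr in list(reservations.items()) + list(static_hosts.items()):
        if addr in seen:
            findings[name] = findings[seen[addr]] = "collision"
            continue
        seen[addr] = name
        inside = in_range(addr, dynamic)
        if name in reservations:
            findings[name] = "ok" if inside else "outside-range"
        else:
            findings[name] = "collision" if inside else "ok"
    return findings


if __name__ == "__main__":
    for host, result in check_plan(DYNAMIC_RANGE, RESERVATIONS, STATIC_HOSTS).items():
        print(f"{host:8} {result}")
```

The same functions accept IPv6 ULA ranges, so the planned DHCPv6 pool can be checked the same way.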
Title: Re: Attempting to set up unbound with DNSmasq as a local DNS and DHCP server
Post by: pasha-19 on January 21, 2026, 03:15:01 PM
Sorry, I appear to have left out that I am running a freshly loaded OPNsense 25.7 using ZFS with serial console (and HDMI) support. I just started the reconfiguration last night.