Quote: To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups. Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
I'm trying to figure out what I've to change in my setup related to the statements above. When it was first mentioned that ISC-DHCP will be deprecated I already moved my stuff over to using "Dnsmasq DNS & DHCP" like the DHCP ranges for my home and guest vlans as well as the reservations / host overrides. So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin, so far so good, things still appear to work as intended. However when trying to change the "IPv6 Configuration Type" in either my home or guest vlan/interface from "Track Interface (legacy)" to the new "Identity association" and try to save the changes I get an error message:
Quote: The following input errors were detected:
The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.
which makes me wonder what the actual problem is since "Track Interface (legacy)" works without any issue, is it because I use "Dnsmasq DNS & DHCP"? I can't seem to find an option to do what I'm instructed by "disable the DHCPv6 Server service on this interface first" like in only use Dnsmasq DNS & DHCP for IPv4, like there was for ISC-DHCP and probably also is for Kea with its two separate Kea DHCPv4 & Kea DHCPv6 services to enable/disable. But that would somehow contradict the statement of
Quote: [...] to allow better interoperability with Kea and Dnsmasq setups
On another more or less unrelated note, some parts of the release notes are harder to read/understand for me than they maybe could be, for example:
Quote: One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
"the upstream software": which one? supposedly Dnsmasq? Why not call it by its name?
"Use another DHCPv6 server in this case": when Dnsmasq doesn't work in this case and Kea is the new alternative to the now deprecated ISC-DHCP, why not just write "Use Kea DHCPv6" in this case? Or doesn't Kea work here as well, or are there too many other alternatives to mention them?
And another thing I was kind of scared is because the talk is all about DHCP and IPv6, I was afraid that removing the ISC plugin would also remove the option for the WAN interface to select "DHCPv6" in its "IPv6 Configuration Type" option, so a small mention that it doesn't touch that part and/or that they're completely unrelated and this option will stay would've probably been reassuring as well.
Quote from: tgurr on January 29, 2026, 11:50:48 PM
So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin, so far so good, things still appear to work as intended.
However when trying to change the "IPv6 Configuration Type" in either my home or guest vlan/interface from "Track Interface (legacy)" to the new "Identity association" and try to save the changes I get an error message:
Quote: The following input errors were detected:
The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.
which makes me wonder what the actual problem is since "Track Interface (legacy)" works without any issue, is it because I use "Dnsmasq DNS & DHCP"? I can't seem to find an option to do what I'm instructed by "disable the DHCPv6 Server service on this interface first" like in only use Dnsmasq DNS & DHCP for IPv4, like there was for ISC-DHCP and probably also is for Kea with its two separate Kea DHCPv4 & Kea DHCPv6 services to enable/disable.
There were some reports of the option "Track Interface (legacy)" not properly disabling I believe in another topic so maybe the fix for that bug didn't work out completely as it should have ?!
My guess is it still thinks you are using ISC DHCPv6 for some reason...
Quote: On another more or less unrelated note, some parts of the release notes are harder to read/understand for me than they maybe could be, for example:
Quote: One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
"the upstream software": which one? supposedly Dnsmasq? Why not call it by its name?
"Use another DHCPv6 server in this case": when Dnsmasq doesn't work in this case and Kea is the new alternative to the now deprecated ISC-DHCP, why not just write "Use Kea DHCPv6" in this case? Or doesn't Kea work here as well, or are there too many other alternatives to mention them?
And another thing I was kind of scared is because the talk is all about DHCP and IPv6, I was afraid that removing the ISC plugin would also remove the option for the WAN interface to select "DHCPv6" in its "IPv6 Configuration Type" option, so a small mention that it doesn't touch that part and/or that they're completely unrelated and this option will stay would've probably been reassuring as well.
I was wondering the same and totally agree with you :)
I think this to be a bug, as I believe you'll find that you can't set the IPv6 Configuration Type to 'None' on the affected interface, either. In short, you're pretty much stuck with whatever settings that interface has at the moment, it seems.
Quote from: tgurr on January 29, 2026, 11:50:48 PM
Quote: To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups. Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
I'm trying to figure out what I've to change in my setup related to the statements above. When it was first mentioned that ISC-DHCP will be deprecated I already moved my stuff over to using "Dnsmasq DNS & DHCP" like the DHCP ranges for my home and guest vlans as well as the reservations / host overrides. So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin, so far so good, things still appear to work as intended. However when trying to change the "IPv6 Configuration Type" in either my home or guest vlan/interface from "Track Interface (legacy)" to the new "Identity association" and try to save the changes I get an error message:
Quote: The following input errors were detected:
The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.
I came across the same issue with the warning message about DHCP server being active. The way to resolve it is to temporarily install the ISC plugin, (DHCPv6 I think was active on the LAN), then you can make the changes. It seems the wrong way round, but must be a bug, when done of course ISC plugin can be removed.
This worked for me, hope it helps you too.
This old bug has been haunting the code for a while.
If you are sure you don't need the ISC-DHCPv6 anymore you can run this from the command line
# pluginctl -f dhcpdv6.<interfaceid>
where <interfaceid> is lan or opt1, etc.
If you are sure you're not using DHCPv6 at all you can also drop the whole DHCPv6 configuration from System: Configuration: Defaults: Components.
Cheers,
Franco
Thanks for all the helpful feedback.
Quote from: bazineta on January 30, 2026, 04:27:38 AM
I think this to be a bug, as I believe you'll find that you can't set the IPv6 Configuration Type to 'None' on the affected interface, either. In short, you're pretty much stuck with whatever settings that interface has at the moment, it seems.
Correct, I'm also unable to set the interface to 'None'.
Quote from: btb62 on January 30, 2026, 08:50:48 AM
I came across the same issue with the warning message about DHCP server being active. The way to resolve it is to temporarily install the ISC plugin, (DHCPv6 I think was active on the LAN), then you can make the changes. It seems the wrong way round, but must be a bug, when done of course ISC plugin can be removed.
This worked for me, hope it helps you too.
Thanks, I'm pretty sure I've disabled the checkbox on ISC for the networks also tried to switch to "Identity Association" before removing the plugin, but will try your suggestion as well.
Quote from: franco on January 30, 2026, 09:11:21 AM
If you are sure you don't need the ISC-DHCPv6 anymore you can run this from the command line
# pluginctl -f dhcpdv6.<interfaceid>
where <interfaceid> is lan or opt1, etc.
If you are sure you're not using DHCPv6 at all you can also drop the whole DHCPv6 configuration from System: Configuration: History: Components.
I guess I can be pretty sure in this case as I've already uninstalled the plugin?
> pluginctl -f dhcpdv6.<interfaceid>
Will try that, thanks.
> If you are sure you're not using DHCPv6 at all you can also drop the whole DHCPv6 configuration from System: Configuration: History: Components.
If Dnsmasq doesn't do anything here, as in if "not using DHCPv6" means "either ISC DHCP or Kea" AND this doesn't apply to my WAN interface having "IPv6 Configuration Type: DHCPv6" then this is true for me.
However I can't find the "Components" under History you've mentioned, the menu path only goes as deep as System: Configuration: History for me where I can view the diffs and download, remove backups and so on. But I can't find anything related to "Components".
Sorry, I meant "Defaults", not "History".
"dhcpdv6." configuration key is specifically for ISC DHCPv6, nothing else.
Cheers,
Franco
Quote from: franco on January 30, 2026, 10:28:12 AM
Sorry, I meant "Defaults", not "History".
"dhcpdv6." configuration key is specifically for ISC DHCPv6, nothing else.
Ah thanks! I have nothing to select in regards to the ISC DHCPv6 / dhcpdv6. here:
(https://i.imgur.com/FT07Z3a.png)
probably I need to reinstall the plugin beforehand? Searching for the "dhcpdv6" key in my config export I can see:
<dhcpdv6>
  <opt1>
    <enable>-1</enable>
  </opt1>
  <lan>
    <enable>-1</enable>
  </lan>
</dhcpdv6>
So I guess I could also remove that part manually and import the config again.
This is probably the bug: https://github.com/opnsense/core/issues/8838
Edit:
To tackle this:
You must Tick "Allow manual adjustment of DHCPv6 and Router Advertisements", then Disable ISC DHCP6 for the interface. After that, you can enable Identity association.
Fair enough, the data given here makes sense so this should fix it:
# opnsense-patch https://github.com/opnsense/core/commit/c264c905
I also added the legacy components as they don't auto-register. Sorry for the noise.
Cheers,
Franco
Yes, that's it. My configuration contains the following:
<dhcpdv6>
  <opt2>
    <enable>-1</enable>
  </opt2>
  <opt1>
    <enable>-1</enable>
  </opt1>
  <lan>
    <enable>-1</enable>
  </lan>
  <opt3>
    <enable>-1</enable>
  </opt3>
</dhcpdv6>
And that corresponds to the 'stuck' interfaces. I had migrated to dnsmasq DHCP some time ago in preparation for this release, so ISC DHCP wasn't active on the interfaces either before or after the upgrade to 26.1. Tried the legacy -> association change both with the ISC plugin installed and with it uninstalled, no change.
There's no entry for ISC DHCP in System: Configuration: Defaults on my system.
To resolve, on each affected interface, I ticked "Allow manual adjustment of DHCPv6 and Router Advertisements", hit Save, then immediately changed the type to "Identity Association", hit Save again, and only then hit Apply.
This changed nothing in the dhcpdv6 section of the system configuration, still the same keys and values present there, but it did allow the type change to take.
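An added example, not part of the thread and not OPNsense code: a read-only check over a configuration export that lists which interface ids still carry entries under `<dhcpdv6>`, the key that appears in the fragments quoted above. The sample config is constructed, and the `<interfaces>`/`<ipaddrv6>` layout and the `track6` value are assumptions about the export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <dhcpdv6> fragments quoted in the thread.
# Assumption: interfaces live under <interfaces>/<id>/<ipaddrv6>, with
# "track6" as the stored value for the legacy tracking mode.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><ipaddrv6>dhcp6</ipaddrv6></wan>
    <lan><ipaddrv6>track6</ipaddrv6></lan>
    <opt1><ipaddrv6>track6</ipaddrv6></opt1>
  </interfaces>
  <dhcpdv6>
    <opt1>
      <enable>-1</enable>
    </opt1>
    <lan>
      <enable>-1</enable>
    </lan>
    <opt9/>
  </dhcpdv6>
</opnsense>
"""


def leftover_dhcpdv6(config_xml):
    """Return one record per interface id found under <dhcpdv6>.

    Each record holds the raw <enable> text (None if the element is absent),
    the interface's <ipaddrv6> value if the interface still exists, and an
    'orphan' flag for entries whose interface is no longer defined.
    """
    root = ET.fromstring(config_xml)
    section = root.find("dhcpdv6")
    if section is None:
        return []  # nothing left over from ISC DHCPv6
    records = []
    for node in section:
        enable = node.find("enable")
        iface = root.find(f"interfaces/{node.tag}")
        records.append({
            "interface": node.tag,
            "enable": None if enable is None else (enable.text or "").strip(),
            "ipaddrv6": None if iface is None else iface.findtext("ipaddrv6"),
            "orphan": iface is None,
        })
    return records


if __name__ == "__main__":
    for rec in leftover_dhcpdv6(SAMPLE_CONFIG):
        print("{interface}: enable={enable} ipaddrv6={ipaddrv6} "
              "orphan={orphan}".format(**rec))
```

The script only reads the export; it reports the raw `<enable>` text without interpreting it and changes nothing in the configuration.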
Quote from: flushell on January 30, 2026, 12:15:11 PM
This is probably the bug: https://github.com/opnsense/core/issues/8838
Edit:
To tackle this:
You must Tick "Allow manual adjustment of DHCPv6 and Router Advertisements", then Disable ISC DHCP6 for the interface. After that, you can enable Identity association.
That workaround worked for me as well, thanks. I was now able to switch from "Track interface" to "Identity Association", however I don't seem to get any IPv6 connection to outside on my networks (home & guest - test of: https://test-ipv6.com/ fails with "No IPv6 address detected") now where WAN (IPv6 Configuration Type: DHCPv6) works well, I can ping for example google.de with IPv6 from the diagnostics. Is it because I (have to) use Prefix delegation on my WAN interface due to my ISP? Or will be, because of:
> One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
switching over to Kea allow me to have a future proof setup with working prefix delegation? I don't think my ISP (GigaNetz) supports/offers something else.
Quote from: tgurr on January 30, 2026, 04:37:03 PM
test of: https://test-ipv6.com/ fails with "No IPv6 address detected") now where WAN (IPv6 Configuration Type: DHCPv6) works well, I can ping for example google.de with IPv6 from the diagnostics
Seeing the same thing, with the same setup. I had gone with dnsmasq per the migration suggestions at the time, but it seems as if Kea is the only option now for this particular ISP setup.
Quote from: bazineta on January 30, 2026, 04:53:35 PM
Seeing the same thing, with the same setup. I had gone with dnsmasq per the migration suggestions at the time, but it seems as if Kea is the only option now for this particular ISP setup.
Looking forward to see what you figure out and hope you can share it here, I just noticed in the Kea documentation: https://docs.opnsense.org/manual/kea.html#prefix-delegation-ia-pd "Dynamic prefixes common with most residential ISPs are not supported." so I'm totally confused, maybe staying on Dnsmasq+Track interface (legacy) will be the best - and only working(?) solution for now hoping that "Track interface (legacy)" won't be removed some time in the future?
Simple. The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea. In Kea there is no integration for dynamic prefixes. Dnsmasq does not support it at all.
Cheers,
Franco
An alternative is to create a SLAAC network and use this ndp proxy on the downstream OPNsenses (aka Opnsense 2 in this schema).
(If it's ISP -> Opnsense 1 -> Opnsense 2...)
https://docs.opnsense.org/manual/ndp-proxy-go.html
Quote from: franco on January 30, 2026, 05:11:01 PM
Simple. The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea. In Kea there is no integration for dynamic prefixes. Dnsmasq does not support it at all.
Thanks for the explanation, I was happy that I got things working in the first place so my networking knowledge sadly really doesn't go very deep, especially for IPv6 so two follow up questions:
1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?
2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.
My WAN looks like:
(https://i.imgur.com/VsVveSR.png)
and for HOME/GUEST:
(https://i.imgur.com/lmv0eGh.png)
So nothing that fancy I guess, it's working great like that with these settings and Dnsmasq, I just don't want to end up hitting a wall with a future update. So any advice on what and how to change is very welcome.
> 1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?
It will likely disappear when ISC-DHCP plugin will be removed, but that's not before 2027/28 in any case unless something more serious happens that would mean to prohibit use of the EoL ISC-DHCP but I doubt it.
> 2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.
That's sadly true. We'll tinker with Kea more now that we don't have ISC-DHCP to worry about as much. Probably changes and improvements coming for 26.7 and beyond. We try to cluster our work nowadays which seems to be more effective in terms of long term gains. That's why Kea was put on the backseat for Dnsmasq.
Cheers,
Franco
Quote from: franco on January 30, 2026, 05:47:39 PM
> 1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?
It will likely disappear when ISC-DHCP plugin will be removed, but that's not before 2027/28 in any case unless something more serious happens that would mean to prohibit use of the EoL ISC-DHCP but I doubt it.
> 2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.
That's sadly true. We'll tinker with Kea more now that we don't have ISC-DHCP to worry about as much. Probably changes and improvements coming for 26.7 and beyond. We try to cluster our work nowadays which seems to be more effective in terms of long term gains. That's why Kea was put on the backseat for Dnsmasq.
> It will likely disappear when ISC-DHCP plugin will be removed
Is that because of the usage of ISC DHCP client here (option DHCPv6 I use for WAN) that has to be removed as well due to EOL? Would using dhcpcd as a replacement work? I'm asking that because in my setup the ISC-DHCP plugin is already uninstalled so why there's the need to remove "Track interface (legacy)" in the first place - if not for the EOL of the client as well? I also don't yet get the (technical) difference between "Track interface (legacy)" and "Identity Association".
With that info I guess I'll stay on Dnsmasq+Track interface (legacy) for now then. It would be great if you could somehow release a tutorial / short howto then on how to configure these things for regular ISP usage then, as in "Configuration for just replacing my ISP Fritz!Box with OPNsense" as it's really hard to puzzle together everything, especially in this kind of constellations where things and certain combinations don't work at all.
Thanks for your patience to answer all my unskillful probably confusingly stated questions.
Quote from: tgurr on January 30, 2026, 06:11:02 PM
With that info I guess I'll stay on Dnsmasq+Track interface (legacy) for now then. It would be great if you could somehow release a tutorial / short howto then on how to configure these things for regular ISP usage then, as in "Configuration for just replacing my ISP Fritz!Box with OPNsense" as it's really hard to puzzle together everything, especially in this kind of constellations where things and certain combinations don't work at all.
Our setups are, I think, identical, and the best way to determine the optimal approach is to have someone excoriate you for doing it wrong, so I'll explain my approach, which is, you know, probably wrong.
So my ISP hands me a /56, which has not changed in ages, but that is by no means guaranteed, etc. As with your setup, I've always prefixed this into /64s for my internal networks, i.e., LAN is 0, GUEST is 1, etc. I've been migrated for months now from ISC to dnsmasq, and I'm happy with the dnsmasq setup, which I've had set to only do DHCP for v4.
Options appear to be two:
- I could configure IPv6 ranges in dnsmasq for each of the lan segments, turn on RA in dnsmasq, and have it hand out addresses.
- I can skip all that, and just turn on RA (Services -> Router Advertisements) for each of the segments, setting them to 'Unmanaged'.
Option 1 being seemingly the more complicated of the two, I went with option 2, which results in dnsmasq doing IPv4 DHCP + DNS only, and IPv6 clients getting addresses purely via SLAAC.
I suspect but do not know for certain that this is more resilient to a renumbering when the /56 changes.
This appears to work properly with the prefix delegation setup, and all the usual IPv6 tests pass, but this is usually the point where more learned individuals tell me that I'm being an idiot, so let's see what they have to say.
Quote from: bazineta on January 30, 2026, 06:45:28 PM
This appears to work properly with the prefix delegation setup, and all the usual IPv6 tests pass, but this is usually the point where more learned individuals tell me that I'm being an idiot, so let's see what they have to say.
Sounds sensible to me, sent you a pm asking for details cause I'm interested to try to replicate your setup.