So maybe I am overlooking or not getting something, but has the default behavior changed since version 26?
Take it with a grain of salt, I am no expert.
Here is how I think the defaults used to work:
- A new Interface with the "Track Interface" option got RA set to unmanaged.
- A new Interface with the "Track Interface" option got no DHCPv6 enabled.
Here is how I think the defaults work now:
- A new Interface with the "Track Interface" option has no RA enabled by default.
- Not only do new interfaces have DHCPv6 enabled (::1000 to ::2000) it even retroactively enabled DHCPv6 for all old interfaces that did not have DHCPv6 enabled before?
These are the points I don't understand:
- Why is unmanaged RA no longer enabled by default?
- Why is DHCPv6 enabled by default?
- Why do old interfaces get DHCPv6 retroactively enabled (which does probably not even do anything, since RA is unchanged to "unmanaged")?
"Track Interface" is legacy now - what you probably want is now called "Identity Association". See: https://docs.opnsense.org/manual/interfaces.html
AFAIR the IPv6 changes were referenced in the 26.1 release notes, also.
Quotethe "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
AFAIK Track interface did also not automatically start ISC-DHCPv6 back in the days. This makes it sound like it did.
So enabling it retroactively seems a little bit strange IMHO.
What I also don't quite understand is this part.
QuoteDnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
We are not talking about prefix delegation on the WAN, right?
Are we talking about the "Assign prefix ID"?
Maybe I am putting the chart before the horse :)
I currently have this for each VLAN:
On the interface -> Static IPv4 and Track Interface for IPv6 and Assign prefix ID with the number of the VLAN, so for example 10.
ISC DHCPv4 -> Does DHCPv4
RA -> Since I did not even enable the manual config on the interface, it is totally default. So SLAAC and nothing else.
Unbound as DNS.
How would that setup look with none legacy stuff like Kea or Dnsmasq?
"Track interface" and ISC/Radvd defaults haven't changed at all.
Cheers,
Franco
In automatic mode ("Allow manual adjustment of DHCPv6 and Router Advertisements" not enabled), ISC DHCPv6 has always been active and RAs have always been set to assisted. This is not new.
Quote from: JamesFrisch on February 19, 2026, 02:40:59 PMWe are not talking about prefix delegation on the WAN, right?
No, this is about downstream prefix delegation - OPNsense delegating prefixes to DHCPv6 clients in the LAN. Dnsmasq doesn't support this at all, Kea only with static prefixes.
Cheers
Maurice
Ohh, my bad, than I probably misremembered.
QuoteOPNsense delegating prefixes to DHCPv6 clients in the LAN. Dnsmasq doesn't support this at all, Kea only with static prefixes.
So if I wan't to have multiple VLANs with different assigned prefixes, I need Kea.
Or basically my current setting can be replaced by switching from track interface to Identity Association and from switching from ICE to Kea? Is that accurate?
Quote from: JamesFrisch on February 19, 2026, 06:11:58 PMSo if I wan't to have multiple VLANs with different assigned prefixes, I need Kea.
No. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.
Quote from: JamesFrisch on February 19, 2026, 06:11:58 PMOr basically my current setting can be replaced by switching from track interface to Identity Association and from switching from ICE to Kea?
You can switch to Identity Association, but will then have to manually configure Router Advertisements and DHCPv6.
Kea requires a static prefix, so if you have a dynamic prefix and need stateful DHCPv6, you'll have to switch to Dnsmasq or stick with ISC (which imho is the best option for the time being).
I switched from Track Interface to Identity Association and from ISC DHCPv4 to Kea DHCPv4, but keep using radvd and ISC DHCPv6.
QuoteNo. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.
Ahhh that makes sense. Cheers for that.
Humble brag: My ISP is not an idiot and sticks with RIPE recommendations, so I get a static /48 prefix.
DHCPv6 I don't need.
So I could switch to Identity Association for the interfaces, KEA for DHCPv4 and RA for stateless SLAAC, I guess?
But since the DNS registration is not supported by KEA, I should go with dnsmasq, if I want the same as with ICE?
For that I would have to:
- change the interface to Identity Association
- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC
Quote from: JamesFrisch on February 20, 2026, 08:21:43 AMo I could switch to Identity Association for the interfaces
IMHO you should not. If you get a static /48 from your ISP why don't you configure all internal interfaces statically? At most you need the dhcp6c (client!) on WAN, that's all.
QuoteIf you get a static /48 from your ISP why don't you configure all internal interfaces statically?
You severely underestimate my laziness! :) /s
But you are right, I could set them statically. Even when I move eventually, my ISP let me keep my static prefix if I ask for it.
How about the other two points?
- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC
I like to follow defaults, so I should probably use radvd and not RA form dnsmasq, right?
I run Kea for DHCPv4 and radvd.
For whatever reason, I can't get my VM to get any IP. Neither for KEA nor dnsmasq. Works fine with ISC.
For Kea I did:
Subnet: 10.0.60.0/24
Pools: 10.0.60.2-10.0.60.200
Interface is listening on vlan60.
Service is running, restart does nothing, no errors in logs.
For dnsmasq, I can get the service is running, but as soon as I try to add the DHCP range onto the VLAN60 interface by using start 10.0.60.2 and end 10.0.60.200, the service crashes with no logs.
After or before you enabled and configured Kea, did you disable ISC completely? On all interfaces? You cannot migrate selectively, ISC must be off for Kea to work.
Ahh cheers, I did not know that. Did I overlook that in the docs? I left it enabled for the other vlan interfaces, and tried to enable it only for VLAN60.
I think I am gonna postpone my migration and hope for some kind of migration path tool, like with the new firewall rules.
I don't know. I could not find anything about that in the OPNsense docs, but it's a well known property of ISC DHCPd.
Quote from: JamesFrisch on February 20, 2026, 05:17:13 PMI think I am gonna postpone my migration and hope for some kind of migration path tool, like with the new firewall rules.
If you can or can not Enable/Disable DHCP Servers per Interface was one of the things I was curious about and got answered for me in various sources so afterwards I just did the following :
- Export all Static DHCP Mappings from ISC DHCP Server for all Interfaces/Networks.
- Pre-configure KEA DHCP Server and Import the Static DHCP Mappings for each Interface/Network.
Now that it's just a matter of :
- Stopping & Disabling ISC DHCP Server on all your Interfaces.
- Enabling and Starting KEA DHCP Server on all your Interfaces.
Simple as that and I would do the same with DNSmasqd DHCP & DNS Server should I ever need to ;)
I could not let it be and migrated to KEA, by disabling ICE.
There is at least for the static leases the option to export a csv and reimport it into KEA.