I have the problem that when I convert a dynamic DHCP lease to a static one, both lease entries remain. The client receives the statically assigned IP but cannot connect to the network.
There must be a way to delete this dynamically assigned lease via the GUI. I am blind and cannot find anything... Can anyone help me?
Kea? It will be removed when it expires.
Yes, it's about kea (it's in the title). It can't be right to assign a static IP address and then wait until the dynamic lease expires so that the device can connect to the network. Is that really how it's supposed to work?
At the moment yes, because the standard says so. Once a lease is granted it is valid for the relevant time period. Only the client can release it. OPNsense follows the book here, I don't know from the top of my head if a change is planned.
You can find part of the discussion with links to more here:
https://github.com/opnsense/core/issues/9217
If the client is Windows you can use "ipconfig something something /release".
Quote from: Lip90 on February 23, 2026, 10:24:01 PMYes, it's about kea (it's in the title). It can't be right to assign a static IP address and then wait until the dynamic lease expires so that the device can connect to the network. Is that really how it's supposed to work?
No, unless you have turned on some kind of
"Don't allow Clients that don't have a Static DHCP Mapping configured" setting which some DHCP Servers have ??
Usually the let's say "Random DHCP Lease" from your DHCP Pool should be replaced when it expires and the Client shouldn't even notice the change to it's new Static DHCP Mapping IP Address :)
@nero355 yet it is a common workflow to onboard a new device with a static reservation like this:
- connect it to the network
- check DHCP for a new dynamic lease
- create a static reservation
- nuke the dynamic lease
- power cycle the device
I am willing to bet every sysadmin does this. Regardless of standards and lease expiry - just power cycle the thing, done.
Therefore it would be nice if Kea on OPNsense supported deletion of leases on the server side. As far as I read in the various discussions on Github it might be coming.
It's operational reality vs protocol purity like always. Being an RFC warrior vs sysadmin. xD
No promises but since kea provides actual commands for this it can be looked into. Though since their control socket is weird and deprecated right now it might still take a while.
https://github.com/opnsense/core/issues/9647
Quote from: Patrick M. Hausen on February 24, 2026, 02:55:55 PM@nero355 yet it is a common workflow to onboard a new device with a static reservation
I know : I do it too! :)
QuoteI am willing to bet every sysadmin does this. Regardless of standards and lease expiry - just power cycle the thing, done.
Windows Clients are my main issue : You REALLY need to ipconfig /release first, then reboot and hope everything goes as expected...
Everything else just respects your wishes luckily!
QuoteTherefore it would be nice if Kea on OPNsense supported deletion of leases on the server side.
As far as I read in the various discussions on Github it might be coming.
More webGUI options are always good to have, but software that respects my network is where it all should start IMHO :)
Quote from: Patrick M. Hausen on February 24, 2026, 02:55:55 PMnuke the dynamic lease
Good morning!
What's the best way to do this?
a. Should the lease time be set to a short interval (e.g., 60 seconds)?
b. Should the corresponding entry be deleted from Kea's database via terminal?
That's a hypothetical workflow that is available in ISC but not in Kea at the moment. Really short lease times might be a solution, although I would only use that temporarily when I know I'll be connecting some new devices.
Quote from: Lip90 on February 23, 2026, 10:24:01 PMNo, unless you have turned on some kind of "Don't allow Clients that don't have a Static DHCP Mapping configured" setting which some DHCP Servers have ??
Regarding this, I opened a thread and an issue on Github on the General Discussion forum, maybe not the right place... This is the thread (https://forum.opnsense.org/index.php?topic=50929.0).
I don't use random DHCP addressing. Some nets are fully static assignment, an if DHCP is in use, I always use reservations. Exceptions apply on labs and similar, things that are disposable.
I really miss the "Deny unknown clients" feature from ISC exposed in the web GUI. With this option checked, I can find the MAC address of the device before it receives an IP, make the reservation and rules if apply, and let it connect afterwards.
I have not tried but can you create a subnet and an empty dynamic range in Kea?
I haven´t tried, but it's not an easy workaround for a medium network, because one would have to connect the new machine to the "no-leases" VLAN and then to the device's destination VLAN, which is not always feasible. Plus the existence of that "no-leases" VLAN in all the infrastructure (wired and wireless).
Maybe your advice could do the trick for a small network, but I think most of OPNsense users tend to be from medium in advance networks sizes.
I proposed the new web feature because I think I'm not alone in this situation, it's a supported Kea feature, and improves the alignment with, the now plugin and mostly deprecated, ISC.
[EDIT]
Your advice works perfectly.
What I didn't know was that subnets can be created with an empty list of pools, so I didn't understand your approach at first. As far as I can remember, that couldn't be done in ISC, so I had all my subnets with, at least, a little pool. Following your advice, I tried to delete the pool from some of the subnets (those that I want to function with reserves only). It does what it is supposed to do and no lease is given.
Maybe that should be documented, specially for people migrating from ISC.
Closing the issue I opened...
Quote from: Netlearn on February 28, 2026, 01:53:44 AMI haven´t tried, but it's not an easy workaround for a medium network, because one would have to connect the new machine to the "no-leases" VLAN and then to the device's destination VLAN, which is not always feasible. Plus the existence of that "no-leases" VLAN in all the infrastructure (wired and wireless).
I would imagine it to work a bit like a RADIUS 802.11r Enabled network but with the difference that you manually do the move to the right VLAN :)
Yes, kind of. But a little mess for me. Doing this process with some devices is a bit difficult.
Also, I must take care of not forgetting the "no-leases" VLAN existence if I don't use it for a week or so :D