I've just configured (in 26.1.2_5) HA - CARP VIPs for WAN and all my vlans. I made sure that VIPs have correct netmask (same as respective vlan).
I use Dnsmasq DNS & DHCP as DHCP server (ip4, ip6 in RA mode: slaac and ra-names).
And once I switched over to VIPs I had lost ip4 DHCP connectivity. I verified VIPs netmasks, in dnsmasq there's no any relevant option except selecting interfaces and strict binding - which doesn't help.
When I manually assign in client ip4 address - all works fine, connectivity is flawless even with switching over between master and backup...
Have I missed something, how to fix it??
EDIT:
Both opnsense instances are virtualised - Proxmox VM
If you are running a HA setup then you need KEA DHCP Server : https://docs.opnsense.org/manual/dhcp.html ;)
Quote from: nero355 on March 03, 2026, 06:27:31 PMyou need KEA DHCP Server
Thanks, just migrated to dnsmasq a few months ago... I also use wifi enterprise and freeradius.
For test purposes I configured KEA on one vlan (stopped dnsmasq), as per https://docs.opnsense.org/manual/kea.html (https://docs.opnsense.org/manual/kea.html), have added standby and primary HA peers (firewall rules as well) did synchronisation. KEA receives heartbeat but still nothing - I can't get assigned ip4 address in client.
As far as I can see, even KEA sends dhcp offers from interface address and not VIP. Is it correct?
Yes that is correct, that's how DHCP works.
You can have the Clients to reach the VIP, but the response for DHCP offer will come from the interface IP and not VIP.
You can only bind the listening interface/IP but not the responding.
I am running two DHCP servers based on DNSmasq on linux servers. They are both active, as DNSmasq doesnt support HA, so I have set on the second one a delay in response. Meaning the first server always is the one respond first.
Regards,
S.
Quote from: Seimus on March 04, 2026, 12:24:19 PMYes that is correct, that's how DHCP works.
Ok, I understand. But still, once HA (vlans carp vip) is activated, dhcp clients in lan don't receive ip4 address. FW rules have been created automatically...
You should review your secondary DHCP server then as well live log if you see anything blocked or dropped.
Regards,
S.
The issue shows up once VIPs are set. Even with backup instance completely off, I'm not able to obtain ip4 address. In dhcp logs, I can see offers being sent, maybe auto FW rules are not correct?
Quote from: GreenMatter on March 03, 2026, 07:28:52 PMFor test purposes I configured KEA on one vlan (stopped dnsmasq)
OPNsense does not support a different DHCP Server per Interface so if you want to test then you need to move EVERYTHING to KEA sadly !![/s]
/EDIT :Nevermind...
See : https://forum.opnsense.org/index.php?msg=261945
Quote from: nero355 on March 04, 2026, 09:14:47 PMmove EVERYTHING to KEA sadly
So if I want to run KEA dhcp server on one or selected interface only, it won't work? But that's how I use dhcp, it runs on 4 out 8 of my vlans...
I think my issue may have something to do with OVS bridge in Proxmox where both instances are connected to. I'm not so sure how this: https://docs.opnsense.org/manual/how-tos/carp.html#switch-configuration (https://docs.opnsense.org/manual/how-tos/carp.html#switch-configuration) refers to virtual, OVS bridge... Can anybody enlighten me?
Quote from: GreenMatter on March 05, 2026, 12:35:15 PMSo if I want to run KEA dhcp server on one or selected interface only, it won't work? But that's how I use dhcp, it runs on 4 out 8 of my vlans...
Of course you can do that. What you cannot do is run Kea on 2 interfaces and ISC-DHCPd on two different ones. Because ISC binds to all interfaces, even when only active on 2.
Quote from: Patrick M. Hausen on March 05, 2026, 01:00:18 PMWhat you cannot do is run Kea on 2 interfaces and ISC-DHCPd on two different ones.
That how I tested it: stopped dnsmasq and run KEA. Anyway, I can't get it working with CARP VIPs. Therefore I'm suspecting my OVS bridge in Proxmox to be guilty...
Quote from: GreenMatter on March 05, 2026, 12:35:15 PMQuote from: nero355 on March 04, 2026, 09:14:47 PMmove EVERYTHING to KEA sadly
So if I want to run KEA dhcp server on one or selected interface only, it won't work? But that's how I use dhcp, it runs on 4 out 8 of my vlans...
Quote from: Patrick M. Hausen on March 05, 2026, 01:00:18 PMOf course you can do that.
What you cannot do is run Kea on 2 interfaces and ISC-DHCPd on two different ones.
Because ISC binds to all interfaces, even when only active on 2.
Quote from: GreenMatter on March 05, 2026, 01:06:08 PMThat how I tested it: stopped dnsmasq and run KEA.
OK, then I have completely misunderstood previous posts about this subject... My bad! :)
QuoteI think my issue may have something to do with OVS bridge in Proxmox where both instances are connected to.
I'm not so sure how this: https://docs.opnsense.org/manual/how-tos/carp.html#switch-configuration (https://docs.opnsense.org/manual/how-tos/carp.html#switch-configuration) refers to virtual, OVS bridge...
Can anybody enlighten me?
It seems you don't have to deal with any of that : https://pve.proxmox.com/wiki/Open_vSwitch#Multicast
However that information also suggests you are using an old version of Proxmox : https://pve.proxmox.com/wiki/Multicast_notes ?!?!
Quote from: nero355 on March 05, 2026, 02:16:05 PMIt seems you don't have to deal with any of that : https://pve.proxmox.com/wiki/Open_vSwitch#Multicast (https://pve.proxmox.com/wiki/Open_vSwitch#Multicast)
However that information also suggests you are using an old version of Proxmox : https://pve.proxmox.com/wiki/Multicast_notes (https://pve.proxmox.com/wiki/Multicast_notes) ?!?!
I use latest and the greatest PVE 9.1.6 so, it can't be the case. I'm lost when it comes to VIPs and DHCP. What else to try?
So...., it seems like I'm an idiot.
I used to have USG (unifi router) and I ditched it in order to get opnsense. But I kept unifi switches where is an option of "dhcp guarding". And of course there were set main interfaces IP addresses. Those addresses have become VIP addresses, but dhcp answers now from new interfaces addresses. Once I added new addresses, all started working!
New question is whether I can keep using DNSMASQ on both instances with DHCP delay set in backup instance (and dnsmasq is now excluded from xmlrpc sync.)?