Messages - IsaacFL

#1
I noticed that my ACME client was failing. For the logs below, I obfuscated my domain as MYDOMAIN.

I use Cloudflare with DNS01 and a DNS API.

From the logs:

acme.sh [Mon Aug  4 00:03:00 PDT 2025] 'opnsense.MYDOMAIN.com' is not an issued domain, skipping.
opnsense AcmeClient: domain validation failed (dns01)
opnsense AcmeClient: validation for certificate failed: opnsense. MYDOMAIN.com


On the router, under Services: ACME Client: Certificates,
I clicked the red square, Issue/Renew All Certificates.
It failed as it did this morning.

I clicked on the little circle arrow (Issue or Renew Certificate) that is on the same line as the existing certificate.
It updated the certificate with status OK.

So there is a difference between the auto update, Issue/Renew All Certificates, and the individual Renew.
Only the individual Renew works.


#2
You might check your configuration, as my road warrior WireGuard does work with IPv6. Many of my local servers are IPv6 only, and until recently I ran it as IPv6 only.

My ifconfig for wg does show IP addresses for IPv6 and IPv4 that are assigned by the WireGuard instance, which don't seem to be in yours.

wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
description: WG (opt1)
options=80000<LINKSTATE>
inet 10.XX.XX.1 netmask 0xffffff00
inet6 2603:xxxx:zzzz:yyyy::1 prefixlen 64
groups: wg wireguard
nd6 options=1<PERFORMNUD>

Those are the addresses I assigned as the tunnel address, so it seems odd that you don't have any.
#4
Quote from: Monviech (Cedrik) on July 24, 2025, 10:21:22 PM
Hello,

I've looked into these options before and they're reasonable to implement.

Is there a chance for a github ticket?

Thank you :)

I can do that. I just wanted to make sure I didn't miss the setting somewhere.
#5
I have a primarily IPv6 environment using stateless addressing, so I am switching from KEA/Radvd to try out dnsmasq. It seems to work, but by default it seems to log every router advertisement/solicitation: a lot of log entries, with every RTR-ADVERT and RTR-SOLICIT on every VLAN.

I couldn't figure out if there is an option to control the logging level, but I have an SSD, so I prefer not to log so much.

The dnsmasq documentation mentions:
--quiet-dhcp, --quiet-dhcp6, --quiet-ra: These options suppress logging of routine DHCP and router advertisement operations, while still logging errors.

Seems like these would be better as defaults?

I added a custom .conf file with "quiet-ra" and now have more reasonable logging.


#6
In Unbound, I have checked the "Register DHCP Static Mappings" option.

In Dnsmasq, I have static mappings using the Hosts tab, and I can see they are there in /var/etc/dnsmasq-hosts, but they don't show when I do a dig from the command line?

#7
He asked about KEA, not dnsmasq. I am also curious when this will be added to KEA DHCPv6?

I also find that the DUID column hides most of the text field, so I can't manually copy it to create my own static entry. What I have had to do is use my external logging to find the DUIDs.

#8
Yes, I only have 2 physical interfaces: all VLANs are on one (OPT1), and LAN has no VLANs. Kea is active on all of them, IPv6 and IPv4.
#9
I'm using Kea for both IPv6 and IPv4 and am not seeing this. I am using raw socket on the IPv4 side. I don't see the setting for that on the IPv6 side.
#10
I am using KEA as my DHCPv6 server now and was curious if the Router Advertisement service is aware of that.

There is an option under "DNS options": "Use the DNS configuration of the DHCPv6 server".

I have unchecked it as I'm using the router's DNS, Unbound, which I believe is automatic. But it could be clearer which DHCP server it is pulling it from.

#11
Quote from: cinergi on May 26, 2025, 12:28:30 AM
What if I want only stateful DHCPv6 without SLAAC, which corresponds to the "Managed" mode under Services > Router Advertisements? None of the DNSmasq RA modes seem to do this. Possible using DNSmasq?

RA Mode set to "Default" will be the same as "Managed" mode, I believe?
#12
Quote from: franco on May 16, 2025, 09:26:16 AM
Please push this request to GitHub. Thanks!

Cheers,
Franco

Created issue #8677, "KEA DHCP6 Option to select for Random vs Iterative Allocation of ipv6 Addresses".

I noted that issue #8506 was the same request but for IPv4. I also noted that the same "allocator": "random" solution works for IPv4, so possibly the change could be incorporated in both DHCPv4 and DHCPv6.
#13
25.1, 25.4 Series / KEA DHCP6 Feature Request
May 16, 2025, 01:33:03 AM
I couldn't get the dnsmasq/unbound combination to work well in my situation, as I have a real domain with Cloudflare as my name servers.

So I have been using the new KEA DHCP6, and it seems to work well, and I was noticing that by default it assigns IP addresses sequentially.

One option in KEA is to use "random" allocation instead. The "allocator": "random" option might be more performant, especially in an HA setup. It could be a selectable option per subnet or just be the default.

From the documentation:

{
    "Dhcp6": {
        "allocator": "iterative",
        "pd-allocator": "random",
        "subnet6": [
            {
                "id": 1,
                "subnet": "2001:db8:1::/64",
                "allocator": "random"
            },
            {
                "id": 2,
                "subnet": "2001:db8:2::/64",
                "pd-allocator": "iterative"
            }
        ]
    }
}



From the Docs:
-----------------------------
9.21.2. Iterative Allocator

This is the default allocator used by the Kea DHCPv6 server. It remembers the last offered lease and offers the following sequential lease to the next client. For example, it may offer addresses in this order: 2001:db8:1::10, 2001:db8:1::11, 2001:db8:1::12, and so on. Similarly, it offers the next sequential delegated prefix after the previous one to the next client. The time to find and offer the next lease or delegated prefix is very short; thus, this is the most performant allocator when pool utilization is low and there is a high probability that the next selected lease is available.

The iterative allocation underperforms when multiple DHCP servers share a lease database or are connected to a cluster. The servers tend to offer and allocate the same blocks of addresses to different clients independently, which causes many allocation conflicts between the servers and retransmissions by clients. A random allocation addresses this issue by dispersing the allocation order.

9.21.3. Random Allocator

The random allocator uses a uniform randomization function to select offered addresses and delegated prefixes from subnet pools. It is suitable in deployments where multiple servers are connected to a shared database or a database cluster. By dispersing the offered leases, the servers minimize the risk of allocating the same lease to two different clients at the same or nearly the same time. In addition, it improves the server's resilience against attacks based on allocation predictability.

The random allocator is, however, slightly slower than the iterative allocator. Moreover, it increases the server's memory consumption because it must remember randomized leases to avoid offering them repeatedly. Memory consumption grows with the number of offered leases; in other words, larger pools and more clients increase memory consumption by random allocation.

-----------------------------
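A small model of the two allocators, added here as an example (it is not Kea's code and not part of the thread). It exercises the two properties the quoted documentation claims for the random allocator: fewer conflicts between independent servers sharing a lease database, and leases that an observer cannot predict from the ones handed out before. The same "allocator" knob applies to Dhcp4 (the IPv4 request, issue #8506, is mentioned in the post above), so the model only uses address arithmetic and works the same way for either family. The pool (a slice of 2001:db8:1::/64), the client count, the seeds and the two-server setup are constructed for the example.

```python
"""Model of Kea's iterative vs random lease allocators (added example).

Not Kea's code: a small model of the two behaviours the Kea documentation
describes. It measures (a) how well an observer who has seen earlier leases
can predict the next one, and (b) how often two servers that allocate
independently against one shared lease database offer the same address.
Pool, client count and seeds are constructed for the example.
"""
import ipaddress
import random

POOL_START = ipaddress.IPv6Address("2001:db8:1::10")  # constructed pool start
POOL_SIZE = 65536                                      # constructed pool size
N_CLIENTS = 200                                        # constructed client count


class IterativeAllocator:
    """Offers the address following the last one offered (Kea's default)."""

    def __init__(self, pool_start=POOL_START, pool_size=POOL_SIZE, rng=None):
        self.base = int(pool_start)
        self.pool_size = pool_size
        self.offset = 0          # the only state kept: where we left off

    def pick(self):
        addr = ipaddress.IPv6Address(self.base + self.offset)
        self.offset = (self.offset + 1) % self.pool_size
        return addr


class RandomAllocator:
    """Offers a uniformly random address and remembers what it already offered."""

    def __init__(self, pool_start=POOL_START, pool_size=POOL_SIZE, rng=None):
        self.base = int(pool_start)
        self.pool_size = pool_size
        self.rng = rng if rng is not None else random.Random()
        self.offered = set()     # grows with every lease: the memory cost the docs mention

    def pick(self):
        if len(self.offered) >= self.pool_size:
            raise RuntimeError("pool exhausted")
        while True:              # rejection sampling over the pool
            i = self.rng.randrange(self.pool_size)
            if i not in self.offered:
                self.offered.add(i)
                return ipaddress.IPv6Address(self.base + i)


def predictability(allocator, n_clients=N_CLIENTS):
    """Fraction of leases an observer guesses right by assuming 'previous lease + 1'."""
    hits, prev = 0, None
    for _ in range(n_clients):
        addr = allocator.pick()
        if prev is not None and addr == prev + 1:
            hits += 1
        prev = addr
    return hits / (n_clients - 1)


def shared_db_conflicts(make_allocator, n_clients=N_CLIENTS, seed=1):
    """Two servers allocate independently against one shared lease database.

    A conflict is counted each time a server offers an address the other server
    already wrote to the database, forcing a retry (the client sees a
    retransmission). make_allocator(rng) builds one server's allocator.
    """
    rng = random.Random(seed)
    servers = [make_allocator(rng), make_allocator(rng)]
    lease_db = set()
    conflicts = 0
    for _ in range(n_clients):
        server = rng.choice(servers)   # whichever server the relay reaches first
        while True:
            addr = server.pick()
            if addr not in lease_db:
                lease_db.add(addr)
                break
            conflicts += 1
    return conflicts


def compare(seed=1):
    """Run both measurements for both allocators with a fixed seed."""
    rng = random.Random(seed)
    return {
        "iterative_predictability": predictability(IterativeAllocator()),
        "random_predictability": predictability(RandomAllocator(rng=rng)),
        "iterative_conflicts": shared_db_conflicts(lambda r: IterativeAllocator(), seed=seed),
        "random_conflicts": shared_db_conflicts(lambda r: RandomAllocator(rng=r), seed=seed),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With the iterative allocator every lease is the previous one plus one, so the guess is right every time; with the random allocator a hit is a 1-in-65536 accident. For the shared database, the iterative servers both walk the same sequence from the same starting point, so each time the request lands on the server that is behind it collides with everything the other server handed out in the meantime, while random picks from a lightly used pool almost never coincide. The cost side is visible too: `offered` is the per-lease memory the documentation warns about.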


#14
I am trying it and it works well, actually. The first error found is:
firewall alias resolve error HOST_PRINTERS (no nameservers)

Looks like the firewall can't find the name server if not Unbound.
#15
In the guide, it suggests having Unbound on port 53 acting as DNS and then forwarding local queries to Dnsmasq via port 53053.

Has anybody tried to reverse it, where dnsmasq resides on port 53 and then uses Unbound on port 5335 as the upstream resolver for dnsmasq?

That is basically what Pi-hole does for its DNS/DHCP.
https://docs.pi-hole.net/guides/dns/unbound/

Currently I have had some DNS looping issues, as I have a real custom domain name.