Messages

kea 2.6.3 supports DHCP lease affinity, but the configuration options haven't yet been exposed in OPNsense GUI

https://forum.opnsense.org/index.php?topic=48462.0

https://github.com/opnsense/core/issues/9094

In current OPNsense 25.7.1_1 release, manually editing the kea config file to add the options, are overwritten / removed when kea service is re-started ( from either OPNsense GUI or cli)...

Thanks for posting this. https://github.com/opnsense/core/issues/9094 is exactly what we would need to address the issue.

Not sure about the scale of your issue and the number of  machines affected, but why don't you just reserve an IP for this client based on its MAC address (under 'reservations' tab in the KEA service configuration)? Make sure the assigned IP is outside of the range dynamically assigned by KEA but still in the same subnet. Your client will get the exact same IP each time it request one through DHCP.

Yes, this fixed it. Thank you.

If you are forwarding the DNS queries to Google DNS servers (8.8.8.8) that might be causing the issue. Can you try another DNS provider such as Cloudflare (1.1.1.1) to see if that solves the issue?

I'll try that when I'm home. I'm using my providers DNS resolvers, which work fine when queried from OPNsense or directly from clients on my LAN. Maybe the new version of dnsmasq in 26.1.6 suddenly has an issue with their response.

perhaps https://forum.opnsense.org/index.php?topic=47135.0

I have no issues with DHCP (I'm using ISC kea). Just that dnsmasq is failing to resolve external hosts/domains.

Hi all

After the upgrade to 26.1.6, dnsmasq is no longer able to resolve queries to the external DNS from clients on the LAN. Queries for internal hosts work though. In the log I can see that dnsmasq tries to forward the queries to the configured resolvers (from general settings) but then immediately sends error REFUSED to the client. Resolving external hosts in the OPNsense shell works though. Also, if I assign the external resolver as DNS server in DHCP, clients on the LAN can resolve external hosts.

I can't figure out what is wrong. Any ideas?

Regards
Sven

That was quick! Both changes have been included in 25.1.6. I guess this was planned even before my post.

Hi all

I have configured IKEv2 with EAP-TLS to connect from my iOS device to my home network. I've configured a split tunnel that just routes my home subnet over IPsec.

Everything worked perfectly except DNS. However, I found that I can make it work if I manually add attribute 25 to my charon configuration (adding the name of my internal DNS domain):

        attr {
            25 = domain.home
            subnet = 192.168.34.0/24
            split-include = 192.168.34.0/24
            dns = 192.168.34.1
   }

Attribute 25 stands for INTERNAL_DNS_DOMAIN according to https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21

It would be nice if support for this attribute could be added to the GUI.

Somewhat unrelated I would also appreciate if support for proposal 'aes256-sha256-modp1024' could be added to the phase 1 proposal list as this is the only algorithm I found to make my Azure VPN gateway (cheapest type 'basic' with only limited algorithm support) connect to my OPNsense box.

Kind Regards
Sven