Messages - Drinyth

#1
Quote from: OPNenthu on May 21, 2025, 05:19:39 PM
What I meant to ask: If the dhcp-range is for example 192.168.1.100 - 192.168.1.199, but I have a Host entry for a client at 192.168.1.20 (outside of the dhcp-range), this will work automatically? Or requires a dedicated static range (and if so, how to create it)?

I'm running in a similar situation with a subnet with some static and some dynamic addresses. In your scenario, you do not need to add a dedicated static range.

From my own experience, if you setup a DHCP range and then set a static host reservation for an IP outside of that range (but still in that same subnet), then the static and dynamic DHCP addressing will work just fine. I haven't found a second, separate "static" range to be necessary for that subnet.

If you're setting up a subnet with only static addresses, then creating a DHCP range with the mode "static" will suffice for this and not require you to add a range (i.e. start and end).

Obviously, for dynamic only DHCP you can just setup the DHCP range and let dnsmasq pull IPs from that available pool.
#2
Quote from: Monviech (Cedrik) on May 21, 2025, 05:11:26 PM
4. They get the domain that is defined in /var/etc/dnsmasq-hosts, and if you leave it empty they register the one of the dhcp-range instead.

Just wanted to add that in the event that you're using that range as a static-only range, you cannot add a domain to that range currently.

If a DHCP range has Mode set to "Static" and you try and specify an "End address", it will error out with "Static only accepts a starting address."

And if you try and add a domain to this "Static" range, OPNsense will error with "Can only configure a domain when a full range (including end) is specified."

Hence, the only way to currently add a domain to a static pool is to explicitly add the domain to every static entry manually.
#3
I noted this behavior and desire too, soon after dnsmasq with its DHCP offerings was released:

https://forum.opnsense.org/index.php?topic=47150.msg237043#msg237043

I didn't go so far as to open a feature request issue for it though. For now, I've just been doing an export of all my static hosts, doing a mass find and replace for all of the lease time values, and then reimporting that into opnsense. It's not as convenient as being able to do it all from within the opnsense GUI, but it has been working fine for me.
#4
Quote from: meyergru on May 21, 2025, 11:47:22 AM
I can create a band-aid or manually configured variant, that works for me, as well, but I think normal users should have an option that is supported via the GUI.

For what it's worth, I'm using AGH that is listening on port 53 and forwarding queries for local and reverse domains to dnsmasq running on a different port. So it is similar to having Unbound running on port 53 and handling everything non-local. AGH can forward to upstream providers using DoT or DoH. It is also available to configure via the GUI.

Granted, it's not part of the default opnsense offering and one has to add Mimugmail's repo to enable it.
#5
Quote from: Taunt9930 on May 20, 2025, 09:41:02 PM
If we set a DHCP range as per the docs of, say, 192.168.1.10 - 192.168.1.100 for dynamic leases, and then set a reservation up for 'Host A' at address 192.168.1.200 - do we need to set up a separate range but with mode 'static' that incorporates the desired reserved addresses?

The docs suggest we need to for DHCP v4, but the OP suggests they haven't done so and addresses are being set/reserved - what are the side effects of not doing so / why do we need a range set?

Just asking as this is contrary to what people are used to with Kea etc - the direction there was to ensure any reservations were explicitly OUTSIDE of any defined ranges on the DHCP server...

From my own experience, if you setup a DHCP range and then set a static host reservation for an IP outside of that range (but still in that same subnet), then the static and dynamic DHCP addressing will work just fine. I haven't found a second, separate "static" range to be necessary for that subnet.

If you're setting up a subnet with only static addresses, then creating a DHCP range with the mode "static" will suffice for this and not require you to add a range (i.e. start and end).

Obviously, for dynamic only DHCP you can just setup the DHCP range and let dnsmasq pull IPs from that available pool.
#6
Just want to say thank you to everyone involved for tracking this down and fixing it!

I had this problem when upgrading to 25.1.7 and immediately rolled back to my old KEA/Unbound configuration since that was working as intended. I applied patch e69b02c above and everything is working again.
#7
Quote from: Ground_0 on May 17, 2025, 02:28:20 PM
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers"? I noticed that I had a similar issue if I didn't have servers explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.
#8
Quote from: davidfi01 on May 17, 2025, 03:02:17 PM
@Drinyth - are you running multiple VLANs? If you disable dnsmasq and re-enable Kea DHCPv4, does Kea re-insert FW rules in VLANs? After resetting back to dnsmasq, does dnsmasq reinstall FW rules on VLANs?

Yes. I'm running multiple VLANs here.

If I disable dnsmasq, all of the firewall rules that were set for it get removed. Enabling KEA will insert the KEA firewall rules in the VLANs. Removing KEA will remove the firewall rules. And lastly, turning dnsmasq back on will put the dnsmasq firewall rules back in for all VLANs.
#9
Quote from: davidfi01 on May 16, 2025, 09:38:19 PM
I am confirming that as well. I see no blocks in the logs. Have fully opened VLAN and LAN (pass in/out), tried to create FW rules for the VLAN manually. Seems like DHCP does NOT work if KEA/Unbound were used previously. Any other ideas to try?

No other things to try here. Weird that your FW rules are getting created in all networks using the KEA toggle, but that it doesn't happen with dnsmasq.

That being said, I can't agree with the statement that dhcp does not work if KEA/Unbound were used previously. I was using KEA/Unbound for months prior to dnsmasq DHCP being released and am now up and running with DHCP and DNS services exclusively via dnsmasq.
#10
Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
2) I enable dnsmasq on port 53 with LAN, VLAN1, VLAN2, VLAN3 interfaces.
3) I enable firewall rules for DHCP - the firewall rules are only created in LAN.

This doesn't seem right. So in Services: Dnsmasq DNS & DHCP --> General, under Interfaces you can see all your interfaces selected there (4 in total)?

If that is the case and you have "DHCP register firewall rules" checked and you applied the settings, the firewall rules should be created for all those interfaces?

For each respective interface, there should be three rules in the "Automatically generated rules" with the Description "allow access to DHCP server".
#11
Quote from: bassopt on May 11, 2025, 04:20:17 PM
Hmmm, I have rebooted pfSense many times. What do you mean "reload firewall rules"? That doesn't make much sense, even less practical.
Is the "DHCP register firewall rules" option really necessary?
To be honest, the DNSMasq instructions are a bit confusing at the time.

If you have rebooted opnsense after making changes, your firewall rules will have reloaded as part of that reboot.

For my configuration (basic home network with a bunch of VLANs), setting "DHCP register firewall rules" was necessary. It wasn't necessary when I ran KEA, but dnsmasq must behave differently somehow to require those rules be there? Without those rules, DHCP services only worked intermittently where some devices were able to obtain an IP from the dnsmasq DHCP server, but others would not. After adding the firewall rules and reloading them, all those devices that would not connect previously started working.
#12
Quote from: bassopt on May 10, 2025, 10:34:34 PM
I've been playing with the new dnsmasq implementation and I have huge issues with DHCP clients! Some never get an IP, others take forever or are very slow to do so. Not sure if it's related to the "DHCP register firewall rules" option.
I've read the documentation a dozen times and followed it strictly and still have these issues.
DNS works more or less OK.

After you check the register firewall rules option, be sure to reload your firewall rules. I think I read someplace that it does not do this by default for you.
#13
Quote from: Drinyth on May 09, 2025, 04:10:16 PM
System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly unbound) on port 8053 for lookups for static DHCP entries and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just timeout when no DNS servers are defined despite having my ISP's DNS servers in resolv.conf. Not sure why this is the case? Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.

The following patch appears to have fixed this issue for me.

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332
#14
With dnsmasq suggested for small/medium installations moving forward, I decided to take a stab at converting my Unbound and ISC/KEA configuration over to just using dnsmasq. It wasn't without its problems, so I decided to document my findings here in hope that it will be helpful to others (and perhaps for potential improvements moving forward).

----------------------------------

DHCP register firewall rules
This setting appears to be enabled by default, but I hadn't had the equivalent setting enabled in KEA (I don't see such an option for it under ISC). I figured that since the setting wasn't enabled in KEA, I would try and mimic this configuration in dnsmasq. This ended up causing all sorts of intermittent issues for me where some devices were able to register DHCP leases while other devices never appeared to reach the dnsmasq DHCP server at all (at least according to the logs). I do have some VLANs on my home network with rules prohibiting traffic to other VLANs. I suspect that these inter-VLAN blocks might have been the root cause, but it was still weird that some devices worked while others didn't in this configuration.

Interface
Adding onto the firewall issue above, the default configuration in the GUI has the "Interface" set to "All" which is a bit misleading. When leaving this at "All" and checking DHCP register firewall rules, these rules actually don't get written to all the available interfaces. Obviously, this also causes DHCP services to behave sporadically since the firewall rules for proper operation never get added to their respective interfaces. I initially wanted it as all because I wanted to be able to do lookups on localhost. Later I would find out that localhost is enabled regardless. Once I explicitly enabled all of my interfaces where I needed DHCP services, I then saw the appropriate firewall rules being created accordingly.

System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly unbound) on port 8053 for lookups for static DHCP entries and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just timeout when no DNS servers are defined despite having my ISP's DNS servers in resolv.conf. Not sure why this is the case? Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.

EDIT: This has been fixed in the patch posted in the #2 comment below.

DHCP ranges
I have a few VLANs with only static IPs in them with another VLAN with some statics and some dynamic. If you try and define static IPs under the "Hosts" tab and you don't define that subnet in "DHCP ranges", dnsmasq DHCP will not work properly. Luckily, there is verbiage in the logs to reflect this. I just wanted to mention it in case someone ran into that issue.

Static IP Wishlist
As a nice-to-have, it would be nice if, for static IPs, the domain could be set globally someplace, or perhaps if it used the system domain if nothing was defined? I had to include the domain name for each of my static entries individually in order to get FQDN lookups to work for those entries. Similarly, it would be nice if the lease time for static IPs could be defined globally someplace. Again, I had to define them individually for each static IP entry. Luckily for both of the above, the export and import features from the GUI allowed me to do some quicker editing to a text file to make the changes.

Regarding import/export, it also appears that if an entry already exists in the configuration and you try to export the config, make a change to one of those entries and import the updates, the update doesn't actually take effect. Instead I had to export the config, then delete entries from the GUI, make changes to the exported configuration, and then do an import for it to take effect. I don't know what the proper solution is here and what should be authoritative (i.e. do we leave the GUI entry in place since it already exists or should it get overwritten by whatever is in the imported config). But just wanted to throw that out there. Hopefully some of the above can be implemented in a future release?

EDIT: After further testing of import/export behavior, it appears that imports of existing entries do update their respective entry as I would expect.

----------------------------------

All that said, thank you to the developers for continuing to improve opnsense on a regular basis! With constant releases and new features, bugs are bound to creep up which end up causing you guys more work to fix them. As a user, I appreciate all your work that you put into these new releases and that you continue to drive forward with the feature set of opnsense!
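The following is an added example, not code from OPNsense or dnsmasq, that serves the range/reservation questions answered in posts #1 and #5 and the "DHCP ranges" note in #14. It parses plain dnsmasq dhcp-range / dhcp-host directives and reports, for every reservation with a fixed address, whether its subnet has a dhcp-range at all (no range means dnsmasq will not serve it), whether it sits inside a dynamic pool, or whether it is reserved outside the pool as described above. The sample configuration, the /24 default for ranges without an explicit netmask, and the IPv4-only scope are assumptions made for the example; the file is not what the OPNsense GUI generates.

```python
"""Check dnsmasq DHCP reservations against the configured dhcp-ranges.

Added example; this is not OPNsense or dnsmasq code. For each dhcp-host
with a fixed address it reports:
  OK    - a dhcp-range covers the subnet and the address is outside any dynamic pool
  WARN  - the address sits inside a dynamic pool
  ERROR - no dhcp-range covers the subnet at all (dnsmasq will not serve it)
Assumptions: IPv4 only; a dhcp-range without an explicit netmask is taken as /24.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_PREFIX = 24  # assumption when a dhcp-range carries no netmask
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
LEASE_RE = re.compile(r"^(\d+[smhdw]?|infinite)$")

# Constructed sample (not a real OPNsense-generated file): one mixed subnet,
# one static-only subnet, and reservations that exercise each outcome.
SAMPLE_CONF = """\
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,12h
dhcp-range=192.168.2.0,static,255.255.255.0
dhcp-host=aa:bb:cc:dd:ee:01,192.168.1.20,nas
dhcp-host=aa:bb:cc:dd:ee:02,192.168.1.150,printer
dhcp-host=aa:bb:cc:dd:ee:03,192.168.2.10,switch
dhcp-host=aa:bb:cc:dd:ee:04,192.168.3.10,orphan
"""


@dataclass
class Range:
    network: ipaddress.IPv4Network
    pool_start: Optional[ipaddress.IPv4Address]  # None for mode "static"
    pool_end: Optional[ipaddress.IPv4Address]

    def in_pool(self, ip: ipaddress.IPv4Address) -> bool:
        return self.pool_start is not None and self.pool_start <= ip <= self.pool_end


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def parse_ranges(conf: str) -> list:
    ranges = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("dhcp-range="):
            continue
        # drop tag:/set: selectors; what remains is start[,end|static][,netmask][,lease]
        fields = [f for f in line[len("dhcp-range="):].split(",")
                  if not f.startswith(("tag:", "set:"))]
        start = ipaddress.IPv4Address(fields[0])
        rest = fields[1:]
        if rest and rest[0] == "static":
            pool = (None, None)
            rest = rest[1:]
        elif rest and _is_ipv4(rest[0]):
            pool = (start, ipaddress.IPv4Address(rest[0]))
            rest = rest[1:]
        else:
            raise ValueError(f"unsupported dhcp-range form: {line}")
        mask = rest[0] if rest and _is_ipv4(rest[0]) else str(DEFAULT_PREFIX)
        network = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        ranges.append(Range(network, *pool))
    return ranges


def parse_reservations(conf: str) -> list:
    hosts = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("dhcp-host="):
            continue
        fields = line[len("dhcp-host="):].split(",")
        ips = [f for f in fields if _is_ipv4(f)]
        if not ips:
            continue  # MAC- or name-only entries carry no fixed address
        names = [f for f in fields if not _is_ipv4(f) and not MAC_RE.match(f)
                 and ":" not in f and not LEASE_RE.match(f)]
        hosts.append((names[0] if names else fields[0], ipaddress.IPv4Address(ips[0])))
    return hosts


def check(conf: str) -> list:
    """Return (label, status, detail) per reservation; status is OK, WARN or ERROR."""
    ranges = parse_ranges(conf)
    findings = []
    for label, ip in parse_reservations(conf):
        covering = [r for r in ranges if ip in r.network]
        if not covering:
            findings.append((label, "ERROR", f"{ip}: no dhcp-range covers this subnet"))
        elif any(r.in_pool(ip) for r in covering):
            findings.append((label, "WARN", f"{ip}: inside a dynamic pool"))
        else:
            findings.append((label, "OK", f"{ip}: reserved outside any dynamic pool"))
    return findings


if __name__ == "__main__":
    for label, status, detail in check(SAMPLE_CONF):
        print(f"{status:5} {label:8} {detail}")
```

With the sample, "nas" and "switch" come back OK (one outside the dynamic pool, one in the static-only subnet), "printer" is flagged WARN because it lies inside the 192.168.1.100-199 pool, and "orphan" is an ERROR because nothing defines 192.168.3.0/24. Running it against an exported dnsmasq configuration gives a quick way to catch the "Hosts entry without a DHCP range" mistake before dnsmasq logs it.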
#15
In System -> Settings -> General, do you have any DNS servers explicitly defined under that section? If not, try adding some there.

I noticed the same issue where when my WAN just gets DNS servers via DHCP from my ISP, I cannot resolve anything in dnsmasq. But if I define a few (non-ISP) resolvers under "DNS servers" in the general settings, it works fine.

Not exactly sure why that is the case. Nothing in the dnsmasq.conf gets modified as a result of this. And my ISP nameservers in resolv.conf work just fine. It's quite odd.