Messages - Drinyth

#1
Quote from: davidfi01 on May 16, 2025, 09:38:19 PM
I am confirming that as well. I see no blocks in the logs. Have fully opened Vlan and Lan (pass in/out), tried to create FW rules for vlan manually. Seems like Dhcp does NOT work if KEA/Unbound were used previously. Any other ideas to try?

No other things to try here. Weird that your FW rules are getting created in all networks using the KEA toggle, but that it doesn't happen with dnsmasq.

That being said, I can't agree with the statement that dhcp does not work if KEA/Unbound were used previously. I was using KEA/Unbound for months prior to dnsmasq DHCP being released and am now up and running with DHCP and DNS services exclusively via dnsmasq.
#2
Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
2) I enable dnsmasq on port 53 with Lan, Vlan1, Vlan2, VLan3 interfaces.
3) I enable firewall rules for dhcp - The firewall rules are only created in LAN

This doesn't seem right. So in Services: Dnsmasq DNS & DHCP --> General, under Interfaces you can see all your interfaces selected there (4 in total)?

If that is the case and you have "DHCP register firewall rules" and you applied the settings, the firewall rules should be created for all those interfaces?

For each respective interface, there should be three rules in the "Automatically generated rules" with the Description "allow access to DHCP server".
#3
Quote from: bassopt on May 11, 2025, 04:20:17 PM
Hmmm I have rebooted pfsense many times. What do you mean reload firewall rules? That doesn't make much sense, even less practical.
Are the DHCP register firewall rules really necessary?
To be honest the DNSMasq instructions are a bit confusing at the time.

If you have rebooted opnsense after making changes, your firewall rules will have reloaded as part of that reboot.

For my configuration (basic home network with a bunch of VLANs), setting "DHCP register firewall rules" was necessary. It wasn't necessary when I ran KEA, but dnsmasq must behave differently somehow to require those rules be there? Without those rules, DHCP services only worked intermittently where some devices were able to obtain an IP from the dnsmasq DHCP server, but others would not. After adding the firewall rules and reloading them, all those devices that would not connect previously started working.
#4
Quote from: bassopt on May 10, 2025, 10:34:34 PM
I've been playing with the new dnsmasq implementation and I have huge issues with DHCP clients! Some never get an IP, others take forever or are very slow to do so. Not sure if it's related to the DHCP register firewall rules option.
I've read the documentation a dozen times and followed it strictly and still have these issues.
DNS works more or less ok.

After you check the register firewall rules option, be sure to reload your firewall rules. I think I read someplace that it does not do this by default for you.
#5
Quote from: Drinyth on May 09, 2025, 04:10:16 PM
System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly unbound) on port 8053 for lookups for static DHCP entries and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just timeout when no DNS servers are defined despite having my ISP's DNS servers in resolv.conf. Not sure why this is the case? Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.

The following patch appears to have fixed this issue for me.

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332
#6
With dnsmasq suggested for small/medium installations moving forward, I decided to take a stab at converting my Unbound and ISC/KEA configuration over to just using dnsmasq. It wasn't without its problems, so I decided to document my findings here in the hope that it will be helpful to others (and perhaps for potential improvements moving forward).

----------------------------------

DHCP register firewall rules
This was a setting that appears to be enabled by default, but whose equivalent setting I hadn't enabled in KEA (I don't see such an option for it under ISC). I figured that since the setting wasn't enabled in KEA, I would try and mimic this configuration in dnsmasq. This ended up causing all sorts of intermittent issues for me where some devices were able to register DHCP leases while other devices never appeared to reach the dnsmasq DHCP server at all (at least according to the logs). I do have some VLANs on my home network with rules prohibiting traffic to other VLANs. I suspect that these inter-VLAN blocks might have been the root cause, but it was still weird that some devices worked while others didn't in this configuration.

Interface
Adding onto the firewall issue above, the default configuration in the GUI has the "Interface" set to "All" which is a bit misleading. When leaving this at "All" and checking DHCP register firewall rules, these rules actually don't get written to all the available interfaces. Obviously, this also causes DHCP services to behave sporadically since the firewall rules for proper operation never get added to their respective interfaces. I initially wanted it as all because I wanted to be able to do lookups on localhost. Later I would find out that localhost is enabled regardless. Once I explicitly enabled all of my interfaces where I needed DHCP services, I then saw the appropriate firewall rules being created accordingly.

System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly unbound) on port 8053 for lookups for static DHCP entries and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just timeout when no DNS servers are defined despite having my ISP's DNS servers in resolv.conf. Not sure why this is the case? Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.

EDIT: This has been fixed in the patch posted in the #2 comment below.

DHCP ranges
I have a few VLANs with only static IPs in them with another VLAN with some statics and some dynamic. If you try and define static IPs under the "Hosts" tab and you don't define that subnet in "DHCP ranges", dnsmasq DHCP will not work properly. Luckily, there is verbiage in the logs to reflect this. I just wanted to mention it in case someone ran into that issue.

Static IP Wishlist
As a nice to have, it would be nice if, for static IPs, the domain could be set globally someplace, or perhaps if it used the system domain when nothing was defined? I had to include the domain name for each of my static entries individually in order to get FQDN lookups to work for those entries. Similarly, it would be nice if the lease time for static IPs could be defined globally someplace. Again, I had to define them individually for each static IP entry. Luckily for both of the above, the export and import features from the GUI allowed me to do some quicker editing in a text file to make the changes.

Regarding import/export, it also appears that if an entry already exists in the configuration and you try to export the config, make a change to one of those entries and import the updates, the update doesn't actually take effect. Instead I had to export the config, then delete entries from the GUI, make changes to the exported configuration, and then do an import for it to take effect. I don't know what the proper solution is here and what should be authoritative (i.e. do we leave the GUI entry in place since it already exists or should it get overwritten by whatever is in the imported config). But just wanted to throw that out there. Hopefully some of the above can be implemented in a future release?

EDIT: After further testing of import/export behavior, it appears that imports of existing entries do update their respective entry as I would expect.

----------------------------------

All that said, thank you to the developers for continuing to improve opnsense on a regular basis! With constant releases and new features, bugs are bound to creep up which end up causing you guys more work to fix them. As a user, I appreciate all your work that you put into these new releases and that you continue to drive forward with the feature set of opnsense!
#7
In System -> Settings -> General, do you have any DNS servers explicitly defined under that section? If not, try adding some there.

I noticed the same issue where when my WAN just gets DNS servers via DHCP from my ISP, I cannot resolve anything in dnsmasq. But if I define a few (non-ISP) resolvers under "DNS servers" in the general settings, it works fine.

Not exactly sure why that is the case. Nothing in the dnsmasq.conf gets modified as a result of this. And my ISP nameservers in resolv.conf work just fine. It's quite odd.
#8
Quote from: franco on May 08, 2025, 10:47:39 PM
I don't think it's nearly reliable enough at the moment and after all it is mimicking what ISC DHCP always did.

With "not nearly reliable" I mean that if you choose the old "all" default it will generate no firewall rules and if you happen to use that on a LAN with no default allow present you'll have some fun figuring out why it's not answering.

Still pondering what to do here but in general we are more or less expecting more support due to this new component either way. Dnsmasq is just a bit different from Kea and (ISC) DHCPD.

Indeed, turning off "DHCP register firewall rules" was part of my problem. That and not defining "Interfaces" under dnsmasq and leaving it with the default setting of "All" (which does not appear to register firewall rules on "All" interfaces as one might assume).

Once I fixed those things, all my issues where devices wouldn't connect to the dnsmasq DHCP server went away.

For what it's worth, when I was using KEA I did NOT have "Firewall rules" checked under its settings and my DHCP services still worked as expected? As such, I left that similar firewall configuration setting unchecked in dnsmasq as well, thinking it would work too. Not sure why KEA works without that checked but dnsmasq does not?

In any case, I'm still doing some testing but all seems much better now.
#9
I've been fighting with this since I upgraded this morning and have noticed some oddities as well.

I finally got everything configured and got dnsmasq to answer DNS requests and hand out (some) IP addresses via DHCP. But there were some devices on the network that work perfectly fine with ISC/KEA that just refuse to talk to the dnsmasq DHCP service and get an IP? I could tail the log file and see that dnsmasq was receiving DHCPREQUEST and sending DHCPACK packets to some devices on my network. But I had a few devices where I repeatedly tried renewing the IP address on and never saw an entry in the dnsmasq log file.

I would then disable dnsmasq dhcp and re-enable KEA and boom. IP address got assigned each and every time. I rebooted the clients several times (but not the firewall itself) to no avail. DHCP services through dnsmasq seem rather intermittent where KEA (and ISC) give me no issues whatsoever.
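The log-reading step described in this post, and the "never appeared to reach the dnsmasq DHCP server at all (at least according to the logs)" and "DHCP ranges" findings in post #6 above, can be turned into a quick triage script. What follows is an added example, not code from the thread or from OPNsense: it reads dnsmasq-dhcp syslog lines, groups them per interface and client MAC, and separates clients that completed the exchange (DHCPACK) from ones that were refused (DHCPNAK) or never got an offer, then flags interfaces that should carry DHCP but never appear in the log at all (the symptom when firewall rules or the "Interfaces" selection are wrong, because the packets never reach dnsmasq). The sample log lines, interface names and MAC addresses are constructed; the "no address range available for DHCP request via ..." line is assumed to be the warning dnsmasq logs when a subnet has hosts but no range, and the expected interface list is something you supply from your own configuration.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq-dhcp syslog lines (not taken from the thread).
# Interfaces, MACs and addresses are made up for the example.
SAMPLE_LOG = """\
May 10 20:31:02 fw dnsmasq-dhcp[4321]: DHCPDISCOVER(vlan10) aa:bb:cc:dd:ee:01
May 10 20:31:02 fw dnsmasq-dhcp[4321]: DHCPOFFER(vlan10) 192.168.10.50 aa:bb:cc:dd:ee:01
May 10 20:31:02 fw dnsmasq-dhcp[4321]: DHCPREQUEST(vlan10) 192.168.10.50 aa:bb:cc:dd:ee:01
May 10 20:31:02 fw dnsmasq-dhcp[4321]: DHCPACK(vlan10) 192.168.10.50 aa:bb:cc:dd:ee:01 laptop
May 10 20:31:40 fw dnsmasq-dhcp[4321]: DHCPREQUEST(vlan20) 192.168.20.7 aa:bb:cc:dd:ee:02
May 10 20:31:40 fw dnsmasq-dhcp[4321]: DHCPNAK(vlan20) 192.168.20.7 aa:bb:cc:dd:ee:02 wrong address
May 10 20:32:05 fw dnsmasq-dhcp[4321]: no address range available for DHCP request via vlan30
May 10 20:33:11 fw dnsmasq-dhcp[4321]: DHCPDISCOVER(vlan10) aa:bb:cc:dd:ee:04 no address available
May 10 20:33:14 fw dnsmasq-dhcp[4321]: DHCPDISCOVER(vlan10) aa:bb:cc:dd:ee:04 no address available
"""

# DHCPxxx(iface) [ip] mac [trailing text]  -- the normal dnsmasq-dhcp message shape
MSG_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<type>DHCP[A-Z]+)\((?P<iface>[^)]+)\)"
    r"(?: (?P<ip>\d+\.\d+\.\d+\.\d+))? (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)
# Warning for a subnet that has host entries but no DHCP range configured
# (assumed message text; see lead-in).
NO_RANGE_RE = re.compile(
    r"no address range available for DHCP request via (?P<iface>\S+)"
)


def triage(log_text, expected_ifaces):
    """Summarise a dnsmasq-dhcp log.

    Returns a dict with:
      clients  - {(iface, mac): "leased" | "refused" | "no-offer"}
      no_range - interfaces dnsmasq complained had no DHCP range
      silent   - expected interfaces with no DHCP activity in the log at all,
                 i.e. requests are not reaching dnsmasq on that interface
    """
    seen = defaultdict(set)   # (iface, mac) -> set of message types observed
    no_range = set()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            seen[(m["iface"], m["mac"])].add(m["type"])
            continue
        n = NO_RANGE_RE.search(line)
        if n:
            no_range.add(n["iface"])

    clients = {}
    for key, types in seen.items():
        if "DHCPACK" in types:
            status = "leased"          # full DORA exchange completed
        elif "DHCPNAK" in types:
            status = "refused"         # server answered, but rejected the request
        else:
            status = "no-offer"        # client was heard, never got OFFER/ACK
        clients[key] = status

    active = {iface for iface, _ in seen} | no_range
    silent = sorted(i for i in expected_ifaces if i not in active)
    return {"clients": clients, "no_range": sorted(no_range), "silent": silent}


if __name__ == "__main__":
    # Interfaces you expect to serve DHCP on; take this from your own setup.
    result = triage(SAMPLE_LOG, ["lan", "vlan10", "vlan20", "vlan30"])
    for (iface, mac), status in sorted(result["clients"].items()):
        print(f"{iface:8} {mac}  {status}")
    if result["no_range"]:
        print("interfaces with hosts but no DHCP range:", ", ".join(result["no_range"]))
    if result["silent"]:
        print("no DHCP traffic seen on:", ", ".join(result["silent"]),
              "(check 'DHCP register firewall rules' and the Interfaces selection)")
```

Run it against a copy of the firewall's dnsmasq log (on OPNsense the DHCP messages land in the dnsmasq log viewer or syslog). An interface in the "silent" list while clients on it are stuck is the pattern described in this thread: the client is sending, nothing arrives at dnsmasq, so the firewall rules or the interface selection are the first things to check rather than the DHCP pool itself.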
#10
Potential similar issues here as well. I had my system crash twice today after upgrading to 24.7.10_1 when normally my system is very stable.

Running the test kernel here as well to see if that clears up my crashes too.
#11
Still loving the AdGuardHome plugin and that it works flawlessly on the same device as my opnsense installation.

I noticed from "System -> Firmware -> Plugins" that it shows up now as:

os-adguardhome-maxit (misconfigured)

It doesn't seem to affect things, but I did try deleting and reinstalling the software to see if it would go away and it doesn't? The console also displayed something about the metadata in /usr/local/opnsense/version/adguardhome-maxit being invalid or something?
#12
Looks like the service started up just fine after it was enabled. Turned down my old, physical pi-hole device yesterday. Thank you for your work on this!
#13
Thanks for your work on this. I have your Adguard package installed (although I have to run it manually for the time being as it looks like there are some startup issues with it). I didn't realize that this runs natively on FreeBSD so I'm looking forward to being able to move DNS services to opnsense and remove a server (dedicated linux Adguard [formerly pi-hole] server) off the network.

Any thoughts of incorporating static DHCP names into the DNS Rewrites section of Adguard? I have a few static DHCP entries on my network so to resolve these names, I have unbound running on a different port (which maps these names) and then have Adguard running on port 53 that forwards to this unbound service.

If the static name entries could be added directly into adguard, I could remove the unbound service from running entirely and forward directly to something upstream.

Thanks again!
#14
I only came here to say that I also have not experienced any issues with unbound crashing since upgrading to 20.7.7 on release day. I'm sorry to those that have had issues and based on the flurry of activity surrounding this, there clearly is an issue that is affecting *some* users. But not all users are having this problem.
#15
It looks like hphosts ad_servers.txt (and possibly the others?) is no longer actively being maintained and has been taken down:

https://forums.malwarebytes.com/topic/257401-inquiry-regarding-automated-processing-of-hosts-files/

Pi-hole is also removing it from their default configuration as well. Just a heads up in case you want to remove it from the next update. :)