Messages - pasha-19

#1
25.7, 25.10 Series / DHCP/DNS setup.
January 27, 2026, 10:07:44 PM
I started with these instructions:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

I ran into a problem where defining a DHCP pool that included dynamic and reserved assignments (a requirement of the DNSMasq DHCP servers) did not successfully allow (some, maybe all) unused addresses in the reserved range to be declared "static" (advanced option) if they were not the subject of a reserved assignment, to prevent automatic assignment of undesirable addresses.  I entered each "static" entry as a single address as the window indicated was required.  This problem was present in both IPv4 and IPv6 DHCP dynamic assignments.

I switched to using DNSmasq as a local DNS server and Kea as the IPv4 & IPv6 DHCP server.  I have successfully gotten all addresses (but not all suffixes) assigned as desired.  Kea only includes the dynamically assigned addresses in the pool, and both static and reserved assignments are made from outside the dynamic pool addresses per the Kea documentation.

I have been working on getting a DNS suffix assigned to dynamic pool and reserved assignments.

The KEA IPv4 DHCP server has a field in the pool setup to contain that DNS Suffix value along with a DNS Search suffix value.  This works for me.

IPv4 and IPv6 reserved addresses seem to work fine if the full FQDN including trailing period is included in the Hostname of the reservation entry.  The DNS Suffix value in the reservation configuration was not sufficient to be appended to the Hostname (without the suffix) in my testing.

The IPv6 DHCP server DOES NOT have a DNS Suffix value and only has a DNS Search Suffix in the dynamic pool configuration window.

I tried without any real hope of success (no documentation indicated this would work) putting both suffixes in the DHCPv6 Server DNS Search Suffix (the DNS Suffix value first).  No surprise it did not work.

I also found under advanced DHCPv6 pool values a V6-DNR entry.  The help references finding the format of this value in the Kea Documentation.  I have tried several entries the last being "1 {DNS Suffix} ::1 port=53053"  (DNSMasq is the local dns server running on the router using port 53053).  I also tried "1 ,DNS Suffix},::1,port=53053".  Neither entry generated an error in the Kea DHCP log file.  However, my IPv6 dynamic assignments are not getting the DNS Suffix assigned in the DHCPv6 Leases window or according to my queries of the DNS server.

Is my V6-DNR entry coded incorrectly?  Is there somewhere else to specify the DNS Suffix for the IPv6 Dynamic Pool that I have not found?

Thanks, if anyone can provide some insight as to what I am doing wrong.
#2
I will proceed accordingly and install the change.  Sorry I missed the clarification.
#3
I tried what I thought was the desired change.  It appears from the notes that followed the update that this option is deprecated and soon to be removed.

The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    cpu-microcode-intel: 20251111_1
    libpci: 3.14.0
    os-cpu-microcode-intel: 1.1
    pciids: 20251206
    x86info: 1.31.s03_1

Number of packages to be installed: 5

===>  NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Abandoned upstream, fails to identify anything remotely new according to upstream issue reports.

It is scheduled to be removed on or after 2025-06-30.

Thanks for identifying the option.
#4
Thank You -- I will attempt this next.
#5
Sorry, I appear to have left out that I am running a freshly loaded OPNsense 25.7 using ZFS with serial console (and HDMI) support.  I just started the reconfiguration last night.
#6
Boots hang occasionally and the HDMI display blanks out, leaving me nothing to research.  I ran a memory check from a USB drive and the memory appears to be good.  I just reinstalled the ZFS boot with the serial console (and HDMI) of OPNsense community 25.7.  One of my boots this morning started displaying repeatedly what to me is a cryptic message.  This time I saw the message in PuTTY using the serial console.  This may be better addressed by the FreeBSD people to decipher this message, and I will do so if directed.  But as an OPNsense implementation issued this message I am trying here first.  This is intermittent; I am not sure if I can reproduce the error.  Due to the lack of the serial console before, how often this occurs is unknown.  However, this does not appear to be the only reason that boots hang or fail.  This is the only case I have at this time that was not a hang with no message I saw indicating why the boot froze.

What I got is as follows:

Tracing command kernel pid 0 tid 100154 td 0xfffff8002e2dc000
sched_switch() at sched_switch+0x88b/frame 0xfffffe00d9fede20
mi_switch() at mi_switch+0xbd/frame 0xfffffe00d9fede40
_sleep() at _sleep+0x1f3/frame 0xfffffe00d9fedec0
taskqueue_thread_loop() at taskqueue_thread_loop+0xb1/frame 0xfffffe00d9fedef0
fork_exit() at fork_exit+0x81/frame 0xfffffe00d9fedf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00d9fedf30
--- trap 0x1163e6de, rip = 0x3007531f952e194d, rsp = 0xb427d73f110e9d6d, rbp = 0x6e54d3bba8655fd8 ---

Thanks to anyone that might be able to propose a next check beyond checking memory.  The box may need to be replaced, I am trying to determine if that is necessary.
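As an added example that is not part of the post, here is a small Python parser for the trace quoted above: it extracts the call frames and the trap line and flags register values that are not canonical x86-64 addresses (bits 63..47 all equal), a quick sanity check on whether the trap frame itself can be trusted before chasing the named functions. The sample input is a copy of the quoted trace; the checks and the "plausible trap number" threshold are my own assumptions.

```python
import re

# Constructed sample input: a copy of the trace quoted in the post above.
SAMPLE_TRACE = """\
Tracing command kernel pid 0 tid 100154 td 0xfffff8002e2dc000
sched_switch() at sched_switch+0x88b/frame 0xfffffe00d9fede20
mi_switch() at mi_switch+0xbd/frame 0xfffffe00d9fede40
_sleep() at _sleep+0x1f3/frame 0xfffffe00d9fedec0
taskqueue_thread_loop() at taskqueue_thread_loop+0xb1/frame 0xfffffe00d9fedef0
fork_exit() at fork_exit+0x81/frame 0xfffffe00d9fedf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00d9fedf30
--- trap 0x1163e6de, rip = 0x3007531f952e194d, rsp = 0xb427d73f110e9d6d, rbp = 0x6e54d3bba8655fd8 ---
"""

FRAME_RE = re.compile(r"^(\w+)\(\) at \w+\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)$")
TRAP_RE = re.compile(r"^--- trap 0x([0-9a-f]+), rip = 0x([0-9a-f]+), "
                     r"rsp = 0x([0-9a-f]+), rbp = 0x([0-9a-f]+) ---$")

def is_canonical(addr: int) -> bool:
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all be 0 or all be 1."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def is_kernel_addr(addr: int) -> bool:
    """FreeBSD amd64 keeps the kernel in the upper half of the address space."""
    return addr >= 0xFFFF800000000000

def parse_trace(text: str):
    """Return ([(function, offset, frame_pointer), ...], trap_dict_or_None)."""
    frames, trap = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = TRAP_RE.match(line)
        if m:
            trap = dict(zip(("trap", "rip", "rsp", "rbp"), (int(v, 16) for v in m.groups())))
    return frames, trap

def check_trace(text: str):
    """List the things in the trace that do not look like a sane kernel trap frame."""
    frames, trap = parse_trace(text)
    findings = [f"frame pointer of {name} is not a kernel address"
                for name, _off, fp in frames if not is_kernel_addr(fp)]
    if trap is not None:
        findings += [f"{reg} is not a canonical x86-64 address"
                     for reg in ("rip", "rsp", "rbp") if not is_canonical(trap[reg])]
        if trap["trap"] > 0xFF:  # assumption: real trap vectors are small (e.g. 0xc = page fault)
            findings.append("trap number is implausibly large")
    return findings
```

For the quoted trace the frame pointers are all valid kernel addresses but rip, rsp and rbp are all non-canonical and the trap number is far outside any real vector, so the trap frame itself is garbage rather than a pointer to a faulting function.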
#7
Using this as a guide:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

My goal is to set up IPv4 and a managed DHCPv6 server as well as a local DNS server using DNSmasq, accessed from the Unbound DNS server.  Thus far, with a couple of surprises that could result in changes to the documentation, I appear to be succeeding in this task as far as I have gotten, which is largely the DHCP/DNS setup with limited testing.  The setting of the router addresses could be interesting, and the coding of the IPv4 switch ACLs has been accomplished on an IPv4-only network before.  The IPv6 router and ACL settings could prove to be an additional challenge.

The DHCPv4 setup largely follows the example with my own choice of IP addresses.

My DHCPv6 configuration attempted to follow this using IPv6 ULA addresses for an internal only network:

Attention

If you plan to use partial IPv6 addresses in ranges with a constructor, enable the advanced mode and set Domain Type to Interface. This will register any subnets on the chosen interface to the selected domain. This is the only way dynamic DNS registration succeeds when the IPv6 prefix is dynamic.

The first gotcha I encountered was that, with one pool being a standard Domain Type of range and the other being an advanced Domain Type of interface, the domain names needed to be different according to the window.  So I created v4.xxx.internal and v6.xxx.internal; when assigning dynamic IP addresses all domains, IPv4 and IPv6, appeared as though they were v6.xxx.internal.  So I changed the DHCPv4 range to the advanced setting of interface and set both domain names to xxx.internal, which was my initial setting.  This at least preliminarily seems to work.

Then I encountered these instructions:

Tip

Reservations will reserve the IP address inside a range, meaning the reserved IP will not be offered to dynamic clients.

A dynamic range like 192.168.1.100-192.168.1.199 and a reservation like 192.168.1.101 are valid and there will be no collisions.

The reservation can also be outside the dynamic range, but it is not recommended for simple setups as the dynamic dns registration with dhcp-fqdn will not work correctly.

Attention

Setting the range mode to static is not required for reservations. It is for specific usecases where a range should not serve any unknown dynamic clients.

In IPv4 I considered creating a range of ending octets 64-191, where 64-127 are dynamically assigned, 129-191 are reserved, and 192-255 are for straight static assignments (including the broadcast address).  When attempting to create a static range the window indicates there can be no ending address.  I was able to add single addresses to the static pool with a Domain Type of interface as noted before.  It appears to be the equivalent of excluded addresses on the switch, except these must be individually entered; please confirm.

I have not yet dealt with the IPv6 pool delegation; it could easily be hardcoded, as the assignments, if done, will be completely internal to the router.

My IPv4 and IPv6 address assignments appear to be working on the switch and notebook I have connected to perform the setup.

The reason I am attempting this is that I intend to use different base addresses with different numbers of bits to separate devices for security purposes in IPv6 ACL rules on the switch.  A similar process is also considered for IPv4 addresses.  I have not yet tested this in this version of the router and switch configuration to assure it is possible; however, in an IPv4-only version this approach has been successfully implemented.  The reason for this approach is that local traffic is largely handled by the main switch and the router primarily handles communication with the outside world, DHCP and DNS on the router being the exception for internal-only IPv6 ULA networks.  One of the desires of this process is that the switch perform most if not all the "router" processing for my local devices, meaning the OPNsense router for internal networks (local IPv4 to local IPv4 and all IPv6 to IPv6 traffic) is only a connected DNS/DHCP server and nothing else.  My internet connection is IPv4, so the OPNsense router will be processing traffic intended for the internet beyond my walls as well as possibly some tunneled traffic.

I have not fully implemented any IPv6 network yet; however, this appears to be showing signs of success.  Another unmentioned aspect of the design is that my internal servers, such as file servers and streaming servers, only provide access to their data on the IPv6 network.  They will also access the internet via the IPv4 connection, but file sharing, streaming and other local data services are generally not intended to be available on the IPv4 subnets.  There are some devices that may require IPv4 access that will require additional security restrictions in both the switch and router.

Thanks and I hope these suggestions are considered for the documentation, if they are accurate.

Am I on the correct track?
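As an added example that is not from the post or the OPNsense documentation, these are the raw dnsmasq directives that the quoted Tip and Attention describe: a dynamic IPv4 range with a reservation inside it, the domain used for dhcp-fqdn registration, and an IPv6 range on a ULA prefix written both fully and with a constructor. Interface names, addresses, MACs, the DUID and the domain are constructed placeholders.

```conf
# Added example of the dnsmasq equivalents of the quoted documentation;
# all names and addresses below are constructed placeholders.
domain=xxx.internal
dhcp-fqdn                    # leases are registered in DNS only under the domain above

# IPv4 dynamic pool: host octets 64-127, 12h lease, tagged for later option rules
dhcp-range=set:lan,192.168.1.64,192.168.1.127,255.255.255.0,12h

# Reservation inside the pool: .101 is withheld from dynamic clients, so no collision
dhcp-host=00:11:22:33:44:55,192.168.1.101,printer

# Reservation outside the pool: accepted by dnsmasq as well
dhcp-host=00:11:22:33:44:66,192.168.1.130,nas

# IPv6 pool on a ULA prefix for an internal-only network (hosts ::100-::1ff)
dhcp-range=set:lan6,fd00:1234:5678:1::100,fd00:1234:5678:1::1ff,64,12h

# Same pool written with partial addresses and a constructor: dnsmasq takes the
# prefix from whatever is configured on igc1, which is the case the Attention
# note means by a dynamic prefix. Use one form or the other, not both.
#dhcp-range=set:lan6,::100,::1ff,constructor:igc1,64,12h

# IPv6 reservation: keyed by the client DUID (id:), address in square brackets
dhcp-host=id:00:01:00:01:aa:bb:cc:dd:00:11:22:33:44:66,[fd00:1234:5678:1::130],nas
```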
#8
Thanks, it worked.  I was wrong about IPv6.  My switch programming has me entering the 5-colon MAC address, I believe, as the client ID and the 2-period MAC address as the hardware address.  OPNsense only needs the 5-colon MAC address in the hardware address with a blank client ID.  (One should not be working on this at 3 AM, I guess.)  I entered both as noted above.  If this can be passed to your development team it may help others.

PS I have updated to OPNsense 25.1.6_4-amd64 and entering that data is still possible, if that helps with the problem.
#9
I converted from ISC DHCPv4 to DNSMASQ DHCPv4 successfully, I believe; then I tried to add some IPv6 entries.  It appears I messed up something and have disabled dnsmasq completely.  I know I need to fix whatever is in line 139 and other things like it, probably using the web GUI.  However, it would be nice to see what is in line 139 of /usr/local/etc/dnsmasq.c so I can do something other than deleting all the IPv6 stuff I tried to add (learning nothing) to recover from the problem.  This is not my working router; this is a test environment.

Thanks for any suggestions.  I have read through many forum entries indicating manual editing of config files will not work, and that is not an issue as far as I am concerned.  My desire is only to determine the contents of line 139 of /usr/local/etc/dnsmasq.c to know what to remove or change in the web GUI.
#10
Sorry, I tried updating in the middle of the night so as not to affect others.  I failed to notice the first update only got me to 25.1 and NOT 25.1.2.  I just performed both updates and you are correct, the problem was resolved.  The first time I tried to patch I only updated to 25.1 because I did not update a second time.  No patch was needed or attempted this time.

Thanks
#11
Thanks for the attempt -- this patch did not seem to work in my case.
#12
Thanks to both of you that cleared the matter up completely.
#13
I have seen the following: "dnsmasq: migrate to MVC/API".  Does this affect the ability to use dnsmasq?  I will admit MVC/API has little real meaning to me.  Searches using "opnsense MVC/API" shed no light on the issue.  API is application programming interface, I believe.  But as far as MVC goes -- that is move character in IBM 360/370 assembler language, which I know is clearly not applicable in this case, as well as giving away my age.  Could someone please explain what MVC/API is in this case and if it affects dnsmasq usage?  Thanks in advance.
#14
I cannot say I tested the 25.1 upgrade completely because the Lobby temperature sensor panel indicated some potentially significant problems.  I have a feeling the sensor display was in error and I probably had no hot running components.  It took about 4 hours to re-establish the 24.7.12-4 router.  Attached are two images of the temperature sensors.  The better looking one was from the restored 24.7.12.4 version; the one with 100C readings was from 25.1.  The base machine that generated this output is a Qotom Q838GE.  I hope this helps.  I would like to know how to set up a ZFS rollback before attempting the 25.1 upgrade again.  If someone provides additional information I could extract log files or other information to assist in debugging the problem.

My processor is an I3-8130U.

Update 3/7/2025: using a ZFS snapshot I attempted this update again.  The results were the same as before.  I attempted to follow the advice below for the patch.

The patch indicated below was attempted.  It reported as successful and the restart appeared to have worked.

# opnsense-patch https://github.com/opnsense/core/commit/695772d2017
# service configd restart

The results were the same as before.  I successfully restored the 24.7.12.4 using my ZFS snapshots.  I can provide additional information from the 25.1 snapshot that still exists.

Any Ideas?

#15
Using the following instructions I have gotten wireguard working without a kill switch.

https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

The instructions in step 11 indicate "There are a couple of ways to avoid this, one of which is outlined here".  My understanding, which may be wrong, is that the creation of the WAN rule may be too general for my case.  I have multiple VLANs, several (a subset) of which utilize the WireGuard gateway for outbound traffic and others do not.  Changing the firewall rules for each of the participating VLANs that use the WireGuard interface makes sense and I believe is appropriate as written (and I believe I understand how to do that).  However, the second WAN rule to be added (I probably only need one) has me concerned; I have a feeling that I somehow need to restrict it to only the traffic that was allowed on the WireGuard gateway, since there is an outbound NAT for that gateway created in Step 9.  Do I need to include an address like the outbound WireGuard IP in the WAN rule, or do I need to include a list of the specific VLAN networks that utilize the WireGuard gateway, and which addresses are they (probably the source IP address for the outbound side of the traffic) in the required WAN rule?