"
I completely re-created the FR as Feature Request: Kea DHCP: Enable shared networks for DHCPv4 and DHCPv6, a sanity check would be appreciated if time permits...
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6 "shared subnets" (redux)
November 19, 2025, 08:47:16 PM #2
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6 "shared subnets" (redux)
November 18, 2025, 10:05:59 PM
Thank you.
I did receive an email from the core "auto-responder" - apparently my feature request used the wrong template?
There was a help link about policies, but it wasn't much help (or I am running on too little sleep and too much caffeine to fully comprehend what I need to change...).
Any clue-by-fours you can swing my direction?
I did receive an email from the core "auto-responder" - apparently my feature request used the wrong template?
There was a help link about policies, but it wasn't much help (or I am running on too little sleep and too much caffeine to fully comprehend what I need to change...).
Any clue-by-fours you can swing my direction?
#3
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6 "shared subnets" (redux)
November 18, 2025, 03:08:11 PM
https://github.com/opnsense/ports/issues/243
Has been submitted - though it appears that the project has been idle since August?
Is there a new /different Git repo where I should have dropped the request?
Has been submitted - though it appears that the project has been idle since August?
Is there a new /different Git repo where I should have dropped the request?
#4
25.7, 25.10 Series / Re: What is going to happen to ISC DHCP?
November 17, 2025, 06:08:55 PMQuote from: Stormscape on November 17, 2025, 03:05:45 AMLike all software, best to assume it's safe to use unless and until you hear about a CVE.Isn't that backwards? I tend to presume all software is unsafe until proven otherwise...
#5
25.7, 25.10 Series / Feature Requst: KEA DHCPv6 "shared subnets" (redux)
November 16, 2025, 11:10:20 PM
My initial thread seems to have been re-purposed for troubleshooting, so a new thread for new data...
I've been testing Kea-DHCP v3.0.2 on a separate FreeBSD box and from that testing I can state:
* Shared Networks works as expected in assigning both GUA and ULA addresses from the configured pools, for the primary "lan" interface and an aliased "vlan01" interface on the same hardware port
- IPv6 traffic on both GUA and ULA networks from client systems to the Public Internet works
* Data flows to both the "lan" subnet and to the "vlan01" subnet internally with no crossover
* DDNS in both IPv4 and IPv6 works as expected, updating my internal "master" DNS server with IPv4 and both the GUA and ULA IPv6s
- A, AAAA in the "lan.internal" and "iot.internal" TLDs and PTR records in the right .ip6.arpa /in-addr.arpa zones
- Using either the "always" or the "when-not-present" flag
* Shared Networks configuration works with just one network /range /pool defined, so it should be possible to use as a default for all networks
- I don't have access to a full test rack /setup so I cannot be definitive for a broader scope
So it appears (at least locally) that allowing Shared Subnets and DDNS updates in the Kea-DHCP config would work...
And I would prefer to have it running on the OpnSense system, since that's also where radvd and the other upstream "find my PD and populate addresses" scripts are set to run.
Any hope to put this on the roadmap /PoA&M?
I've been testing Kea-DHCP v3.0.2 on a separate FreeBSD box and from that testing I can state:
* Shared Networks works as expected in assigning both GUA and ULA addresses from the configured pools, for the primary "lan" interface and an aliased "vlan01" interface on the same hardware port
- IPv6 traffic on both GUA and ULA networks from client systems to the Public Internet works
* Data flows to both the "lan" subnet and to the "vlan01" subnet internally with no crossover
* DDNS in both IPv4 and IPv6 works as expected, updating my internal "master" DNS server with IPv4 and both the GUA and ULA IPv6s
- A, AAAA in the "lan.internal" and "iot.internal" TLDs and PTR records in the right .ip6.arpa /in-addr.arpa zones
- Using either the "always" or the "when-not-present" flag
* Shared Networks configuration works with just one network /range /pool defined, so it should be possible to use as a default for all networks
- I don't have access to a full test rack /setup so I cannot be definitive for a broader scope
So it appears (at least locally) that allowing Shared Subnets and DDNS updates in the Kea-DHCP config would work...
And I would prefer to have it running on the OpnSense system, since that's also where radvd and the other upstream "find my PD and populate addresses" scripts are set to run.
Any hope to put this on the roadmap /PoA&M?
#6
25.7, 25.10 Series / ISP IPv6 Subnet delegation pass-through
November 12, 2025, 01:51:36 AM
Related to: Feature Requst: KEA DHCPv6 "shared subnets"
As an alternative to official "shared subnets" support, is there a way to "pass-through" the IPv6 subnet delegation from my ISP (Cox Cable) to a standalone Kea DHCP server?
The Kea "readthedocs" site infers that such is possible, but doesn't give any specifics or details - saying it's up to the "router vendor".
I did some keyword searching in the OpnSense docs along with "Dr. Google", but nothing useful turned up other than some confusion regarding PD pools and subrouters (none of which was very clear - most posts said something like "after I played around with it for a while..." but gave no details).
Any thoughts, help, links to good docs, etc.?
As an alternative to official "shared subnets" support, is there a way to "pass-through" the IPv6 subnet delegation from my ISP (Cox Cable) to a standalone Kea DHCP server?
The Kea "readthedocs" site infers that such is possible, but doesn't give any specifics or details - saying it's up to the "router vendor".
I did some keyword searching in the OpnSense docs along with "Dr. Google", but nothing useful turned up other than some confusion regarding PD pools and subrouters (none of which was very clear - most posts said something like "after I played around with it for a while..." but gave no details).
Any thoughts, help, links to good docs, etc.?
#7
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6 "shared subnets"
November 08, 2025, 12:31:53 AM
Correct on DNS hostname registration.
I'm not sure on the SLAAC part, but testing (which left things kinda weird) using PiHole DHCPv6 for private and OpnSense for Public, I was able to pull SLAAC from OpnSense for Public IPs, and also get valid DHCPv6 for my internal subnet.
Since PiHole uses dnsmasq for pretty much everything including DHCP, it is not capable of performing TSIG updates from it's own internal database (flatfile).
I have found that enabling 'kea-dhcp_ddns' works (as long as I re-enable after updates or reboots, since again it reverts any .conf changes "automagickally") and pushes data to my internal DNS master for A, AAAA and PTR records.
My desired outcome is to have Kea DHCPv4 and v6 running on OpnSense, then use DHCP-DDNS to send dynamic assignment updates to the DNS master server.
I'd even accept running Unbound on the OpnSense if the any of the DHCP flavors (Kea, ISC, dnsmasq) were capable of shared networks - as long as it would push DDNS to my internal DNS master.
I'm not sure on the SLAAC part, but testing (which left things kinda weird) using PiHole DHCPv6 for private and OpnSense for Public, I was able to pull SLAAC from OpnSense for Public IPs, and also get valid DHCPv6 for my internal subnet.
Since PiHole uses dnsmasq for pretty much everything including DHCP, it is not capable of performing TSIG updates from it's own internal database (flatfile).
I have found that enabling 'kea-dhcp_ddns' works (as long as I re-enable after updates or reboots, since again it reverts any .conf changes "automagickally") and pushes data to my internal DNS master for A, AAAA and PTR records.
My desired outcome is to have Kea DHCPv4 and v6 running on OpnSense, then use DHCP-DDNS to send dynamic assignment updates to the DNS master server.
I'd even accept running Unbound on the OpnSense if the any of the DHCP flavors (Kea, ISC, dnsmasq) were capable of shared networks - as long as it would push DDNS to my internal DNS master.
#8
25.7, 25.10 Series / Re: Feature Requst: KEA DHCPv6 "shared subnets"
November 07, 2025, 11:41:22 PM
Oh, I'm familiar with your write-up - that's how I got IPv6 working at the start of things.
But the "variability" of the public IP space lead me down the path of using an internal private space (fde4:b3e2:db9e:: in this case) so that my internal PiHole servers, NAS boxes, and so on will have at least one "static" IP. Yes, they end up with additional IPs based on need, but they always have one outside of the pool that is attached to their network adapter.
Poking around a bit on the Kea DHCP mailing list, my situation is not uncommon.
In fact, it's so common that Kea built a specific method to accommodate the need (shared networks for IPv6).
There are several Rube Goldberg-ish solutions to running my own internal Kea (or ISC, or PiHole) DHCP platform, but I'd rather have it all live in the same place (OpnSense) as the interface tracking to update the dynamic Public IPs makes things much easier.
I can set up and validate a .conf file, but even doing manual configuration fails since something in the OpnSense platform "nukes" the config on restart.
Thus the request that "shared networks" be made available...
But the "variability" of the public IP space lead me down the path of using an internal private space (fde4:b3e2:db9e:: in this case) so that my internal PiHole servers, NAS boxes, and so on will have at least one "static" IP. Yes, they end up with additional IPs based on need, but they always have one outside of the pool that is attached to their network adapter.
Poking around a bit on the Kea DHCP mailing list, my situation is not uncommon.
In fact, it's so common that Kea built a specific method to accommodate the need (shared networks for IPv6).
There are several Rube Goldberg-ish solutions to running my own internal Kea (or ISC, or PiHole) DHCP platform, but I'd rather have it all live in the same place (OpnSense) as the interface tracking to update the dynamic Public IPs makes things much easier.
I can set up and validate a .conf file, but even doing manual configuration fails since something in the OpnSense platform "nukes" the config on restart.
Thus the request that "shared networks" be made available...
#9
25.7, 25.10 Series / Feature Requst: KEA DHCPv6 "shared subnets"
November 07, 2025, 09:17:20 PM
Kea DHCP does have a provision for what are known as "shared networks".
Kea Doc Examples
My use case (which I cannot imagine is unique) is:
ISP that provides a "public" range of IPv6 (/56), which can (and does) change based on when the router/modem reboots.
The need for internal non-public IPv6 to point at NTP, DNS (PiHole) and so on, since the ISP assigned addresses change and there is no graceful or smooth way to re-publish service related addresses that I have found (yet - I'm willing to be wrong).
The configuration looks straightforward in the example document, so maybe a dropdown or somewhere in the "Advanced" options?
Kea Doc Examples
My use case (which I cannot imagine is unique) is:
ISP that provides a "public" range of IPv6 (/56), which can (and does) change based on when the router/modem reboots.
The need for internal non-public IPv6 to point at NTP, DNS (PiHole) and so on, since the ISP assigned addresses change and there is no graceful or smooth way to re-publish service related addresses that I have found (yet - I'm willing to be wrong).
The configuration looks straightforward in the example document, so maybe a dropdown or somewhere in the "Advanced" options?
#10
25.7, 25.10 Series / Re: Switch from ISC DHCP to KEA
November 06, 2025, 10:32:45 PM
Second vote for `kea-dhcp-ddns`.
I can enable it once the firewall is up, but it disables itself on every reboot, overwriting the .conf file that should allow it to run.
Oddly, it does not reset the `kea-dhcp-ddns.conf` file, that stays and it works once I re-enable in the master .conf.
I can enable it once the firewall is up, but it disables itself on every reboot, overwriting the .conf file that should allow it to run.
Oddly, it does not reset the `kea-dhcp-ddns.conf` file, that stays and it works once I re-enable in the master .conf.
#11
25.1, 25.4 Series / IPv6, Cox Internet and v25.1.1
February 26, 2025, 07:21:38 PM
Currently running v25.1.1 upgraded from v25.1
When on v25.1 (pre-upgrade), IPv6 was working via the "Track Interface" mechanism on the WAN (igb0) interface.
Settings are the same as used in the v24 production series, which also worked.
The behavior (pre-upgrade) was:
Request a /56 allocation from Cox
Deploy the /56 as a /64 to:
LAN (igb1) with prefix "0"
IoT (opt1) with prefix "1"
With the 25.1.1 upgrade, this does not seem to work any more.
The log is filled with messages like:
I also spot that both internal interfaces (LAN and IoT, which are physical interfaces) end up with the same IPv6 address: 2001:579:4c:3700:2e0:67ff:fe1f:2529/64 which is apparently not a "reachable" address.
Rolling back to 25.1, IPv6 works as expected once again, internal systems are assigned IPv6 from the allocation, etc.
Not sure what else might be needed to troubleshoot /debug, but I'm game to deliver as requested...
When on v25.1 (pre-upgrade), IPv6 was working via the "Track Interface" mechanism on the WAN (igb0) interface.
Settings are the same as used in the v24 production series, which also worked.
The behavior (pre-upgrade) was:
Request a /56 allocation from Cox
Deploy the /56 as a /64 to:
LAN (igb1) with prefix "0"
IoT (opt1) with prefix "1"
With the 25.1.1 upgrade, this does not seem to work any more.
The log is filled with messages like:
Code Select
RDNSS address 2001:579:4c:3700:a434:9a73:b10d:e091 received on igb1 from fe80::53bb:1ff4:f59c:40b3 is not advertised by us
AdvPreferredLifetime on igb1 for 2001:579:4c:3700:: doesn't agree with fe80::53bb:1ff4:f59c:40b3
AdvValidLifetime on igb1 for 2001:579:4c:3700:: doesn't agree with fe80::53bb:1ff4:f59c:40b3I also spot that both internal interfaces (LAN and IoT, which are physical interfaces) end up with the same IPv6 address: 2001:579:4c:3700:2e0:67ff:fe1f:2529/64 which is apparently not a "reachable" address.
Rolling back to 25.1, IPv6 works as expected once again, internal systems are assigned IPv6 from the allocation, etc.
Not sure what else might be needed to troubleshoot /debug, but I'm game to deliver as requested...
#12
24.7, 24.10 Legacy Series / Re: I'm a doofus and I broke my firewall...
November 24, 2024, 02:37:08 AM
I had spotted the other thread, but when I checked the file I found:
The natives were getting restless in the household, so I girded my loins and moved the `eastpect` file out of `/usr/local/etc/rc.d`.
That worked and the WebUI came up on reboot.
Oddly, when I checked the system config I noticed that all the "offload" boxes were UNchecked.
Moving the `eastpect` file back where it started and rebooting worked as I would have expected before this evolution. WebUI, SSH, etc. working.
Checking those boxes didn't change anything in the `/conf/config.xml` file, so maybe that's controlled /set somewhere else these days?
At any rate, I'm back up and running and managed to remove Zenarmor (it didn't work since it's missing the database).
Thanks for the pointers, it got me moving (even if I had a flop-sweat moment moving files around).
Code Select
# grep offloading /conf/config.xml
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>The natives were getting restless in the household, so I girded my loins and moved the `eastpect` file out of `/usr/local/etc/rc.d`.
That worked and the WebUI came up on reboot.
Oddly, when I checked the system config I noticed that all the "offload" boxes were UNchecked.
Moving the `eastpect` file back where it started and rebooting worked as I would have expected before this evolution. WebUI, SSH, etc. working.
Checking those boxes didn't change anything in the `/conf/config.xml` file, so maybe that's controlled /set somewhere else these days?
At any rate, I'm back up and running and managed to remove Zenarmor (it didn't work since it's missing the database).
Thanks for the pointers, it got me moving (even if I had a flop-sweat moment moving files around).
#13
24.7, 24.10 Legacy Series / I'm a doofus and I broke my firewall...
November 23, 2024, 11:48:35 PM
Not sure if anyone can help, but I screwed up and thought I'd try Zenarmor.
Unfortunately, I didn't read far enough into the "gotchas" to discover that turning on checksum offloading is a "Bad Idea (tm)" with Zenarmor.
Now my firewall is stuck with no WebUI, no SSH and no Serial/TTY console (spamming the "drop mbuf that needs checksum offload" message).
I built a NomadBSD USB and can mount up the correct partition - but can't find where the config files live to either:
1) Turn checksum offload "Off"
-or-
2) Disable Zenarmor so the WebUI starts and I can change the checksum offload there
Can anyone point me in the right direction?
Or have I just blown up my firewall and need to re-image from bare metal?
Unfortunately, I didn't read far enough into the "gotchas" to discover that turning on checksum offloading is a "Bad Idea (tm)" with Zenarmor.
Now my firewall is stuck with no WebUI, no SSH and no Serial/TTY console (spamming the "drop mbuf that needs checksum offload" message).
I built a NomadBSD USB and can mount up the correct partition - but can't find where the config files live to either:
1) Turn checksum offload "Off"
-or-
2) Disable Zenarmor so the WebUI starts and I can change the checksum offload there
Can anyone point me in the right direction?
Or have I just blown up my firewall and need to re-image from bare metal?
#14
24.7, 24.10 Legacy Series / Re: Dashboard not showing correct WAN public IP address using PPPOE
August 01, 2024, 06:37:51 PM
Here's my config.
#15
24.7, 24.10 Legacy Series / Re: Dashboard not showing correct WAN public IP address using PPPOE
August 01, 2024, 05:42:41 PM
For me the widget is titled "Interfaces" and is one of the default widgets on the Lobby/Dashboard page.
I'm on 24.7_9 and can confirm that the widget only displays the link-local IPv6 addresses, though via command line I can see that public IPv6 addresses are assigned to devices, which is confirmed by https://ip6only.me.
I'm on 24.7_9 and can confirm that the widget only displays the link-local IPv6 addresses, though via command line I can see that public IPv6 addresses are assigned to devices, which is confirmed by https://ip6only.me.
