Messages - Vexz

#1
For clarification:
  • Just "slaac" is SLAAC + stateful DHCPv6.
  • "slaac" + "ra-stateless" is SLAAC + stateless DHCPv6.
#2
Quote from: Javier® on May 19, 2025, 09:01:02 PM
Hello, what static IP do you have on LAN and network mask?
Only the OPNsense itself (10.0.0.1).

Quote from: julsssark on May 19, 2025, 09:27:38 PM
Are you seeing any blocked DHCP traffic on the LAN interface in Firewall->Live View?
No

Quote from: The Friendly Ghost on May 20, 2025, 07:57:46 AM
Quote from: nitro2879 on May 20, 2025, 04:09:18 AM
There's another post on this forum detailing the same issue. It appears the firewall rules are not being created automatically, even after a reboot or reload of the firewall rules.
I have found this one now indeed https://forum.opnsense.org/index.php?msg=237255
It seems that indeed the IPv4 rules for DHCP are not added if you have 'All' selected as interfaces, if you select the specific interfaces, they do get added.
I just noticed that too, but that didn't help either. I see the rules on my LAN interface, but restarting the packet filter didn't help to fix this.



Edit:
For some reason it took a while. My Android client finally has an IPv4 lease. I really don't know why it took a few minutes.

Edit 2:
I noticed something that might help to find the issue here:
In the general settings tab of dnsmasq DHCP, when no interface is selected, it says "All". This is misleading. When you click on "Select All" right below that menu, it lists all the selected interfaces, but doesn't just say "All". This is what tricked me into believing that DHCP will work on my LAN interface.
#3
Quote from: dinguz on May 19, 2025, 06:50:48 PM
A reboot may be required because DNSmasq modifies firewall settings, but these changes don't appear to be fully applied when using the 'Apply' button in the DNSmasq menu. As a result, client requests may not reach DNSmasq.

Quote from: Vexz on May 19, 2025, 05:35:49 PM
A reboot of my OPNsense didn't fix the issue.
#4
It's me again, testing dnsmasq DHCP again, now that 25.1.7 is out.

My dnsmasq DHCP configuration didn't change from when I was on 25.1.6, but now on 25.1.7 my clients don't get a new DHCPv4 lease anymore. DHCPv6 is working fine though. In the logs I see the following:
2025-05-19T17:20:30 Informational dnsmasq-dhcp DHCP, IP range 10.0.0.20 -- 10.0.0.254, lease time 1d
That indicates it should work, right? I tested it on an Android client and a Linux PC. A reboot of my OPNsense didn't fix the issue.

Here's my range configuration for DHCPv4:


Let me know if I can provide more information to help you fix this.
#5
Thank you. Then just setting "slaac" is the right choice for stateful DHCP + SLAAC. "ra-names" is optional, but a good choice to generate DNS names for SLAAC from DHCPv4 leases, if needed.
#6
Can anybody tell me what combination of RA modes in dnsmasq DHCPv6 is equivalent to "Assisted" in Services > Router Advertisement, please?
#7
I'd rather not use partial IPv6 address reservations, but my ISP gives me a dynamic IPv6 prefix. Thanks for looking into it.
#8
Strange. I just tried it again without changing anything of the dnsmasq settings and it works now (IPv4 and IPv6). Obtaining an IP address takes much longer than with ISC DHCP though.

Edit:
Anything I can do to fix these warnings in the logs? Sounds like something isn't quite right with my IP reservation for this host.
not giving name Gaming-Server.home to the DHCP lease of XXXX:XX:XXXX:7c00::3 because the name exists in /var/etc/dnsmasq-hosts with address ::3
(I censored the IPv6, because it's a valid lease.)
#9
Even if that is the case, I restarted my OPNsense and that didn't help either.
#10
Quote from: franco on May 12, 2025, 06:52:02 PM
Firewall rules not set? Automatic rules only work if interfaces are selected or if the LAN pass-all is used.
Not sure which rules exactly you mean. There's an allow any inbound traffic rule on my LAN interface. For DHCP ranges I selected my LAN interface.

Edit:
Ah, you might talk about the firewall rules with port 67 and 68. Yes, they're there.
#11
No success with dnsmasq DHCP - neither with IPv4 nor IPv6. I stuck with the examples from the documentation and only made a few specific tweaks, according to my setup and added a few additional DHCP options. Not sure why all of my devices refuse to get an IP address. I don't even see a request in the logs. A reboot of my OPNsense didn't help either. What a bummer. :(
#12
Since OPNsense 25.1 supports the selection of multiple hosts for firewall rules, I thought it would be a good idea to get rid of my nested aliases, but it's currently not working correctly.

Setup to reproduce:
I have a firewall rule with a nested alias as source and activated the checkbox for source inversion. I use this rule to route all traffic of all hosts through a specific gateway with that firewall, except for the hosts in that nested alias for the source (hence the inversion). With the nested alias everything works as intended, but when I instead multi-select the hosts in the nested alias (instead of the nested alias, which should have the same effect, right?) it does not work. Then even the traffic of the selected hosts in the source of the firewall rule is routed through that gateway. To me it looks like it's a bug, but maybe I'm just misinterpreting the multi-selection?
#13
Quote from: Bob.Dig on December 24, 2024, 07:58:51 PM
Remove IPv6-Support completely until IPv4 works flawlessly like you want.
How would this help? It's not like IPv4 and IPv6 are blocking each other in any way.

Quote from: Bob.Dig on December 24, 2024, 07:58:51 PM
And maybe don't use the WireGuard Tab at all and assign an interface for your WG-Server. But that is only an uneducated guess, could be unnecessary but it can't hurt.
The firewall rules in the screenshot are assigned to the virtual WireGuard interface that I had to assign in the interfaces settings first.
#14
First some facts about my network(s) and my goal(s):
  • LAN net: 10.0.0.0/24, dynamic /56 Prefix from my ISP
  • Dual Stack setup
  • WireGuard net: 10.0.1.0/24
  • I want full LAN net access over WireGuard to my LAN net with IPv4 and IPv6
  • All traffic from WireGuard clients should go over WireGuard connection
  • To access the internet with active WG configuration, there's a specific gateway on my OPNsense the WG clients must use
  • OPNsense version 24.7.11_2

WireGuard instance on my OPNsense:


Example of a peer configuration on my OPNsense:


Example of a WireGuard configuration of one of my clients:



WAN firewall rule to allow inbound WireGuard connections from WAN:


WireGuard firewall rules:



I tried this configuration, but all I could achieve so far is getting a connection between my OPNsense and the WG client, so that the WG client could access the internet from my OPNsense over the default gateway (but that's not what I want) and that only with IPv4. The LAN net isn't accessible at all.

Looks like I'm too blind to see why it isn't working. Would appreciate some help from more experienced people to tell me what I did wrong.

Thanks in advance.
#15
I think firewall rules are ignored. Until I find a solution, I'm just gonna use my NAS in my LAN as exit node. This way everything works. But still, I'd prefer to use my OPNsense as endpoint.