Messages - Vexz

#1
25.7 Series / Re: DNS over TLS stopped working
September 07, 2025, 08:40:33 PM
Quote from: patient0 on September 07, 2025, 08:12:55 PM
I wouldn't know why it worked in the past but you filled in the 'Domain' field very wrong.

The 'Domain' field is for what domain(s) you want to be resolved by the DNS server in the IP field. And in 'Verify CN' you enter the domain of the DoT, e.g. in your case one.one.one.one.

For example if you want somedomain.net to be resolved by 1.2.3.4 and all other with 1.1.1.1:

Domain: somedomain.net, IP: 1.2.3.4, Verify CN: some-dns-server.com
Domain <empty>, IP: 1.1.1.1, Verify CN: one.one.one.one
Maybe this will clarify your confusion:


Edit:
You actually led me to what was wrong. Of course it worked when I checked on https://one.one.one.one/help/ if it's working. God dammit, this "Domain" setting fooled me big time. Now that it's empty, it's working fine. Thank you very much!
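The field semantics patient0 describes above, as an added illustration that is not OPNsense's own config generator: the 'Domain' field selects which zone is forwarded to the DoT server in the 'IP' field, and an empty 'Domain' is the catch-all. The Unbound syntax used here (forward-zone, forward-addr IP@port#authname, forward-tls-upstream) is real; the helper names, the dataclass and the sample entries are assumptions for the example. With the 'Domain' field set to one.one.one.one, only queries for that name are forwarded over TLS, which is exactly why the https://one.one.one.one/help/ check reports DoT as working while every other query is resolved by plain recursion on port 53.

```python
"""Build Unbound forward-zone stanzas from OPNsense-style DoT entries.

Added example, not OPNsense's generator. Unbound's forward-zone syntax is real;
the entry names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class DotUpstream:
    ip: str            # the "IP" field: address of the DoT resolver
    verify_cn: str     # the "Verify CN" field: name expected in the resolver's certificate
    domain: str = ""   # the "Domain" field: zone to forward; empty means everything
    port: int = 853    # DoT port


def forward_zones(upstreams):
    """Emit one forward-zone per distinct Domain value.

    An empty Domain becomes the root zone ".", i.e. the catch-all that makes
    Unbound send every query to the DoT upstream instead of recursing itself.
    """
    by_zone = {}
    for u in upstreams:
        zone = u.domain.strip().rstrip(".") or "."
        by_zone.setdefault(zone, []).append(u)
    lines = []
    for zone, ups in by_zone.items():
        lines.append("forward-zone:")
        lines.append(f'    name: "{zone}"')
        lines.append("    forward-tls-upstream: yes")
        for u in ups:
            # IP@port#authname: Unbound verifies the TLS certificate against authname
            lines.append(f"    forward-addr: {u.ip}@{u.port}#{u.verify_cn}")
    return "\n".join(lines) + "\n"


def catch_all_present(upstreams):
    """True only if some entry has an empty Domain (a root forward-zone exists).

    Without it, anything not matching a listed zone is resolved by Unbound's own
    iterative recursion, i.e. unencrypted DNS on port 53 leaving the WAN.
    """
    return any(not u.domain.strip() for u in upstreams)


# Constructed sample entries (not the poster's real screenshot).
# The misconfiguration from the thread: Domain filled with the resolver's name.
WRONG = [DotUpstream("1.1.1.1", "one.one.one.one", domain="one.one.one.one")]

# The fix: Domain left empty, Verify CN carries the resolver's certificate name.
FIXED = [DotUpstream("1.1.1.1", "one.one.one.one")]

# patient0's split example: somedomain.net via 1.2.3.4, everything else via 1.1.1.1.
SPLIT = [
    DotUpstream("1.2.3.4", "some-dns-server.com", domain="somedomain.net"),
    DotUpstream("1.1.1.1", "one.one.one.one"),
]

if __name__ == "__main__":
    for label, cfg in (("WRONG", WRONG), ("FIXED", FIXED), ("SPLIT", SPLIT)):
        print(f"# {label}: catch-all present = {catch_all_present(cfg)}")
        print(forward_zones(cfg))
```

A quick way to confirm the fix on the box itself is to watch the WAN interface while resolving a few names from a LAN client: with a root forward-zone in place, `tcpdump -ni <wan> 'udp port 53 or tcp port 53'` should stay silent and only port 853 traffic to the upstream should appear.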
#2
25.7 Series / DNS over TLS stopped working
September 07, 2025, 08:01:15 PM
I don't know when it started, I just noticed that my DoT configuration no longer works and my ISP has been getting my unencrypted DNS requests for God knows how long. Great, exactly what I didn't want to happen. Maybe it stopped working since the upgrade to 25.7 (I use 25.7.2 atm), I don't know. What I do know is that it worked just fine before and I didn't touch anything that should have any influence on how my OPNsense sends DNS traffic of any kind to the internet.

Unbound on my OPNsense is my DNS resolver. This is my DoT configuration:


Afaik there's nothing more to it than that, right? In the past this made all outbound DNS requests use DoT. My OPNsense no longer sent unencrypted DNS traffic to the internet. Did something change about that?
#3
For clarification:
  • Just "slaac" is SLAAC + stateful DHCPv6.
  • "slaac" + "ra-stateless" is SLAAC + stateless DHCPv6.
#4
Quote from: Javier® on May 19, 2025, 09:01:02 PM
Hello, what static IP do you have on LAN and network mask?
Only the OPNsense itself (10.0.0.1).

Quote from: julsssark on May 19, 2025, 09:27:38 PM
Are you seeing any blocked DHCP traffic on the LAN interface in Firewall->Live View?
No

Quote from: The Friendly Ghost on May 20, 2025, 07:57:46 AM
Quote from: nitro2879 on May 20, 2025, 04:09:18 AM
There's another post on this forum detailing the same issue. It appears the firewall rules are not being created automatically, even after a reboot or reload of the firewall rules.
I have found this one now indeed https://forum.opnsense.org/index.php?msg=237255
It seems that indeed the IPv4 rules for DHCP are not added if you have 'All' selected as interfaces, if you select the specific interfaces, they do get added.
I just noticed that too, but that didn't help either. I see the rules on my LAN interface, but restarting the packet filter didn't help to fix this.



Edit:
For some reason it took a while. My Android client finally has an IPv4 lease. I really don't know why it took a few minutes.

Edit 2:
I noticed something, that might help to find the issue here:
In the general settings tab of dnsmasq DHCP, when no interface is selected, it says "All". This is misleading. When you click on "Select All" right below that menu, it lists all the selected interfaces, but doesn't just say "All". This is what tricked me into believing that DHCP will work on my LAN interface.
#5
Quote from: dinguz on May 19, 2025, 06:50:48 PM
A reboot may be required because DNSmasq modifies firewall settings, but these changes don't appear to be fully applied when using the 'Apply' button in the DNSmasq menu. As a result, client requests may not reach DNSmasq.

Quote from: Vexz on May 19, 2025, 05:35:49 PM
A reboot of my OPNsense didn't fix the issue.
#6
It's me again, testing dnsmasq DHCP again, now that 25.1.7 is out.

My dnsmasq DHCP configuration didn't change from when I was on 25.1.6, but now on 25.1.7 my clients don't get a new DHCPv4 lease anymore. DHCPv6 is working fine though. In the logs I see the following:
2025-05-19T17:20:30 Informational dnsmasq-dhcp DHCP, IP range 10.0.0.20 -- 10.0.0.254, lease time 1d

That indicates it should work, right? I tested it on an Android client and a Linux PC. A reboot of my OPNsense didn't fix the issue.

Here's my range configuration for DHCPv4:


Let me know if I can provide more information to help you fix this.
#7
Thank you. Then just setting "slaac" is the right choice for stateful DHCP + SLAAC. "ra-names" is optional, but a good choice to generate DNS names for SLAAC from DHCPv4 leases, if needed.
#8
Can anybody tell me what combination of RA modes in dnsmasq DHCPv6 is equivalent to "Assisted" in Services > Router Advertisement, please?
#9
I'd rather not use partial IPv6 address reservations, but my ISP gives me a dynamic IPv6 prefix. Thanks for looking into it.
#10
Strange. I just tried it again without changing anything of the dnsmasq settings and it works now (IPv4 and IPv6). Obtaining an IP address takes much longer than with ISC DHCP though.

Edit:
Anything I can do to fix these warnings in the logs? Sounds like something isn't quite right with my IP reservation for this host.
not giving name Gaming-Server.home to the DHCP lease of XXXX:XX:XXXX:7c00::3 because the name exists in /var/etc/dnsmasq-hosts with address ::3

(I censored the IPv6, because it's a valid lease.)
#11
Even if that is the case, I restarted my OPNsense and that didn't help either.
#12
Quote from: franco on May 12, 2025, 06:52:02 PM
Firewall rules not set? Automatic rules only work if interfaces are selected or if the LAN pass-all is used.
Not sure which rules exactly you mean. There's an allow any inbound traffic rule on my LAN interface. For DHCP ranges I selected my LAN interface.

Edit:
Ah, you might talk about the firewall rules with port 67 and 68. Yes, they're there.
#13
No success with dnsmasq DHCP - neither with IPv4 nor IPv6. I stuck with the examples from the documentation and only made a few specific tweaks, according to my setup and added a few additional DHCP options. Not sure why all of my devices refuse to get an IP address. I don't even see a request in the logs. A reboot of my OPNsense didn't help either. What a bummer. :(
#14
Since OPNsense 25.1 supports the selection of multiple hosts for firewall rules, I thought it would be a good idea to get rid of my nested aliases, but it's currently not working correctly.

Setup to reproduce:
I have a firewall rule with a nested alias as source and activated the checkbox for source inversion. I use this rule to route all traffic of all hosts through a specific gateway with that firewall, except for the hosts in that nested alias for the source (hence the inversion). With the nested alias everything works as intended, but when I instead multi-select the hosts in the nested alias (instead of the nested alias, which should have the same effect, right?) it does not work. Then even the traffic of the selected hosts in the source of the firewall rule is routed through that gateway. To me it looks like it's a bug, but maybe I'm just misinterpreting the multi-selection?
#15
Quote from: Bob.Dig on December 24, 2024, 07:58:51 PM
Remove IPv6 support completely until IPv4 works flawlessly like you want.
How would this help? It's not like IPv4 and IPv6 are blocking each other in any way.

Quote from: Bob.Dig on December 24, 2024, 07:58:51 PM
And maybe don't use the WireGuard tab at all and assign an interface for your WG server. But that is only an uneducated guess, could be unnecessary but it can't hurt.
The firewall rules in the screenshot are assigned to the virtual WireGuard interface, that I had to assign in the interfaces settings first.