Messages

KEA, ISC and DNSMasq can all be used. Pick the one the that works best for your requirements.

I am not familiar with your switch but looking at the configuration, I think vlan 1 should include ports 1 and 8 with tagged traffic. The devices on port 1 and 8 speak vlan and therefore their traffic is being tagged. Since you've set port 8 in your switch as untagged for vlan 1 and the PVID of port 8 is 1, the traffic from port 8 is likely being tagged as vlan 1 even though some of it is vlan 3.

Mixing tagged and untagged traffic on the trunk to OPNsense is not recommended. See here https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Consider creating another VLAN for management. You will need to configure your switches and AP to use this VLAN.

I am not sure if it matters, but my GeoBlock for inbound connections is setup as an allow list. Ireland is not one of the countries I allow. I am not doing any GeoIP blocking for outbound.

As another data point, I upgraded to 25.1.8_1 without incident. I am running CrowdSec and using a GeoIP blocklist. I am in the U.S.

I use Clients->AdGuard->Unbound for DNS lookups and Unbound->DNSmasq for local queries. I followed the docs to implement it and changed the ports to keep AdGuard using port 53. I am only using IP v4 and my setup has some VLANs.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

I use DNS resolution for Unifi and have never used option 43.

The behavior @Drinyth describes is the same as my experience. I have VLANs that are configured with all 3 scenarios (static only, dynamic only and a mix).

It's been a while since I used ISC, but I would not expect an address to show up as a lease if the DHCP service did not hand the address out.

For issue #4, Proxmox doesn't use DHCP by default and it is not recommended (see here link). Unless you've changed it manually, it is a fixed address that is set within Proxmox. I also have a static reservation set in DNSmasq for that IP so I don't forget that it is assigned, but since Proxmox isn't using DHCP, you won't see a lease. You'd only see a lease if DHCP handed out the IP address (either a static or dynamic address).

For Unifi, I have my controller set to receive its address via a static DHCP reservation and the lease is showing up correctly.

DNS requests come into Unbound. Unbound can then forward internal DNS and internal reverse lookups to DNSmasq. The docs were updated to show that two forwards are needed from Unbound (1 for DNS and 1 for reverse lookups). I have it configured this way it is working fine.

Are you seeing any blocked DHCP traffic on the LAN interface in Firewall->Live View?

If you search for migration from ISC to Kea, you will find multiple threads about how ISC takes over the binding, regardless of whether an interface is not being "used" by ISC.

Do you see any blocked DHCP traffic for the VLANs in the firewall live view?

I could be reading your post incorrectly, but when you say "parent" interface do you mean a non-VLAN subnet? If you mix tagged and untagged traffic on the *same* trunk port, that could be the problem. See here and note the orange box: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

1) I exported the Kea reservations and opened them in Excel. I used all of the column headers as posted earlier (i.e., I left unused entries blank) and left the headers in the same order as posted (the Kea columns are named slightly different and are in a different order). I then copied/pasted the data into the correct columns. Lastly, I saved as CSV format and imported into DNSmasq.

2) Sorry, I did not save the import file. I deleted it after importing.