Messages - MildDisaster

#1
Nothing to see here
#2
Quote from: grind on May 24, 2025, 01:00:41 PM
I've seen that the competition released a new version that has KEA with hostname registration in unbound. Is that also planned for opnsense? I ask because it feels wrong to have 2 DNS servers running at the same time just for DHCP hostname registration, which would be the case with dnsmasq.

I believe KEA has DNS registration for static hosts now? I don't believe it did initially, or at least when I first looked? Not sure if that is the case for hosts destined for 'dynamic' pools.

... another gripe was dnsmasq's use of the term static for range types, misleading when trying to intuit the purpose of a static range type; given the normalized meaning of the term makes them sound redundant.
#3
From: https://docs.opnsense.org/manual/dhcp.html

Quote:
Dnsmasq is the new default DHCP server in version 25.7 and supersedes ISC. It is recommended for small and medium sized setups up to a thousand clients. Read more about the deployment differences between KEA and Dnsmasq here: Dnsmasq

Quote:
KEA is the correct choice for large HA (High Availability) setups with more than a thousand clients in many different DHCP ranges. Dnsmasq can be used for smaller HA setups as alternative, though it does not offer lease synchronization like KEA.

From: https://docs.opnsense.org/manual/dnsmasq.html

Quote:
It is considered the replacement for ISC-DHCP in small and medium sized setups and synergizes well with Unbound DNS, our standard enabled forward/resolver service.

There has been mention for some time in the patch notes about ISC's deprecation (it will apparently still be around for a while).  As for what persuaded me to do it now?  I had the time to do it. 
#4
A couple nights ago I went ahead and tried to migrate over from ISC to Dnsmasq rather than KEA for reasons already stated in manual.

Had a few (and still am having) issues in the process.

Had difficulty understanding VLAN setup. After a while figured out that I didn't need to use set/match tags for my setup (automagic interface matching, which somehow I missed in the first reading of opnsense's online doc). Having the 'sort by interface' feature on the Hosts page tripped me up a bit. I can guess why it's there, my guess is it shouldn't be (tag only, no?). A concrete VLAN example in the docs would definitely help people experiencing temporary brain farts.

I am running with Unbound forwarding local queries to dnsmasq as per the doc, but am occasionally experiencing timeouts, SERVFAIL and weird situations where FQDNs will resolve but shortnames won't.  Usually when the timeout occurs I see the requests in the Unbound logs, but not in dnsmasq. Occasional bursts of 'reply query is duplicate' which I wish was a bit more verbose, as I'm unsure if this is business as usual or something to panic about.

Also had issues where static mappings were not registering, seemingly until the client requested a lease. Which I discovered while chasing down why aliases weren't working.

Noticed there are already a couple patches which may or may not address some of the things I'm experiencing (although my default assumption is always: operator error), but I can't say the transition to dnsmasq is something I'd regard as 'pleasant' or 'straightforward' or something to attempt while sitting down on a quiet relaxing evening with a bottle of some preferred libation.
#5
Given no response on this topic, is there a bug tracker or an issue ticket system I can submit this to?

It's not a blocking type of issue, but perhaps the plugin maintainer might be interested, or maybe the UI team, for better dealing with orphaned items.
#6
This is 25.1.2

Set up HAProxy to trial something. In the process created a certificate for the public service.

Decided not to use HAProxy, made sure to delete the service/pool/server manually first (probably not required, karma if anything).
Then uninstalled the HAProxy.

Went to go remove the certificate from trusts, but it is throwing an error.

Item in use by
HAProxy - ####### service {HAProxy.frontends.frontend.8677cf50-aa25-4cc7-b8d1-b9c3131de795}

Not sure how to remediate this, please advise, thank you.