Messages - HankB

#1
Quote from: meyergru on September 14, 2025, 05:17:42 PM
The DNS overrides for DHCP reservations over the subnet defaults currently do not work, at least for Kea, see this.

I guess it does not work for Dnsmasq+Unbound either (or I misunderstand what the override feature in Unbound is intended to do.)

I do not know enough about this to determine if this is a bug or if my expectation or configuration is wrong. But I'm happy to have found a solution.

best,
#2
Quote from: psharkauburn on September 14, 2025, 07:52:42 PM
I just accomplished this by going to the host reservation in DNSMASQ, and under the DNS section of the host setup putting in a CNAME Record ...

Yes, that does what I want - thanks!

I guess I missed the Dnsmasq override feature when making static assignments.
#3
Here are the contents of /var/unbound/host_entries.conf

hbarta@OPNsense:~ $ cat  /var/unbound/host_entries.conf
local-zone: "internal" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.internal A 127.0.0.1"
local-data-ptr: "::1 localhost"
local-data: "localhost AAAA ::1"
local-data: "localhost.internal AAAA ::1"
local-data: "OPNsense.internal A 10.20.0.1"
local-data: "OPNsense A 10.20.0.1"
local-data-ptr: "10.10.0.1 OPNsense.internal"
local-data: "OPNsense.internal A 10.10.0.1"
local-data: "OPNsense A 10.10.0.1"
local-data-ptr: "2601:249:1a7f:7b2e:e251:d8ff:fe19:1495 OPNsense.internal"
local-data: "OPNsense.internal AAAA 2601:249:1a7f:7b2e:e251:d8ff:fe19:1495"
local-data: "OPNsense AAAA 2601:249:1a7f:7b2e:e251:d8ff:fe19:1495"
local-data-ptr: "10.20.13.10 xxxx.localdomain"
local-data: "xxxx.localdomain  IN A 10.20.13.10"
hbarta@OPNsense:~ $ ping -c1 10.20.13.10
PING 10.20.13.10 (10.20.13.10): 56 data bytes
64 bytes from 10.20.13.10: icmp_seq=0 ttl=64 time=0.299 ms

--- 10.20.13.10 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.299/0.299/0.299/0.000 ms
hbarta@OPNsense:~ $ ping -c1 xxxx.localdomain
ping: cannot resolve xxxx.localdomain: Name does not resolve
hbarta@OPNsense:~ $ ping -c1 xxxx
ping: cannot resolve xxxx: Name does not resolve
hbarta@OPNsense:~ $

Note that at present I want the name 'xxxx' to resolve to 10.20.13.10 (which is the host 'glencoe'). I'm doing something else with 'mqtt' at the moment to keep my home automation working.

Settings for https://10.10.0.1/ui/unbound/overrides are now: enabled:checked, Host:xxxx, Domain:localdomain, Type:A, IP address:10.20.13.10.

best,
#4
Thanks for sticking with me on this. I will look into that and get back to you in a bit.

Quote
You might want to change that "localdomain" to something with at least one dot in it like "mydomain.lan".

Just this morning I noticed that OPNsense web pages show me logged in as "root@OPNsense.internal". That has me wondering if I have a conflict between "localdomain" and "internal". I guess I need to look up where that is set and determine what I need to use for the domain on my home LAN. Thanks for bringing that up. And as a long-time Linux user, I think I should not be using "root" for my day-to-day login.

best,
#5
Quote
If mqtt is a DNS alias for glencoe then "ping mqtt" and "ping glencoe" will both result in the same IP address.

Yes, exactly what I want. I have not been able to achieve that with the settings listed in the first post.

best,
#6
Apologies for not being clear. I cannot see how to direct traffic for the alias 'mqtt' to the host 'glencoe'.

I have temporarily fixed that to manage the MQTT issue by renaming that host (in Dnsmasq) as 'mqtt', but that breaks everything else that looks for 'glencoe' (such as backups and monitoring.)

best,
#7
Thanks for the reply.

Any suggestion for fixing the unbound alias issue?

best,

Edit: I've worked around this by renaming the host in https://opnsense/ui/dnsmasq/settings#hosts to 'mqtt'. I would like that to be temporary if possible.
#8
Good morning, recent pfSense user here busy configuring OPNsense 25.7.2 to meet my needs. One of these needs is to map a hostname 'mqtt' to a specific server 'glencoe'. In other words I have configured a number of IoT hosts to publish messages to a host named 'mqtt' and in my case, the actual host is 'glencoe'. (I set this up when I was moving the MQTT broker between hosts and didn't want to have to edit settings on each host that publishes.) In Dnsmasq -> Leases I've set the Lease Type for 'glencoe' to static.

I'm using Dnsmasq + Unbound for DHCP and DNS. I've gone to the Unbound -> Overrides page and in Hosts made the following settings:
  • Host - glencoe
  • Domain - localdomain
  • Type - A (IPv4 address)
  • TTL = 300
  • IP address - 10.20.8.221

In the Aliases section

  • Host Override - glencoe.localdomain (automatically populated)
  • Host - mqtt
  • Domain - localdomain

When I click "Apply" I see the log message

2025-09-04T12:15:30-05:00 | Warning | unbound | PTR record already exists for mqtt.localdomain(10.20.8.221)
I'm sure that hints at what I've mis-configured but I'm equally sure I don't understand what it means. Any suggestions for what I've got wrong are most welcome.

Thanks!

Edit: Just to note, after making these changes, queries to 'mqtt' are not resolved.
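Both this post and the host_entries.conf session further up test resolution with ping, which goes through the client's stub resolver, its search list and whatever /etc/resolv.conf points at. A check that asks the firewall's resolver directly for the fully qualified name separates "the resolver has no record" from "the client never appended the domain". The following is an added example, not code from the thread or from OPNsense: a minimal DNS client that builds a query, parses the reply and follows a CNAME alias to its A record, plus a constructed reply (not captured from a real server) so the parsing can be exercised offline. The resolver address 10.10.0.1 is taken from the thread; the answers are assumptions that mirror the mqtt -> glencoe alias described above.

```python
"""Added example (not from the forum thread or OPNsense): query a resolver
directly and follow CNAME aliases. Assumes the resolver is 10.10.0.1:53."""
import socket
import struct
from typing import List, Tuple

A, CNAME = 1, 5
RR = Tuple[str, str, str]   # (owner, "A" | "CNAME" | type number, rdata)


def _encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels: List[str] = []
    end, hops = -1, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # pointer: 11xxxxxx xxxxxxxx
            if end < 0:
                end = off + 2                   # name occupies 2 bytes here
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end >= 0 else off)


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    """One question, recursion desired (flags 0x0100), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(query: bytes, rrs: List[RR], rcode: int = 0) -> bytes:
    """Constructed reply for offline testing (not a captured packet). Owners equal
    to the question name are written as a pointer to offset 12, as servers do."""
    qname, _ = _read_name(query, 12)
    body = b""
    for owner, rtype, rdata in rrs:
        same = owner.rstrip(".").lower() == qname.lower()
        owner_b = b"\xc0\x0c" if same else _encode_name(owner)
        t, rd = (A, socket.inet_aton(rdata)) if rtype == "A" else (CNAME, _encode_name(rdata))
        body += owner_b + struct.pack(">HHIH", t, 1, 300, len(rd)) + rd
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(rrs), 0, 0)
    return header + query[12:] + body


def parse_answers(msg: bytes) -> List[RR]:
    """Walk the answer section; A and CNAME rdata decoded, other types kept as hex."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F} (3 = NXDOMAIN)")
    off = 12
    for _ in range(qd):                         # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    out: List[RR] = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            out.append((owner, "A", socket.inet_ntoa(msg[off:off + 4])))
        elif rtype == CNAME:
            out.append((owner, "CNAME", _read_name(msg, off)[0]))
        else:
            out.append((owner, str(rtype), msg[off:off + rdlen].hex()))
        off += rdlen
    return out


def resolve_chain(name: str, answers: List[RR]) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`; return (canonical name, its A addresses)."""
    cur, seen = name.rstrip(".").lower(), set()
    while cur not in seen:
        seen.add(cur)
        targets = [r for o, t, r in answers if t == "CNAME" and o.lower() == cur]
        if not targets:
            break
        cur = targets[0].rstrip(".").lower()
    return cur, [r for o, t, r in answers if t == "A" and o.lower() == cur]


def query(name: str, server: str = "10.10.0.1", port: int = 53, timeout: float = 2.0):
    """Live UDP query against the firewall's resolver (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resolve_chain(name, parse_answers(resp))


if __name__ == "__main__":
    q = build_query("mqtt.localdomain")       # offline demo with a constructed reply
    r = build_response(q, [("mqtt.localdomain", "CNAME", "glencoe.localdomain"),
                           ("glencoe.localdomain", "A", "10.20.8.221")])
    print(resolve_chain("mqtt.localdomain", parse_answers(r)))
    # against the firewall: print(query("mqtt.localdomain"))
```

Run query("mqtt.localdomain") and query("mqtt") from a client: if the FQDN answers and the short name does not, the record exists and the client's search domain is what is missing; an rcode 3 for the FQDN means the resolver you reached has no override for it, which is the case to bring back to the Unbound or Dnsmasq configuration. The same two checks can be typed as drill or dig with @10.10.0.1; the script only makes the CNAME chain and the rcode explicit.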
#9
Quote from: EricPerl on April 20, 2025, 09:36:14 PM
With these switches (not truly managed, classified as smart-easy), I'm afraid you should ignore the guidance regarding mixing tagged and untagged traffic.

Thanks for clarifying that. Everything else you described squares with what I've discovered so far and it's nice to have that fleshed out.

Thanks for taking the time to provide a helpful answer.

best,
#10
Edit: I did get replies on Reddit and it seems that I need to add firewall rules to allow traffic between VLANs. I must have misunderstood the suggestions that this would work by default. (I did notice that the LAN subnet could talk to the VLANS by default, perhaps that's what I was reading.)

best,

Good morning

I'm still onboarding with OPNsense (having run pfSense for nearly 10 years.) I've just reinstalled from scratch to avoid any issues lingering from the many configuration changes I've made and unmade (and messed up.)

My H/W is a mini PC presently connected to my home LAN with a TP-Link TL-SG108E switch downstream. I want at a minimum one VLAN to isolate IoT devices. Two principles have guided my VLAN configuration:

* I have read in multiple places that it is bad practice to mix tagged and untagged traffic on the same (host port? switch port?)
* I also have read that by default, traffic is allowed between VLANs.

VLANs have been an incredible challenge for me. It took me too long to figure out that I just needed to copy the config I use for the switch (same as above) to the one connected to the OPNsense host. (Age has its benefits but this is not one of them.) I've also had a *lot* of difficulty losing access to the management web interface, which I usually fix by going to the console and resetting to default config or reassigning interfaces or IP addresses. That's not fun. (BTW, my pfSense install has worked with a single VLAN to isolate IoT devices from my other stuff.)

At present I have the following configuration:

* LAN - the default and where the web UI seems to reside. DHCP for IPv4 configured. One port on the switch remains not assigned to tags 10 or 20. (management port, for now.) Another port (the trunk?) is associated and tagged for both 10 and 20 and is connected to the LAN port on the router.
* IoT - tagged 20, two ports on the switch assigned and untagged. DHCP for IPv4 configured
* main - tagged 10, four ports assigned on the switch and untagged. DHCP for IPv4 configured
* WAN - Gets its IP from upstream (pfSense) via DHCP. (The WAN port seems to be getting an IPv6 address but I'm leaving IPv6 for the 'main' VLAN for later.)

Both VLANs seem to be working as expected WRT DHCP. Hosts, the switch and a spare WiFi AP all get IP addresses on either.

Connecting a host to the untagged and unassigned port gets an IP from that respective pool. At the moment this is the only port from which I can connect to the web management site.

I cannot ping between the two VLANs. Worse, hosts on the VLANs cannot access the web configuration. (Aside: I'd be happy to perform configuration from the console but I'm not familiar enough with FreeBSD to be able to do that. And IAC I suspect the closest thing to a sensible way to do this would be to directly edit the config.xml.)

During a previous iteration I tried adding firewall rules to facilitate passage of traffic between VLANs even though they seemed redundant and they seem to make no difference.

My searches on this subject tell me:

* It should just work.
* Driver issues could cause problems (This mini-PC has Realtek Ethernet which otherwise seems to be working.)
* Firewalls or policies on the hosts can block traffic. Both hosts I'm using for testing are running Debian (one on an X86 laptop, the other on a Raspberry Pi) and I'm 99% certain they have no firewall installed. On my existing LAN they both communicate with hosts on the IoT VLAN from the primary LAN.

I'm running out of ideas. One thought I have is to eliminate the 'main' VLAN and just have the IoT VLAN for IoT devices and use the LAN for other stuff, but that seems to go against guidelines I have read.

Any other suggestions are most welcome!
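The edit at the top of this post is the expected outcome: OPNsense creates its automatic "allow LAN to any" rule only on the LAN interface, and interfaces added later, VLAN interfaces included, start with no pass rules, so the implicit default deny blocks everything until rules are added. That is the behaviour you want for an IoT VLAN; the rules should open only the directions needed (for example main to IoT, and IoT to its own gateway for DNS). Once rules are in place, a probe from a host on the restricted VLAN confirms they do what was intended. The following is an added example, not code from the thread or from OPNsense: it TCP-connects to a list of targets and compares the outcome with a written-down policy, distinguishing a firewall drop (timeout) from a reachable host with nothing listening (refused). The script is assumed to run on a host in the IoT VLAN; the addresses, ports and policy are placeholders for that network, not values from the thread.

```python
"""Added example (not from the forum thread or OPNsense): verify inter-VLAN
segmentation by probing from a host on the IoT VLAN and comparing with the
intended policy. Addresses, ports and the policy itself are assumptions."""
import socket
from typing import Callable, List, Tuple

# label, host, port, expected outcome ("reachable" or "blocked")
Check = Tuple[str, str, int, str]

# Intended policy as seen from IoT (assumption): the VLAN may reach its own
# gateway for DNS and nothing on the main VLAN or the firewall's web UI.
IOT_POLICY: List[Check] = [
    ("iot -> IoT gateway DNS", "10.20.20.1", 53, "reachable"),
    ("iot -> main VLAN host ssh", "10.20.10.10", 22, "blocked"),
    ("iot -> firewall web UI", "10.10.0.1", 443, "blocked"),
]


def probe(host: str, port: int, timeout: float = 2.0,
          connect: Callable = socket.create_connection) -> str:
    """TCP connect and classify the outcome. A silent drop (a 'block' rule) times
    out; a 'reject' rule or a host with no listener refuses immediately."""
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # packets pass the firewall; nothing listening or rejected
    except (socket.timeout, TimeoutError):
        return "filtered"       # dropped on the way, or no return route
    except OSError:
        return "unreachable"    # ICMP unreachable, no route, etc.


def classify(state: str) -> str:
    """Collapse the probe result to the terms the policy uses."""
    return "reachable" if state in ("open", "refused") else "blocked"


def check_policy(policy: List[Check], connect: Callable = socket.create_connection,
                 timeout: float = 2.0) -> List[Tuple[str, str, str]]:
    """Return (label, expected, observed) for every check that disagrees with policy."""
    violations = []
    for label, host, port, expected in policy:
        observed = classify(probe(host, port, timeout, connect))
        if observed != expected:
            violations.append((label, expected, observed))
    return violations


if __name__ == "__main__":
    bad = check_policy(IOT_POLICY)
    for label, expected, observed in bad:
        print(f"POLICY VIOLATION: {label}: expected {expected}, observed {observed}")
    if not bad:
        print("all checks match the intended policy")
```

Two things this catches that ping does not: ICMP and TCP are matched by separate rules, so a VLAN that cannot be pinged can still expose a service, and a "refused" result proves the packet crossed the firewall even though the connection failed. Run the same list from a main VLAN host with the expectations flipped to check the other direction, and keep "blocked" entries for the firewall's own management ports on every VLAN that should not administer it.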