Messages

I am able to update the certificate in place using the APIs as indicated above.  I cannot get opnsense to use the updated certificate, however.  I have tried issuing an API call to restart the webgui and I have tried calling reconfigure in the trust section.  None of these force opnsense to use the new certificate.

These are the API calls I have tried:
POST  /api/core/service/restart/webgui
POST  /api/trust/settings/reconfigure

EDIT:  I did some more investigation and testing and the GUI uses /api/core/service/restart/webgui, but it uses the web sessionid for authentication.  When I call it using the API token, I receive an error - curl: (16) Error in the HTTP2 framing layer.  It doesn't seem like I can trigger a webgui restart using the API from my script.  As a workaround, I am now executing 'configctl webgui restart' from my script using SSH.  This works, but it is not as clean.

I have this working perfectly with pihole.  There are other variations you could do, but this configuration has been stable for me since dnsmasq was implemented in opnsense.

Start with configuring dnsmasq with this document:  https://docs.opnsense.org/manual/dnsmasq.html

Next add pihole address via dns-server [6] in dnsmasq

Point pihole upstream server to opnsense (Unbound)

DNS flow (for local domain) is client -> pihole -> Unbound (opnsense) -> dnsmasq (opnsense)
DNS flow (for internet) is client -> pihole -> Unbound (opnsense)

How do you install the agent?  I attempted to run with the freebsd install script that gets automatically generated.  The process was running, but didn't seem to be listening so something wasn't correct.  It seems that the script may still set things up with beszel as the user.  This is the command I used (ran as root).  I obviously used the token and key that got automatically generated (instead of my_token and my_key).

curl -sL https://get.beszel.dev -o /tmp/install-agent.sh && chmod +x /tmp/install-agent.sh && /tmp/install-agent.sh -p 45876 -k "ssh-ed25519 my_key" -t "my_token" -url "https://beszelhub.mydomain.com" 

Edit:  I was able to solve my own problem.  The process was actually running and listening.  I just had to allow an IP for my reverse proxy.

Unless you have a specific need, you might consider ditching DHCPv6 by using RA-STATELESS (instead of SLAAC).  There really isn't a need to assign addresses if the clients you need to reference are using EUI-64.  While identity association makes firewall rules easier to manage now, having fewer IP addresses is still easier to manage. YMMV

How do I configure this option?

I used the configuration example right out of the dnsmasq documentation (https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples).  The only difference is that I used RA-STATELESS and RA-NAMES for the RA Mode.

RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

I am using dnsmasq with SLAAC and RA-NAMES.  This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address.  I find this to be very convenient.  It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.

I assume you have hosts registered in dnsmasq and you want to reference those using a local dns name.  In this case, you would set up query forwarding in Unbound to point queries with this domain to dnsmasq. This documentation contains an example: (https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration).  I've been on dnsmasq for a while now and don't remember how this was done with ISC, but it might have been automatic before.

If my assumption is false and you are trying to do something else, then I don't know.

I use pihole as my primary dns servers for clients with unbound on OPNsense set as the upstream dns server on pihole.  The advantage of this setup is that you get local host resolution since OPNsense is able to get that from the DHCP server (ISC or dnsmasq).

EDIT:  After reading more carefully, I see that you can't reach the pihole directly.  If the default gateway is OPNsense, then maybe you can port forward those DNS requests to pihole.  I am also doing that to force all DNS to pihole.

Unbound on port 53, DNSmasq on port 53053, and set up the Unbound query forwarding in accordance with OPNSense docs:
https://docs.opnsense.org/manual/dnsmasq.html

I followed the examples at that link for my configuration, and it's running flawlessly for me across 5 different interfaces. Unlike the first person who responded to you, I feel like this was a pretty rock solid initial release for a lighter and more efficient DHCP. From what I've gathered between here and Reddit, the majority of the people having issues decided to wing it with their setup and didn't read the guides first.

I followed this guide and it mostly works, however I am having a problem with nslookup for the host overrides (reservations).  I get unable to communicate with DNS error messages when doing nslookup on the hosts that have reserved addresses.  nslookup works fine for the dynamically assigned hosts.  My setup is slightly different in that I am using two pihole DNS servers with unbound on OPNsense as the upstream DNS server.