Messages

Thanks for the helpful replies, I'm just creating static hosts in DNSMasq and tagging those that I wish to direct to AdguardHome DNS that I'm locally hosting.  Each interface has a single DHCP pool and the static hosts have static IPs that are outside those pools.

That gets me to where I want with my home network, but still the question is what is the point of having more than one DHCP range in DNSMasq for an interface?

Is there a way to "direct" a host to get it's IP address from a specific DNSMasq address pool (DHCP range)?

Can't you just use 'Static DHCP Mappings based on the MAC Address' for those hosts with the specific 'DNS Server IP Address' configured in the mapping ?!

I can do that but I was hoping to leave the selection of the IP address to DNSMasq from a specified address pool/range rather than having to decide on the IP address myself, but it looks to me like there's no point having more than one DHCP range, so I define the desired hosts as static with fixed IPs and tag them, then use DHCP option dns-server[6] to specify the Adguard DNS server address.

Normally, that would be a scenario for VLANs and different subnets, not ranges.

When you use static mappings for affected clients, you might as well send a specific DNS server IP with the DHCP option response that is different from the default. So strictly speaking, there does not even have to be a "range" for this purpose.

You're correct, I was trying to avoid specifying an IP address for the static mapping, thinking that by tagging the static mapping it would direct the host to get it's IP from the first pool or range matching that tag, but it just gets it's address from the lowest range.

In ISCv4 I can direct hosts to a particular address pool using MAC address matching so I'd (wrongly) presumed that tags were the DNSMasq way of achieving the same thing.

Which begs the question: what is the point of having more than one DHCP range for an interface?  If I ask Copilot AI, the answer is:

In OPNsense's dnsmasq, DHCP ranges exist so dnsmasq can hand out IP addresses — and you can optionally segment those ranges using tags. 
If you don't use tags, the ranges are just "where DHCP leases come from".
If you do use tags, ranges become "pools" that only tagged clients can enter.

But I've found that's not the case.

Hi all,

Is there a way to "direct" a host to get it's IP address from a specific DNSMasq address pool (DHCP range)?  I want all hosts within that pool to use ADguard DNS so I've tried tagging a host entry with an "dnsfilter" tag and have also tagged the desired pool with the same tag, but it doesn't seem to work in that the host gets it's dynamic IP from the pool that's tagged "static".
I'm guessing my understanding of tags in DNSMasq is very much lacking so I'm looking for some guidance from the experts in this forum.
TIA

Now that ISC DHCPv4 has been deprecated to a plug-in, should I be looking to switch DHCP service on my OPNSense router?  I've looked at DNSMasq and it doesn't appear do everything I'd want, namely the ability specify a specific DNS service for a certain group of devices, for example, pointing all of my smart TV and media devices to Adguard Home or Pi-Hole. Kea seems to have all the features of ISC DHCP but much of it can't be configured via the GUI and requires diving into an SSH shell, so for now I'll continue using ISCv4 for DHCP but the question is, will OPNSense ditch it completely in the near future and if so, will Kea be updated to the degree that everything about it can be configured via the web UI?

Had another chance to take a look at this issue, checked my firewall rules, outbound NAT (set to Auto) and the WAN shows as UP so tried pinging 9.9.9.9 from an SSH session in OPNSense and it worked, so it would appear that the WAN is working fine as far as routing outbound traffic is ocncerned, but doing the same from an SSH session on my PC connected to the OPNSense LAN fails with "host unreachable" errors, even though the PCs ip config shows the correct client IP handed out b DHCP and the gateway being the LAN ip of 192.168.1.1
I've created firewall rules to allow traffic in and out of the LAN but that made no difference.

Yes, the WAN IP as well as the default gateway are on Plusnet. However, neither is reachable from here as well. This looks like a new development area where connectivity is not yet established.

On the other hand, if it works with an Asus router... I would check what WAN IP and default gateway you get with the Asus router. But heck, ask your ISP what is wrong there. Obviously, they give your the PPPoE credentials, so they must be able to deal with a different router.

I can't reach the remote WAN IP 195.166.130.255 but I can reach the local WAN IP 80.229.251.220 (which is my public static IP address). The Asus router doesn't show the default gateway in it's UI, but would the gateway be the remote IP address 195.166.130.255 which shows up in it's logs?

Some ISPs detect a router change and give you a temporary non-routable network in which you can register your new hardware. Some do this for ONTs only, others even want to know when the router changes. Ask them, they must know.

Maybe your WAN IP is now something like 10.x.x.x, which would give an indication.

The WAN is an FTTC connection via a fibre modem whose output is connected to my router, whether it's my Asus router or my OPNSense router (which I'm clearly struggling to get working) and the Asus router connects just fine to the WAN and I can surf the web from any connected clients.

A newly installed OPNsense is not blocking anything from LAN and comes with NAT enabled on WAN. Also it does not block anything outbound from the firewall itself.

Looking closer at your screen shots - why do you have routes for 8.8.8.8 and 9.9.9.9 to your loopback interface? With these active it's natural you cannot ping e.g. 8.8.8.8.

The logfile entries look good.

Those entries are the DNS servers I specified in the general config, I didn't add them to my loopback interface.  Should I remove them?  I have tried pinging 1.1.1.1 and amazon.com to no avail.

So

- PPPoE authentication and IP address assignment works
- ICMP echo (ping) does not

Of course there can be a dozen more things amiss that would prohibit your clients from accessing the Internet but before your OPNsense can ping 8.8.8.8 it does not make sense to look any further.

I'd open a ticket with your ISP. You also wrote you did not receive your assigned fixed IP address, correct? So something is wrong.

Connecting my Asus router to the modem instead of the OPNSense router works fine, so I'm not sure it's worth raising a ticket with my ISP.  The correct (static) IP is returned, according to the logs which state "treating 195.166.130.254 as far gateway for 80.229.251.220/32"

What would I need to look for to see if the firewall is blocking outbound requests from LAN interface clients?

Can you ping e.g. the ISP gateway or 8.8.8.8 from the OPNsense itself?

I didn't try pinging the ISP gateway but pinging 8.8.8.8 or any other well-known public IP fails

If you do not get the IP address you expect per your contract, only your ISP can fix that.

It appears that the IP address 195.166.130.254 is a remote IP address for my ISP which returns a local IP address of 80.229.251.220 which is what I'd expect.

I know the WAN is connecting okay because successful authentication is confirmed in the logs, but the IP address shown isn't the correct static IP address that should be assigned by my ISP.

The IP assignment is part of the PPPoE handshake. You can as well see in the log, which IP is offered to you by the ISP.
So what does the log show regarding the IP?

And which IP do you get in fact? Is it a public one?

The System: Gateways: Configuration page shows WAN_PPOE bound to the WAN interface with an IP Address of 195.166.130.254 and a Monitor IP of the same, with the status icon showing that it's down. If I edit the gateway entry and tick the box Disable Gateway Monitoring then the gateway shows as being UP
If I look at the terminal screen showing the current interfaces details and the menu options, I see that the correct public static IP of 80.229.251.220 is being picked up.

Here are some screenshots from my config, first the WAN interface config, do I need to specify an MTU figure?
You cannot view this attachment.

The PPoE device settings - I'm guessing I only need to specify the underlying adaptor vtnet1 and not the wan interface?
You cannot view this attachment.

The interfaces overview shows my ISP-assigned static IP for the WAN and gateway address 195.166.130.254, the latter which I've never seen before but looking it up shows the following info which does seem to make sense considering my ISP is Plusnet which uses BT infrastructure:

Code Select Expand

Hostname:254.core.plus.net
ASN:6871
ISP:British Telecommunications Plc
You cannot view this attachment.

Finally here are the logs showing the WAN address binding-related messages.
You cannot view this attachment.

With my Asus router connected back to the WAN (OPNSense router unplugged from WAN), I checked it's logs and found entries for "local  IP address 80.229.251.220" and "remote IP address 195.166.130.255", the latter which is in the same subnet as the earlier-mentioned gateway address 195.166.130.254 so I'm guessing that's expected?

Otherwise, what could be causing clients connected to my OPNSense router to not be able to connect to the internet?

Hi all,
I've created a WAN interface associated with a PPoE device that's connecting to an FTTC service that's provided by a modem and connected to my N100-based mini-pc installed with OPNSense in a Proxmox VM to replace my Asus router, but it doesn't work despite the status showing as green in the interfaces overview page, as I'm unable to browse the web via the LAN.  I know the WAN is connecting okay because successful authentication is confirmed in the logs, but the IP address shown isn't the correct static IP address that should be assigned by my ISP. What setting for getting the IP address should I get specifying in the WAN interface itself?

My Asus router uses the following WAN settings to successfully connect:
Connection type: PPoE
Enable NAT: Yes
NAT type: Symmetric
Get the WAN IP automatically: Yes

There is no VLAN requirement from my ISP to connect.