ISC DHCP to dnsmasq Migration: NAS VLAN loses internet access while other VLANs

Started by JustNo1, December 31, 2025, 01:17:40 AM

After migrating from ISC DHCP to dnsmasq DHCP on my OPNsense firewall, my NAS VLAN (10.32.13.0/24) stopped having internet access. Devices receive IP addresses from dnsmasq but cannot reach the gateway (10.32.13.1) or external addresses like 8.8.8.8. Interestingly, this only affects the NAS VLAN – my WLAN and other VLANs continue to work fine with dnsmasq. Before the migration, internet access worked on all VLANs.

Current Configuration (NAS VLAN):

dnsmasq DHCP Range Settings:
Interface: NAS
Start Address: 10.32.13.2
End Address: 10.32.13.6
Subnet Mask: automatic
Mode: Nothing selected
Lease Time: 86400
Domain: (empty)

dnsmasq Global Settings (relevant):

Interface [no DHCP]: Nothing selected
DHCP FQDN: ✅ Enabled
DHCP local domain: ✅ Enabled
DHCP authoritative: ❌ Disabled
Router advertisements: ❌ Disabled
DHCP register firewall rules: ✅ Enabled

Firewall Rules (NAS):

IPv4 → NAS address (Zugriff NAS)
IPv6 → ! RFC4193_Networks (IPv6 Internet)
IPv4 → ! RFC1918_Networks (IPv4 Internet)

Comparison with Working VLAN (WLAN):

The WLAN VLAN works perfectly with dnsmasq and has these settings:
Start Address: 10.32.11.3
End Address: 10.32.11.62
Subnet Mask: 255.255.255.192

Firewall Rules: Similar structure with internet access enabled

Troubleshooting Performed:
✅ Firewall rules exist for internet access
✅ Devices receive IP addresses (DHCP works)
❌ Ping to gateway 10.32.13.1: 100% packet loss
❌ Ping to 8.8.8.8: 100% packet loss
✅ Devices can ping each other within the VLAN
✅ NAS VLAN interface and VLAN configuration unchanged since migration
✅ Other VLANs with dnsmasq work fine

Observations:

The issue appears to be DHCP-related (ISC DHCP worked, dnsmasq doesn't for this VLAN)
Gateway/Router and DNS Server options are not explicitly set in the dnsmasq DHCP range configuration
DHCP authoritative is enabled – could be causing conflicts
Subnet mask is set to 255.255.255.248 (/29)

Questions:

Why does this only affect special VLANs while most work fine?
Any help would be greatly appreciated. I can provide additional screenshots or configuration details if needed.

System Info:

OPNsense 25.7.10
Multiple VLANs (NAS, WLAN, Banking, DNS, etc.)
Migrated from ISC DHCP + Router Advertisement to dnsmasq

Edit: Nameserver and interface address (both 10.32.13.1) getting recognised by the Clients

Hi JustNo1.
I guess it is the firewall rules.
Can you show in detail the NAS rules?

DHCP should be set to authoritative unless there is another DHCP server on the network. It won't fix it, but it should be set anyway so that new devices don't have to be known to get an IP address.
What do the firewall logs show?

Quote from: muchacha_grande on December 31, 2025, 03:55:34 AM
Can you show in detail the NAS rules?

I don't think it's a firewall issue, since it works fine the moment I switch back to ISC DHCPv4 and RA. Also, the firewall rules didn't change from what I described in the post: 3 rules, one IPv4 and one IPv6 rule for internet traffic and one so devices can access the interface address.

Quote from: Stormscape on December 31, 2025, 08:52:14 AM
What do the firewall logs show?

There is nothing logged in the firewall for this interface showing that something got blocked.

Ok, just take into account that if you are using an alias in your "NAS allow" firewall rule and that alias takes its IP from DNS, that could be the problem, because switching to Dnsmasq could make the alias table no longer populate with the NAS IP.
That's what I wanted to make sure.

It's so weird that you can't ping the gateway. Are you sure ISC is disabled completely? Are you mixing tagged and untagged traffic on the switch port connecting the NAS devices on the VLAN?