New user currently using ISC DHCP - now what?

Started by coffeecup25, April 09, 2025, 03:38:51 PM

I completed a successful install of OPNsense and Adguard Home in a new router PC. It works well. My former router PC is now a backup and a hobby machine.

My install includes about 30 static DHCP reservations using the ISC DHCPv4 menu selection. I think it was the default.

I later read that DNSmasq should have been used for my small home install because ISC is end of life. I took a look and decided I have no idea how to properly configure it or how to migrate or install my current static reservations. The documentation makes no real sense to me. On pfSense, all I had to do to change DHCP backends was check off a box.

So, what is the recommended path and if it involves changing over to DNSmasq, can the DHCP reservations be moved automatically? My DHCP pool is 256 devices but only about 50 are auto-config and the rest are for static reservations if needed. The ISC page was easy to understand. The other 2 are not.

Thanks.

April 09, 2025, 04:12:49 PM #1 Last Edit: April 09, 2025, 04:14:29 PM by Monviech (Cedrik)
Right now the documentation on Dnsmasq is ahead in time, the DHCP feature has not been released yet. It reflects what is available in the "System: Firmware: Settings: Type: Development" branch of the repository, not the community branch.

There is no issue with still using ISC for now, just wait a bit and the new Dnsmasq features will be released, probably in 25.1.6. If you want to try them early switch to the development branch.

Dnsmasq has an "import and export csv" feature which can import the static host reservations.

Hardware:
DEC740

Quote from: Monviech (Cedrik) on April 09, 2025, 04:12:49 PM
Dnsmasq has an "import and export csv" feature which can import the static host reservations

Hi, no offence intended, but as the OP wrote: in pfSense it was just a tick box to switch to new DHCP. No "export/import". If the export/import works reliably, just do it with the tick box and the community will be happy!
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Actually, all three DHCP services (Kea, ISC and DNSmasq) could be served from the same stock of static reservations which consist of:

  • Static ARP
  • MAC address
  • IP address
  • Hostname
  • Description

I had the migration problem for ISC -> Kea DHCP in a similar way. It would be way easier to switch if there were no separate sections in the config.xml. Not everyone is capable of doing these things with XSLT like this:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes"/>

    <xsl:template match="/">
        <reservations>
            <xsl:apply-templates select="//staticmap"/>
        </reservations>
    </xsl:template>

    <xsl:template match="staticmap">
        <reservation>
            <!-- UUID is replaced in Python -->
            <xsl:attribute name="uuid">PLACEHOLDER_UUID</xsl:attribute>
            <subnet>PLACEHOLDER_SUBNET_UUID</subnet>
            <ip_address><xsl:value-of select="ipaddr"/></ip_address>
            <hw_address><xsl:value-of select="mac"/></hw_address>
            <hostname><xsl:value-of select="hostname"/></hostname>
            <description><xsl:value-of select="descr"/></description>
        </reservation>
    </xsl:template>
</xsl:stylesheet>

#! /usr/bin/python
import uuid
import sys
from lxml import etree

# Check that an input file and a subnet UUID were passed as arguments
if len(sys.argv) < 3:
    print("Bitte gib eine Eingabedatei und eine Subnet-UUID als Parameter an!")
    print("Beispiel: python transform.py input.xml 39a4a48d-4ed6-43d3-9b54-d44dd7397221")
    sys.exit(1)

subnet_uuid = sys.argv[2]  # Take the subnet UUID from the argument
xml_input = sys.argv[1]

# XML and XSLT files
xslt_file = "transform.xslt"
output_file = "output.xml"

# Load the XML document and the XSLT stylesheet
xml_tree = etree.parse(xml_input)
xslt_tree = etree.parse(xslt_file)
transform = etree.XSLT(xslt_tree)

# Apply the XSLT transformation
result_tree = transform(xml_tree)

# Replace the UUID placeholders
output_str = str(result_tree)

# Set a random UUID for each reservation
while "PLACEHOLDER_UUID" in output_str:
    output_str = output_str.replace("PLACEHOLDER_UUID", str(uuid.uuid4()), 1)

# Set the subnet UUID in the right place
output_str = output_str.replace("PLACEHOLDER_SUBNET_UUID", subnet_uuid)

# Save the transformed XML to a file
with open(output_file, "w", encoding="utf-8") as f:
    f.write(output_str)

print(f"Transformation abgeschlossen. Ergebnis gespeichert in {output_file}")


Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

April 09, 2025, 06:24:26 PM #4 Last Edit: April 09, 2025, 06:27:12 PM by Monviech (Cedrik)
dnsmasq supports multiple mac addresses and multiple ipv4 and ipv6 addresses per single reservation entry. So it's a bit different in its capabilities.

Also partial ipv6 addresses that get automatically constructed via dynamic prefix on interfaces.

Overlap is not quite there regarding the other available services.
Hardware:
DEC740

Hmmm, but if only the new (DNSmasq) option is more feature-rich, then there is no problem with moving to this option, right? Or are you referring to the use of a single "DHCP"-section in config.xml for all three DHCP servers?
kind regards
chemlud

I did not mean DHCPv6, only DHCPv4. I would always argue for SLAAC with IPv6 unless you have a static prefix.

Even if DNSmasq offers multiple IPv4s per MAC, there is nothing forcing the GUI to offer that feature - I fail to see why it is useful, UNLESS these IPs are in different subnets/VLANs - and that is well possible in ISC DHCP.

As for feature incompatibility for IPv6 with dynamic prefixes, this would probably be only an interpretation of the upper 64 bits? IDK DNSmasq, but I imagine that if you use something like ::1111:2222:3333:4444, it is interpreted as "use interface prefix"?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

It also offers multiple MAC addresses per single IPv4 address, e.g. if your laptop traverses between lan and wifi.

And of course also multiple IPs in different subnets in a single host.

Read the man page of dnsmasq, it's pretty awesome :)

(dhcp-host)
Hardware:
DEC740
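The multi-MAC dhcp-host form mentioned above, as an added example that is not code from the thread or from OPNsense: it reads ISC-style <staticmap> entries (the element names used in the XSLT earlier in the thread), rejects fields that would corrupt a generated line, and folds entries sharing a hostname into one raw dnsmasq dhcp-host line. Assumptions: the sample XML is constructed, entries with the same hostname are taken to be the same device, and the output is plain dnsmasq syntax, not the OPNsense CSV import format.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
# One RFC 1123 label: blocks ',', '=', whitespace and newlines that would
# otherwise change the meaning of a generated dhcp-host line.
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.I)

# Constructed sample shaped like the <staticmap> entries the XSLT above reads.
SAMPLE = """<dhcpd><lan>
<staticmap><mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>laptop</hostname></staticmap>
<staticmap><mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>laptop</hostname></staticmap>
<staticmap><mac>aa:bb:cc:00:00:03</mac><ipaddr>192.168.1.20</ipaddr><hostname>nas,ignore</hostname></staticmap>
<staticmap><mac>aa:bb:cc:00:00:zz</mac><ipaddr>192.168.1.21</ipaddr><hostname>cam</hostname></staticmap>
<staticmap><mac>aa:bb:cc:00:00:05</mac><ipaddr>192.168.1.300</ipaddr><hostname>tv</hostname></staticmap>
</lan></dhcpd>"""


def to_dhcp_hosts(xml_text):
    """Return (dhcp-host lines, review notes) for all <staticmap> entries."""
    hosts, notes = {}, []  # hosts: hostname -> {"ip": str, "macs": [str, ...]}
    for sm in ET.fromstring(xml_text).iter("staticmap"):
        mac = (sm.findtext("mac") or "").strip().lower()
        name = (sm.findtext("hostname") or "").strip().lower()
        raw_ip = (sm.findtext("ipaddr") or "").strip()
        try:
            ip = str(ipaddress.IPv4Address(raw_ip))
        except ValueError:
            notes.append(f"rejected {name!r}: bad IPv4 {raw_ip!r}")
            continue
        if not MAC_RE.fullmatch(mac) or not HOST_RE.fullmatch(name):
            notes.append(f"rejected {ip}: bad MAC or hostname ({mac!r}, {name!r})")
            continue
        # Assumption: same hostname means same device; the first IP seen wins.
        entry = hosts.setdefault(name, {"ip": ip, "macs": []})
        if mac not in entry["macs"]:
            entry["macs"].append(mac)
        if entry["ip"] != ip:
            notes.append(f"{name}: {ip} folded into {entry['ip']}")
    lines = [f"dhcp-host={','.join(h['macs'])},{h['ip']},{n}" for n, h in hosts.items()]
    return lines, notes


if __name__ == "__main__":
    for text in sum(to_dhcp_hosts(SAMPLE), []):
        print(text)
```

The dnsmasq man page notes that a dhcp-host entry with several hardware addresses only works reliably when one of those addresses is active at a time, so review every folded entry before using it.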

I use dnsmasq as a standalone DHCP server for dozen of VLANs (Pihole as DNS + unbound and chrony as NTP) and it's pretty good, never had a problem with that. The only feature I am missing on it is a HA or a native sync because I run two of them.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote
dnsmasq supports multiple mac addresses and multiple ipv4 and ipv6 addresses per single reservation entry. So it's a bit different in its capabilities.
I missed this when I moved to OPN. I was a dnsmasq user on dd-wrt. My use was the dhcp reservation for freebsd jails that were not vnet, back when vnet wasn't much known. So I could have various IP-to-same-mac assignments, with a different attribute to distinguish, like a hostname.
Still useful.

Quote from: Seimus on April 10, 2025, 10:39:59 AM
I use dnsmasq as a standalone DHCP server for dozen of VLANs (Pihole as DNS + unbound and chrony as NTP) and it's pretty good, never had a problem with that. The only feature I am missing on it is a HA or a native sync because I run two of them.

There is no native sync but we have thought about HA scenarios and implemented something that allows to skip configuration sync for DHCP and use a DHCP reply delay.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-for-small-ha-setups
Hardware:
DEC740

Quote from: Monviech (Cedrik) on April 10, 2025, 11:37:20 AM
Quote from: Seimus on April 10, 2025, 10:39:59 AM
I use dnsmasq as a standalone DHCP server for dozen of VLANs (Pihole as DNS + unbound and chrony as NTP) and it's pretty good, never had a problem with that. The only feature I am missing on it is a HA or a native sync because I run two of them.

There is no native sync but we have thought about HA scenarios and implemented something that allows to skip configuration sync for DHCP and use a DHCP reply delay.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-for-small-ha-setups

Nice! Basically you are using the dhcp-reply-delay=x, where x = seconds, option that is supported by dnsmasq.

I am using this as well on dnsmasq to make sure primary is mainly giving out the IPs. While still syncing the DHCP static reservation list ;)
This way with keepalived, I can assure devices reach the Primary for DNS+DHCP+NTP and in case of failure Secondary overtakes this functionality.


Glad to see you actually thought about this already.

Regards,
S.

Quote from: Monviech (Cedrik) on April 09, 2025, 07:20:12 PM
It also offers multiple MAC addresses per single IPv4 address, e.g. if your laptop traverses between lan and wifi.


That's a nice idea. My current reservation list has several duplicates for wireless vs wired pcs and 5ghz vs 2.4ghz on cell phones. I'll take a closer look.

Is there any magic sauce in dnsmasq that will allow IPv6 SLAAC addresses to be resolved to hostnames in OPNsense logs?  I know that's where DHCPv6 can be helpful but really hoping for a solution for SLAAC client traceability.

Yes, check out the ra-names directive in the dnsmasq man page. It's also supported in the new GUI that comes.
Hardware:
DEC740