[SOLVED] Want to convert from KEA/Unbound to dnsmasq (for DHCP and DNS), but can't!

Started by davidfi01, May 14, 2025, 08:27:12 PM

I have a relatively simple network consisting of:

x.x.1.x LAN
x.x.2.x VLan 1
x.x.3.x VLan 2
x.x.4.x VLan 3

Everything runs fine with unbound and KEA.

I do the following:

1) Disable Unbound and KEA (dhcp4).

2) I enable dnsmasq on port 53 with Lan, Vlan1, Vlan2, VLan3 interfaces.
3) I enable firewall rules for dhcp - The firewall rules are only created in LAN
4) I add static ips through "host" tab
5) I enable DHCP ranges using x.x.X.100 thru 150 for each vlan
6) I added server, dns and server search options for x.x.1.1

Can't get dhcp to work.

Is there a write-up on how to migrate from unbound/KEA to using dnsmasq and an outside dns provider like 1.1.1.1 or 9.9.9.9?

Thanks in advance,
D

Do you see any blocked DHCP traffic for the VLANs in the firewall live view? Your post says that you only have firewall rules for the LAN.

Can't answer your question, but I am curious why you would want to switch away from a working setup that will continue to be supported and improved by OPNsense in future versions?

Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
Everything runs fine with unbound and KEA.

Sounds like it is not broken, so what are you trying to fix or to improve?
Deciso DEC697
+crowdsec +wireguard

1) I would like to move away from Unbound/KEA to dnsmasq as it SHOULD BE a simpler setup, simpler to maintain and use less resources (i.e. more efficient). Further, it should be more understandable for people doing maintenance who are less experienced.

2) Using dnsmasq as exclusive provider for dns/dhcp (with or without VLans) should be a supported configuration

3) With respect to Firewall rules, activating the firewall rules in setup only creates rules for LAN, none of the VLans.  I have added PASS rules for in and out on ports 67/68, on the vlans, but still no dhcp.

**It would be nice if the config option to generate fw rules would do so for all enabled interfaces.  Not sure why it only creates rules for LAN.

D

The code automatically creates firewall rules for all chosen interfaces, and even for interfaces chosen in dhcp ranges.

The only thing that must be done is reloading the firewall manually right now to load these new rules.
Hardware:
DEC740

Quote from: davidfi01 on May 14, 2025, 08:27:12 PM
2) I enable dnsmasq on port 53 with Lan, Vlan1, Vlan2, VLan3 interfaces.
3) I enable firewall rules for dhcp - The firewall rules are only created in LAN

This doesn't seem right. So in Services: Dnsmasq DNS & DHCP --> General, under Interfaces you can see all your interfaces selected there (4 in total)?

If that is the case and you have "DHCP register firewall rules" and you applied the settings, the firewall rules should be created for all those interfaces?

For each respective interface, there should be three rules in the "Automatically generated rules" with the Description "allow access to DHCP server".

The rules are only being created in LAN, no other vlan gets rules generated!

D

Just confirmed that KEA creates 2 firewall rules in all vlans and lan.

When stopped, and dnsmasq started, dnsmasq is only creating 3 rules in LAN.  dnsmasq is NOT creating rules in other vlans.
D

Do you see any blocked DHCP traffic for the VLANs in the firewall live view?

I have the exact same issue. dnsmasq does not create firewall rules for chosen interfaces. Adding them manually doesn't seem to work and I can't find any error messages generated in the logs. Adding floating rules doesn't seem to work either. With firewall rules in place I can see the port 67 and 68 traffic being passed, but no leases are ever negotiated. I gave up after trying a few times. I'll wait for a future update until it's more fully baked.

I am confirming that as well.  I see no blocks in the logs.  Have fully opened Vlan and Lan (pass in/out), tried to create FW rules for vlan manually.  Seems like Dhcp does NOT work if KEA/Unbound were used previously.  Any other ideas to try?

D

Quote from: davidfi01 on May 16, 2025, 09:38:19 PM
I am confirming that as well.  I see no blocks in the logs.  Have fully opened Vlan and Lan (pass in/out), tried to create FW rules for vlan manually.  Seems like Dhcp does NOT work if KEA/Unbound were used previously.  Any other ideas to try?

No other things to try here. Weird that your FW rules are getting created in all networks using the KEA toggle, but that it doesn't happen with dnsmasq.

That being said, I can't agree with the statement that dhcp does not work if KEA/Unbound were used previously. I was using KEA/Unbound for months prior to dnsmasq DHCP being released and am now up and running with DHCP and DNS services exclusively via dnsmasq.

This is not the case here. I used ISC DHCP before and the rules get created as "pfctl -vvsr | fgrep -i 'bootp'" clearly shows.

However, as the help text for the DHCP firewall rules says:

"Automatically register firewall rules to allow dhcp traffic for all explicitly selected interfaces, can be disabled for more fine grained control if needed. Changes are only effective after a firewall service restart (see system diagnostics)."

I have not tried the contrary, but I selected the interfaces explicitly (first field on the general tab) and I restarted my firewall after enabling the checkbox.


I also verified that the service actually starts and does not hit a misconfiguration, which is still easy to achieve because of some missing validations. I made sure that none of the other DHCP services were still active, which would otherwise prevent Dnsmasq from starting. Also, there were still some glitches that have been hotfixed in the latest version 25.1.6_4, so I run that.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
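The "pfctl -vvsr | fgrep -i 'bootp'" check above works, but on a box with several VLANs it is easier to have a script tell you which selected interfaces ended up with DHCP pass rules and which did not. The following is an added example written for this thread; it is not OPNsense code and not something any poster ran. It parses the rule lines of `pfctl -vvsr` (the `@N pass ... on <iface> ...` lines) for rules that mention bootps/bootpc, and compares the interfaces found against the list you selected in the Dnsmasq general tab. The interface names (`igc0`, `igc0_vlan2`, ...) and the sample ruleset embedded at the bottom are constructed for the demonstration; in the sample, only the LAN interface has the three auto-generated rules, which is the situation described in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): report which interfaces
# have DHCP (bootps/bootpc) pass rules in pf, and which expected ones do not.
# Interface names and the sample pfctl output below are constructed.

# Print the interface of every pass rule that references bootps or bootpc,
# one per line, de-duplicated. Reads "pfctl -vvsr" output from stdin.
dhcp_rule_ifaces() {
    awk '
        /^@[0-9]+ pass/ && /bootp/ {
            for (i = 1; i <= NF; i++) if ($i == "on") { print $(i + 1); break }
        }' | sort -u
}

# Usage: missing_dhcp_rules "<iface> <iface> ..." < pfctl-output
# Prints every expected interface that has no DHCP rule (no output = all covered).
missing_dhcp_rules() {
    have=$(dhcp_rule_ifaces)
    for want in $1; do
        printf '%s\n' "$have" | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample of "pfctl -vvsr" output: the three "allow access to DHCP
# server" rules exist for igc0 (LAN) only; the VLAN interface has an unrelated rule.
SAMPLE_PFCTL='@10 pass in quick on igc0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@11 pass in quick on igc0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@12 pass out quick on igc0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@13 pass in quick on igc0_vlan2 inet proto tcp from any to any port = 443 keep state label "unrelated example rule"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]'

# Run the comparison against the constructed sample with four expected interfaces.
check_sample() {
    printf '%s\n' "$SAMPLE_PFCTL" | missing_dhcp_rules "igc0 igc0_vlan2 igc0_vlan3 igc0_vlan4"
}

# On a live firewall you would instead run (as root):
#   pfctl -vvsr | missing_dhcp_rules "igc0 igc0_vlan2 igc0_vlan3 igc0_vlan4"
check_sample
```

An empty result means every selected interface has at least one DHCP rule loaded in pf; if names show up, the rules were either never generated for those interfaces or, as the help text in the post above says, the firewall has not been reloaded since the checkbox was enabled. The script only looks at loaded pf rules, so it also catches the case where the GUI shows a rule that never made it into the running ruleset.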

FWIW, I migrated from ISC->KEA and now trying to get dnsmasq to work.  Not sure what is preventing fw rules from being created w/dnsmasq.

@Drinyth - are you running multiple VLANs? If you disable dnsmasq and re-enable kea dhcp4, does kea re-insert fw rules in the vlans? After resetting back to dnsmasq, does dnsmasq reinstall fw rules on the vlans?

D