[SOLVED] 25.1.11 - Dnsmasq tries to bind DHCP although all Interfaces are [no dhcp]

Started by phaze75, July 16, 2025, 12:08:19 PM

I just updated to 25.1.11 and my network is shot. Dnsmasq service won't start, throwing the error "failed to bind DHCP Server socket: Address already in use".

It tries to bind its DHCP socket although all interfaces are configured [no dhcp] within Dnsmasq General settings. I still use ISC DHCPv4, hence the conflict.

I guess this might be a bug in this release. Anyone else experiencing this?

I think the reboot did it. The rest is configuration. Maybe you stopped ISC manually to let Dnsmasq run.


Cheers,
Franco



As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on July 16, 2025, 05:01:55 PM
As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.

Thanks, that must be it! I have had a DHCP-range defined, because I wanted to switch from ISC-DHCP to dnsmasq-DHCP some time ago. I have stopped in midcourse and have left the DHCP-range as defined. I just have set [no dhcp] for all interfaces.

So I guess I will spend this evening and finally finish what I have started... ;-)

Quote from: Monviech (Cedrik) on July 16, 2025, 05:01:55 PM
As soon as a dhcp-range is defined in dnsmasq, it will try to bind port 67 to either all interfaces, or the interfaces defined with the strict interface setting in advanced mode.

no dhcp will just ignore DHCP packets, but it will not unbind from port 67 as long as there are defined dhcp-ranges.

You were right. I needed the better part of yesterday's (late) evening to confirm this. Btw: Is this behavior intentional? It seems a bit unintuitive not to say awkward tbh.

Anyway, at first, I tried to finish my half-baked migration from ISC DHCPv4 to dnsmasq DNS & DHCP, but although following the documentation by the word, recreating all hosts, DHCP ranges and DHCP options, I ended up in a complete mess. dnsmasq's DNS & DHCP service was running, debug logs were flawless, but it persistently failed to serve my hosts - whether connecting via LAN or WLAN. I must have checked, set and unset the [no dhcp] flags at least a dozen times, I restarted the service, I restarted the firewall. Nothing. Around midnight my frustration had grown that big, that I have eradicated all changes made to dnsmasq DNS & DHCP and set the [no dhcp] flags again for all adapters. So, I could at least confirm your solution.

Now I am running again my rock solid ISC DHCPv4 + dnsmasq combination - either I am simply too untalented or the dnsmasq DNS & DHCP service is really as confusing to configure and troubleshoot as it feels.


There was quite some noise when dnsmasq DHCP was first introduced but there is not much going on lately so I assume it must indeed work for most people who use it.

In your case, you were probably unlucky or under stress, frustration is pretty much guaranteed in failure.

Just try it again sometime without pressure and things will work. Maybe give it another go on 25.7. I know for a fact dnsmasq works as I use it fully featured and developed quite some things for its current implementation in OPNsense.
Hardware:
DEC740

You are right again - frustration is never a good companion. Couldn't help it though.

Anyway, I am currently trying again. Unfortunately, with the same result. I simply can't get DHCP to serve my hosts. They won't get an IP assigned, only 169.x.x.x.

I have a 192.168.0/24 network with .253 assigned to my access point. Did I miss something to enable on the DHCP side in order to serve the hosts querying through the AP?



Here it is - my little nightmare.

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#

rebind-localhost-ok
stop-dns-rebind

# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/xxxx.yyy/

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases

dns-forward-max=5000
cache-size=10000
local-ttl=1

conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf

dhcp-range=tag:igb1,192.168.0.1,192.168.0.99,86400

domain=xxxx.yyy,192.168.0.1,192.168.0.99

dhcp-host=xx:xx:xx:xx:24:21,192.168.0.101,host1
dhcp-host=xx:xx:xx:xx:8e:7f,192.168.0.102,host2
dhcp-host=xx:xx:xx:xx:ba:5e,192.168.0.106,host3
dhcp-host=xx:xx:xx:xx:ca:1c,192.168.0.110,host4
dhcp-host=xx:xx:xx:xx:8a:1e,192.168.0.111,host5
dhcp-host=xx:xx:xx:xx:25:6e,192.168.0.112,host6
dhcp-host=xx:xx:xx:xx:72:df,192.168.0.113,host7
dhcp-host=xx:xx:xx:xx:d9:d4,192.168.0.103,host8
dhcp-host=xx:xx:xx:xx:16:cb,192.168.0.109,host9
dhcp-host=xx:xx:xx:xx:1d:e6,192.168.0.253,accesspoint

dhcp-option=3,192.168.0.254
dhcp-option=6,192.168.0.254
dhcp-option=15,xxxx.yyy
dhcp-option=81
dhcp-option=42,192.168.0.254
dhcp-option=1,255.255.255.0



no-ident

I cannot see a line like this

interface=vlan0.1,vlan0.2

Can you check "Services: Dnsmasq DNS & DHCP: General: Default: Interface" and choose the interfaces there that DHCP should work on?

In your case igb1. That also generates the DHCP firewall rules.

Also, you don't have to define any DHCP options if 192.168.0.254 is your router and your DNS server (and it's the OPNsense); it will work automatically.

Here is my current working configuration for you to compare to:

root@opn03:/usr/local/etc # cat /usr/local/etc/dnsmasq.conf
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#

rebind-localhost-ok
stop-dns-rebind

port=53

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=vlan0.1,vlan0.2,vlan0.3,vlan0.12,vlan0.13,vlan0.14

dhcp-fqdn
domain=lan.internal
# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/lan.internal/
local=/admin.internal/
local=/ad.internal/
local=/gast.internal/
local=/dmz.internal/
local=/dns.internal/
local=/docker.internal/
local=/captive.internal/

dhcp-authoritative
enable-ra

# Never forward addresses in the non-routed address spaces.
bogus-priv

server=/*/127.0.0.1#53053
rebind-domain-ok=/*/
server=/facebook.com/127.0.0.1#53053
ipset=/facebook.com/dnsmasq_facebook_com
rebind-domain-ok=/facebook.com/
server=/youtube.com/127.0.0.1#53053
ipset=/youtube.com/dnsmasq_youtube_com
rebind-domain-ok=/youtube.com/
server=/microsoft.com/127.0.0.1#53053
ipset=/microsoft.com/dnsmasq_microsoft_com
rebind-domain-ok=/microsoft.com/
server=/google.com/127.0.0.1#53053
ipset=/google.com/dnsmasq_google_com
rebind-domain-ok=/google.com/

# Never forward to servers in /etc/resolv.conf
no-resolv

# Never forward plain names (without a dot or domain part)
domain-needed

# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases

dns-forward-max=5000
cache-size=10000
local-ttl=1

conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf

dhcp-range=tag:igc0,192.168.11.100,192.168.11.110,86400

domain=admin.internal,igc0
dhcp-range=tag:vlan0.1,172.16.0.100,172.16.0.199,86400

domain=ad.internal,vlan0.1
dhcp-range=tag:vlan0.2,172.16.1.100,172.16.1.199,86400

domain=gast.internal,vlan0.2
dhcp-range=tag:vlan0.12,10.0.0.20,10.0.0.29,86400

domain=dmz.internal,vlan0.12
dhcp-range=tag:vlan0.13,10.1.1.250,10.1.1.250,86400

domain=dns.internal,vlan0.13
dhcp-range=tag:vlan0.14,10.16.1.101,10.16.1.110,86400

domain=docker.internal,vlan0.14
dhcp-range=tag:vlan0.1,::,::ff,constructor:vlan0.1,slaac,ra-names,64,86400

domain=ad.internal,vlan0.1
ra-param=vlan0.1,60,1200

dhcp-range=tag:vlan0.2,::,::ff,constructor:vlan0.2,slaac,ra-names,64,86400

domain=gast.internal,vlan0.2
ra-param=vlan0.2,60,1200

dhcp-range=tag:vlan0.12,::,::ff,constructor:vlan0.12,slaac,ra-names,64,86400

domain=dmz.internal,vlan0.12
ra-param=vlan0.12,60,1200

dhcp-range=tag:vlan0.13,::,::ff,constructor:vlan0.13,slaac,ra-names,64,86400

domain=dns.internal,vlan0.13
ra-param=vlan0.13,60,1200

dhcp-range=tag:vlan0.14,::,::ff,constructor:vlan0.14,slaac,ra-names,64,86400

domain=docker.internal,vlan0.14
ra-param=vlan0.14,60,1200

dhcp-range=tag:vlan0.3,::,::ff,constructor:vlan0.3,slaac,ra-names,64,86400

domain=captive.internal,::,::ff
ra-param=vlan0.3,60,1200

dhcp-host=XX:16:a8:XX:1b:bb,10.0.0.25,host1
dhcp-host=XX:89:ab:XX:51:f7,172.16.0.77,host2
dhcp-host=XX:a1:59:XX:b9:f6,172.16.0.121,host3

dhcp-option=option6:23,[::]

# default dns mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0

no-ident

Hardware:
DEC740
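The two points made in the replies above (any dhcp-range line makes dnsmasq open port 67, and an interface has to be selected explicitly) can be checked against the generated file. This is an added example, not part of any post or of OPNsense; the function name dhcp_state, its output labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the DHCP state of a dnsmasq.conf.
# dhcp_state FILE prints one of:
#   no-dhcp                   no dhcp-range lines in the file
#   dhcp-no-interface:<tags>  dhcp-range present, no interface= line;
#                             <tags> are the range tags (candidates to select)
#   dhcp-on:<interfaces>      dhcp-range present and interface= lines present
dhcp_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 0; }

    # Count active (non-comment) dhcp-range lines; grep -c exits 1 on zero hits.
    ranges=$(grep -c '^[[:space:]]*dhcp-range=' "$conf" || true)
    if [ "$ranges" -eq 0 ]; then
        echo "no-dhcp"
        return 0
    fi

    # Tags of the ranges, e.g. "igb1" from dhcp-range=tag:igb1,...
    tags=$(sed -n 's/^[[:space:]]*dhcp-range=tag:\([^,]*\),.*/\1/p' "$conf" \
        | sort -u | paste -sd, -)

    # interface= may repeat and may itself be comma-separated; join all values.
    ifaces=$(sed -n 's/^[[:space:]]*interface=//p' "$conf" | paste -sd, -)

    if [ -z "$ifaces" ]; then
        echo "dhcp-no-interface:$tags"
    else
        echo "dhcp-on:$ifaces"
    fi
}

# Constructed sample modelled on the first config posted in this thread:
# a tagged range and static hosts, but no interface= line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# commented out, must be ignored: dhcp-range=tag:igb9,10.0.0.1,10.0.0.9,60
dhcp-range=tag:igb1,192.168.0.1,192.168.0.99,86400
dhcp-host=xx:xx:xx:xx:24:21,192.168.0.101,host1
no-ident
EOF
dhcp_state "$sample"
rm -f "$sample"
```

On the firewall the function would be pointed at /usr/local/etc/dnsmasq.conf, the path shown in the post above. To see which daemon currently holds the DHCP port, FreeBSD's sockstat -4 -l -p 67 lists the listening process.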

Quote from: Monviech (Cedrik) on July 18, 2025, 11:05:58 AM
I cannot see a line like this

interface=vlan0.1,vlan0.2

Can you check "Services: Dnsmasq DNS & DHCP: General: Default: Interface" and choose the interfaces there that DHCP should work on?

In your case igb1. That also generates the DHCP firewall rules.


You are my hero! Choosing "LAN" as interface did the trick. But why doesn't it work if it is set to "All"? Is this intentional?

Yeah, right now it works as expected. Firewall rules will only be created for explicitly selected interfaces there.

https://github.com/opnsense/core/blob/2d6795c1477a0cb4a8d5f3d2c00e2ea955aa43a0/src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.php#L432-L447

In the main docs it says it here in the main setup tutorial:

https://github.com/opnsense/docs/blob/8b9ae8e47871cf5925738fe45046e52dd9072e8f/source/manual/dnsmasq.rst?plain=1#L504

Great that it works for you.

Hardware:
DEC740

Quote

Interface

Interface IPs used to responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

Looking at the OPNsense documentation Dnsmasq DNS & DHCP this is imho not entirely clear. Maybe it should be added, that the relevant interfaces must be explicitly selected and the selection must not be "All". This information would have helped me a lot. What do you think?