using dnsmasq with unbound and adguard with multiple vlans

Started by jata, July 24, 2025, 05:20:46 AM

Hello all - first of all thanks for all the work for the 25.7 release.

I upgraded from 25.1.12 today and everything went well.

After upgrading to 25.7 I migrated from ISC to dnsmasq following the guide and the DHCPv4 with DNS registration example, but I have the AdGuard Home plugin on OPNsense and I think this is where my issue is. My configuration is:

Adguard on port 53
Unbound on port 5335
dnsmasq on port 53053

My main network (VLAN01 192.168.1.1/24) is working fine with adguard - unbound - dnsmasq

My guest network (VLAN20 192.168.20.1/24) I get a dhcp lease/ip correctly but web pages will not load. I think I need to change a setting/option so that the dhcp lease uses dns server / adguard on my main network.

I have tried adding dhcp options in the dnsmasq setting but I can't get it to work.

Any suggestions to try are greatly appreciated.

A bit of additional info that I think explains why it's not working, but I'm not sure how to solve it.

If I connect to VLAN20 Guest network on 192.168.20.1/24 - I can no longer ping any ip on the main network 192.168.1.1/24 - so no wonder I don't have internet!

I have not changed any firewall rules and all was working before so maybe this is a routing issue stopping requests being forwarded.

Looking at the dnsmasq log I can see this warning message from time to time: no upstream servers configured

Maybe a stupid question, but: does dnsmasq provide a gateway for the guest net?

I am using dnsmasq for DHCP and Unbound DNS for DNS. Several VLANs are active. Since the update to 25.7 no internal hostnames are provided, but they are defined in overrides.

Quote from: dMopp on July 24, 2025, 07:08:49 AM

Maybe a stupid question, but: does dnsmasq provide a gateway for the guest net?

Not a stupid question. It is me probably stupid :-)

I have tried to add a gateway using dhcp options in dnsmasq but no dice so far...

Here they are - not working though.
Done a bit more digging but I am really stuck. I don't think I can get dhcp options to be applied to an interface.

Using netstat command on my Mac when connected to the VLAN I only see the interface ip of the vlan (192.168.20.1) when I expect the dhcp option to be providing 192.168.1.1

Any ideas or obvious things I can check/do?

Here is netstat on my VLAN (guest):

Destination        Gateway            Flags               Netif Expire
default            192.168.20.1       UGScIg                en0       
127                127.0.0.1          UCS                   lo0       
127.0.0.1          127.0.0.1          UH                    lo0       
169.254            link#11            UCS                   en0      !
192.168.20         link#11            UCS                   en0      !
192.168.20.1/32    link#11            UCS                   en0      !
192.168.20.1       60:be:b4:13:66:ab  UHLWIir               en0   1190
192.168.20.168/32  link#11            UCS                   en0      !
224.0.0/4          link#11            UmCS                  en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0       
255.255.255.255/32 link#11            UCS                   en0      !

and on my main network...

Destination        Gateway            Flags               Netif Expire
default            192.168.1.1        UGScg                 en0       
127                127.0.0.1          UCS                   lo0       
127.0.0.1          127.0.0.1          UH                    lo0       
169.254            link#11            UCS                   en0      !
192.168.1          link#11            UCS                   en0      !
192.168.1.1/32     link#11            UCS                   en0      !
192.168.1.169/32   link#11            UCS                   en0      !
224.0.0/4          link#11            UmCS                  en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI                en0       
255.255.255.255/32 link#11            UCS                   en0      !

I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that VLAN, and did you set the "dns-server [6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that VLAN.

Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.

One question about this.

Why are you also using Unbound? It will work with dnsmasq and AdGuard Home; that is the config which I use. So now you have three DNS services running and each service needs the other service.

Doesn't this make more problems than it solves?

@Devil neither dnsmasq nor AGH can work as a recursive resolver. If you e.g. do not want to use a public upstream, you need a local one.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@Patrick M. Hausen ah ok, yes, I didn't think of this.

Quote from: julsssark on July 24, 2025, 04:29:14 PM

I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that VLAN, and did you set the "dns-server [6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that VLAN.

Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.

This is what I have done. Using the two dhcp options as you have suggested.

Good that I am on the right track.

Looks like I have another issue where these dhcp options are not being set.

Can you post a screenshot of the gui showing the dhcp options please?

Jata please share:

/usr/local/etc/dnsmasq.conf

That way I can tell you if something is configured wrong.
Hardware:
DEC740

thanks for helping. Much appreciated.

dnsmasq.conf attached

Hello, I see nothing wrong with this config. The manual DHCP options can be removed as they're automatic (router and dns-server will always point to OPNsense when no options are set).

I imagine the issue to be dns related, and not dhcp related.
Hardware:
DEC740
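A small static checker for a dnsmasq.conf in the layout this thread discusses (dnsmasq as DHCP server on several VLANs), covering both the per-VLAN router/dns-server options asked about above and the "no upstream servers configured" warning from earlier in the thread. This is an added example, not code from the thread, OPNsense or dnsmasq; the sample config, interface names and addresses are constructed, and `check_conf`/`parse_conf` are hypothetical helper names.

```python
"""Check a dnsmasq.conf for per-range DHCP options and upstream servers.
Added example; the config text below is constructed, not a real OPNsense file."""
import re

# Constructed sample: the "guest" range has no option lines, and there is
# no server=/resolv-file= line, which makes dnsmasq log
# "no upstream servers configured" at startup.
SAMPLE_CONF = """
port=53053
no-resolv
interface=vlan0.1
interface=vlan0.20
dhcp-range=set:lan,192.168.1.100,192.168.1.200,24h
dhcp-range=set:guest,192.168.20.100,192.168.20.200,24h
dhcp-option=tag:lan,option:router,192.168.1.1
dhcp-option=tag:lan,option:dns-server,192.168.1.1
"""

def parse_conf(text):
    """Return (range tags, {tag: set of option names}, has_upstream)."""
    ranges, options, upstream = set(), {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "dhcp-range":                # dhcp-range=set:<tag>,...
            m = re.match(r"set:([^,]+)", value)
            ranges.add(m.group(1) if m else "")
        elif key == "dhcp-option":             # dhcp-option=[tag:<tag>,]option:<name>|<num>,...
            tag = ""
            tm = re.match(r"tag:([^,]+),(.*)", value)
            if tm:
                tag, value = tm.group(1), tm.group(2)
            om = re.match(r"(?:option:)?([\w-]+)", value)
            name = om.group(1) if om else "?"
            name = {"3": "router", "6": "dns-server"}.get(name, name)
            options.setdefault(tag, set()).add(name)
        elif key in ("server", "resolv-file"):
            upstream = True
    return ranges, options, upstream

def check_conf(text):
    """List findings; an empty list means nothing to flag."""
    ranges, options, upstream = parse_conf(text)
    findings = []
    if not upstream:
        findings.append("no server= or resolv-file=: dnsmasq logs 'no upstream servers "
                        "configured' and can only answer names it knows locally")
    for tag in sorted(ranges):
        have = options.get(tag, set()) | options.get("", set())  # tagged + untagged options
        for opt in ("router", "dns-server"):
            if opt not in have:
                findings.append(f"range '{tag}': no explicit {opt} option, so dnsmasq "
                                f"defaults it to its own address on that interface")
    return findings
```

Run it against the dnsmasq.conf OPNsense writes and the output tells you which ranges rely on dnsmasq's defaults (the router and dns-server options falling back to the OPNsense address on that VLAN) and whether forwarding is even possible.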

OK thanks. I will remove the dhcp options as suggested.

Is it expected that when I connect a client to VLAN20 the DHCP network settings show 192.168.20.1 as gateway and for DNS? I expected them to be 192.168.1.1 (VLAN01 - LAN)?

What should I be looking for to fix DNS? I followed the dnsmasq and config example precisely (and everything was working correctly with ISC dhcp).

The main difference now is that I have the DNS query forwarding to dnsmasq from Unbound - see screenshot attached.