Uncheck the obscure box on KEA to add the DNS server ... Oh, Come On!

Started by coffeecup25, August 04, 2025, 02:49:44 PM

I very recently reconfigured OPNsense to add a 2nd subnet that uses an open port on my router. Adding the interface at the start was easy. Adding the new rules at the end to keep the two subnets apart was easy. (Copy the two LAN rules over to the new interface and change accordingly. Add a new rule at the top that explicitly says keep the new interface out of the existing interface.)

I replaced ISC with KEA and managed to figure out the rather obscure basic configurations. It was not too bad. The CSV auto-load was very nice.

What was impossible to figure out until I Googled the right page on the internet on a Q/A site somewhere was how to add the DNS site for the new interface so traffic could exit onto the internet. Remember, the new subnet is isolated from the original one, as it would be with most subnets on most routers, I assume. That's the purpose of a 2nd subnet.

Why on Earth did you people hide it there? Nobody could figure out to uncheck that box without someone telling them. It took over an hour of frustration, and then I feel I was lucky to query the right answer board.

KEA works great now.

But "auto collect option data" does place the interface address into the gateway and DNS server options - what's wrong with that? Each subnet/interface gets its own matching and isolated DNS server address.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 04, 2025, 03:41:37 PMBut "auto collect option data" does place the interface address into the gateway and DNS server options - what's wrong with that? Each subnet/interface gets its own matching and isolated DNS server address.

The obscure terminology in this case makes your answer difficult to understand.

I also have unbound listening on port 5353 for Adguard Home. I have no idea if that causes problems on the new subnet. It probably did since it appears to apply universally.

I can absolutely assure you that the new subnet could not access the internet until I added 9.9.9.9 to the DNS once I could find out where to type it in. Besides, some people override to separate DNS servers because it is how their setup works. Hiding where to do that is a bad idea. The trial and error I did before finding the right place knocked out the entire Router. I had to sign on to the console, factory reset the router, and reload from a good backup. Writing rules to allow DNS only to flow to and from the new subnet did not work, either.

Quote from: coffeecup25 on August 04, 2025, 04:32:21 PMThe obscure terminology in this case makes your answer difficult to understand.

"Auto collect option data" is exactly what that checkbox you complained about is labelled. So I fail to see what is obscure about my answer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: coffeecup25 on August 04, 2025, 04:32:21 PM[...]
I can absolutely assure you that the new subnet could not access the internet until I added 9.9.9.9 to the DNS once I could find out where to type it in. Besides, some people override to separate DNS servers because it is how their setup works. Hiding where to do that is a bad idea. The trial and error I did before finding the right place knocked out the entire Router. I had to sign on to the console, factory reset the router, and reload from a good backup. Writing rules to allow DNS only to flow to and from the new subnet did not work, either.

Did you check the client leases to see what was being assigned? Are your DNS servers for OPNsense itself unsuitable for clients?

I use the overrides by default, and I don't find them particularly obscure. How would you improve the UI? I think greying out the settings rather than hiding them might be a more obvious choice, but I'm not sure if it would fit the interface standard (e.g. availability of the "help" button for a disabled field).

Thanks, by the way, for the reminder - I still had my old test config in place, and needed to update the DNS servers.

I don't follow your last statement, but it may not be relevant.
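The question above ("what was being assigned?") is answered by the options in the DHCPOFFER/DHCPACK the server actually sends, not by the lease table, which records addresses but not option data. The following is an added example, not code from the thread or from OPNsense/Kea: it decodes the option area of a DHCP message and reports the router (option 3) and DNS server (option 6) values, which in Kea's own JSON are the `routers` and `domain-name-servers` entries under `option-data`. The two sample offers are constructed for the demo; the subnet 192.168.50.0/24 and interface address 192.168.50.1 are assumptions, not the poster's actual network. The first sample reproduces the "auto collect" outcome described in the thread (interface address handed out as both gateway and DNS); the second is the explicit 9.9.9.9 override.

```python
"""Decode a DHCPOFFER and report the gateway and DNS servers it hands out.

Added example for checking what a DHCP server (Kea or otherwise) is actually
assigning to clients. Sample offers below are constructed, not captured.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 1, 3, 6, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a BOOTP/DHCP UDP payload into {code: bytes}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: concatenate split options
        i += 2 + length
    return opts


def addresses(raw: bytes) -> list:
    """Turn the raw value of an address-list option into dotted-quad strings."""
    if len(raw) % 4:
        raise ValueError("address option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def summarize_offer(payload: bytes) -> dict:
    """Return message type, offered address, routers and DNS servers."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "type": MSG_TYPES.get(msg_type, "UNKNOWN"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),   # 'your' IP address field
        "routers": addresses(opts.get(OPT_ROUTER, b"")),
        "dns": addresses(opts.get(OPT_DNS, b"")),
    }


def dns_points_at_gateway(summary: dict) -> bool:
    """True when a handed-out DNS server is the gateway itself (the auto-collect case).

    Only works if a resolver on the gateway actually listens on UDP/TCP 53 for
    that interface; a resolver moved to another port will not answer clients.
    """
    return any(d in summary["routers"] for d in summary["dns"])


def build_offer(yiaddr: str, routers: list, dns: list) -> bytes:
    """Construct a minimal DHCPOFFER for the demo (sample data, not a real capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6          # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[4:8] = struct.pack("!I", 0xDEADBEEF)  # xid
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed

    def opt(code: int, data: bytes) -> bytes:
        return bytes([code, len(data)]) + data

    body = opt(OPT_MSG_TYPE, b"\x02")
    body += opt(OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed)
    body += opt(OPT_ROUTER, b"".join(ipaddress.IPv4Address(r).packed for r in routers))
    body += opt(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns))
    return bytes(hdr) + DHCP_MAGIC + body + bytes([OPT_END])


# Constructed samples (assumed subnet 192.168.50.0/24, interface 192.168.50.1).
AUTO_COLLECT_OFFER = build_offer("192.168.50.20", ["192.168.50.1"], ["192.168.50.1"])
OVERRIDE_OFFER = build_offer("192.168.50.20", ["192.168.50.1"], ["9.9.9.9"])

if __name__ == "__main__":
    for label, pkt in (("auto collect", AUTO_COLLECT_OFFER), ("override", OVERRIDE_OFFER)):
        s = summarize_offer(pkt)
        print(label, s, "dns==gateway:", dns_points_at_gateway(s))
```

To run this against real traffic, capture the exchange on the client-side interface (for example `tcpdump -i <interface> -w dhcp.pcap port 67 or port 68`), then pass the UDP payload of the OFFER or ACK to `summarize_offer`; the Ethernet, IP and UDP headers must be stripped first, which a pcap library such as scapy or dpkt does for you. If option 6 comes back as the gateway address, the next check is whether a resolver on the firewall is bound to port 53 on that interface.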

Quote from: Patrick M. Hausen on August 04, 2025, 06:00:11 PM
Quote from: coffeecup25 on August 04, 2025, 04:32:21 PMThe obscure terminology in this case makes your answer difficult to understand.

"Auto collect option data" is exactly what that checkbox you complained about is labelled. So I fail to see what is obscure about my answer.

The problem was that box needed to be UNCHECKED to find the missing entry fields. (Probably. I don't have the actual screens in front of me, so if it's a different box, you got me.) This is not an obvious thing to do. These fields are usually openly presented and obvious. Except for you. The rest of us are not so gifted.

Quote from: pfry on August 04, 2025, 06:14:42 PM
Quote from: coffeecup25 on August 04, 2025, 04:32:21 PM[...]
I can absolutely assure you that the new subnet could not access the internet until I added 9.9.9.9 to the DNS once I could find out where to type it in. Besides, some people override to separate DNS servers because it is how their setup works. Hiding where to do that is a bad idea. The trial and error I did before finding the right place knocked out the entire Router. I had to sign on to the console, factory reset the router, and reload from a good backup. Writing rules to allow DNS only to flow to and from the new subnet did not work, either.

Did you check the client leases to see what was being assigned? Are your DNS servers for OPNsense itself unsuitable for clients?

I use the overrides by default, and I don't find them particularly obscure. How would you improve the UI? I think greying out the settings rather than hiding them might be a more obvious choice, but I'm not sure if it would fit the interface standard (e.g. availability of the "help" button for a disabled field).

Thanks, by the way, for the reminder - I still had my old test config in place, and needed to update the DNS servers.

I don't follow your last statement, but it may not be relevant.

Yes. I did all those things that applied. I've never heard of an unsuitable DNS server so they must be rare. Does 9.9.9.9 not work for you?

The last statement about using rules to override DNS ports between subnets was in desperation as nothing else worked. It did not work either. Port overrides are protected fields for unknown reasons.

To improve the situation I would make common fields easy to find and use. KEA needs a lot of work in usability. The actual DHCP server works perfectly in conjunction with unbound once you figure out the data entry.

As I wrote clearly above, as soon as I entered the override DNS (9.9.9.9) the subnet popped to life.

Override DNS servers may be easy to find on ISC, but that is deprecated so I chose not to use it. DNSMASQ is too simple to use for my purposes. Override DNS servers are obvious on every retail router I have ever used on the DHCP pages. These fields are generally how someone uses pihole or Adguard Home if they are on outside home servers.

Quote from: coffeecup25 on August 04, 2025, 07:15:15 PMThe problem was that box needed to be UNCHECKED to find the missing entry fields. This is not an obvious thing to do. These fields are usually openly presented and obvious.

You are right and I agree. I made that remark because I read the obscurity as applying to my post, not to the UI.

There would be one way to keep the fields hidden and still easy to find: put that prominent "advanced settings" button at the very top where people expect such a thing because it is in dozens of other dialogs.

And then take an empty field as "auto populate" and an explicit value as exactly that.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 04, 2025, 07:36:53 PM
Quote from: coffeecup25 on August 04, 2025, 07:15:15 PMThe problem was that box needed to be UNCHECKED to find the missing entry fields. This is not an obvious thing to do. These fields are usually openly presented and obvious.

You are right and I agree. I made that remark because I read the obscurity as applying to my post, not to the UI.

There would be one way to keep the fields hidden and still easy to find: put that prominent "advanced settings" button at the very top where people expect such a thing because it is in dozens of other dialogs.

And then take an empty field as "auto populate" and an explicit value as exactly that.

Kind regards,
Patrick

Thank you for your thoughtful reply. They are almost there with it. A little more user orientation and voila. I personally would present all the fields as even most retail routers currently do.

Quote from: coffeecup25 on August 04, 2025, 07:16:55 PM[...]
Yes. I did all those things that applied. I've never heard of an unsuitable DNS server so they must be rare. [...]

Heh. I was hoping you'd specify what was assigned, if anything. I don't recall trying the autocollect setting.
As for unsuitable servers: Specific use, such as a server with:
- Access controls;
- Non-public records;
- Spoofed records.
That sort of thing. Not too common for individual users, but you never can tell. Some of the folks here have pretty complex setups.
My old employer spoofed the record for one of the office supply stores (with a "do not go here" page)... even though it was an official supplier. Whee.

Quote from: Patrick M. Hausen on August 04, 2025, 07:36:53 PM[...]
There would be one way to keep the fields hidden and still easy to find: put that prominent "advanced settings" button at the very top where people expect such a thing because it is in dozens of other dialogs. [...]

That might be the thing: hiding all of the fields and presenting a more prominent unhide option sounds better.

Quote from: pfry on August 04, 2025, 09:16:46 PM
Quote from: coffeecup25 on August 04, 2025, 07:16:55 PM[...]
Yes. I did all those things that applied. I've never heard of an unsuitable DNS server so they must be rare. [...]

Heh. I was hoping you'd specify what was assigned, if anything. I don't recall trying the autocollect setting.
As for unsuitable servers: Specific use, such as a server with:
- Access controls;
- Non-public records;
- Spoofed records.
That sort of thing. Not too common for individual users, but you never can tell. Some of the folks here have pretty complex setups.
My old employer spoofed the record for one of the office supply stores (with a "do not go here" page)... even though it was an official supplier. Whee.

Quote from: Patrick M. Hausen on August 04, 2025, 07:36:53 PM[...]
There would be one way to keep the fields hidden and still easy to find: put that prominent "advanced settings" button at the very top where people expect such a thing because it is in dozens of other dialogs. [...]

That might be the thing: hiding all of the fields and presenting a more prominent unhide option sounds better.

What part of 9.9.9.9 as a DNS server do you not understand? I mentioned it at least twice. If you don't know what that means, you should look it up and then feel embarrassed.

Why does making something easy to use enrage some people?

Quote from: coffeecup25 on August 04, 2025, 09:20:00 PMWhat part of 9.9.9.9 as a DNS server do you not understand? I mentioned it at least twice. If you don't know what that means, you should look it up and then feel embarrassed.

Why does making something easy to use enrage some people?

? Ah, I see. Vague question. "What was assigned" = assignments provided to your client(s) by the Kea service with autocollect selected. Don't worry about it.

Boy, am I embarrassed and enraged.

Quote from: pfry on August 05, 2025, 04:04:57 AM
Quote from: coffeecup25 on August 04, 2025, 09:20:00 PMWhat part of 9.9.9.9 as a DNS server do you not understand? I mentioned it at least twice. If you don't know what that means, you should look it up and then feel embarrassed.

Why does making something easy to use enrage some people?

? Ah, I see. Vague question. "What was assigned" = assignments provided to your client(s) by the Kea service with autocollect selected. Don't worry about it.

Boy, am I embarrassed and enraged.

Thank you for your reply.