Dnsmasq - doesn't work for ip4

GreenMatter · March 03, 2026, 05:38:50 PM

I've just configured (in 26.1.2_5) HA - CARP VIPs for WAN and all my vlans. I made sure that VIPs have correct netmask (same as respective vlan).
I use Dnsmasq DNS & DHCP as DHCP server (ip4, ip6 in RA mode: slaac and ra-names).
And once I switched over to VIPs I had lost ip4 DHCP connectivity. I verified VIPs netmasks, in dnsmasq there's no any relevant option except selecting interfaces and strict binding - which doesn't help.
When I manually assign in client ip4 address - all works fine, connectivity is flawless even with switching over between master and backup...

Have I missed something, how to fix it??

EDIT:
Both opnsense instances are virtualised - Proxmox VM

nero355 · March 03, 2026, 06:27:31 PM

If you are running a HA setup then you need KEA DHCP Server : https://docs.opnsense.org/manual/dhcp.html ;)

GreenMatter · March 03, 2026, 07:28:52 PM

Quote from: nero355 on March 03, 2026, 06:27:31 PMyou need KEA DHCP Server

Thanks, just migrated to dnsmasq a few months ago... I also use wifi enterprise and freeradius.
For test purposes I configured KEA on one vlan (stopped dnsmasq), as per https://docs.opnsense.org/manual/kea.html, have added standby and primary HA peers (firewall rules as well) did synchronisation. KEA receives heartbeat but still nothing - I can't get assigned ip4 address in client.

GreenMatter · March 03, 2026, 09:52:44 PM

As far as I can see, even KEA sends dhcp offers from interface address and not VIP. Is it correct?

Seimus · Reply #4 - Re: Dnsmasq - doesn't work for ip4

Yes that is correct, that's how DHCP works.

You can have the Clients to reach the VIP, but the response for DHCP offer will come from the interface IP and not VIP.
You can only bind the listening interface/IP but not the responding.

I am running two DHCP servers based on DNSmasq on linux servers. They are both active, as DNSmasq doesnt support HA, so I have set on the second one a delay in response. Meaning the first server always is the one respond first.

Regards,
S.

GreenMatter · Reply #5 - Re: Dnsmasq - doesn't work for ip4

Quote from: Seimus on Today at 12:24:19 PMYes that is correct, that's how DHCP works.

Ok, I understand. But still, once HA (vlans carp vip) is activated, dhcp clients in lan don't receive ip4 address. FW rules have been created automatically...

Seimus · Reply #6 - Re: Dnsmasq - doesn't work for ip4

You should review your secondary DHCP server then as well live log if you see anything blocked or dropped.

Regards,
S.

GreenMatter · Reply #7 - Re: Dnsmasq - doesn't work for ip4

The issue shows up once VIPs are set. Even with backup instance completely off, I'm not able to obtain ip4 address. In dhcp logs, I can see offers being sent, maybe auto FW rules are not correct?

nero355 · Reply #8 - Re: Dnsmasq - doesn't work for ip4

Quote from: GreenMatter on March 03, 2026, 07:28:52 PMFor test purposes I configured KEA on one vlan (stopped dnsmasq)

OPNsense does not support a different DHCP Server per Interface so if you want to test then you need to move EVERYTHING to KEA sadly !!

Dnsmasq - doesn't work for ip4

GreenMatter

March 03, 2026, 05:38:50 PM Last Edit: March 03, 2026, 06:17:57 PM by GreenMatter

nero355

March 03, 2026, 06:27:31 PM #1

GreenMatter

March 03, 2026, 07:28:52 PM #2

GreenMatter

March 03, 2026, 09:52:44 PM #3

Seimus

Today at 12:24:19 PM #4

GreenMatter

Today at 02:59:19 PM #5

Seimus

Today at 03:12:31 PM #6

GreenMatter

Today at 03:20:56 PM #7

nero355

Today at 09:14:47 PM #8