Help With DHCP, IPv6 and DNS Please (OPNsense Newbie)

Started by WiteWulf, June 28, 2026, 12:02:01 PM

Hi folks, first time poster. I've recently moved to OPNsense (26.1.10, running as a VM on Proxmox) from OpenWrt. The migration went really well for the most part, but there's one thing I can't figure out and would like help with please.

I have a PiHole running on my network (in docker on a different device to OPNsense), and use DHCP Option 6 to tell my clients to use it as their DHCP server, with Unbound on the OPNsense device as the fallback. This was all I had to do on OpenWrt to get all LAN client DNS queries to go via my PiHole and I replicated this in dnsmasq on OPNsense. My IPv6 clients didn't receive an IPv6 DNS server with OpenWrt.

Since moving to OPNsense I noticed that some of my devices had started showing ads again, but saw that PiHole was still serving (some) requests on the LAN.

OPNsense is configuring the IPv6 clients on the LAN to use its Unbound service for DNS over IPv6, so I added DHCP Option 23 with the PiHole and Unbound servers' IPv6 addresses on dnsmasq hoping that would override whatever default setting was being applied.

My clients are acting on the DHCP Option 6 and configuring the PiHole and OPNsense as their IPv4 DNS servers, but ignoring the DHCP Option 23, and only configuring the OPNsense device for DNS over IPv6. Both DHCP Options are set to 'Force'.

Consequently:
a) IPv6 enabled devices prefer to use DNS over IPv6, and are only using Unbound on OPNsense (thus bypassing the PiHole)
b) IPv4 only devices are correctly using the PiHole as instructed via DHCP Option 6

I've tried both renewing DHCP leases and restarting my clients with no change in behaviour. I've checked that the PiHole is serving queries over IPv6.

How do I correctly tell my IPv6 clients to use the PiHole server?

June 28, 2026, 12:50:35 PM #1 Last Edit: June 28, 2026, 02:25:47 PM by meyergru
Some IPv6 clients act in an unexpected way with regard to DHCPv6 and its options. For example, Android devices cannot use DHCPv6 at all but use router advertisements (RA) instead. Some can use the RDNSS option.

That being said, I use RA in "unmanaged" mode for many reasons, but mainly because that is guaranteed to work. However, I do not use IPv6 DNS servers; those are not strictly needed if your clients can also do IPv4, because the IPv4 DNS server will also serve IPv6 addresses. This is all described here.

I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.

Alas, I cannot give much info about how to do it with DNSmasq, because I use Kea and Unbound. All I know is that DNSmasq has restrictions on its builtin RA mechanism, however, you can disable that and use RADVD instead.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+
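Since the reply above turns on what the router advertisement actually carries (M/O flags, RDNSS) versus what DHCPv6 option 23 says, here is an added example, not from the thread or from OPNsense/dnsmasq, that decodes an ICMPv6 Router Advertisement so you can see which resolvers the RA itself hands out. The sample packet is constructed, not captured: it mimics a router that sets the O flag, leaves M clear, and lists only its own address (2001:db8:1::1) in RDNSS. The Pi-hole address 2001:db8:1::53 used in the comparison is equally hypothetical. Feed `parse_ra_hex` the hex bytes of a real RA captured on a client with `tcpdump -x icmp6` to check your own network.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134          # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFO = 3             # Prefix Information option
OPT_RDNSS = 25                  # Recursive DNS Server option (RFC 8106)
OPT_DNSSL = 31                  # DNS Search List option (RFC 8106)
FLAG_MANAGED = 0x80             # M: addresses via stateful DHCPv6
FLAG_OTHER = 0x40               # O: other config (e.g. DNS) via DHCPv6
PIO_FLAG_AUTONOMOUS = 0x40      # A: prefix usable for SLAAC


@dataclass
class RouterAdvert:
    managed: bool
    other_config: bool
    router_lifetime: int
    prefixes: list = field(default_factory=list)   # (prefix, slaac_allowed)
    rdnss: list = field(default_factory=list)      # (lifetime, [resolver addresses])
    dnssl: list = field(default_factory=list)      # (lifetime, [search domains])


def _dnssl_names(buf: bytes) -> list:
    """Decode zero-padded DNS wire-format names (RFC 1035 labels)."""
    names, labels, pos = [], [], 0
    while pos < len(buf):
        n = buf[pos]
        pos += 1
        if n == 0:                  # end of a name, or trailing padding
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return names


def parse_ra(payload: bytes) -> RouterAdvert:
    """Parse the ICMPv6 payload of a Router Advertisement (checksum is not verified)."""
    if len(payload) < 16:
        raise ValueError("RA header is 16 bytes, got %d" % len(payload))
    icmp_type, _code, _cksum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement (type %d)" % icmp_type)
    ra = RouterAdvert(bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER), lifetime)
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header at offset %d" % off)
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:               # RFC 4861 4.6: a zero-length option means discard the packet
            raise ValueError("zero-length option at offset %d" % off)
        size = olen * 8
        body = payload[off + 2:off + size]
        if len(body) != size - 2:
            raise ValueError("option %d runs past end of packet" % otype)
        if otype == OPT_PREFIX_INFO and size == 32:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append(("%s/%d" % (prefix, plen), bool(pflags & PIO_FLAG_AUTONOMOUS)))
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            (lt,) = struct.unpack("!I", body[2:6])
            addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
            ra.rdnss.append((lt, addrs))
        elif otype == OPT_DNSSL and olen >= 2:
            (lt,) = struct.unpack("!I", body[2:6])
            ra.dnssl.append((lt, _dnssl_names(body[6:])))
        off += size                 # unknown options (SLLA, MTU, ...) are skipped
    return ra


def parse_ra_hex(hexdump: str) -> RouterAdvert:
    """Same as parse_ra, but for whitespace-separated hex as printed by tcpdump -x."""
    return parse_ra(bytes.fromhex("".join(hexdump.split())))


def unexpected_resolvers(ra: RouterAdvert, wanted) -> set:
    """RDNSS addresses the RA advertises that are not among the resolvers you intended."""
    wanted = {str(ipaddress.IPv6Address(a)) for a in wanted}
    return {a for _lt, addrs in ra.rdnss for a in addrs} - wanted


def build_sample_ra() -> bytes:
    """Constructed RA (not captured traffic): O set, M clear, RDNSS = the router's own address."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, FLAG_OTHER, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0) \
        + ipaddress.IPv6Address("2001:db8:1::").packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) \
        + ipaddress.IPv6Address("2001:db8:1::1").packed       # hypothetical router address
    dnssl = struct.pack("!BBHI", OPT_DNSSL, 2, 0, 1800) + b"\x03lan\x00" + b"\x00" * 3
    return hdr + pio + rdnss + dnssl


if __name__ == "__main__":
    ra = parse_ra(build_sample_ra())
    print("M=%s O=%s router lifetime=%ss" % (ra.managed, ra.other_config, ra.router_lifetime))
    print("prefixes:", ra.prefixes)
    print("RDNSS:", ra.rdnss)
    print("DNSSL:", ra.dnssl)
    # 2001:db8:1::53 stands in for a hypothetical Pi-hole; the RA points clients elsewhere.
    print("advertised but not wanted:", unexpected_resolvers(ra, ["2001:db8:1::53"]))
```

If `unexpected_resolvers` comes back non-empty for a capture from your own LAN, the RA (not DHCPv6) is what is steering dual-stack clients to the router; option 23 changes in dnsmasq will not alter that output, which is what the thread's symptoms look like.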

Thank you, that's gone some way to explaining a previous problem I had.

When I initially set the OPNsense device up I tried setting my 'LAN IPv6 Configuration Type' to 'Identity Association' (as per some docs I found), but my LAN clients didn't receive an IPv6 configuration. Changing that to 'Track Interface (legacy)' "just worked", so I left it at that. It seems that this automatically configures a DHCPv6/RA for the LAN, and I suspect this ignores any changes made in the dnsmasq settings UI.

I assume, then, that I need to manually configure an RA or DHCPv6 range when using 'Identity Association'? I'll have a detailed read of your article you linked to and have a go at that. Thanks again.

Quote from: meyergru on June 28, 2026, 12:50:35 PM
I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.

Horrible idea:
The Pi-Hole Query Log will only show the Router IP Address as the Client instead of each Client on your network with its own IP Address!!

The one and only right way is to tell all your Clients that they should talk to Pi-Hole directly as their only DNS Server.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Who wants to look at a DNS query log and for what purpose? And even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?

Quote from: meyergru on June 28, 2026, 10:24:03 PM
Who wants to look at a DNS query log and for what purpose?

To check what's going on when you need to block something that's not blocked by the current Blocking Lists and/or to see who has been naughty by calling home :)

Quote:
And even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?

Because I have Pi-Hole + Unbound running on a separate Server for many years now and like to keep it that way, so I have completely Disabled Unbound @ OPNsense right after the first boot.

My OPNsense does Routing/NAT/Firewall/DHCP and that's all it needs to do for me :)

O.K., I never had the need to look at those logs. I do adblocking using browser plugins.

If you normally use OpnSense for all things network-centric, you may be better off to have everything pertaining to logging and things there. Also, if you have DNS problems because of excessive blocking, you can switch centrally on OpnSense only this way, because otherwise you would have to wait for your clients to pick up the alternative DNS server IP.