Help With DHCP, IPv6 and DNS Please (OPNsense Newbie)

Started by WiteWulf, June 28, 2026, 12:02:01 PM

Hi folks, first time poster. I've recently moved to OPNsense (26.1.10, running as a VM on Proxmox) from OpenWrt. The migration went really well for the most part, but there's one thing I can't figure out and would like help with please.

I have a PiHole running on my network (in docker on a different device to OPNsense), and use DHCP Option 6 to tell my clients to use it as their DHCP server, with Unbound on the OPNsense device as the fallback. This was all I had to do on OpenWrt to get all LAN client DNS queries to go via my PiHole and I replicated this in dnsmasq on OPNsense. My IPv6 clients didn't receive an IPv6 DNS server with OpenWrt.

Since moving to OPNsense I noticed that some of my devices had started showing ads again, but saw that PiHole was still serving (some) requests on the LAN.

OPNsense is configuring the IPv6 clients on the LAN to use its Unbound service for DNS over IPv6, so I added DHCP Option 23 with the Pihole and Unbound servers' IPv6 addresses on dnsmasq hoping that would override whatever default setting was being applied.

My clients are acting on the DHCP Option 6 and configuring the PiHole and OPNsense as their IPv4 DNS servers, but ignoring the DHCP Option 23, and only configuring the OPNsense device for DNS over IPv6. Both DHCP Options are set to 'Force'.

Consequently:
a) IPv6 enabled devices prefer to use DNS over IPv6, and are only using Unbound on OPNsense (thus bypassing the PiHole)
b) IPv4 only devices are correctly using the PiHole as instructed via DHCP Option 6

I've tried both renewing DHCP leases and restarting my clients with no change in behaviour. I've checked that the PiHole is serving queries over IPv6.

How do I correctly tell my IPv6 clients to use the PiHole server?

June 28, 2026, 12:50:35 PM #1 Last Edit: June 28, 2026, 02:25:47 PM by meyergru
Some IPv6 clients act in an unexpected way with respect to DHCPv6 and its options. For example, Android devices cannot use DHCPv6 at all but use router advertisements (RA) instead. Some can use the RDNSS option.

That being said, I use RA in "unmanaged" mode for many reasons, but mainly because that is guaranteed to work, but I do not use IPv6 DNS servers - those are not strictly needed if your clients can also do IPv4, because the IPv4 DNS server will also serve IPv6 addresses. This is all described here.

I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.

Alas, I cannot give much info about how to do it with DNSmasq, because I use Kea and Unbound. All I know is that DNSmasq has restrictions on its builtin RA mechanism, however, you can disable that and use RADVD instead.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+
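The OP set DHCPv6 option 23 and the reply above points at RA/RDNSS instead. These are two separate channels, and which one a host listens to depends on the RA flags and on whether the host runs a DHCPv6 client at all. The decoder below is an added example for this thread, not code from OPNsense, dnsmasq or any poster: it builds and parses the RA RDNSS option (ND type 25) and DHCPv6 OPTION_DNS_SERVERS (code 23), then applies a simplified model of client behaviour. The packets are constructed by hand and fd00::1 (router) and fd00::53 (filtering resolver) are made-up addresses.

```python
"""Decode the two channels through which an IPv6 host learns its DNS servers:
the Router Advertisement RDNSS option (ND option type 25, RFC 8106) and the
DHCPv6 OPTION_DNS_SERVERS option (code 23, RFC 3646).
Added example for this thread, not code from OPNsense, dnsmasq or the posters.
Every packet here is constructed by hand; fd00::1 (router) and fd00::53
(filtering resolver) are made-up addresses."""
import struct
from ipaddress import IPv6Address

ND_ROUTER_ADVERT = 134
ND_OPT_RDNSS = 25
DHCPV6_OPT_DNS_SERVERS = 23


def build_rdnss(addrs, lifetime=1800):
    """RDNSS option: type, length in 8-byte units, reserved, lifetime, addresses."""
    packed = b"".join(IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", ND_OPT_RDNSS, 1 + 2 * len(addrs), 0, lifetime) + packed


def build_ra(managed, other, options=b""):
    """Minimal ICMPv6 RA header (checksum left as zero) followed by ND options."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    return hdr + options


def build_dhcpv6_dns_option(addrs):
    """DHCPv6 option 23: code, length, then one or more 16-byte addresses."""
    packed = b"".join(IPv6Address(a).packed for a in addrs)
    return struct.pack("!HH", DHCPV6_OPT_DNS_SERVERS, len(packed)) + packed


def parse_ra(icmp):
    """Return the M/O flags and every (address, lifetime) from RDNSS options."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    flags = icmp[5]
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "rdnss": []}
    i = 16
    while i + 8 <= len(icmp):
        typ, length = icmp[i], icmp[i + 1]
        if length == 0 or i + 8 * length > len(icmp):
            raise ValueError("malformed ND option")
        body = icmp[i + 2:i + 8 * length]          # reserved(2) lifetime(4) addrs(16*n)
        if typ == ND_OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]
            for k in range(6, len(body) - 15, 16):
                info["rdnss"].append((str(IPv6Address(body[k:k + 16])), lifetime))
        i += 8 * length
    return info


def parse_dhcpv6_options(payload):
    """DHCPv6 options are TLVs with a 2-byte code and a 2-byte length."""
    out, i = {}, 0
    while i + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, i)
        i += 4
        if i + length > len(payload):
            raise ValueError("truncated DHCPv6 option %d" % code)
        out[code] = payload[i:i + length]
        i += length
    return out


def dhcpv6_dns_servers(options):
    raw = options.get(DHCPV6_OPT_DNS_SERVERS, b"")
    if len(raw) % 16:
        raise ValueError("option 23 length is not a multiple of 16")
    return [str(IPv6Address(raw[k:k + 16])) for k in range(0, len(raw), 16)]


def client_dns_servers(ra_info, dhcpv6_options, speaks_dhcpv6):
    """Simplified model (an assumption, not any OS's exact logic): RDNSS entries
    with a non-zero lifetime are taken straight from the RA; option 23 only
    reaches hosts that run a DHCPv6 client and are told to by the M or O flag."""
    servers = [a for a, lifetime in ra_info["rdnss"] if lifetime > 0]
    if speaks_dhcpv6 and (ra_info["managed"] or ra_info["other"]):
        servers += dhcpv6_dns_servers(dhcpv6_options)
    return list(dict.fromkeys(servers))            # de-duplicate, keep order


def scenarios():
    router, pihole = "fd00::1", "fd00::53"
    opt23 = parse_dhcpv6_options(build_dhcpv6_dns_option([pihole, router]))
    # 1: RA carries the router itself in RDNSS, M/O clear: option 23 is never fetched
    ra_default = parse_ra(build_ra(False, False, build_rdnss([router])))
    # 2: same RDNSS but O flag set: DHCPv6-capable hosts also fetch option 23
    ra_other = parse_ra(build_ra(False, True, build_rdnss([router])))
    # 3: unmanaged RA with DNS disabled: no IPv6 resolver is learned at all
    ra_no_dns = parse_ra(build_ra(False, False))
    return {
        "default/android": client_dns_servers(ra_default, opt23, speaks_dhcpv6=False),
        "default/dhcpv6": client_dns_servers(ra_default, opt23, speaks_dhcpv6=True),
        "other/dhcpv6": client_dns_servers(ra_other, opt23, speaks_dhcpv6=True),
        "other/android": client_dns_servers(ra_other, opt23, speaks_dhcpv6=False),
        "no_dns/dhcpv6": client_dns_servers(ra_no_dns, opt23, speaks_dhcpv6=True),
    }


if __name__ == "__main__":
    for name, servers in scenarios().items():
        print("%-16s %s" % (name, servers or "(none: IPv4 DNS from option 6 only)"))
```

Under this model a host that does not speak DHCPv6 (the Android case in the reply) only ever sees what the RA's RDNSS carries, and a host that does speak DHCPv6 still ignores option 23 while the RA has neither M nor O set. Only the third scenario, an RA without RDNSS, leaves the clients with IPv4 DNS alone, which is what the OP eventually wants.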

Thank you, that's gone some way to explaining a previous problem I had.

When I initially set the OPNsense device up I tried setting my 'LAN IPv6 Configuration Type' to 'Identity Association' (as per some docs I found), but my LAN clients didn't receive an IPv6 configuration. Changing that to 'Track Interface (legacy)' "just worked", so I left it at that. It seems that this automatically configures a DHCPv6/RA for the LAN, and I suspect this ignores any changes made in the dnsmasq settings UI.

I assume, then, that I need to manually configure an RA or DHCPv6 range when using 'Identity Association'? I'll have a detailed read of the article you linked to and have a go at that. Thanks again.

Quote from: meyergru on June 28, 2026, 12:50:35 PM
I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.

Horrible idea:
The Pi-Hole Query Log will only show the Router IP Address as the Client instead of each Client on your network with its own IP Address !!

The one and only right way is to tell all your Clients that they should talk to Pi-Hole directly as their only DNS Server.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Who wants to look at a DNS query log and for what purpose? And even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

Quote from: meyergru on June 28, 2026, 10:24:03 PM
Who wants to look at a DNS query log and for what purpose?

To check what's going on when you need to block something that's not blocked by the current Blocking Lists and/or to see who has been naughty by calling home :)

Quote:
And even if you do, why not look at OpnSense's DNS logs, if you care about who asks for what?

Because I have Pi-Hole + Unbound running on a separate Server for many years now and like to keep it that way so I have completely Disabled Unbound @ OPNsense right after the first boot.

My OPNsense does Routing/NAT/Firewall/DHCP and that's all it needs to do for me :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

O.K., I never had the need to look at those logs. I do adblocking using browser plugins.

If you normally use OpnSense for all things network-centric, you may be better off to have everything pertaining to logging and things there. Also, if you have DNS problems because of excessive blocking, you can switch centrally on OpnSense only this way, because otherwise you would have to wait for your clients to pick up the alternative DNS server IP.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

Thanks folks, to echo @nero355's response, allowing all clients to query OPNsense, then forwarding those to PiHole breaks my setup in two ways:
- I do client/group specific filter lists on pihole, so need to know who's making the query
- I like to have two different DNS servers configured on all clients in case one fails. Pihole has failed a few times for me, so having the DNS service on my router available to clients as a fallback is important to me

Quote from: meyergru on June 28, 2026, 10:36:17 PM
O.K., I never had the need to look at those logs. I do adblocking using browser plugins.
I do too, but as you know you can't block everything that way just like you can't block everything on DNS level :)

And then there are also modified Clients for certain services...

You simply need all the options you can have these days to stop all the advertising crap bugging you :(

Quote:
If you normally use OpnSense for all things network-centric, you may be better off to have everything pertaining to logging and things there.
Actually I think that a lot of people overload their OPNsense with too many Services these days and because of that have a lot of unnecessary issues when you look at some topics here on the forum :)

Quote:
Also, if you have DNS problems because of excessive blocking, you can switch centrally on OpnSense only this way, because otherwise you would have to wait for your clients to pick up the alternative DNS server IP.
That's not needed most of the time :
- Pi-Hole Query Log has excellent filtering for everything.
- A lot of stuff can be changed instantly.
- And you can even simply DISABLE just the Ads Blocking part for a certain amount of time :)

Quote from: WiteWulf on June 29, 2026, 05:11:48 PM
Thanks folks, to echo @nero355's response, allowing all clients to query OPNsense, then forwarding those to PiHole breaks my setup in two ways:
- I do client/group specific filter lists on pihole, so need to know who's making the query
I totally forgot to mention that too!

VERY IMPORTANT indeed !! :)

Quote:
- I like to have two different DNS servers configured on all clients in case one fails. Pihole has failed a few times for me, so having the DNS service on my router available to clients as a fallback is important to me.
Just avoid having one DNS Server blocking ads and one DNS Server not blocking ads but both of them being used by your Clients at the same time and you should be fine.

There are also options to run two Pi-Hole instances at the same time with one VRRP IP Address being shared by them by the way ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Thanks for the tips, I now have a system I'm happy with after:
- changing the 'IPv6 Configuration Type' back to 'Identity Association'
- adding a Router Advertisement entry in 'Unmanaged' mode with DNS disabled (you have to enable 'advanced mode' to make this tick box visible)

NB. with DNS enabled, but no DNS servers specified, it still sends out the OPNsense device's IPv6 address as a DNS server. You have to explicitly disable DNS in the RA entry to stop this. Not a helpful default in my case.

My clients are now only receiving the IPv4 addresses for my PiHole and OPNsense Unbound, in that order, and will fallback to the OPNsense server if the PiHole goes away for whatever reason.

Quote from: WiteWulf on Today at 06:02:15 PM
My clients are now only receiving the IPv4 addresses for my PiHole and OPNsense Unbound, in that order, and will fallback to the OPNsense server if the PiHole goes away for whatever reason.

AFAIK, this is a common misconception: There is no guaranteed order if you specify multiple DNS servers. A client may choose to send out the DNS queries in parallel and take the first answer. Thus, the order is arbitrary, so this is not a "fallback" in its strict sense. This exact behaviour can be detrimental for DNS blocking.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+
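The last reply's point, that a list of two DNS servers is only a fallback on clients that actually try them in order, is easiest to see with a small model of the two stub-resolver strategies. The code below is an added example for this thread, not measurements of any real client: the strategies, the latencies, the blocklist and the 203.0.113.10 / 0.0.0.0 answers are all assumptions chosen to show the mechanism (a filtering resolver listed first, an unfiltered router resolver listed second, as in the OP's final setup).

```python
"""Model of two stub-resolver strategies for a host handed several DNS servers.
Added example for this thread; strategies, latencies, blocklist and answers are
assumptions used to illustrate the point, not the behaviour of a named OS."""
from dataclasses import dataclass
from typing import Callable, Optional

BLOCKED = "0.0.0.0"
BLOCKLIST = {"ads.example.net"}        # constructed blocklist


@dataclass
class Upstream:
    name: str
    latency_ms: Optional[int]          # None models a server that never answers
    answer: Callable[[str], str]


def filtering_answer(qname):
    """What a blocking resolver returns: a sinkhole for listed names."""
    return BLOCKED if qname in BLOCKLIST else "203.0.113.10"


def plain_answer(qname):
    """What an unfiltered resolver returns for the same name."""
    return "203.0.113.10"


def sequential(upstreams, qname, timeout_ms=2000):
    """Ask servers in configured order; move on only when one does not answer
    within the timeout. This is the strict 'fallback' reading of the list."""
    for up in upstreams:
        if up.latency_ms is not None and up.latency_ms <= timeout_ms:
            return up.name, up.answer(qname)
    return None, None


def first_answer_wins(upstreams, qname):
    """Query every server at once and accept the fastest reply (simulated
    clock: the lowest latency wins). Order in the list plays no part."""
    alive = [u for u in upstreams if u.latency_ms is not None]
    if not alive:
        return None, None
    fastest = min(alive, key=lambda u: u.latency_ms)
    return fastest.name, fastest.answer(qname)


def compare(pihole_latency_ms, router_latency_ms=2, qname="ads.example.net"):
    """Run both strategies against the same two-server list and return who
    answered and what they said."""
    upstreams = [
        Upstream("pihole", pihole_latency_ms, filtering_answer),   # listed first
        Upstream("router", router_latency_ms, plain_answer),       # listed second
    ]
    return {
        "sequential": sequential(upstreams, qname),
        "parallel": first_answer_wins(upstreams, qname),
    }


if __name__ == "__main__":
    print("pihole up, slower than router:", compare(15))
    print("pihole up, faster than router:", compare(1))
    print("pihole down:                   ", compare(None))
```

With the filtering server up but a few milliseconds slower, the sequential client is blocked as intended while the parallel client gets the real address from the router and the ad loads; with the filtering server down, only the sequential case is a fallback in the strict sense. That is the reason behind the earlier advice in this thread not to mix a blocking and a non-blocking resolver in the same client list.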