You can find my config of switch VLANs bolow.

Снимок экрана 2025-01-17 в 16.36.16.png

For example, when using LAN1, I have no warm logs etc. When I am using LAN2 or LAN3, i have the log below.

WARN [kea-dhcp4.dhcpsrv.0x5f459be12000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface mvneta1, reason: failed to bind fallback socket to address 192.168.103.1, port 67, reason: Address already in use - is another DHCP server running?

Also, when I log in to the admin console, dhcp is down, but after reloading it is OK.

Снимок экрана 2025-01-17 в 17.03.59.png

Please, someone explain it to me.

685ef897-9dfa-4656-81a3-8cb04f4c40f8-image.png

I am aware of the resolver interval, is there a way to bypass one url

example imap.gmail.com always forward to 8.8.8.8 do not save in firewall dns namesever for reuse

thus every time it gets the new ip address google has for the mail server, they change so fast the firewall can't keep up so the mail app at times says error after 5 mins it will resolve but that is unacceptable for modern use.

@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

But existing and enabled are or should be two different things.

When an interface is not connected (you ripped out the network, or powered down the device or switch on the other side), the DHCP server serving that interface will detect the "DOWN" system / hardware event, and shut down.
pfSense won't even show you your DHCP server instance anymore.
But, no panic, the settings will still be there. And when you connect (power up) the connection, it will auto-start, with the previously known settings.

@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

One other issues I have come across is that KEA DHCP causes issues throwing PHP errors / crash reports in conjunction with pfblockerng dev.

kea initially, when using 23.09 ? I can't recall, work fine but the implemention'27.2' (and 23.09, 24.03, before 24.11 came out) was, for my needs, to minimalist.
You can use Kea, if you validated your requirement first.

Here they are : Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

As you can see, the details are here - published November 2023 :

15493662-314e-4f6b-a7b1-21d126113858-image.png

So, you need "static MAC DHCP leases" ?
Ok, fine. Stick with ISC for the moment.

Right now, 24.11 adds static DHCP leases, DNS registration, but is still limited about adding your own DHCP options.
The upcoming 2.8.0 will have the same Kea support.

Btw : kea by itself was and is rock solid for me. It had to stick with ISC because I wanted to keep my DHCP mac leases, my DHCP special options etc, but since 24.11 became available, I switched to kea. Options were still missing but with some copy and paste instructions from the source' (redmine) I could add what I needed.

Btw : kea has no relations with pfBlockerng.

@jg3

I am seeing the same behavior with random physical clients on my network. Turning off the new DNS registration checkbox seems to make it stop.

@aGeekhere said in ISC DHCP Server Custom DHCP Options 252 for WPAD prevents DHCP Static Mappings custom DNS:

if i use ISC DHCP with Custom DHCP Options

Check if it actually works. Go to packet capturing, enter/set this :

5b09c119-78ee-4da9-8c90-1cfb48875fb5-image.png

and click start.

You will see the DHCP client requests, and the pfSense DHCP server answer. The "Option 252" was send to the client ?

@vf1954 you can't really change a clients IP on a whim from just pfsense, you can sure give it a reservation and then if you reboot it or release renew its lease etc it would get the new IP.

Same goes if you changed your IP range, clients wouldn't get an IP from the new lease unless the client was asking for an ip, etc.

I do this pretty much any time I bring a new device online - I let it get an IP, then I change it to reservation and have the client then reboot or release/renew so it now gets the reservation.

If the device was poe, you could prob force the IP change by cycling its ethernet port on your switch.

How fast a client would move over to a reservation or would depend on the length of the lease you gave it to start with - if your lease is like the default of 2 hours... Then 2 hours later all devices would be on the new iP range or be using a reservation you set for them, it could be faster.. But for sure you would know 2 hours all devices would have a new IP.

If your lease was like 8 days - then yeah it could take up to 8 days to move to the new IP without intervention on your part at the client.

@johnpoz

Thanks for the information.
So it's not as critical as expected.

Thank you.

Best,

@wc2l what would be slick is if they integrate that right into pfsense. I think it might play nice with their new multisystem management stuff they are working on.. But yeah I would someone if not currently will put a docker for it ;)

@patient0 said in ISC DHCP does not save Local time setting:

@Dyk-Evans

Are other settings saved? Like (just for testing) "disable ping check"?

Yes, the two below do save no issues:

Enable Monitoring
Ping Check

I too have an SG-3100.
Only since I updated the version to 24.11 from 24.08 has my network been flaking out.
All the devices, and I have like 50 wifi lamps, 40 IOT Switches, four Ubiquiti Wireless AP's + Cloud Key ... it's been infuriating not to have wifi to interrogate stuff...

The items with Static Mappings seem to keep their leases.

So my desktop, the router, manage to still talk to one another.

I've switched back to the depreciated ISC, and unticked "warn that that's it's depreciated".
Lets see if that fixes it.

I presumed I was on Kea before the software upgrade, but to be honest, I just can't remember, I don't seem to have full control of home configurations in my 40's with kids , like I used to when I was single in my 20's...

Time to upgrade to 64-bit you say... old thin machine or NUC with some 2.5Gbps interfaces you say...

@Gertjan Thanks, makes sense for it to be higher. It is currently at 1000, but the point is not the value, it's the fact that I can't change it. When I hit the save button to change it to any value, I get that message. I don't mean to take this thread into another topic. I just wanted to point out I have more than one really odd thing going on. So it could be something more than just pfblocker python mode which is broke.

Interestingly, if I go to the log settings tab which is for all logs I thought, I can change the value there. It appears to change if for nearly all tabs, except for System > general, DNS resolver and OpenVPN. The value does not change there and I can't change it via the wrench icon. Again, I'm not looking for a solution to this issue. I can open another thread for that if needed. Just pointing out odd things as I'm seeing them.

Are you able to compare the config before and after upgrade?

Is it repeatable? Assuming you are running ZFS with a 24.03 BE.

@FECambot

👍
No worries. I'm a user just like you.
Critics are not an issue at all. They are the roads to understanding.

Take your time.

@tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

... What's odd is that the "DHCP leases" screen only seems to show one of the static mappings

Not odd, it's a feature, doing otherwise will break RFCs.
As soon as it attributes an IP to a device with MAC 00:11:22:33:44:55 it will refuse to attribute the same IP to a device with MAC 55:44:33:22:11:00.

Also, because you mentioned it : why is an IP marked as online on the leases page ? Because that page uses the ARP protocol, that broadcasts on the network with questions like : "Who has 192.168.1.10" (the IP) ? ARP is used to get one unique reply. It will get 2 .... dono what the reaction will be, but you probably just broke "the Ethernet".
An answer was taken in account, and that MAC lease I is marked as online. The second, thanks for testing 👍 , was disregarded.

If you have the choice between a wired and a wireless, shut down the wireless. Go for the cable. The less radio waves, the better ^^

And take note : you're lucky. I've a printer here that, if wired and DHCP is active, will shut down the wireless interface.

@tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

Is there a way to fix this problem?

You get it by now. The question was wrong, so no fix needed as nothing is broken ^^

Perhaps the solution is to release the lease prior to disconnecting either network.

Unplugging a network connection is different than releasing the lease then disconnecting the cable.

If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the the trackball is not even touched. This results in the screen waking for no good reason.

Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

This particular box has 2 ethernet nics + wifi. AP is configured for for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

What is your use case for keeping the same ip for both interfaces?

So I managed to achive what I wanted via additional DNS server using dnsmasq. The example setup looks like this:

Isolated DNS server running DNSMASQ: 192.168.10.2
LAN: 192.168.1.0/24
WG0: 10.10.0.50
VPN DNS server: 10.10.0.2

I created two aliases:

vpn_isolation - with networks for each machine that will be forced to use VPN - network aliases can include single hosts with netmask /32 and it's less problematic than to remove 255 entries from an ip alias that expanded whole /24 network :D isolated_dns - this alias only contains 192.168.10.2 - this will make our life way easier if we decide to move the dnsmasq to different subnet

First we create port forwarding rule:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Source: Address or Alias: vpn_isolation
Destination Port Range: DNS / DNS
Redirect Target IP: isolated_dns
Redirect Target Port: DNS
Filter Rule Association: Add associated filter rule
NAT Reflection: disable
Description: Force DNS to VPN

Next we need same rule for interface on which the dnsmasq works so we can pass all the traffic to VPN from dnsmasq.

Then we need to create a policy routing rule that will match ips/networks from vpn_isolation alias on the LAN interface:

Firewall -> Rules -> LAN
Source: ip address or alias: vpn_isolation
Destination: either * or exclude private networks to allow routing to internal subnets
Gateway: WG0_GATEWAY

Finally we need to spawn a linux box or container with IP 192.168.10.2 that runs dnsmasq. Below is example dnsmasq config:

no-resolv no-poll # we tell dnsmasq to use VPN server=10.10.0.2 # then we tell dnsmasq to use 192.168.1.1 to resolve *.lan and *.myinternaldomain.omgyay # (or any other domain or suffix we need) server=/lan/192.168.1.1 server=/myinternaldomain.omgyay/192.168.1.1 # this is important otherwise dnsmasq won't reply to queries from different network listen-address=192.168.10.2,127.0.0.1

We can test the setup from a machine with IP included in vps_isolation alias:

use https://dnsleaktest.com/ - it should show single DNS or at least DNS different that the one pfsense's DNS Responder/Forwarder uses more imporant - we need to check if we don't leak original WAN subnet via ECS - just issue curl -SL https://test.nextdns.io and resulting JSON should not include "ecs" key with your WAN subnet - this was the biggest problem for me when using DOT from DNS Resolver - if you own a ripe you basically dox yourself this way.

Both port forwarding and policy routing firewall rules have to be added to every interface we want to use vpn isolation and they need to be above any other policy routing rules that might redirect traffic elsewhere and go through clearnet ofc.

With this setup when you want to enable/disable vpn for any host or network behind pfsense all you need to do is edit the vpn_isolation alias and you're done.

CAVEAT: make sure the dnsmasq dns server is on it's own subnet. this makes things easier. I was able to get this working with same subnet for dnsmasq and vpn_isolation, but you have to create an additional port forwarding rule above the one that intercepts DNS traffic that matches traffic from dnsmasq and has "Disable redirection for traffic matching this rule" checked. This will allow dnsmasq to talk to pfsense :)

@PabloAbonia said in KEA DHCP continuously rebooting with error message after 24.11 upgrade and switch from ISC:

COMMAND_SOCKET_ACCEPT_FAIL Failed to accept incoming connection on command socket

Can't be that bad.

See here : https://kea.readthedocs.io/en/kea-2.0.1/kea-messages.html

I propose : stop kill zap all kea process.
Console, or better : SSH : option 8 and then

ps ax | grep 'kea'

and kill them all.

Then, check that you still have this file /var/run/kea4-ctrl-socket (socket actually).
rm it.

Now start all the kea stuff with the GUI.

edit :
When kea starts, and runs fine, you can actually use this socket to talk to the process.

Run this, on the command lie, and you'll see it answers you with loads of information :

echo '{"command":"lease4-get-all"}' | nc -U /var/run/kea4-ctrl-socket | jq