  • Adding Custom Configuration in Kea DHCP Server with pfSense+ 25.03
    Pinned. 26 posts, 4 votes, 11k views.
    Last post:
    @Gertjan Thank you brother. All your suggestions worked great. I joined the forums just to tell you so.
  • HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox
    Pinned. 85 posts, 17 votes, 58k views.
    Last post by kiokoman:
    @Bob-Dig idk, it's not my phone. If it's the "Private DNS" setting then it was probably on by default; my family does not know what DoT / DoH is. @johnpoz exactly.
  • Can get host address, can't ping device
    9 posts, 0 votes, 74 views.
    Last post by TangoOversway:
    @johnpoz It's working fine now, which makes me think it's some kind of caching issue. I find it weird that Chrome could connect to palantir-02 yesterday, immediately, and the command line tools could not. I use iTerm2, which is a 3rd-party terminal program that, so far, has exceeded the functionality of Apple's Term program, but I can't help thinking that there might be some DNS caching being done somewhere that impacts the terminal programs and that Chrome doesn't deal with.

    I have several learning disabilities and it's an attention span thing. It takes me longer to dig into something than it does for most people. There's a line, and when I cross it and dive deep into something, I can get a clear understanding of everything in it, but six months later, if I haven't kept working with that material, I can forget it all - unless I do another deep dive. So I've dealt with this kind of stuff before, but long enough ago that I've forgotten all that's involved. I probably should have looked up the command to clear the Mac's networking cache, but didn't think of it yesterday, when it would have helped. I did consider just rebooting, but didn't have the time while I was at the computer. (I figured that'd clear any DNS caching it may have done.)

    I have been able to resolve anything with ping in the past - never an issue. I'm in a rural setting, so there are times I lose internet. I have a simple alias: alias icheck='ping -c 5 8.8.8.8;echo;ping -c 5 www.google.com;echo;echo' or something close to that, you get the idea. When I seem to be having connectivity issues, I always run that to see if our internet is down. I did run it just as a quick check (yesterday, when the issue was happening) and it did work.
  • (untitled topic)
    2 posts, 0 votes, 36 views.
    Last post:
    @badjoodani see https://forum.netgate.com/topic/184226/psa-kea-dhcp-does-not-like-dns-names-breaks-isc-to-kea-migration/10
  • How to block internet access for client operating system's DNS over HTTPS
    8 posts, 0 votes, 87 views.
    Last post by Gertjan:
    @richardsago said in How to block internet access for client operating system's DNS over HTTPS:
        But there was no choice for "Null Block (logging)"
    "Null Block (logging)" works only when Python mode is enabled.

    @richardsago said in How to block internet access for client operating system's DNS over HTTPS:
        When I set Firewall > pfBlockerNG > DNSBL > DNSBL Mode to "Unbound python mode" we lose internet connection so I returned it to "Unbound mode"
    That's not a normal situation at all. You have a DNS issue then. Consider flipping everything back to default first. This is part of 'default':
    [image: 1761299980769-cbdc6616-9081-4278-9c79-4bdfe0c1bbb6-image.png]
    In the near future, 'unbound' mode might as well be removed. You can see "python mode" as a plugin or addon to Unbound: it's a script file that Unbound runs. Unbound uses Python as the interpreted language of that script file, and that's why we call it 'python mode'. It could have been a shell script, Lua, or whatever. This Unbound Python script has now been tested a couple of multiples of trillions of times (every DNS request executed by every pfSense using pfBlockerNG out there). It's a safe bet to say that there are no more known issues with it.

    About:
    [image: 1761299470957-65695ff4-201b-4cc3-9e67-c698baf3c661-image.png]
    You might as well remove all of these. pfSense, the resolver, doesn't need any DNS servers (that you've assigned). It doesn't use them. Unbound is a resolver, which means it resolves using the official (root) DNS servers. No need to use some commercial offer from anybody. 8.8.8.8 and 8.8.4.4 are also resolvers btw. But why would you hand over your private DNS requests to these commercial entities?
  • Host overrides in DNS Resolver
    5 posts, 0 votes, 91 views.
    Last post by Gertjan:
    @IanMcLeish said in Host overrides in DNS Resolver:
        Perhaps they are now not required
    No need to be unsure. Fact check. Question: what are the host names that my pfSense can resolve for me (knows about)? Answer:
    [image: 1761200903195-8fd4565d-732f-4eab-b7d8-79863fd657e9-image.png]
    and hit Execute.
  • HE.NET dyndns client stopped working
    5 posts, 0 votes, 73 views.
    Last post by N8LBV:
    Any thoughts on this?
  • VLAN with dedicated VPN tunnel, DNS isolation, and kill switch — best practice?
    4 posts, 0 votes, 113 views.
    Last post by Gertjan:
    @OsiMosi said in VLAN with dedicated VPN tunnel, DNS isolation, and kill switch — best practice?:
        PfBlockerNG ... can only interface with unbound.
    So your private DNS needs are covered/handled by PfBlockerNG, not polluted with the isolated network's DNS requests, which are handled by dnsmasq.
  • Unbound issue when set in resolving mode (pfSense Plus - crashing?)
    5 posts, 0 votes, 199 views.
    Last post:
    So it lasted longer without issue, but out of the blue it stopped responding again. Unluckily I couldn't debug when it happened, so I don't have further info to share. I will try again to make it happen and see what I get from the logs.
  • DNS resolver failed to resolve some addresses
    17 posts, 0 votes, 401 views.
    Last post by patient0:
    @martinez said in DNS resolver failed to resolve some addresses:
        server that is authoritative for the org tld
    It is indeed one of the ORG authoritative servers:

        dig -x 199.19.57.1
        ...
        ;; QUESTION SECTION:
        ;1.57.19.199.in-addr.arpa.      IN      PTR

        ;; ANSWER SECTION:
        1.57.19.199.in-addr.arpa. 3274  IN      PTR     d0.org.afilias-nst.org.
        ...

        $ dig +trace wikipedia.org @1.1.1.1
        ...
        ;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 5 ms

        org.                    172800  IN      NS      a0.org.afilias-nst.info.
        org.                    172800  IN      NS      a2.org.afilias-nst.info.
        org.                    172800  IN      NS      b0.org.afilias-nst.org.
        org.                    172800  IN      NS      b2.org.afilias-nst.org.
        org.                    172800  IN      NS      c0.org.afilias-nst.info.
        org.                    172800  IN      NS      d0.org.afilias-nst.org.
        org.                    86400   IN      DS      26974 8 2 ...
        ;; Received 779 bytes from 2001:500:a8::e#53(e.root-servers.net) in 4 ms

        wikipedia.org.          3600    IN      NS      ns1.wikimedia.org.
        wikipedia.org.          3600    IN      NS      ns2.wikimedia.org.
        wikipedia.org.          3600    IN      NS      ns0.wikimedia.org.
        ...
        ;; Received 655 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 21 ms

        wikipedia.org.          180     IN      A       185.15.58.224
        ;; Received 58 bytes from 198.35.27.27#53(ns2.wikimedia.org) in 15 ms
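    When a resolver "fails to resolve some addresses", the useful question is at which delegation step the chain broke. The script below is an added example (not code from the thread, pfSense or Unbound): it parses `dig +trace` output of the shape quoted above into steps, reports which server answered each step, and flags a step that returned neither a referral nor an answer. SAMPLE_TRACE is constructed from the records quoted in the post; the root NS lines, which the post elides, are filled in with two constructed entries, and the delegation lists are shortened.

```python
"""Summarise `dig +trace` output as a delegation chain and sanity-check it.

Added example, not from the forum thread. SAMPLE_TRACE is constructed from
the records quoted in the thread (root NS lines invented, lists shortened).
"""
import re
from dataclasses import dataclass, field

# "<name> <ttl> IN <type> <rdata>" as dig prints answer/authority records
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")
# ";; Received N bytes from <ip>#53(<server>) in M ms" closes one trace step
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (?P<ip>[^#]+)#\d+\((?P<server>[^)]+)\) in \d+ ms")

SAMPLE_TRACE = """\
; <<>> DiG <<>> +trace wikipedia.org @1.1.1.1
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 5 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    86400   IN      DS      26974 8 2 ...
;; Received 779 bytes from 2001:500:a8::e#53(e.root-servers.net) in 4 ms

wikipedia.org.          3600    IN      NS      ns1.wikimedia.org.
wikipedia.org.          3600    IN      NS      ns2.wikimedia.org.
wikipedia.org.          3600    IN      NS      ns0.wikimedia.org.
;; Received 655 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 21 ms

wikipedia.org.          180     IN      A       185.15.58.224
;; Received 58 bytes from 198.35.27.27#53(ns2.wikimedia.org) in 15 ms
"""


@dataclass
class Step:
    server: str
    ip: str
    records: list = field(default_factory=list)  # (name, type, rdata)


def parse_trace(text):
    """Split dig +trace output into steps; each ';; Received' line closes one."""
    steps, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        r = RECORD_RE.match(line)
        if r:
            pending.append((r["name"], r["type"], r["data"]))
            continue
        rv = RECEIVED_RE.match(line)
        if rv:
            steps.append(Step(rv["server"], rv["ip"], pending))
            pending = []
    return steps


def delegation_chain(steps):
    """Return [(zone, answering server, kind)], kind in referral/answer/empty."""
    chain = []
    for st in steps:
        ns = [n for n, t, _ in st.records if t == "NS"]
        answers = [n for n, t, _ in st.records if t in ("A", "AAAA", "CNAME")]
        if answers:
            chain.append((answers[0], st.server, "answer"))
        elif ns:
            chain.append((ns[0], st.server, "referral"))
        else:  # a server that gave neither is where the resolution broke
            chain.append(("?", st.server, "empty"))
    return chain


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def check_chain(chain, qname):
    """Return problems found; an empty list means the chain is consistent."""
    problems, depth = [], -1
    for zone, server, kind in chain:
        if kind == "empty":
            problems.append(f"{server} returned neither a referral nor an answer")
            continue
        if not in_zone(qname, zone):
            problems.append(f"{server} referred to {zone}, not a parent of {qname}")
        labels = 0 if zone == "." else zone.rstrip(".").count(".") + 1
        if labels < depth:  # a referral must move down the tree, never back up
            problems.append(f"{server} referred back up to {zone}")
        depth = labels
    if not chain or chain[-1][2] != "answer":
        problems.append("trace ended without an answer")
    return problems


if __name__ == "__main__":
    chain = delegation_chain(parse_trace(SAMPLE_TRACE))
    for zone, server, kind in chain:
        print(f"{kind:8} {zone:20} from {server}")
    print("problems:", check_chain(chain, "wikipedia.org.") or "none")
```

    Run it against a saved `dig +trace name @server` capture; for a name that intermittently fails, comparing the chain from a working run with the failing one shows whether the TLD referral or the zone's own authoritative servers are the ones not answering.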
  • Seeing Kea DHCP Issues after upgrade to 24.11
    28 posts, 1 vote, 4k views.
    Last post:
    @cmcdonald FWIW, as of pfSense 2.8.1 this still seems to be happening. I had everything running fine for years with ISC and today opted to get rid of the Kea nag and it all just fell apart. Most of my Ring devices just get this:

        Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: Failed to allocate an IPv4 address for client with classes: ALL, pool_lan_0, UNKNOWN
        Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 address after 41 attempt(s)
        Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 lease in the subnet 10.3.2.0/24, subnet-id 1, shared network (none)

    Going to switch back to ISC for a bit and see if anything changes. Config looks legit to me and I can't imagine a subset of Ring cameras (all the same make/model) would have a bug - it's a pretty common vendor really.
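    The three warnings above are one transaction seen from three angles: which classes the client carried, how many pool addresses Kea tried, and which subnet it gave up on. Whether that points at an exhausted or misconfigured pool or at one odd client depends on how many distinct clients fail in the same subnet. The script below is an added example (not code from the thread, pfSense or the Kea project) that parses ALLOC_ENGINE_V4_ALLOC_FAIL* lines of the quoted shape and groups them per client. SAMPLE_LOG is constructed: it reuses the quoted line format with made-up MAC addresses and transaction ids. The threshold of two clients is an assumption for the demo.

```python
"""Triage helper for Kea DHCPv4 allocation-failure warnings.

Added example, not code from the forum thread, pfSense or Kea. It groups
ALLOC_ENGINE_V4_ALLOC_FAIL* warnings per client MAC and per subnet so a
pool-wide failure can be told apart from a single misbehaving client.
SAMPLE_LOG is constructed with made-up MACs and transaction ids.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# pfSense system-log line for kea-dhcp4 as quoted in the thread:
# "Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x...] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET
#  [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 lease in ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kea-dhcp4 (?P<pid>\d+) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] (?P<msgid>ALLOC_ENGINE_V4_ALLOC_FAIL\w*) "
    r"\[hwtype=(?P<hwtype>\d+) (?P<mac>[0-9a-f:]{17})\], cid=\[(?P<cid>[^\]]*)\], "
    r"tid=(?P<tid>0x[0-9a-f]+): (?P<text>.*)$"
)
CLASSES_RE = re.compile(r"classes: (?P<classes>.+)$")
SUBNET_RE = re.compile(r"in the subnet (?P<subnet>[\d./]+), subnet-id (?P<sid>\d+)")
ATTEMPTS_RE = re.compile(r"after (?P<n>\d+) attempt\(s\)")

SAMPLE_LOG = """\
Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x25b805e: Failed to allocate an IPv4 address for client with classes: ALL, pool_lan_0, UNKNOWN
Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 address after 41 attempt(s)
Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 02:00:00:00:00:01], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 lease in the subnet 10.3.2.0/24, subnet-id 1, shared network (none)
Oct 17 22:58:20 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 02:00:00:00:00:02], cid=[no info], tid=0x1a2b3c4: failed to allocate an IPv4 lease in the subnet 10.3.2.0/24, subnet-id 1, shared network (none)
Oct 17 22:58:21 kea-dhcp4 20227 INFO [kea-dhcp4.leases.0x3ec6f4a16600] DHCP4_LEASE_ALLOC [hwtype=1 02:00:00:00:00:03], cid=[no info], tid=0x7d3a1: lease 10.3.2.50 has been allocated for 7200 seconds
"""


@dataclass
class ClientFailure:
    mac: str
    classes: set = field(default_factory=set)   # UNKNOWN = Kea found no host reservation for it
    subnets: set = field(default_factory=set)
    attempts: list = field(default_factory=list)
    transactions: set = field(default_factory=set)


def parse_alloc_failures(log_text):
    """Group ALLOC_ENGINE_V4_ALLOC_FAIL* warnings by client MAC; other lines are skipped."""
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = failures.setdefault(m["mac"], ClientFailure(mac=m["mac"]))
        f.transactions.add(m["tid"])
        text = m["text"]
        if m["msgid"].endswith("_CLASSES"):
            c = CLASSES_RE.search(text)
            if c:
                f.classes.update(x.strip() for x in c["classes"].split(","))
        elif m["msgid"].endswith("_SUBNET"):
            s = SUBNET_RE.search(text)
            if s:
                f.subnets.add(f"{s['subnet']} (subnet-id {s['sid']})")
        else:
            a = ATTEMPTS_RE.search(text)
            if a:
                f.attempts.append(int(a["n"]))
    return failures


def triage(failures, many=2):
    """Map each subnet to the MACs failing in it and give a first-cut verdict.

    `many` is an arbitrary demo threshold for "more than one client".
    """
    by_subnet = defaultdict(set)
    for f in failures.values():
        for s in f.subnets:
            by_subnet[s].add(f.mac)
    verdicts = {}
    for subnet, macs in by_subnet.items():
        if len(macs) >= many:
            verdicts[subnet] = ("multiple clients fail here: check pool size and "
                                "exhaustion, or a pool client-class that excludes them")
        else:
            verdicts[subnet] = ("single client fails here: check its reservation and "
                                "classes; UNKNOWN means it has no host reservation")
    return dict(by_subnet), verdicts


if __name__ == "__main__":
    fails = parse_alloc_failures(SAMPLE_LOG)
    for f in fails.values():
        print(f.mac, sorted(f.classes), sorted(f.subnets), f.attempts)
    for subnet, verdict in triage(fails)[1].items():
        print(subnet, "->", verdict)
```

    Feed it the DHCP log as exported from the pfSense GUI or `clog`-style output from the system log; the grouping is by MAC, so a single camera that is retrying (many transaction ids, one MAC) does not inflate the per-subnet client count the verdict is based on.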
  • DNS Issues After Upgrading to 25.07
    24 posts, 0 votes, 5k views.
    Last post:
    @xana I am having the same exact issue. It will just suddenly stop working; the service is running but failing to respond. I have disabled DNSSEC and do not have ntop installed. The only way to restore service is to restart the unbound service. I am using encrypted DNS, but that is the only difference from the standard setup; I followed the pfSense docs closely when setting it up. It was not a problem until this version, but there are things in this version I need elsewhere so I cannot go back.
  • KEA Multi-Threading - reduce number of threads
    13 posts, 0 votes, 286 views.
    Last post by Gertjan:
    @4o4rh said in KEA Multi-Threading - reduce number of threads:
        The problem was I had a malformed json
    Yeah ... the concept solution is always easy. Then writing it correctly using the JSON format, that always needs a lot of trial and error before you get it spot-on. I'm already adding a lot of settings in the JSON Configuration box, for DHCP options, lease logger options, etc.
  • DDNS can not figure out my WAN IP Address
    Tags: ddns, cloudflare, comcast
    7 posts, 0 votes, 238 views.
    Last post:
    @jake9wi I'm glad that worked. I just went through hell to figure that out myself. It seems to be a new problem caused by a recent update. I'm not sure why some have the issue and others do not.
  • ISC vs KEA - KEA always wrong
    18 posts, 0 votes, 919 views.
    Last post:
    @Vollans Nice!
  • DHCPv6 on LAN offering IPs from different interface
    4 posts, 0 votes, 179 views.
    Last post:
    @Gertjan Yep, good call. Done! I do think the behavior I saw in the original post might be a bug, though.
  • Unable to configure DHCP
    3 posts, 0 votes, 90 views.
    Last post by AndyRH:
    @kj32 PEBKAC - Interesting, I always say it is a picnic.
  • Change IP to Static Using pfSense?
    14 posts, 0 votes, 275 views.
    Last post by johnpoz:
    @nasheayahu said in Change IP to Static Using pfSense?:
        and where did this user How set static IP for LAN Client in Pfsense get these columns from
    Looks like that post is from "Updated on July 31, 2021". So yeah, those screenshots are from an OLD version. Now normal leases show their start and end time:
    [image: 1760129920623-oldleases.jpg]
    And a reservation would show n/a for start/end. Those are old leases in my screenshots; like I mentioned, most everything on my network has a reservation. That green up arrow just means that device is currently in the ARP table, so online. If it falls out of the ARP table then pfSense would mark it with a down arrow. Neither of those for sure 100% means the device is online or offline; it just means it's either in the ARP table or not. The ARP cache on pfSense expires by default after 20 minutes.
  • (untitled topic)
    9 posts, 0 votes, 210 views.
    Last post:
    @Gertjan straight copy from pfSense. I'll post a screenshot when I get back home for proof.
  • (untitled topic)
    5 posts, 0 votes, 3k views.
    Last post:
    @cs08 I just encountered this issue and the root cause was the gateway monitor IP. I set it to 8.8.8.8 and the Check IP Service now works and the Dynamic DNS Clients are updating like they used to.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.