• Harden DNSSEC Data input error

    4
    0 Votes
    4 Posts
    376 Views
    QinnQ
    Thanks guys, for your reply @johnpoz. I can follow the logic, as you explained it, using the main breaker example.
  • WAN using Comcast DNS despite Cloudflare settings

    4
    0 Votes
    4 Posts
    392 Views
    C
    Thanks. I've made the change @patient0 suggested. As to @johnpoz, the DNS Server Override was already clear. The Good News is that ipconfig gives my firewall as the DNS for the ethernet connection and 1.1.1.2 for the VPN. Looks like either that change cleared the situation or there was no prob in the first place. Thanks again!
  • DNS Resolution Behavior-Adding a strange entry of ::1

    12
    0 Votes
    12 Posts
    742 Views
    johnpozJ
    @MarinSNB My understanding is yes, some code in the + changed; not sure when, but it was for sure before 24.11 that this showed up. My guess is when CE 2.8 drops we'll see the same thing in CE.
  • DNS Forwarder & Host overrides not working

    6
    0 Votes
    6 Posts
    431 Views
    CatSpecial202C
    @johnpoz Yes, I changed it. Thank you for the tips. I ended up spending the rest of the day messing around with Cloudflare's Zero Trust platform with their DNS blocking/filtering features now that I finally control the DNS on my network.
  • ISC DHCP Dynamic DNS feature and Kea DHCP?

    11
    0 Votes
    11 Posts
    2k Views
    C
    @bmeeks said in ISC DHCP Dynamic DNS feature and Kea DHCP?: Your issue is updating secondary DNS servers and not the unbound daemon running on pfSense. Correct. All hosts on my network get IP addresses from pfSense ISC DHCP servers, which send dynamic updates to FreeIPA-integrated BIND DNS servers. Why use FreeIPA-integrated DNS? Because FreeIPA is a great open-source identity management software and it also uses ISC DNS service.
  • DNS forwarder & cloudflare family + malware blocking

    2
    0 Votes
    2 Posts
    380 Views
    CatSpecial202C
    I was able to get this working. I now have sites blocked, etc. I still have to make sure that DNS over TLS works, and I also need to configure this for IPv6, so a bit more to do. I needed to add the appropriate rules to my firewall as specified in these recipes. I added a total of 3 firewall rules and 1 NAT rule.
    DNS redirect: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
    DNS blocking: https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html#blocking-external-client-dns-queries
  • Kea DHCP wants to put a DHCP scope on my PPPoE interface....

    6
    0 Votes
    6 Posts
    484 Views
    C
    Seems a bit brutal to have to default the devices... I've got this in an HA pair. The interface PPPoE is defined on is actually kind of a dummy interface, but I've set up a gateway for it to make it into a WAN interface, and it's made no difference.... I used to have loads of config on there, but I've pared it right back to try and isolate the problem... this is a real pain in the ar$£....
    Config file having manually changed it to what I want:
    { "Dhcp4": { "interfaces-config": { "interfaces": [ "em0.20" ] }, "lease-database": { "type": "memfile", "persist": true, "name": "/var/lib/kea/dhcp4.leases" }, "loggers": [ { "name": "kea-dhcp4", "output_options": [ { "output": "syslog" } ], "severity": "INFO" } ], "valid-lifetime": 7200, "max-valid-lifetime": 86400, "ip-reservations-unique": false, "echo-client-id": false, "option-data": [ { "name": "domain-name", "data": "home.arpa" } ], "option-def": [ { "space": "dhcp4", "name": "ldap-server", "code": 95, "type": "string" } ], "hooks-libraries": [ { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" } ], "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" }, "authoritative": true, "subnet4": [ { "id": 1, "subnet": "10.7.20.0/24", "option-data": [ { "name": "domain-name-servers", "data": "10.7.20.1" }, { "name": "routers", "data": "10.7.20.1" } ], "valid-lifetime": 60485000, "max-valid-lifetime": 60486000, "reservations": [ { "hw-address": "44:19:b6:28:57:37", "ip-address": "10.7.20.31", "hostname": "cam1" }, { "hw-address": "44:19:b6:4f:59:0a", "ip-address": "10.7.20.32", "hostname": "garagecam" }, { "hw-address": "ac:cb:51:3c:97:2a", "ip-address": "10.7.20.35", "hostname": "cam6" }, { "hw-address": "ac:cb:51:3c:97:34", "ip-address": "10.7.20.36" } ], "reservations-in-subnet": true } ], "reservations": [ { "hw-address": "44:19:b6:28:57:37" }, { "hw-address": "44:19:b6:4f:59:0a" }, { "hw-address": "ac:cb:51:3c:97:2a" }, { "hw-address": "ac:cb:51:3c:97:34" } ] } }
    Config file after I tried to start the service:
    { "Dhcp4": { "interfaces-config": { "interfaces": [ "pppoe0" ] }, "lease-database": { "type": "memfile", "persist": true, "name": "/var/lib/kea/dhcp4.leases" }, "loggers": [ { "name": "kea-dhcp4", "output_options": [ { "output": "syslog" } ], "severity": "INFO" } ], "valid-lifetime": 7200, "max-valid-lifetime": 86400, "ip-reservations-unique": false, "echo-client-id": false, "option-data": [ { "name": "domain-name", "data": "home.arpa" } ], "option-def": [ { "space": "dhcp4", "name": "ldap-server", "code": 95, "type": "string" } ], "hooks-libraries": [ { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" } ], "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" }, "authoritative": true, "subnet4": [ { "id": 1, "subnet": "86.140.132.253/32", "option-data": [ { "name": "domain-name-servers", "data": "10.7.20.1" }, { "name": "routers", "data": "10.7.20.1" } ], "valid-lifetime": 60485000, "max-valid-lifetime": 60486000, "reservations": [ { "hw-address": "44:19:b6:28:57:37", "ip-address": "10.7.20.31", "hostname": "cam1" }, { "hw-address": "44:19:b6:4f:59:0a", "ip-address": "10.7.20.32", "hostname": "garagecam" }, { "hw-address": "ac:cb:51:3c:97:2a", "ip-address": "10.7.20.35", "hostname": "cam6" }, { "hw-address": "ac:cb:51:3c:97:34", "ip-address": "10.7.20.36" } ], "reservations-in-subnet": true } ], "reservations": [ { "hw-address": "44:19:b6:28:57:37" }, { "hw-address": "44:19:b6:4f:59:0a" }, { "hw-address": "ac:cb:51:3c:97:2a" }, { "hw-address": "ac:cb:51:3c:97:34" } ] } }
  • DNS resolver problem / host override

    5
    0 Votes
    5 Posts
    440 Views
    M
    @Gertjan My computer is using my pfSense DNS, but not all is working well. Going to reinstall it anyway on a different device and start the config from scratch.
  • 3 Votes
    14 Posts
    9k Views
    johnpozJ
    @chrcoluk said in PSA: If you are using DHCP options with Windows 11 and DHCP/networking ceased to function after upgrading to Windows 11 24H2 ...: I use option 43 to make sure NetBIOS is disabled. Ah, OK, that use case seems like it would be more common on a user machine VLAN.
  • KEA DHCP ERROR - Service stopped

    12
    0 Votes
    12 Posts
    2k Views
    D
    @datpif Actually, I just found that watchdog starts a different service, so the simplest fix I found was to edit /etc/inc/service-utils.inc, search for case 'kea-dhcp4': and add: case 'kea-dhcp4': exec("rm -f /tmp/kea4-ctrl-socket.lock");
  • Mythic Beasts DDNS

    2
    0 Votes
    2 Posts
    304 Views
    T
    Did you manage to resolve this? I've recently encountered the same problem, and this seems to be the only thing I can find mentioning it. Keen to know if there's an easy fix before I reinvent the wheel.
  • pfsense sending DHCP messages on interface with DHCP disabled

    3
    0 Votes
    3 Posts
    289 Views
    A
    @Gertjan Thanks Gertjan, I tried it, and it did get rid of that process. I still had the "FAIL" message come back on the same regular basis all on its own though, with varying PIDs. When I finally found an opportunity to reboot pfSense (30 mins ago), it went away completely :-) So yes, probably some ghost. Thanks again! Alex
  • HAProxy as internal reverse proxy -- SSL certificate not working

    8
    0 Votes
    8 Posts
    676 Views
    V
    @swemattias The error above doesn't come from HAProxy, rather from Cloudflare. So I don't think that the hostname resolves properly to your IP. Seems you're using the Cloudflare proxy service.
  • pfSense KEA DHCP problems after reassigning interface

    4
    0 Votes
    4 Posts
    279 Views
    M
    @whosmatt said in pfSense KEA DHCP problems after reassigning interface: @mcury I'm not sure that's the same issue. I've actually added and removed members from my lagg many times without DHCP being affected. My issue arises when I assign an interface to a different NIC and then back to the original NIC, which just happens to be a tagged interface with a lagg as the parent. I'm not sure the lagg is relevant. Hmmmm, I think that the ticket issue is related to yours, but I got it wrong; the problem was not adding or removing members from the LAG. See, previously I had some VLANs, and the issue happened after I moved them to the LAG interface. At the same time I added a member, and that confused me. So, I really think we have the same issue and I got it wrong when I reported it. This explains why the Netgate team couldn't replicate it.. Edit: It happened three times, guess what? I have three VLANs..
  • 0 Votes
    2 Posts
    247 Views
    C
    @TgWaKu I run DHCP off my Cisco layer 3 switch, not pfSense. I recommend only 1 DHCP server per local network. Otherwise, you need to limit the scopes.
  • openvpn client cannot resolve pfsense dns entries

    6
    0 Votes
    6 Posts
    528 Views
    GertjanG
    @lassesj said in openvpn client cannot resolve pfsense dns entries: I have an idea on how to solve this. Use your keyboard? Normally, you should not be able to use a host name like 'file-server' to reach this device, even if it's on your own LAN. The correct way is: fileserver.yournetwork.tld, which is the full device location. Like this:
    C:\Users\Gauche>ping -4 dvr.bhf.tld
    Envoi d’une requête 'ping' sur dvr.bhf.tld [192.168.1.8] avec 32 octets de données :
    Réponse de 192.168.1.8 : octets=32 temps=9 ms TTL=64
    Réponse de 192.168.1.8 : octets=32 temps=2 ms TTL=64
    Réponse de 192.168.1.8 : octets=32 temps=3 ms TTL=64
    Réponse de 192.168.1.8 : octets=32 temps=4 ms TTL=64
    True, Windows spoiled us a bit by adding a local network domain to the host name. So, start being less lazy ^^, and always use the full host name with domain name and you're done ^^ @lassesj said in openvpn client cannot resolve pfsense dns entries: Or is there another, better way to do this? You mean: [screenshot]?
  • DHCPv6 server - Deny Unknown Clients ignored?

    4
    0 Votes
    4 Posts
    496 Views
    S
    @Bob-Dig said in DHCPv6 server - Deny Unknown Clients ignored?: Ops sry, I am using Kea on 24.11. Hmm, I didn't see the edit. That may be the important point. On ISC I have tried again and what I see is weird: If I have it set to allow only known from this interface, and enter an incorrect DUID, no leases happen (during the time I had it running, a while). If I have it set the same but enter the correct DUID, the lease happens but a route isn't set up. Other leases to other routers DO incorrectly happen and routes may or may not be set up (comparing the leases page to the routes page). Now the last part might well be because it was running for an hour or so and not just a half hour but it seems like the other routers should have pulled leases at some point along the way. I have no control over those routers though.
  • KEA and service watchdog

    3
    0 Votes
    3 Posts
    522 Views
    Mr_JinXM
    @patient0 Hi, thank you. Kea should be listening on all LAN interfaces (and VIPs); it seems to run for a short time then stop. Moving back to ISC seems to have fixed the issue. I don't understand why it would run and then stop.
  • [SOLVED] Setting up Cloudflare Dynamic DNS without using Global API Key

    4
    3 Votes
    4 Posts
    6k Views
    L
    @guardian said in [SOLVED] Setting up Cloudflare Dynamic DNS without using Global API Key: Zone Resources fill in the domain name to be used (mydomain.co Thank you! I just needed to set this up and all the other tutorials say you need a global key!
  • Kea DHCP Reservations Not Being Honored

    9
    0 Votes
    9 Posts
    2k Views
    K
    Okay, I figured it out. When I stopped Kea via the web GUI, there was still a Kea process listening on UDP 67: sockstat -l | grep :67 So I killed the rogue Kea: kill -9 XXXX Then restarted Kea via the web GUI. Now the binding errors are gone, and my reservations are being honored. Super weird issue, no idea how I ended up with two running instances of Kea.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.