• DNS_PROBE_FINISHED_NXDOMAIN/BAD_CONFIG every first time open Browser

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • Changing IP LAN address question

    9
    0 Votes
    9 Posts
    737 Views
    E

    @kiokoman Thanks. Comcast pushes out the firmware and as far as I know, I have the latest firmware for the device to be used with Comcast. This is what I did: 1) Set pfSense to 192.168.0.1 and DHCP; 2) Set Netgear C7100V to 192.168.2.1 and DHCP to get the WAN address for pfSense. As @JKnott suggested, IP addresses were assigned by pfSense. I now just need to reserve addresses for a bunch that I think need to be reserved.

  • Can't install the packages and can't ping IP address from Pfsense

    10
    0 Votes
    10 Posts
    531 Views
    bmeeksB

    I don't fancy myself an expert on pfSense failover setups. I have configured them for Nokia firewall appliances and Checkpoint firewalls in the past, but never on pfSense.

    Normally in a cluster setup the firewalls can talk to each other and decide who will be "boss". Your test configuration interrupted that to a degree.

  • Force Certain Clients To Pull IP From VLAN Pool

    8
    0 Votes
    8 Posts
    470 Views
    johnpozJ

    Don't need to do anything with MAB or 802.1x to put a device in a different vlan ;)

    And no, your cheap smart switch is not going to support either of those features. But yeah, that $40 smart switch would allow for putting any port in any vlan he wanted.

  • 0 Votes
    3 Posts
    2k Views
    C

    Hi and thank you for your reply.

    When I stop unbound and check for running processes there is no unbound running.

    [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep unbound
    21735  0  S+   0:00.00 grep unbound
    [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root:

    After stopping all DHCP servers the following processes are running:

    [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep dhcp
     4049  -  S    0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
    56033  -  Ss   618:49.04 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
    97216  -  Ss   0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
    14705  0  S+   0:00.00 grep dhcp
    [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root:

    The DHCP log keeps getting spammed by DHCP6 client:

    Nov 5 17:12:53 dhcp6c 97216 Sending Solicit
    Nov 5 17:12:54 dhcp6c 97216 Sending Request
    Nov 5 17:12:54 dhcp6c 97216 dhcp6c Received REQUEST
    Nov 5 17:12:54 dhcp6c 97216 status code for NA-0: no addresses
    Nov 5 17:12:55 dhcp6c 97216 Sending Solicit
    Nov 5 17:12:57 dhcp6c 97216 Sending Request
    Nov 5 17:12:57 dhcp6c 97216 dhcp6c Received REQUEST
    Nov 5 17:12:57 dhcp6c 97216 status code for NA-0: no addresses
    Nov 5 17:12:58 dhcp6c 97216 Sending Solicit
    Nov 5 17:12:59 dhcp6c 97216 Sending Request
    Nov 5 17:13:00 dhcp6c 97216 dhcp6c Received REQUEST
    Nov 5 17:13:00 dhcp6c 97216 status code for NA-0: no addresses
    Nov 5 17:13:02 dhcp6c 97216 Sending Solicit
    Nov 5 17:13:03 dhcp6c 97216 Sending Request
    Nov 5 17:13:03 dhcp6c 97216 dhcp6c Received REQUEST
    Nov 5 17:13:03 dhcp6c 97216 status code for NA-0: no addresses

    My WAN connection uses DHCP6 and I confirmed IPv6 connectivity.
    WAN has an address and IPv6 is routed as expected.

    After killing

    97216 - Ss 0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0

    I lost IPv6 connectivity and the spamming of DHCP log by DHCP6 client stopped.
    So I reconnected WAN and the spamming was back.

    Nov 5 17:26:20 dhcp6c 97216 Start address release
    Nov 5 17:26:20 dhcp6c 97216 Sending Release
    Nov 5 17:26:20 dhcp6c 97216 remove an address 2003:REDACTED:d1d4/64 on igb0
    Nov 5 17:26:20 dhcp6c 97216 dhcp6c Received RELEASE
    Nov 5 17:26:20 dhcp6c 97216 status code: success
    Nov 5 17:26:21 dhcp6c 97216 exiting
    Nov 5 17:30:56 dhcp6c 74412 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Nov 5 17:30:56 dhcp6c 74412 failed initialize control message authentication
    Nov 5 17:30:56 dhcp6c 74412 skip opening control port
    Nov 5 17:30:57 dhcp6c 74510 Sending Solicit
    Nov 5 17:30:58 dhcp6c 74510 Sending Request
    Nov 5 17:30:58 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:30:58 dhcp6c 74510 add an address 2003:REDACTED:d1d4/64 on igb0
    Nov 5 17:30:58 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:00 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:01 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:03 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:07 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:15 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:32 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:33 dhcp6c 74510 Sending Request
    Nov 5 17:31:33 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:33 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:35 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:36 dhcp6c 74510 Sending Request
    Nov 5 17:31:36 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:36 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:37 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:38 dhcp6c 74510 Sending Request
    Nov 5 17:31:38 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:38 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:40 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:41 dhcp6c 74510 Sending Request
    Nov 5 17:31:41 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:41 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:43 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:44 dhcp6c 74510 Sending Request
    Nov 5 17:31:44 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:44 dhcp6c 74510 status code for NA-0: no addresses
    Nov 5 17:31:46 dhcp6c 74510 Sending Solicit
    Nov 5 17:31:47 dhcp6c 74510 Sending Request
    Nov 5 17:31:47 dhcp6c 74510 dhcp6c Received REQUEST
    Nov 5 17:31:47 dhcp6c 74510 status code for NA-0: no addresses

    @Gertjan said in DNS Resolver & DHCP Server are constantly restarting:

    and thus dhcpleases should not run.
    Or, it's that process that restart unbound - see your own logs.

    dhcpleases was running because I enabled it again after disabling it didn't change the behaviour.

    @Gertjan said in DNS Resolver & DHCP Server are constantly restarting:

    Then restart unbound (resolver) and DHCP servers one by one - pause and observe behaviour in logs after each start.

    After starting only unbound, with DHCP Registration and Static DHCP disabled, unbound gets restarted every time dhcp6c logs "Sending Solicit".

    So I checked my WAN settings and compared it to another pfSense firewall I am running with the same ISP (Deutsche Telekom Business).
    Under DHCP6 Client Configuration there is an option called Request only an IPv6 prefix (Only request an IPv6 prefix, do not request an IPv6 address).
    After enabling the checkbox the spamming of DHCP logs by DHCP6 client stopped and unbound is running without getting restarted.
    DHCP servers are also running again with no issues.

    I have no idea why it was working fine for 2+ years without the "Request only an IPv6 prefix" option checked.
    Maybe the ISP changed some settings on their side.

    Thank you very much @Gertjan for pointing me in the right direction.
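The loop described in the post above (Solicit, Request, "status code for NA-0: no addresses", repeat every few seconds) is easy to spot mechanically once the log is split into lines. The script below is an added example, not code from the thread or from pfSense: it parses DHCP log lines in the layout the post shows, measures the gap between consecutive Solicits and counts the IA_NA refusals. SAMPLE_LOG is constructed to match the excerpt above; the thresholds, the year used to complete the syslog timestamps, and the hint text (which just repeats the fix the post arrived at) are this example's own choices.

```python
"""Spot a dhcp6c Solicit/Request loop in pfSense DHCP log lines.

Added example, not code from the forum thread. SAMPLE_LOG is constructed
in the same "Mon D HH:MM:SS dhcp6c PID message" layout as the excerpt in
the post; thresholds and hint text are this example's own assumptions.
"""
import re
from datetime import datetime

# Syslog-style prefix as shown in the thread, followed by the dhcp6c PID and message.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dhcp6c (\d+) (.*)$")

# Constructed sample in the thread's format (three failing Solicit/Request cycles).
SAMPLE_LOG = """\
Nov 5 17:12:53 dhcp6c 97216 Sending Solicit
Nov 5 17:12:54 dhcp6c 97216 Sending Request
Nov 5 17:12:54 dhcp6c 97216 dhcp6c Received REQUEST
Nov 5 17:12:54 dhcp6c 97216 status code for NA-0: no addresses
Nov 5 17:12:55 dhcp6c 97216 Sending Solicit
Nov 5 17:12:57 dhcp6c 97216 Sending Request
Nov 5 17:12:57 dhcp6c 97216 dhcp6c Received REQUEST
Nov 5 17:12:57 dhcp6c 97216 status code for NA-0: no addresses
Nov 5 17:12:58 dhcp6c 97216 Sending Solicit
Nov 5 17:12:59 dhcp6c 97216 Sending Request
Nov 5 17:13:00 dhcp6c 97216 dhcp6c Received REQUEST
Nov 5 17:13:00 dhcp6c 97216 status code for NA-0: no addresses
"""


def parse(lines, year=2019):
    """Turn raw log lines into (timestamp, pid, message) tuples; non-dhcp6c lines are skipped.

    Syslog stamps carry no year, so one is supplied (assumed) to build a datetime.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m.group(1).split())  # collapse "Nov  5" to "Nov 5"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3)))
    return events


def analyze(events, max_gap=10, min_failures=3):
    """Summarise the Solicit cycle.

    A healthy client sends one Solicit, gets its lease and goes quiet until
    renewal. Repeated Solicits a few seconds apart, each answered with
    "status code for NA-0: no addresses", mean the server keeps refusing the
    IA_NA (address) part of the request: the pattern the post describes.
    """
    solicits = [ts for ts, _, msg in events if msg == "Sending Solicit"]
    failures = sum(1 for _, _, msg in events
                   if msg.startswith("status code for NA-0: no addresses"))
    gaps = [(b - a).total_seconds() for a, b in zip(solicits, solicits[1:])]
    tight = sum(1 for g in gaps if g <= max_gap)
    looping = failures >= min_failures and tight >= min_failures - 1
    return {
        "solicits": len(solicits),
        "na_failures": failures,
        "median_gap": sorted(gaps)[len(gaps) // 2] if gaps else None,
        "looping": looping,
        "hint": ("IA_NA is never satisfied; the upstream appears to hand out a prefix only. "
                 "Try 'Request only an IPv6 prefix' on the WAN DHCP6 client."
                 if looping else "no Solicit loop detected"),
    }


if __name__ == "__main__":
    for key, value in analyze(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{key}: {value}")
```

Feed it the output of Status > System Logs > DHCP (or /var/log/dhcpd.log on 2.4.x) line by line; only the dhcp6c lines are considered, so dhcpd and dhcpleases noise in the same file is ignored.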

  • can you update unbound on the current version of Pfsense

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    That will be the upcoming release of 2.5.0 I guess.
    That version is based on FreeBSD 12, and will probably include most of the new stuff.

  • DHCPv6 Prefix Delegation and Track Interface

    4
    0 Votes
    4 Posts
    579 Views
    DerelictD

    Well you have to split up the last 4 bits (the last hex character) on bit boundaries with a /60. You have:

    2 /61s :0c00: and :0c08: (8 /64s each)
    4 /62s : :0c00: :0c04: :0c08: :0c0c: (4 /64s each)
    8 /63s :0c00: :0c02: :0c04: :0c06: :0c08: :0c0a: :0c0c: :0c0e: (2 /64s each)
    16 /64s :0c00: - :0c0f:

    You should be able to use, say, 0c00 - 0c07 for tracked interfaces (the DHCP "pool" addresses will be out of the appropriate one on that interface) and set the prefix delegation to /64 or /63 or /62 using aaaa:bbbb:cccc:0c08:: - aaaa:bbbb:cccc:0c0f::

    Note I have never tried to do a PD out of a PD.

    IPv6 is much easier to grok if you don't have to split individual hex address digits on their inside bit-boundaries. No choice in the matter with such an unreasonably-stingy, clueless ISP.

    Personally, I would use an HE.NET tunnel and their /48 routed prefix.
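The split above is just counting in the low nibble of the fourth hextet. As an added example (not code from the thread), the script below reproduces the post's table for the placeholder prefix aaaa:bbbb:cccc:0c00::/60 with the standard library's ipaddress module, and carries the suggestion through: the lower /61 is carved into /64s for tracked interfaces and the upper /61 becomes the pool for downstream prefix delegation. It works for any delegated length, not only /60; the prefix and the lower/upper split are taken from the post, everything else is this example's own.

```python
"""Carve a delegated IPv6 prefix on bit boundaries, as the post lays out.

Added example, not code from the thread. aaaa:bbbb:cccc:0c00::/60 is the
placeholder the post uses; the split (lower /61 for tracked LANs, upper /61
as a downstream PD pool) follows the post's suggestion.
"""
import ipaddress

DELEGATED = ipaddress.IPv6Network("aaaa:bbbb:cccc:0c00::/60")


def carve(prefix, new_len):
    """All sub-prefixes of `prefix` of length `new_len` (must be longer than `prefix`)."""
    return list(prefix.subnets(new_prefix=new_len))


def fourth_hextet(net):
    """Fourth 16-bit group, zero-padded, e.g. '0c08'. With a /60 only its last hex digit varies."""
    return net.network_address.exploded.split(":")[3]


def table(prefix):
    """Mirror the post's listing: for each length, the fourth hextets and how many /64s each holds."""
    rows = {}
    for length in range(prefix.prefixlen + 1, 65):
        subs = carve(prefix, length)
        rows[length] = ([fourth_hextet(s) for s in subs], 2 ** (64 - length))
    return rows


def plan(prefix, tracked_count, pd_len):
    """Lower half -> /64s for tracked interfaces; upper half -> PD pool of pd_len blocks."""
    lower, upper = carve(prefix, prefix.prefixlen + 1)
    lan = carve(lower, 64)
    if tracked_count > len(lan):
        raise ValueError(f"only {len(lan)} /64s available in {lower}")
    return lan[:tracked_count], carve(upper, pd_len)


def containing(prefix, net, length):
    """Which `length`-sized block of `prefix` holds `net` (e.g. which /62 a given /64 sits in)."""
    return next(s for s in carve(prefix, length) if net.subnet_of(s))


if __name__ == "__main__":
    for length, (groups, per) in table(DELEGATED).items():
        print(f"{len(groups)} /{length}s: {' '.join(groups)} ({per} /64s each)")
    lan, pool = plan(DELEGATED, 8, 62)
    print("tracked interfaces:", [str(n) for n in lan])
    print("PD pool:", [str(n) for n in pool])
```

The ValueError in plan() is the check worth having: asking for nine tracked /64s out of the lower /61 silently overlaps the PD pool if nothing stops it, which is exactly the kind of mistake a stingy delegation invites.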

  • DNS Level Google Safe Browsing

    11
    0 Votes
    11 Posts
    1k Views
    ?

    Of course adding this feature to pfBlockerNG is fine too. Google Safe Browsing is one of the most advanced and best Malware lists currently available and it's free. Not using this resource is a complete waste of. Most free blocking lists aren't good and even combining several of them can never reach Google.

  • 4G Modem Setup

    2
    0 Votes
    2 Posts
    348 Views
    JKnottJ

    @Peter847

    Fire up Packet Capture to see what's happening. Then we might have a clue.

  • 0 Votes
    4 Posts
    375 Views
    J

    Thanks! I followed your second recommendation and just put the resolver in forwarding mode as that seemed the easiest and is working as expected!

  • Multiple MAC to single IP

    4
    0 Votes
    4 Posts
    600 Views
    C

    So I had a look at how sysctl is set up for arp caching

    The cli command:
    sysctl -n net.link.ether.inet.max_age

    Gives:

    net.link.ether.inet.max_age: 1200

    So that means that an ARP entry will stay in the cache for 20 minutes. To change it to 20 seconds:
    sysctl -w net.link.ether.inet.max_age=20

    Once you reboot it will get reset.

    Maybe test with that and see if it is along the lines of what you want to do. Otherwise I've completely misunderstood and should be ignored.

    ** I have no idea on what impact doing this would have on the performance of your device **

    Reference:
    https://www.freebsd.org/cgi/man.cgi?query=arp&apropos=0&sektion=4&manpath=FreeBSD+11.3-RELEASE&arch=default&format=html

  • Dnsmasq: failed to send packet: Host is down error

    15
    1 Votes
    15 Posts
    14k Views
    B

    The workaround of selecting 'All' interfaces no longer works; pfsense now explicitly adds --server arguments for every interface when 'All' is selected. As such dnsmasq will complain when one or more of those are actually down.

  • [SOLVED] Need to ignore DHCP offered default gateway

    2
    0 Votes
    2 Posts
    623 Views
    awebsterA

    Replying to myself so that others can benefit...

    Check Advanced Configuration under DHCP Client Configuration
    In the Lease Requirements and Requests section, set the following Request options
    subnet-mask, broadcast-address, time-offset, domain-name, domain-name-servers, interface-mtu
    I specifically left out the Request option routers so the Lease request will not contain that information, and therefore no default gateway will be received and used.

  • Redirect DNS and Proxy NIP squid

    2
    0 Votes
    2 Posts
    106 Views
    No one has replied
  • Non-TLS DNS Leaks when PFsense looks up host alias(es)

    10
    0 Votes
    10 Posts
    705 Views
    DerelictD

    It is also pretty useless to use DNSSEC when forwarding. Since you don't get signature information all the way from the roots, you are blindly trusting whatever the forwarding server gives you.

  • afraid.org - how to get pfsens update WAN ip

    3
    0 Votes
    3 Posts
    337 Views
    M

    @johnpoz said in afraid.org - how to get pfsens update WAN ip:

    AWEFHAWFUWHEFIOWHE (the token extracted from the direct ur

    @johnpoz Thanks for the info. The token from the URL, I don't find this URL?
    I find this:

    http://[USERNAME]:[PASSWORD]@freedns.afraid.org/nic/update?hostname=[DOMAIN]&myip=[IP]

    (generic, that there is nothing hidden from my copy/paste above)

  • This topic is deleted!

    2
    0 Votes
    2 Posts
    106 Views
  • DNS over TLS issues with Resolver

    3
    0 Votes
    3 Posts
    431 Views
    M

    I’ve been trying to get DoT working today, and 149.112.112.112 gives invalid signatures when checked using https://dnssec.vs.uni-due.de
    Only 9.9.9.9 by itself, or servers from cloudflare get a "thumbs up."

    This may not be your issue, but "your mileage may vary."

  • Feature request: display denied devices in dhcp leases display

    1
    1 Votes
    1 Posts
    81 Views
    No one has replied
  • DNS Resolver - SSL Handshake Fail/Server Cert Fail

    11
    0 Votes
    11 Posts
    2k Views
    R

    OMG.. That was it! I'm SOO happy that worked!!
    THANK YOU SOO SOO MUCH!! The community support here ROCKS!


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.