• multiLans with different DHCP

    4
    0 Votes
    4 Posts
    242 Views
    A
    @SteveITS One more great thanks! You directed me in the right way of solving the problem! After manually configuring the actual version of pfSense from scratch, the troubles went away like a nightmare; pfSense is working fine as usual.
  • So many Issues with Kea DHCP

    3
    0 Votes
    3 Posts
    1k Views
    J
    @Rockyuk said in So many Issues with Kea DHCP: After reading some posts in here and from my own experiences trying to use Kea DHCP this is not production ready at all. I tried using it with a fresh install of pfSense and while streaming and gaming it just shut down and stopped providing traffic to my VLANs. After reviewing the logs it kept restarting constantly which stopped all traffic. I switched back to ISC DHCP (Deprecated). Which was stable and have had no issues since. If developers are reading these posts please do not stop ISC DHCP (Deprecated) until Kea DHCP is just as stable. At the moment it seems a long way off. Kea DHCP is having some issues right now. It's best to use ISC DHCP, which works well until Kea gets better and is as stable as ISC.
  • KEA DHCP issue with PXE boot using FOG

    5
    0 Votes
    5 Posts
    655 Views
    AlanesiA
    @Gertjan said in KEA DHCP issue with PXE boot using FOG: My estimation : 2028 ? Or 2029 ... I'm not sure. This is good enough. Hopefully, Kea will be ready by this time.
  • Some doubts about 'Router Advertisements' !!

    9
    0 Votes
    9 Posts
    2k Views
    D
    @JKnott No, I have a basic NETGEAR POE four port switch. Although, my Ruckus APs support VLAN.
  • Modify unbound rebind protection

    14
    0 Votes
    14 Posts
    2k Views
    D
    @SteveITS said in Modify unbound rebind protection: Might be the first time I’ve seen it used. I was completely clueless and it hadn't affected any other incoming mail as far as I am aware. So I guess it is an infrequently used SPF mechanism. Thanks for the help here and elsewhere.
  • DNS Resolver and DNS Forwarder not working as expected.

    13
    0 Votes
    13 Posts
    2k Views
    S
    @N8LBV In the default config DNS Resolver goes straight to the root servers and looks up the hostname (name server for .com, then name server for example.com, then www.example.com). Since the root servers don't know about your internal domain they would presumably return that it doesn't exist. If you enable forwarding then it contacts the configured DNS server(s) only. In your case since that server knows about your internal domain it can answer. I misunderstood this was an internal/second-level (whatever the name) router I think. A Domain Override would apply in a situation like a Windows Server domain and pfSense has "local.lan" pointing to the Windows Server IP for DNS.
  • No Internet access to LAN2

    19
    0 Votes
    19 Posts
    2k Views
    V
    @Gertjan said in No Internet access to LAN2: So, set up pi-hole that it should consider both 192.168.1.0/24 and 192.168.100.0/24 as 'local' +++need set local CIDR! 192.168.0.0/16
  • 24.03 RC Kea not starting after upgrade from 23.09.1

    2
    0 Votes
    2 Posts
    190 Views
    I
    Unfortunately, the PHP warnings were a red herring. The Kea server still doesn't run after fixing PHP. I don't see any messages in the /var/log files from kea. In case others are having the same PHP issue, here's how I fixed it: It looks like the PHP issue was a problem updating icu during the upgrade from 23.09 to 24.03. I resolved the PHP warnings by reinstalling icu from the terminal.
        pkg unlock icu
        pkg delete -f icu
        pkg install -yf icu
    During the uninstall, it became clear that version icu-73 was still installed. Once reinstalled, I had the proper icu-74 version.
  • Diagnostic and resolve dns lookup

    7
    0 Votes
    7 Posts
    367 Views
    frankzF
    @Gertjan I resolved it by changing the DNS Resolver from transparent to static.
  • ISC DHCP server handing out the same IP address to multiple clients

    4
    0 Votes
    4 Posts
    397 Views
    J
    Thanks both. That has been the pointer I needed! Looking back in my pcaps, I do see that there is a "Client ID" set in all of the discovers and that it's the same in every one! These VMs are not clones, they are unique OVA deploys. However, some further digging has unearthed that this OVA is based on Ubuntu which generates its DHCP Client ID from /etc/machine-id which has mistakenly not been blanked in the OVA disk image! Easy enough bug to fix as it's an OVA we build.
  • TFTP individual boot-files

    2
    0 Votes
    2 Posts
    156 Views
    S
    @saxandl I found the bug! This option only works in ISC DHCP mode, NOT in the new Kea DHCP.
  • Unable to see clients DHCP leases

    3
    0 Votes
    3 Posts
    406 Views
    GertjanG
    @talm said in Unable to see clients DHCP leases: Currently I can't see the DHCP leases of the wireless clients on the pfSense Status -> DHCP leases tab Get a device, disconnect the wifi, and reconnect the wifi. While doing this, look at the place where you can find the answers: Status > System Logs > DHCP. Example: I connect my phone, and refresh the DHCP log page. The MAC of my phone is shown, and the IP my phone obtained. Btw: if you see nothing of all this, then that's also a valid answer. It means that the DHCP request never reached pfSense, and that some other DHCP server handled the request. This is typically not what you want of course. Have a talk with the admin of the aruba device ^^ @talm said in Unable to see clients DHCP leases: switch are not shown as up/active This info isn't showing if the device is using its IP - is active - but more if pfSense has the IP in its active ARP cache. See: Diagnostics > ARP Table
  • All Devices use DNS Resolver and General Setup except select IPs?

    11
    0 Votes
    11 Posts
    1k Views
    A
    @Gertjan Yes, the PC is connected to the WAN, not NordVPN. My public IP address is the real one. However, DNS queries are sent to NordVPN's DNS servers via the NordVPN gateway per the DNS resolver. Below are the results of the DNS leak test for this PC. When I ran this DNS leak test on the PC that is connected to the NordVPN gateway, I got the same results. Anyhow, for whatever reason, Evernote won't load on my PC (connected to the WAN interface). However, if I turn on the NordVPN desktop app, which is set to split tunnel and only the Evernote app is routed through the VPN, it starts to work. This makes no sense to me, since I assume the NordVPN desktop app will use the NordVPN DNS servers once it connects to the VPN. FYI, I went into the DHCP static settings for my echo devices and set the DNS servers to Google, and they are all up and running now. I can only assume that these are lingering issues with NordVPN per the link you previously provided.
  • Kea DHCP does not give new IP addresses

    4
    0 Votes
    4 Posts
    2k Views
    S
    @pfsense57352 I agree the wording could have been different. It is labeled as a feature preview in the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available
  • DNS failures

    3
    0 Votes
    3 Posts
    184 Views
    S
    @SteveITS -- thanks! I upgraded to 2.7.2 and disabled DNSSEC and everything is looking good so far. Much appreciated!!
  • Why do only Specific Sites Timeout?

    2
    0 Votes
    2 Posts
    178 Views
    S
    @Zosh-0 If you have DNS Resolver set to forward, uncheck DNSSEC. It can cause false failures if forwarding. reference: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/#instructions
  • DNS not The one set in general settings

    3
    0 Votes
    3 Posts
    377 Views
    F
    @viragomann Thanks for that! Been struggling with the Nord setup for days now - hadn't used this system in a year, and after Nord's forced change of password and username the VLAN VPN stopped working - OpenVPN was connected but probably having a DNS issue. Finally got it working - except for the correct DNS server - like everyone else, I found the Nord support not very supportive. All I required is for the Nord VLAN to use the Nord DNS as set in the general settings (but any changes I made to fix it just stopped it working). I just get Comcast DNS responding; Nord is ignored. So nowhere near a solution. Thanks for the link.
  • Netgate 6100 LAN switch config

    4
    0 Votes
    4 Posts
    566 Views
    M
    @morrisonken-a said in Netgate 6100 LAN switch config: How then might I configure so that clients on either of the 4 LAN are visible to each other? Can a VLAN span all four ports? The only way of doing that is to configure a bridge, which I don't recommend. I would just connect a switch to one of the SG-6100 ports and set the vlans there. SG-6100 would route between VLANs, such as a router on a stick topology. You can set a LAGG group between the switch and the SG-6100 also.
  • Wireguard force to use own dns server

    6
    0 Votes
    6 Posts
    699 Views
    V
    @Antibiotic No, I just use pfBlockerNG on pfSense with a few lists.
  • DHCP reservations via Ansible

    2
    0 Votes
    2 Posts
    316 Views
    H
    Just in case anyone else is interested, I found pfsensible, seems to work well.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.