• DDNS service for TLD

    3
    0 Votes
    3 Posts
    259 Views

    @johnpoz You're correct - I misspoke. Just finished setting up cloudflare - pretty easy to do. I had overlooked that they had a free offering for just DNS.

    Thanks for the feedback.

  • Status / DHCP Leases

    4
    0 Votes
    4 Posts
    289 Views

    @maverickws said in Status / DHCP Leases:

    Wouldn't it make sense to add a default sort option here?

    Indeed it would. I suggest you submit this as a feature request or flag it as a possible bug.

    Ted

  • How to specify client's DNS Servers after being filtered by pfBlockerNG?

    3
    0 Votes
    3 Posts
    343 Views

    @johnpoz Currently I have it set up so every client gets filtered by pfblocker then uses CloudFlare DNS specified in general settings.

    What I am trying to accomplish is for this particular client to get filtered by pfblocker, then use a different DNS server than CloudFlare (say Google for testing purposes). I still want everyone else to use CloudFlare.

    If possible, I would also like this particular client to not use unbound to resolve any cached DNS queries but still have pfblocker filter it.

  • Facing issues with DHCP and multiple APs.

    5
    0 Votes
    5 Posts
    371 Views

    @SteveITS Sadly same issue on the old backend as well.

  • DDNS Cloudflare suddenly broke

    3
    0 Votes
    3 Posts
    663 Views
    johnpoz

    @IzaacJ

    I am using cloudflare ddns - I just did a forced update of one of them, and don't see any issues.

    cloudflare.jpg

  • How to make DHCP lease time for a long period?

    6
    0 Votes
    6 Posts
    3k Views
    johnpoz

    ^ exactly..

    While I am a fan of longer lease times in my setup, why would you want more traffic for no reason.. I think I have my lease currently at 7 days..

    Let's say you have 200 IPs to hand out.. How many clients do you have? If only a few it shouldn't ever be a problem, even if you had a 2 hour lease, and some box was off for 6 months.. Now if you have in total 210 clients, then yeah you can have problems if your leases are too long, or you could get clients switching IPs.

    Once a device gets a lease, it should maintain that IP going forward, since it will just renew it at the 50% mark of its lease..

    And let's say you turn that off for a long time, when it comes back that lease should still be there even if it expired and the client should get that same IP back, even if it doesn't specifically ask for that IP in its request..

    The only time you could see a problem is if you have a bunch of clients, more than your pool size and you have some lease that expired and some new client comes on and the dhcpd says oh shoot I don't have any free leases, let me start handing out expired leases..

    Normally dhcpd will run through all its free leases before it starts to look into expired leases to re-issue.

    You should notice this as your IPs either count up from the low end of the lease 1, 2, 3 etc.. or it counts down 254, 253, 252 etc.

    One problem I can see with really long leases, is the client is normally not going to get any changes or new things you might have added to the dhcp scope.. Let's say you had a 30 day lease, and you say changed the dns server your clients should use.. Possible you have clients that don't get that new info for 15 days..

    Also I am a fan of reservations - if I want to make sure client X always has 1.2.3.4, I just set a reservation for that client. Doesn't matter if he is off 1 hour, or 30 days.. That client will always get 1.2.3.4 from the dhcpd.. And the dhcpd will not hand that IP out to anyone else..

  • KEA DHCP NTP server option behavior

    9
    0 Votes
    9 Posts
    2k Views
    Sergei_Shablovsky

    @Gertjan Thank You so much for efforts!

    BTW, ISC Stork for BIND 9 and KEA services state monitoring looks like great tool!

  • Failover peer IP option on kea dhcp

    14
    0 Votes
    14 Posts
    2k Views

    @SteveITS said in Failover peer IP option on kea dhcp:

    @michmoor Tbf the 2.7.2 release notes could say it’s still a preview/alpha and point to the 2.7.1 release notes.

    FWIW I did put in doc feedback. The answer was, the "new features" section of the release notes is for "new" features and Kea is not "new" in 2.7.2.

  • DHCPv6 / Routeradvertisement seems not to work / not to work correct

    14
    0 Votes
    14 Posts
    1k Views

    I found the problem 😕

    After spending lots of time/effort searching in the wrong direction, I found the problem.

    The option ^Block Unknown Multicast Address^ in a relatively old 1G switch, in front of my PC, seems to have blocked IPv6.
    Strange that I did not notice that in the past.

    Whatever, disabling that option and switching the NIC off and on fixed the problem.

  • Dynamic DNS & Namecheap

    40
    0 Votes
    40 Posts
    22k Views
    Sergei_Shablovsky

    Not directly linked to NameCheap, but may be useful for most users here:

    Dynamic DNS with Cloudflare DNS

  • DNS Hostnames not Resolving

    3
    0 Votes
    3 Posts
    283 Views

    @johnpoz Do I need to have a site setup or can I use the local DNS suffix for the domain? Also, how do I check if my DNS is unbound?

  • New pfSense setup in existing UniFi Setup

    5
    1 Votes
    5 Posts
    1k Views
    keyser

    @Lace pfSense will do incoming and outgoing in much more detail and with more advanced filtering options than USG will ever do ;-)
    If you use the assistance of pfBlockerNG, you can GEO block countries, lists of known offenders and what not in both inbound and outbound directions.

    But sure you can use both - although it is a complicated setup with more failure options.

  • Unbound preferred hostname for the ptr in host overrides

    4
    0 Votes
    4 Posts
    500 Views

    @darcey Looking at unbound_add_host_entries() and unbound_generate_zone_data() in /etc/inc/unbound.inc:
    If I am not mistaken, dns records are first generated for hostnames that have the system domain. Therefore, the ptr will always be assigned the first hostname encountered with a system domain. If so, that explains the behaviour I see and the order of entries in /var/unbound/host_entries.conf.

  • New Update Package DNS problem

    11
    0 Votes
    11 Posts
    867 Views
    Gertjan

    These regular log lines, every 12 hours or so, are normal for unbound:

    @jason001 said in New Update Package DNS problem:

    Feb 5 07:39:54 unbound 48775 [48775:1] info: generate keytag query _ta-4f66. NULL IN
    Feb 5 07:39:54 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
    Feb 5 19:22:11 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
    Feb 6 07:11:56 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
    Feb 6 18:13:22 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN

    What they mean: the DNSSEC 'main' key is refreshed. See it as the heartbeat of unbound.
    I've the same thing ( reverse order ) :

    fa207075-c832-4f58-bbc0-660508bdcfb1-image.png

    When unbound is told to restart, you see this :

    Feb 6 19:45:53 unbound 48775 [48775:0] info: service stopped (unbound 1.18.0).

    and right after this line you see a lot of statistics (more or less useful) logged.

    Keep in mind that pfSense never stops unbound, as this leaves the system without DNS.
    pfSense always stops it - then there is a 10 sec (or so) wait period, and then it starts it.
    This sequence is a restart.
    The admin could stop unbound, for whatever reason, using the GUI, for example by using this button :

    bc31b106-b092-4457-8df8-781a52ebf8de-image.png

    A reason might be : stop unbound, and set up dnsmasq, the forwarder, and use that one instead.

    To inform pfSense that unbound shouldn't be (re)started anymore, during boot or at any time, you have to uncheck this option :

    08ffc90e-ae56-4acf-95df-58a21f8ff320-image.png

    and then set up the forwarder, dnsmasq :

    2c956d3e-1389-4210-8d88-46b10314cc9a-image.png

    So, your logs you've shown above don't show everything, as it ends while unbound was dumping statistics to the log.
    It should be followed by a

    2024-02-12 00:15:28.241637+01:00 unbound 51151 [51151:0] info: start of service (unbound 1.18.0).

    if this - as shown :

    e1150537-8f36-4143-821d-6eef1316848c-image.png

    was really the end of the logs, nothing more was added, then something really bad has happened.
    Like unbound process died on the spot. That's not normal at all.

  • DHCP IPv6 reservations for multiple interfaces

    5
    0 Votes
    5 Posts
    420 Views
    BiloxiGeek

    @JKnott I see what you're saying and I suppose I could say that I don't have an actual need for DHCPv6 but I'd like to be able to handle address allocation from one central location. So setting up addresses on all my devices from DHCP is the logical way to go. I've implemented a somewhat predictable (for me anyway) scheme for addresses across this network so relying on SLAAC doesn't fit that model.

  • dhcp issues 2 ip addresses to same computer on same subnet

    20
    0 Votes
    20 Posts
    1k Views
    JKnott

    @cd said in dhcp issues 2 ip addresses to same computer on same subnet:

    Is that a problem switch?

    Yes, though it may depend on the firmware version. I believe @johnpoz can advise better.

  • DHCP Issues

    9
    0 Votes
    9 Posts
    747 Views

    @SteveITS Thank you!! I haven't had time to go read it (I will)
    I actually just set the Synology to hand out one address to one MAC address.
    I will let the 3100 do the rest.
    The good news is that I will get the reports from the device.
    My guess, the NIC in the device is not up to speed or there is a piece missing in the KEA DHCP services.
    Something isn't matching up. Just not sure how I can submit a bug report. I don't have enough info on the board.

  • DDNS CLOUDFLARE don't work (homelab)

    6
    0 Votes
    6 Posts
    491 Views
    johnpoz

    @rec-br9 glad to hear, yeah trying to use proxied mode with some non standard port is prob going to be very problematic ;)

  • Host override & NAT

    19
    0 Votes
    19 Posts
    1k Views

    @Alek said in Host override & NAT:

    I'm trying to do a complete VLAN isolation, no internal traffic allowed.

    That makes no sense. If you allow a client device access to a server, it's pretty much the same thing if it uses the internal or the public IP.

    And, FIDO type keys don't work when I pass by internal IP while they do if I pass by WAN.

    Maybe it's bound to a certain IP, whatever...

    So the first step is to take care that the host name resolves to the public IP. You said you did this already, but the recent screenshot shows that it is resolving to the private one in fact.

  • Switch to Kea DHCP in pfSense+

    5
    0 Votes
    5 Posts
    1k Views

    @jcyr https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available
    “Netgate developers have started the migration to Kea DHCP server from ISC as a replacement for ISC DHCPD for IPv4 and IPv6 DHCP service. Basic functionality is present, but not all features are supported at this time.”

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.