  • KEA DHCP NTP server option behavior
    0 Votes, 9 Posts, 2k Views
    Sergei_Shablovsky: @Gertjan Thank you so much for your efforts! BTW, ISC Stork for BIND 9 and KEA service state monitoring looks like a great tool!
  • Failover peer IP option on kea dhcp
    0 Votes, 14 Posts, 2k Views
    S: @SteveITS said in Failover peer IP option on kea dhcp: @michmoor Tbf the 2.7.2 release notes could say it’s still a preview/alpha and point to the 2.7.1 release notes. FWIW I did put in doc feedback. The answer was, the "new features" section of the release notes is for "new" features and Kea is not "new" in 2.7.2.
  • DHCPv6 / Router advertisement seems not to work / not to work correctly
    0 Votes, 14 Posts, 1k Views
    L: I found the problem. After spending lots of time/effort searching in the wrong direction, I found the problem. The option "Block Unknown Multicast Address" in a relatively old 1G switch in front of my PC seems to have blocked IPv6. Strange that I did not notice that in the past. Whatever, disabling that option and switching the NIC off and on fixed the problem.
  • Dynamic DNS & Namecheap
    0 Votes, 40 Posts, 23k Views
    Sergei_Shablovsky: Not directly linked to NameCheap, but may be useful for most users here: Dynamic DNS with Cloudflare DNS
  • DNS Hostnames not Resolving
    0 Votes, 3 Posts, 295 Views
    D: @johnpoz Do I need to have a site setup or can I use the local DNS suffix for the domain? Also, how do I check if my DNS is unbound?
  • New pfSense setup in existing UniFi Setup
    Tags: unifi dhcp
    1 Votes, 5 Posts, 1k Views
    keyser: @Lace pfSense will do incoming and outgoing in much more detail and with more advanced filtering options than USG will ever do ;-) If you use the assistance of pfBlockerNG, you can GEO block countries, lists of known offenders and what not in both inbound and outbound directions. But sure you can use both, although it is a complicated setup with more failure options.
  • Unbound preferred hostname for the ptr in host overrides
    0 Votes, 4 Posts, 554 Views
    D: @darcey Looking at unbound_add_host_entries() and unbound_generate_zone_data() in /etc/inc/unbound.inc: If I am not mistaken, DNS records are first generated for hostnames that have the system domain. Therefore, the PTR will always be assigned the first hostname encountered with a system domain. If so, that explains the behaviour I see and the order of entries in /var/unbound/host_entries.conf.
  • New Update Package DNS problem
    0 Votes, 11 Posts, 968 Views
    Gertjan: These regular log lines, every 12 hours or so, are normal for unbound. @jason001 said in New Update Package DNS problem:
      Feb 5 07:39:54 unbound 48775 [48775:1] info: generate keytag query _ta-4f66. NULL IN
      Feb 5 07:39:54 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
      Feb 5 19:22:11 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
      Feb 6 07:11:56 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
      Feb 6 18:13:22 unbound 48775 [48775:0] info: generate keytag query _ta-4f66. NULL IN
    What they mean: the DNSSEC 'main' key is refreshed. See it as the heartbeat of unbound. I have the same thing (reverse order): (screenshot omitted)
    When unbound is told to restart, you see this:
      Feb 6 19:45:53 unbound 48775 [48775:0] info: service stopped (unbound 1.18.0).
    and right after this line you see a lot of statistics (more or less useful) logged. Keep in mind that pfSense never stops unbound, as this leaves the system without DNS. pfSense always stops it, then there is a 10 sec (or so) wait period, and then it starts it. This sequence is a restart. The admin could stop unbound, for whatever reason, using the GUI, for example by using this button: (screenshot omitted) A reason might be: stop unbound, and set up dnsmasq, the forwarder, and use that one instead. To inform pfSense that unbound shouldn't be (re)started anymore, during boot or at any time, you have to uncheck this option: (screenshot omitted) and then set up the forwarder, dnsmasq: (screenshot omitted)
    So, the logs you've shown above don't show everything, as they end while unbound was dumping statistics to the log. It should be followed by a
      2024-02-12 00:15:28.241637+01:00 unbound 51151 [51151:0] info: start of service (unbound 1.18.0).
    If this, as shown (screenshot omitted), was really the end of the logs and nothing more was added, then something really bad has happened, like the unbound process died on the spot. That's not normal at all.
  • DHCP IPv6 reservations for multiple interfaces
    0 Votes, 5 Posts, 457 Views
    BiloxiGeek: @JKnott I see what you're saying and I suppose I could say that I don't have an actual need for DHCPv6, but I'd like to be able to handle address allocation from one central location. So setting up addresses on all my devices from DHCP is the logical way to go. I've implemented a somewhat predictable (for me anyway) scheme for addresses across this network, so relying on SLAAC doesn't fit that model.
  • dhcp issues 2 ip addresses to same computer on same subnet
    0 Votes, 20 Posts, 1k Views
    JKnott: @cd said in dhcp issues 2 ip addresses to same computer on same subnet: Is that a problem switch? Yes, though it may depend on the firmware version. I believe @johnpoz can advise better.
  • DHCP Issues
    0 Votes, 9 Posts, 800 Views
    W: @SteveITS Thank you!! I haven't had time to go read it (I will). I actually just set the Synology to hand out one address to one MAC address. I will let the 3100 do the rest. The good news is that I will get the reports from the device. My guess, the NIC in the device is not up to speed or there is a piece missing in the KEA DHCP services. Something isn't matching up. Just not sure how I can submit a bug report. I don't have enough info on the board.
  • DDNS CLOUDFLARE don't work (homelab)
    0 Votes, 6 Posts, 523 Views
    johnpoz: @rec-br9 glad to hear, yeah trying to use proxied mode with some non standard port is prob going to be very problematic ;)
  • Host override & NAT
    0 Votes, 19 Posts, 1k Views
    V: @Alek said in Host override & NAT: I'm trying to do a complete VLAN isolation, no internal traffic allowed. That makes no sense. If you allow a client device access to a server, it's pretty much the same thing whether it uses the internal or the public IP. And, FIDO type keys don't work when I pass by internal IP while they do if I pass by WAN. Maybe it's bound to a certain IP, whatever... So the first step is to make sure that the host name resolves to the public IP. You said you did this already, but the recent screenshot shows that it is resolving to the private one in fact.
  • Switch to Kea DHCP in pfSense+
    0 Votes, 5 Posts, 1k Views
    S: @jcyr https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available “Netgate developers have started the migration to Kea DHCP server from ISC as a replacement for ISC DHCPD for IPv4 and IPv6 DHCP service. Basic functionality is present, but not all features are supported at this time.”
  • Sharing HAProxy front-end for both public and local domains, possible?
    0 Votes, 2 Posts, 567 Views
    bthoven: ok. I have done it with the following broad steps on pfSense:
    1. Create a Let's Encrypt certificate for *.home.mydomain.com.
    2. Create a virtual IP, e.g. 10.255.0.1 (Firewall-->Virtual IP).
    3. HAProxy:
       3.1 Add listening ip:port 10.255.0.1:443 below the WAN Address:443 (where all front-end acl/actions are defined for public subdomains).
       3.2 Add listening ip:port 10.255.0.1:80 with action http redirect to https, below the WAN Address:80 http redirect to https.
       3.3 Add the additional certificate created in step 1 for *.home.mydomain.com.
    4. Services--->DNS Resolver:
       4.1 Hosts Override: add the first host with hostname the same as one of the public subdomains + home.mydomain.com ---> 10.255.0.1.
       4.2 Edit the first host above --> additional names for this host --> add more hosts below the first host + home.mydomain.com.
    How this setup works:
    - Enter url ebook.mydomain.com (public url): look up the pfSense DNS resolver, no matching domain, then use upstream DNS (e.g., Quad9 or Cloudflare DNS or your ISP DNS servers); Quad9 found my WAN IP from Cloudflare DNS (or any authoritative DNS server): cloudflare ---> my WAN IP (pfSense) ----> HAProxy --> redirect from http to https ---> front-end ---> backend ---> local servers.
    - Enter url ebook.home.mydomain.com (local url): look up the pfSense DNS resolver, found hosts override entry ebook.home.chotechai.com ---> 10.255.0.1, go direct to HAProxy listening ip 10.255.0.1 --> redirect from http to https ---> front-end ---> backend ---> local servers.
    I am not an expert and do not claim this is the right way, but it works for me. Any recommendations are welcome.
    Update: I found that by using a Virtual IP, my Tailscale clients can't reach hosts on home.mydomain.com. Instead, using LAN Address on the HAProxy front-end, and the LAN interface IP, e.g. 192.168.1.1, for the host override has solved the problem.
    Screenshots (omitted): Services --> Acme; Firewall --> Virtual IPs; Services --> HAProxy --> Front-ends; DNS Resolver --> Hosts Override.
  • Error with Route53 Dynamic DNS ipv6 update
    0 Votes, 1 Posts, 147 Views
    No one has replied
  • pfSense using DNS Servers Not Listed in Config
    0 Votes, 3 Posts, 396 Views
    M: @johnpoz said in pfSense using DNS Servers Not Listed in Config: @mdt you're more than likely looking in the wrong place.. look to your browser.. that you're running your dns leak test from.. Sniff the lan interface of pfsense when you go doing this dns leak test.. Browsers love to do doh on their own to circumvent your local dns.. So you can see exactly what your client is asking for and who they are talking to.. That was it. Thank you!
  • Pinging local computer name resolves to WAN IP.
    0 Votes, 2 Posts, 301 Views
    johnpoz: @r2the3rd said in Pinging local computer name resolves to WAN IP.: I am using my purchased domain name in general setup. That is going to be problematic out of the gate, with caveats that have to be taken into account.. Registering dhcp clients has always been problematic since it requires a restart of unbound on every dhcp event. If you want host.domain.tld to resolve to a local IP, creating a local entry is the most sure-fire way to make sure the fqdn resolves to the IP you want. If you switched over to kea then registration isn't a thing yet..
  • DNS broke, 127.0.0.1 and the others too!
    0 Votes, 11 Posts, 855 Views
    R: @reberhar So the problem with DNS was the FO modem. It was a really weird problem. Both the primary server and the secondary server were connected to the FO modem via a switch. They both came in through one port from the switch. The primary was getting DNS fine. The secondary was not, although connected with the ability to ping numbers. Moving the secondary to the second port on the modem gave DNS. Of course this should not be. Perhaps there is a bug in the software of the modem. I moved between ports and saw DNS go away on the secondary and come back when I moved the ethernet cable connection. DNS was lost and regained accordingly, but I never lost Internet connection. It sounds like a firewall problem on the modem, but there doesn't seem to be any way to access the modem firewall.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.