@IBP You can isolate ports to create different networks: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

@johnpoz said in KEA DHCP Dont resolve a.ntp.br: prob even wager my left nut ;) hahah oh man dont do that

(Already made a separate thread, when I saw this thread, just to be complete adding my crash here also) With 2.7.1. release I have switched to KEA DHCP and today it it crashed. The only thing I can trace back (logs have 500 max entries) that service watchdog detected service kea-dhcp4 stopped. Restarting kea-dhcp4 (KEAS DHCP server) and this is repeated so many times that it clogged the logs, until I did a reboot of pfSense.

@JustAnotherUser talking about the arp table on pfsense - the router.. did you notice the different IPs for what came back from my snmpwalk.. And that is just the small section of it.

@ndemarco Uh, this is resolved. I had chosen, for the DDNS provider CloudFlare v6 not realizing the fairly obvious fact that "v6" portion wasn't the version of CloudFlare DDNS protocol. It is a short reference to IPv6. After selecting the correct CloudFlare for IPv4, all my problems are in the past . Now, to impement IPv6 on my internal network...

I've followed all recommendations from @Gertjan and @johnpoz, but unfortunately I'm also still facing the issue of Unbound not completing a restart once every two weeks or so. Same behavior since updating to 2.7.1 I have no idea how to pinpoint the issue, besides this being an issue I'm facing since 2.7

@vinny147 said in Local DNS Issue: DNS_PROBE_FINISHED_NXDOMAIN: reading release notes? huh? ;) Exactly https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#rn-23-09-kea [image: 1701291083134-kea.jpg]

Ahem... I read the instructions. Services >> Router Advertisement >> pick correct item .... leases show up....and traffic works...

@nasheayahu, Don't use KEA DHCP. KEA is not production ready. The pfSense team should have never provided it in stable for 2.7.1. KEA should have been provided in a development branch until it is ready for stable. And ignore the warning pfSense is displaying to you about ISC DHCP. As you know, KEA is not ready for production, so you can't move away from ISC DHCP.

@cribbageSTARSHIP said in Pfsense + HAProxy + Cloudflare: getting 522&503 errors and DNS host override not working: I'm pulling out my hair here. If I set my SSL/TLS encryption mode on cloudflare to Flexible and go to my https dot com I get a "Connection timed out Error code 522". If I set the SSL/TLS encryption mode on cloudflare to Full it says "503 Service Unavailable. No server is available to handle this request." If these settings have any impact on the connection, I assume that it still goes over Cloudflare. Consider the DNS cache.

@mathiasringhof https://redmine.pfsense.org/issues/15011#note-14 "The fix will be included in 23.09/2.7.1 in the next ports build, after which running pfSense-repoc; pkg upgrade will pick it up." Sounds like it will be slipstreamed in for those who haven't upgraded yet...?

@t0m77 I have been using unbound on pfsense since it when it was just a package, before it got fully integrated. And I don't recall any such issues.. It has been rock solid to be honest.. Did you upgrade to the 1.18.0_1 ? CE 2.7.1 has this - but you can update it in 23.09 as well https://forum.netgate.com/post/1137464

Manually copying the openssl 3.0 libraries from a pfsense CE 2.7.1 system to /usr/local/lib on the 2.7.0 system fixed the issue for me. This isn't ideal but ISC BIND is working on pfsense CE 2.7.0 now: [2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ls -l /usr/local/lib/lib*.so.30 -rw-r--r-- 1 root wheel 4588560 Nov 23 10:00 /usr/local/lib/libcrypto.so.30 -rw-r--r-- 1 root wheel 694560 Nov 23 10:00 /usr/local/lib/libssl.so.30 [2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ldd /usr/local/sbin/named-checkconf /usr/local/sbin/named-checkconf: libjson-c.so.5 => /usr/local/lib/libjson-c.so.5 (0x2fde82caf000) libprotobuf-c.so.1 => /usr/local/lib/libprotobuf-c.so.1 (0x2fde83cbc000) libfstrm.so.0 => /usr/local/lib/libfstrm.so.0 (0x2fde84396000) libssl.so.30 => /usr/local/lib/libssl.so.30 (0x2fde8579e000) libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x2fde861d3000) libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0x2fde84451000) libz.so.6 => /lib/libz.so.6 (0x2fde84ceb000) libuv.so.1 => /usr/local/lib/libuv.so.1 (0x2fde86bbb000) libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x2fde8711e000) libthr.so.3 => /lib/libthr.so.3 (0x2fde87801000) libc.so.7 => /lib/libc.so.7 (0x2fde8849e000) liblzma.so.5 => /usr/lib/liblzma.so.5 (0x2fde8931d000) libm.so.5 => /lib/libm.so.5 (0x2fde894f9000) libelf.so.2 => /lib/libelf.so.2 (0x2fde8a3a7000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2fde8be5a000) libmd.so.6 => /lib/libmd.so.6 (0x2fde8a578000) [vdso] (0x2fde821ab620)

@eriksalo said in Migrating to KEA broke my network: You should not have to understand packet capture [ . . . ] Wouldn't you agree? i would, and that was but merely one possible troubleshooting suggestion. @eriksalo said in Migrating to KEA broke my network: If there's some procedure I need to complete to make this work, I'd be happy (and able) to do it. you might try to actually configure Kea—and include any such information with any future request for free help—should you choose to move away from a now-deprecated application again.

@Jarhead OMG! that was it... Now I feel really stupid.... Thanks for the quick response!

@RobbieTT said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.: @bmeeks Ok, didn't realise there was a dpinger setting at play - TVM! Presumably you mean this one: [image: 1700583777501-2023-11-21-at-16.19.55.png] I've not noticed a delay with pfBlockerNG although that may be due to having a small list or just a decent CPU & bandwidth to mask it. Yes. That setting will disable the "restart all packages" and "cycle the interface" actions. That may or may not be desirable depending on your situation.