@ht1608 said in Not receiving WAN IP via DHCP:

However if I plug my Windows PC directly into the ONT it receives a public IP address straight away and the internet connection work. This is all on the latest version of pfSense Plus.

Could your ISP be MAC-locking? If so try rebooting the ONT after connecting it to your pfSense.

Thanks @SteveITS for your answer

The purpose of my question was whether it is possible to update the DNS (via DDNS) more frequently than the rate of change of the IP address in question (or the default update frequency of 25 days).

I understand that this case is a corner case.

Best

Hello @Gertjan, thanks for your answers.

I finally solved my problem, my issue was that the reverse DNS zone needs to be exactly in the same range as the one defined in the DHCP server.

In my previous configuration:
My Bind DNS reverse a zone for all my subnets like: 2001:xxxx:xxxx:xxxxx/60
Each interface in my DHCP server configuration were define a subnet like: 2001:xxxx:xxxx:xxxxx/64

Now I have defined a reverse zone of each of my /64 subnets in my DNS Bind server and this solves my problem.

Do you by chance have any underscore characters in the host names?

@ik13 your welcome - hope your all sorted now. If not happy to help.

Final reply to this thread for anyone in the future who needs to setup something similar:

I've put the full solution, including the NodeRed flow here: https://gist.github.com/Slyke/7d5b290f1d5695fdd79f5e0a08837c93

@sdugoten said in DHCP server is not releasing expired lease:

@johnpoz said in DHCP server is not releasing expired lease:

@sdugoten yeah I don't think it should be owned by root.

[23.05.1-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db: ls -la total 35 drwxr-xr-x 2 dhcpd _dhcp 6 Jul 9 06:29 . drwxr-xr-x 4 dhcpd _dhcp 4 Feb 14 2022 .. -rw-r--r-- 1 dhcpd _dhcp 25151 Jul 9 06:29 dhcpd.leases -rw-r--r-- 1 dhcpd _dhcp 25841 Jul 9 06:29 dhcpd.leases~ -rw-r--r-- 1 dhcpd _dhcp 581 Dec 9 2022 dhcpd6.leases -rw-r--r-- 1 dhcpd _dhcp 581 Dec 9 2022 dhcpd6.leases~ [23.05.1-RELEASE][admin@sg4860.local.lan]/var/dhcpd/var/db:

This was the steps I did

Stop the dhcp service in LAN interface under service rename the original dhcpd.leases to mydhcpd.leases delete all other files check the checkbox in dhcpd lan interface to enable it again

Files generated as the screenshot above with root ownership.

I think that might be the original problem that not re-using ip address, just a wild guess.

However, I can reproduce this problem on Netgate 6100 with firmware 23.05.1-RELEASE (amd64). Even if you try to press this button alt text to remove all leases, it will blank out the lease file, but the ownership of the file "dhcpd.leases~" will change to root. However, the file "dhcpd.leases" still owned by dhcpd though

@JonathanLee said in Just to clarify the use of DNS over TLS (DOT):

uses a library and needs certificates

Well yeah if its going to serve up dns over "https" its going to need certs.. To use for the https.

"Unbound uses the nghttp2 library to handle the HTTP/2 framing layer"

Not sure where you got the idea that unbound would talk to a doh server - this is downstream only..

"By adding downstream DoH support"

Unbound can act as a doh server..

@JonathanLee when your forwarding? Why would stuff be lame? Lame has to do with delegation and is used when you resolve.

You normally even when resolving shouldn't have stuff there.. Other than maybe edns lame..

Ok, I found the issue. It was pfsense and the firewall/NAT rules. I found several rules that used IPv6 and IPv4 protocols. My network only uses IPv4. I removed that protocol and then tested the printers. BOOM! They both joined the network and all is fine now.

I upgraded pfsense from 2.6->2.7 and the software must handle the IPv6 dhcp requests somehow differently.

Thanks for the help anyway.

@JonathanLee said in AAAA records with IPv4 only ISP:

My goal is to have clamav work better as well as have the url filter get more visibility, I do block DoH my own list and a blacklist of blocks.

I don't use Squid/Squidguard since a long time.
So, what I'm going to say may no longer apply.

Clamav, to be useful, needs to check the payload of the packet.

Nowadays everything is HTTPS, this means that you would need to import custom certificates to all users.

So now, you broke HTTPS and that will definitely cause a lot of problems.

When I was using Squid/Squidguard, I opted by using the Splice all method, which only checks the SNI header and decisions are taken based on it, block or not. This is much less problematic.. But Clamav is useless now (it will only be able to check HTTP packets).
Splice all doesn't require the user to import certificates.

Note that a proxy, by nature, will mess with the packet headers, so this method is also problematic.
Even more problematic when speaking about government sites, financial sites, whatsapp, windows update and etc.

Based on my comments above, even using splice all, you would need a bypass list.

If you opt by using transparent proxy, this bypass list would have to have IP ranges and networks, which changes all the time, so a lot of maintenance and work for the IT team.
Devices such as dongles (chromecast and etc), mobile phones, would be in trouble almost instantly.

If you opt by using explicit proxy (the end user knows about the proxy), you would also need a bypass list.
But this list can have domains, regex, and etc, much easier to maintain and less likely to cause problems.
This method is also far from perfect, new domains, new apps, new redirects and everything else that you might need to tweak this bypass list again.

By doing like this, the client will send to the proxy everything that is not in the bypass list.
Destinations that are in the bypass list, the client will connect directly to the destination, thus not breaking the HTTPS.

So, either way, lots of maintenance and tweaking, forever because the Internet is not static.

I would say that an antivirus solution installed at the client side is a much better solution.

And, If you really need to block things, check if you can do it by using DNS using the method I mentioned above, disabling DOT/DOH/QUIC and etc.

This is my experience with using proxy for a long time, and I can say one thing for sure, people will call you everyday because something is "not working".

@bingo600 Thanks for the reply, that was exactly what I wanted. Now the DNS requests are forwarded to the regular DNS server. Thank you very much!

d75c7ed4-b43c-4e38-b8e9-950c34d5a018-image.png

@JonathanLee Ok, ill let u know.

For now is working.. not a single error.

@johnpoz
I will check and see if that will work. I have a Windows Server installation doing updates right now, so cant try it just yet. But, thanks for getting back to me. Outside of that one setting, I have gotten most of the system up and running. Now it is down to getting all of the functionality I want. I am really happy with the Netgate purchase so far.

I would like to take you up on your other off to help me get the right settings in NETGATE. I might start a new thread in a different area if that is best.

Basic architecture:
Negate 6100 connected to Cisco 8 port managed business switch with 1 trunk line (right now) with teh following downstream:

Dell R640 - Windows Server 2019 Active Directory VM and File Server VM. Both installations are virtualized on HyperV Server and managed from my computer. 4 NICs. Dell R630 - Ubuntu Server with immutable backup from File Server via VEEAM. 4 NICs. Synology NAS - Secondary Backup from file server. Wifi - Ubiquiti Amplifi Local Computer - on LAN downstream of Netgate not WiFi. Local Printer Remote employees VPN into AD to access file server. Only files - no VMs. i have multiple unmanaged switches available.

My goals:

Dell R630 Ubuntu never sees the internet. Only internal communications from R640 fileserver VEEAM for daily backups. Dell R640 access the internet for VPN, Windows Updates, Antivirus updates. Keep both iDRACs for Dell servers isolated from internet and only accessible internally for management purposes - which should be minimal. Synology NAS has access to internet - only for Synology services. Minimize VLAN/PVLANs. Use L2TP/IPSec for VPN service for ease of remote worker deployments.

If you have any thoughts on setting these up properly, I would be grateful. I have sketched it out, but, have not figured out all of the inner workings.

Thanks very much!!

@aagaag

You mean this one had red indications ?
edit : the DHCP log file would (should) have shown 'issues'.

Another vote here -- do not dump Active Directory DNS and DHCP unless you are actually moving totally away from Active Directory and moving your Windows boxes out of AD.

The unbound resolver in pfSense won't like some of the required Active Directory DNS records, so you will likely not be able to dump the AD DNS server(s) unless you are moving completely away from Microsoft's AD infrastructure all together. So, if you have to keep the AD DNS box, why not just retain the DHCP, too?

Microsoft's DHCP/DNS implemention is much better than what pfSense currently offers because the Microsoft server allows dynamic DNS updates WITHOUT having to restart the DNS server every time a DHCP lease renews and/or a client registers its hostname. You can also configure automatic DHCP failover scopes in the Microsoft environment as well.

@johnpoz fantastic! many thanks!!!

Just to clear things up: the issue has been resolved. I just still don't know what was going on. I manage two networks with Netgate 1100's and both were at 22.05 at the time and both exhibited this behaviour. After upgrading to 23.05 the issue was gone.

cloudns.net