@jaybee32

Something has changed recently ....

You saw this :

cab5bb5f-a430-4633-a13f-60b820c27d8f-image.png

?

I'm not using the CE myself, but what about testing the newer, upcoming 2.8.0 ?

@drhans

This server uses the DMZ interface as the DNS destination ?
Check : can you see DNS coming into the DMZ interface ?

Does the resolver listen on the DMZ interface for DNS requests ?

Do you allow DNS traffic (port 53, TCP and UDP, destination "DMZ Address") on the DMZ interface ?

@SteveITS these aren't actually mobile clients, this is a site to site IPSec.

But yeah I think we agree the way to go here is to specifically assign the DC as DNS one way or another. Since I control DHCP on both sides, that seems to be the way to go in this case.

To add some more information:

I only used configuration settings which are available via GUI. in the dhcp log: I get warnings when kea dhcp service starts: Apr 7 11:33:47 kea-dhcp4 48639 WARN [kea-dhcp4.dhcp4.0xdea3b812000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 16, queue size: 64 Apr 7 11:33:47 kea-dhcp4 48639 WARN [kea-dhcp4.dhcpsrv.0xdea3b812000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated Apr 7 11:33:47 kea-dhcp4 48639 WARN [kea-dhcp4.dhcp4.0xdea3b812000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first. Apr 7 11:33:47 kea-dhcp4 48639 WARN [kea-dhcp4.dhcpsrv.0xdea3b812000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

@pjaiswal0231 said in Switch Doesn't accept DHCP Lease after Pfsense service gets boot late after the switch is already booted.:

i changed from auto negotiation to 100 full duplex according to my switch

So this dumb switch is also ancient - 100 full duplex.. ouch..

@horsesteroids said in Wireguard not resolving DNS.:

Not able to ping IPs such as 8.8.8.8

That is an ip-address, no DNS involved here. So your problems are bigger than your title is telling. Maybe search for a better tutorial.

@WEAREHEREFORIT

I'll answer in the reverse order :

@WEAREHEREFORIT said in add host to pfsense:

Can i add the host to PFsense somehow?

If, and only f, your pfSense LAN devices are using pfSense as their DNS server (or source), then an easy solution exists :

Goto the bottom of this page : Services > DNS Resolver > General Settings

0365dbef-abd8-469f-8ba0-d61637cbbc39-image.png

(I added 'aa' before the namle so it gets sorted at the top )

Hit save, Then, at the top of the page : Apply and done.
Nearly.
Because now, welcome to your new live : you do things, and then you test them.

Go to some PC on your network :
Enter a dos or command box:
Type :

nslookup galenclinicas.mywebsite.com

and admire the result.

Why does this work ?
Easy.
Type

ipconfig /all

and you'll see something like this :

Serveurs DNS. . . . . . . . . . . . . : 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c 192.168.8.1 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c NetBIOS sur Tcpip. . . . . . . . . . . : Activé

You see the 192.168.8.1 ?
That your pfSense.
So, when you use enter a host name like 'www.facebook.com' or 'galenclinicas.mywebsite.com' on your PC (with a browser, probably) the PC will ask the DNS server 192.168.8.1 to do the resolving.
And that's where the magic kicks in : you told the pfSense Resolver what IPv4 to return when "galenclinicas.mywebsite.com" is used as a host name.

Btw : this isn't a "pfSense" solution. Your ISP router can - most probably - do the same. Any other router out, with DNS capabilities, there do the same.

Btw : If your PC uses some other DNS like 8.8.8.8 or 1.1.1.1 or something else as a DNS source (server) then ..... yeah, you have a problem. [ as you can't call them to say "Hey, if "galenclinicas.mywebsite.com" is asked for, can you please return 192.168.8.12 ? ]

@WEAREHEREFORIT said in add host to pfsense:

but it's not registered in the Cpanel of the domain

And why not ?
( less important, what is a cpanel ? )

If you know something about these 192.168.8.x - it's a RFC1918 network/IP, the you know that these IP addresses are not routable over the Internet.
You have to use your WAN IP as the IPv4.
If your "mywebsite.com" or "www.mywebsite.com" is already accessible from the Internet, you know what to do. The same pfSense NAT rule will be used.

Btw : "NAT rules" isn't a pfSense thing neither. Every router box (ISP etc) on planet earth can do NAT since .... a bit before 1980 or so. I bet your are not new to this 👍

@KB8DOA said in Kea DHCP Server config changes not applied until reboot:

Had it happen again.

If you have some spare moments, run this while using ISC, and Kea :

7526decc-6b7f-44a0-a722-bc7d827070b1-image.png

and hit the start button.

You'll see the DHCP "client" requests in real time, the ones reaching your pfSense DHCP server, and the DHCP server answers.

@skogs - Many thanks for you comments, it's most appreciated.

Recently I have written a script that pings the failing devices every 15 secs and logs the failures and when the connection returns. There's no pattern, unlike yourself, but they generally all fail, and communications return, at the same time which does sound like a network issue of some sort as I would not expect all the devices to intermittently fail at the same time. These disconnects and connects are also seen in the Unifi Network Application.

My present AP is an 8 year old Unifi AC-Lite and I'm going to take your advise and temporarily replace it with a Modem/Router in AP Mode that I have in the cupboard. It's not a new device but it will hopefully shine some light on the issue, one way or another.

My other option is just replace the AC-Lite with the Unifi 6 Plus.

Thanks once again for your input.

Greg

As the original poster, I wanted to supply an update. Somehow the Yealink phone "took over" the identity of the Synology NAS device. (I don't have any more precise of a definition than that right now). The effect is that a Datto Backup Appliance that takes incremental backup of the Synology appliance started erroring out in mid-March. When I looked at the Datto appliance, it was trying to connect to the IP# that was (now) the static number of the Yealink phone to initiate the agent to trigger a backup. It's almost like something was using MAC Masquerade...

Apart from that I have nothing more to share on this. I just wanted to get the things working and move on to other tasks.

@Ramosel said in KEA dhcp not controlling acess as used in previous versions.:

Is this the appropriate venue for this bug report or should this be input elsewhere??

Bug reports should be made to the pfSense Redmine site here: https://redmine.pfsense.org/projects/pfsense. That is the official site where the developers track bugs. Posting on the forum generally will not specifically bring a bug to the attention of the developers.

@JP-IIIT

Go one level up in the forum and check how many are posting about 'unbound hangs' or 'fails' or needs to be 'restarted' ?
Give this a thought : how many 2.7.2 are there out there ? Hundreds of thousands. Does unbound 'fail' for them ? Noop. Why would it for you ?
True, unbound does restart a couple of times per week (?) see these (my) graphs, it shows she memory used. Every time it drops to zero : it was restarted.
It wasn't crashing, it was ordered to restart by 'pfBlockerng', as I use pfBlockerng. Totally normal, as pfBlockerng can reload / update DNSBL, and if the news ones contain new host names, then unbound has to restart so they will be taken i account.
Most of my unbound restarts are actually not pfBlockerng, it's because I change the settings, also know as : messing around with pfSense, trying out new thinks.

About "Service Watchdog" : don't use it. You don't need it. Its a developer package, and can do more harm as help.
Example : Your unbound gets restarted. That's ok, it takes a couple of seconds, no one will notice it ^^
But what happens a fraction of a second later : "Service Watchdog" detects that unbound isn't running.... so it does what it was told to do : it starts unbound .... which was already in the start phase ... now you have two instances running .... and you've just managed to make things 'in-stable' with race conditions, and only lighting up candlers and other scarifies wills ave you know.
( and you'll know now it's the admin creating the issues .... (as always) ^^ )

unbound dying on you 'without notice' niether reason ? Noop. People didn't look, for the reason, that's all.

So, tell us how you use unbound, you you've set it up, and we'll help you locating the issue.

Btw : default 'Netgate' pfSense DNS settings are perfect, you should try it 😊

@jhg OpenVPN has options for DNS have you looked at hard setting them?

@jhg not like everyone doesn't know what the comcast dns servers are - they have been the same IPs for years and years. 75.75.75.75 and 75.75.76.76, ipv6 2001:558:feed::1 and ::2

So don't let dhcp override - and manually set them to hand out to your openvpn in the vpn settings.

@Gertjan I did take your suggestion of switching back to "ALL" outgoing interfaces, and things still work.

So I'm going to chalk this up to the DNS resolver getting itself into a funky state over IPv6, which was corrected by restarting the resolver.

If this happens again I'll crank up logging to see if anything interesting shows up in the logs.

For now the issue is closed.

@arad85 Needed to make sure outgoing n/w interfaces were set to All...

@vf1954 unless your running 25.03 beta and want to report stuff in that section. I see little point in pointing out what might be wrong with 24.11 version of kea. Now if your using what is about to come out, and you see problems - they still might be able to be fixed before release.

Ok. For those who need to fix that error before update comes out, here is an instruction for a solution:

If you are on web interface: Open "Diagnostics" > "Edit File" Open file in /usr/local/pkg/acme/dnsapi/dns_porkbun.sh path Search for line which starts with PORKBUN_Api= (probably row 7) and change its value from "https://porkbun.com/api/json/v3" to "https://api.porkbun.com/api/json/v3" Save the file Rerun acme renewal process If you have access to CLI Open Shell Open vi editor for /usr/local/pkg/acme/dnsapi/dns_porkbun.sh file Search for line which starts with PORKBUN_Api= (probably row 7) Press i to (INSERT) and change value from "https://porkbun.com/api/json/v3" to "https://api.porkbun.com/api/json/v3" Hit Esc and save file with :wq! Go back to Web interface and rerun acme renewal procedure