@WEAREHEREFORIT

I'll answer in the reverse order :

@WEAREHEREFORIT said in add host to pfsense:

Can i add the host to PFsense somehow?

If, and only f, your pfSense LAN devices are using pfSense as their DNS server (or source), then an easy solution exists :

Goto the bottom of this page : Services > DNS Resolver > General Settings

0365dbef-abd8-469f-8ba0-d61637cbbc39-image.png

(I added 'aa' before the namle so it gets sorted at the top )

Hit save, Then, at the top of the page : Apply and done.
Nearly.
Because now, welcome to your new live : you do things, and then you test them.

Go to some PC on your network :
Enter a dos or command box:
Type :

nslookup galenclinicas.mywebsite.com

and admire the result.

Why does this work ?
Easy.
Type

ipconfig /all

and you'll see something like this :

Serveurs DNS. . . . . . . . . . . . . : 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c 192.168.8.1 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c NetBIOS sur Tcpip. . . . . . . . . . . : Activé

You see the 192.168.8.1 ?
That your pfSense.
So, when you use enter a host name like 'www.facebook.com' or 'galenclinicas.mywebsite.com' on your PC (with a browser, probably) the PC will ask the DNS server 192.168.8.1 to do the resolving.
And that's where the magic kicks in : you told the pfSense Resolver what IPv4 to return when "galenclinicas.mywebsite.com" is used as a host name.

Btw : this isn't a "pfSense" solution. Your ISP router can - most probably - do the same. Any other router out, with DNS capabilities, there do the same.

Btw : If your PC uses some other DNS like 8.8.8.8 or 1.1.1.1 or something else as a DNS source (server) then ..... yeah, you have a problem. [ as you can't call them to say "Hey, if "galenclinicas.mywebsite.com" is asked for, can you please return 192.168.8.12 ? ]

@WEAREHEREFORIT said in add host to pfsense:

but it's not registered in the Cpanel of the domain

And why not ?
( less important, what is a cpanel ? )

If you know something about these 192.168.8.x - it's a RFC1918 network/IP, the you know that these IP addresses are not routable over the Internet.
You have to use your WAN IP as the IPv4.
If your "mywebsite.com" or "www.mywebsite.com" is already accessible from the Internet, you know what to do. The same pfSense NAT rule will be used.

Btw : "NAT rules" isn't a pfSense thing neither. Every router box (ISP etc) on planet earth can do NAT since .... a bit before 1980 or so. I bet your are not new to this 👍

@KB8DOA said in Kea DHCP Server config changes not applied until reboot:

Had it happen again.

If you have some spare moments, run this while using ISC, and Kea :

7526decc-6b7f-44a0-a722-bc7d827070b1-image.png

and hit the start button.

You'll see the DHCP "client" requests in real time, the ones reaching your pfSense DHCP server, and the DHCP server answers.

@skogs - Many thanks for you comments, it's most appreciated.

Recently I have written a script that pings the failing devices every 15 secs and logs the failures and when the connection returns. There's no pattern, unlike yourself, but they generally all fail, and communications return, at the same time which does sound like a network issue of some sort as I would not expect all the devices to intermittently fail at the same time. These disconnects and connects are also seen in the Unifi Network Application.

My present AP is an 8 year old Unifi AC-Lite and I'm going to take your advise and temporarily replace it with a Modem/Router in AP Mode that I have in the cupboard. It's not a new device but it will hopefully shine some light on the issue, one way or another.

My other option is just replace the AC-Lite with the Unifi 6 Plus.

Thanks once again for your input.

Greg

As the original poster, I wanted to supply an update. Somehow the Yealink phone "took over" the identity of the Synology NAS device. (I don't have any more precise of a definition than that right now). The effect is that a Datto Backup Appliance that takes incremental backup of the Synology appliance started erroring out in mid-March. When I looked at the Datto appliance, it was trying to connect to the IP# that was (now) the static number of the Yealink phone to initiate the agent to trigger a backup. It's almost like something was using MAC Masquerade...

Apart from that I have nothing more to share on this. I just wanted to get the things working and move on to other tasks.

@Ramosel said in KEA dhcp not controlling acess as used in previous versions.:

Is this the appropriate venue for this bug report or should this be input elsewhere??

Bug reports should be made to the pfSense Redmine site here: https://redmine.pfsense.org/projects/pfsense. That is the official site where the developers track bugs. Posting on the forum generally will not specifically bring a bug to the attention of the developers.

@JP-IIIT

Go one level up in the forum and check how many are posting about 'unbound hangs' or 'fails' or needs to be 'restarted' ?
Give this a thought : how many 2.7.2 are there out there ? Hundreds of thousands. Does unbound 'fail' for them ? Noop. Why would it for you ?
True, unbound does restart a couple of times per week (?) see these (my) graphs, it shows she memory used. Every time it drops to zero : it was restarted.
It wasn't crashing, it was ordered to restart by 'pfBlockerng', as I use pfBlockerng. Totally normal, as pfBlockerng can reload / update DNSBL, and if the news ones contain new host names, then unbound has to restart so they will be taken i account.
Most of my unbound restarts are actually not pfBlockerng, it's because I change the settings, also know as : messing around with pfSense, trying out new thinks.

About "Service Watchdog" : don't use it. You don't need it. Its a developer package, and can do more harm as help.
Example : Your unbound gets restarted. That's ok, it takes a couple of seconds, no one will notice it ^^
But what happens a fraction of a second later : "Service Watchdog" detects that unbound isn't running.... so it does what it was told to do : it starts unbound .... which was already in the start phase ... now you have two instances running .... and you've just managed to make things 'in-stable' with race conditions, and only lighting up candlers and other scarifies wills ave you know.
( and you'll know now it's the admin creating the issues .... (as always) ^^ )

unbound dying on you 'without notice' niether reason ? Noop. People didn't look, for the reason, that's all.

So, tell us how you use unbound, you you've set it up, and we'll help you locating the issue.

Btw : default 'Netgate' pfSense DNS settings are perfect, you should try it 😊

@jhg OpenVPN has options for DNS have you looked at hard setting them?

@jhg not like everyone doesn't know what the comcast dns servers are - they have been the same IPs for years and years. 75.75.75.75 and 75.75.76.76, ipv6 2001:558:feed::1 and ::2

So don't let dhcp override - and manually set them to hand out to your openvpn in the vpn settings.

@Gertjan I did take your suggestion of switching back to "ALL" outgoing interfaces, and things still work.

So I'm going to chalk this up to the DNS resolver getting itself into a funky state over IPv6, which was corrected by restarting the resolver.

If this happens again I'll crank up logging to see if anything interesting shows up in the logs.

For now the issue is closed.

@arad85 Needed to make sure outgoing n/w interfaces were set to All...

@vf1954 unless your running 25.03 beta and want to report stuff in that section. I see little point in pointing out what might be wrong with 24.11 version of kea. Now if your using what is about to come out, and you see problems - they still might be able to be fixed before release.

Ok. For those who need to fix that error before update comes out, here is an instruction for a solution:

If you are on web interface: Open "Diagnostics" > "Edit File" Open file in /usr/local/pkg/acme/dnsapi/dns_porkbun.sh path Search for line which starts with PORKBUN_Api= (probably row 7) and change its value from "https://porkbun.com/api/json/v3" to "https://api.porkbun.com/api/json/v3" Save the file Rerun acme renewal process If you have access to CLI Open Shell Open vi editor for /usr/local/pkg/acme/dnsapi/dns_porkbun.sh file Search for line which starts with PORKBUN_Api= (probably row 7) Press i to (INSERT) and change value from "https://porkbun.com/api/json/v3" to "https://api.porkbun.com/api/json/v3" Hit Esc and save file with :wq! Go back to Web interface and rerun acme renewal procedure

@Felix-4 said in DDNS does not work:

However, in this case it is necessary to update at least once a month to preserve your DNS name. Therefore, in the setup I have set it to "force update" every 20 days, and due to the certificate problem it fails.

The pfSense 'dyndns' software will do a forced update after some (20 ?) days.
You saw the cache file, it contains the latest successfully updated IPv4 and something else : a time stamp value.
So pfSense knows when the last successful update happened, as it knows when to update based on the elapsed time.

If you can edit the update URL that contains the https://dyndns.dk/....., change it for http://dyndns.dk/ and your issue is gone.
True, now the traffic goes over http so its not encrypted anymore, but, imho, that's not a big deal.

@michmoor said in iCloud Private Relay:

@DefenderLLC

You're trying to get me again.......lol
let me think about this.
The biggest hurdle is converting these firewall rules. Thats a weekend task. Bad enough i have to do firewall migrations for my job but do it at home as well?

I like to use pfSense and UniFi together. In fact, that’s the way I ran it for over two years. They introduced zone based firewall rules now, so things are much more granular than they ever used to be. I guarantee you it wouldn’t take you more than a day.

@johnpoz wow, great, thanks for the quick help! works already, wonderful.

Well, not sure when i switched of to changing my DHCP server backend from ISC to Kea but that resolved it

For who may be wondering why their DHCP is not assigning leases
Step 1: Status > services > check if your dhcpd services are running or not
Step 2: In case they were not (like for me) Advanced > Networking > Set Server backend to ISC

Strange thing is despite using numerous 1-2month old backups, this sitting appears to not changed. I guess its something that isn't backed up?

Anyways, was a fun headscratcher

Hello together.
Seems almost 2 years later still an issue.
I tried out the fix with the route, only change is, that I can now ping the remote-side from the diagnostic menu.
DHCP Relay still not working.
On the remote side the is no switch, it a virtualized network without any further setting possible.
The issue might also be:
You can have only one setting for DHCP-Relay.
So if you have VLANs on the remote-side that need to communicate with the same DHCP-Server on the central side, the packets won't come from the respective VLAN-interface, and will be routed into the wrong scope of the DHCP.
What also is weird, the local DHCP in the PFSense also isn't working, or so to speak only serving the LAN-Interface, not the VLAN-interfaces althoug activated on every interface.

Wow, thanks guys! This helped me get my DHCP leases page working again. I also had reverse lookups redirected to the domain controller DNS via 'Domain Overrides' on the DNS resolver page. Somehow that did time out. I remove the overrides, and now everything works smoothly. Now I just have to figure out how to repair the overrides, or whether I need the reverse lookups for Active Directory at all. Because they obviously didn't work for a while now, and I didn't see any issues so far...

@Gorf Grab it from tcpdump or wireshark. It's truncated in the log. Should look something like this:

a3ae9da6-984e-4f95-a702-54724bd12951-image.png