@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

But existing and enabled are or should be two different things.

When an interface is not connected (you ripped out the network, or powered down the device or switch on the other side), the DHCP server serving that interface will detect the "DOWN" system / hardware event, and shut down.
pfSense won't even show you your DHCP server instance anymore.
But, no panic, the settings will still be there. And when you connect (power up) the connection, it will auto-start, with the previously known settings.

@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

One other issues I have come across is that KEA DHCP causes issues throwing PHP errors / crash reports in conjunction with pfblockerng dev.

kea initially, when using 23.09 ? I can't recall, work fine but the implemention'27.2' (and 23.09, 24.03, before 24.11 came out) was, for my needs, to minimalist.
You can use Kea, if you validated your requirement first.

Here they are : Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

As you can see, the details are here - published November 2023 :

15493662-314e-4f6b-a7b1-21d126113858-image.png

So, you need "static MAC DHCP leases" ?
Ok, fine. Stick with ISC for the moment.

Right now, 24.11 adds static DHCP leases, DNS registration, but is still limited about adding your own DHCP options.
The upcoming 2.8.0 will have the same Kea support.

Btw : kea by itself was and is rock solid for me. It had to stick with ISC because I wanted to keep my DHCP mac leases, my DHCP special options etc, but since 24.11 became available, I switched to kea. Options were still missing but with some copy and paste instructions from the source' (redmine) I could add what I needed.

Btw : kea has no relations with pfBlockerng.

@jg3

I am seeing the same behavior with random physical clients on my network. Turning off the new DNS registration checkbox seems to make it stop.

@aGeekhere said in ISC DHCP Server Custom DHCP Options 252 for WPAD prevents DHCP Static Mappings custom DNS:

if i use ISC DHCP with Custom DHCP Options

Check if it actually works. Go to packet capturing, enter/set this :

5b09c119-78ee-4da9-8c90-1cfb48875fb5-image.png

and click start.

You will see the DHCP client requests, and the pfSense DHCP server answer. The "Option 252" was send to the client ?

@johnpoz

Thanks for the information.
So it's not as critical as expected.

Thank you.

Best,

@wc2l what would be slick is if they integrate that right into pfsense. I think it might play nice with their new multisystem management stuff they are working on.. But yeah I would someone if not currently will put a docker for it ;)

@patient0 said in ISC DHCP does not save Local time setting:

@Dyk-Evans

Are other settings saved? Like (just for testing) "disable ping check"?

Yes, the two below do save no issues:

Enable Monitoring
Ping Check

Are you able to compare the config before and after upgrade?

Is it repeatable? Assuming you are running ZFS with a 24.03 BE.

@FECambot

👍
No worries. I'm a user just like you.
Critics are not an issue at all. They are the roads to understanding.

Take your time.

@tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

... What's odd is that the "DHCP leases" screen only seems to show one of the static mappings

Not odd, it's a feature, doing otherwise will break RFCs.
As soon as it attributes an IP to a device with MAC 00:11:22:33:44:55 it will refuse to attribute the same IP to a device with MAC 55:44:33:22:11:00.

Also, because you mentioned it : why is an IP marked as online on the leases page ? Because that page uses the ARP protocol, that broadcasts on the network with questions like : "Who has 192.168.1.10" (the IP) ? ARP is used to get one unique reply. It will get 2 .... dono what the reaction will be, but you probably just broke "the Ethernet".
An answer was taken in account, and that MAC lease I is marked as online. The second, thanks for testing 👍 , was disregarded.

If you have the choice between a wired and a wireless, shut down the wireless. Go for the cable. The less radio waves, the better ^^

And take note : you're lucky. I've a printer here that, if wired and DHCP is active, will shut down the wireless interface.

@tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

Is there a way to fix this problem?

You get it by now. The question was wrong, so no fix needed as nothing is broken ^^

Perhaps the solution is to release the lease prior to disconnecting either network.

Unplugging a network connection is different than releasing the lease then disconnecting the cable.

If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the the trackball is not even touched. This results in the screen waking for no good reason.

Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

This particular box has 2 ethernet nics + wifi. AP is configured for for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

What is your use case for keeping the same ip for both interfaces?

So I managed to achive what I wanted via additional DNS server using dnsmasq. The example setup looks like this:

Isolated DNS server running DNSMASQ: 192.168.10.2
LAN: 192.168.1.0/24
WG0: 10.10.0.50
VPN DNS server: 10.10.0.2

I created two aliases:

vpn_isolation - with networks for each machine that will be forced to use VPN - network aliases can include single hosts with netmask /32 and it's less problematic than to remove 255 entries from an ip alias that expanded whole /24 network :D isolated_dns - this alias only contains 192.168.10.2 - this will make our life way easier if we decide to move the dnsmasq to different subnet

First we create port forwarding rule:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Source: Address or Alias: vpn_isolation
Destination Port Range: DNS / DNS
Redirect Target IP: isolated_dns
Redirect Target Port: DNS
Filter Rule Association: Add associated filter rule
NAT Reflection: disable
Description: Force DNS to VPN

Next we need same rule for interface on which the dnsmasq works so we can pass all the traffic to VPN from dnsmasq.

Then we need to create a policy routing rule that will match ips/networks from vpn_isolation alias on the LAN interface:

Firewall -> Rules -> LAN
Source: ip address or alias: vpn_isolation
Destination: either * or exclude private networks to allow routing to internal subnets
Gateway: WG0_GATEWAY

Finally we need to spawn a linux box or container with IP 192.168.10.2 that runs dnsmasq. Below is example dnsmasq config:

no-resolv no-poll # we tell dnsmasq to use VPN server=10.10.0.2 # then we tell dnsmasq to use 192.168.1.1 to resolve *.lan and *.myinternaldomain.omgyay # (or any other domain or suffix we need) server=/lan/192.168.1.1 server=/myinternaldomain.omgyay/192.168.1.1 # this is important otherwise dnsmasq won't reply to queries from different network listen-address=192.168.10.2,127.0.0.1

We can test the setup from a machine with IP included in vps_isolation alias:

use https://dnsleaktest.com/ - it should show single DNS or at least DNS different that the one pfsense's DNS Responder/Forwarder uses more imporant - we need to check if we don't leak original WAN subnet via ECS - just issue curl -SL https://test.nextdns.io and resulting JSON should not include "ecs" key with your WAN subnet - this was the biggest problem for me when using DOT from DNS Resolver - if you own a ripe you basically dox yourself this way.

Both port forwarding and policy routing firewall rules have to be added to every interface we want to use vpn isolation and they need to be above any other policy routing rules that might redirect traffic elsewhere and go through clearnet ofc.

With this setup when you want to enable/disable vpn for any host or network behind pfsense all you need to do is edit the vpn_isolation alias and you're done.

CAVEAT: make sure the dnsmasq dns server is on it's own subnet. this makes things easier. I was able to get this working with same subnet for dnsmasq and vpn_isolation, but you have to create an additional port forwarding rule above the one that intercepts DNS traffic that matches traffic from dnsmasq and has "Disable redirection for traffic matching this rule" checked. This will allow dnsmasq to talk to pfsense :)

So it seems updating pfsense did in fact fix the DHCP issue. I guess something had become corrupted. I haven't had any device fail to connect since updating. I'll still get the ICX7250 ready and swap over to that when I get a chance, seems a good idea to get rid of the cheap unmanaged switch I've been using. It also has a robust POE budget which is pretty cool.

Nevermind, I found a better solution.

I 100% agree with @johnpoz here. With a Microsoft Active Directory shop, you want everything DHCP and DNS related to be handled by Microsoft products in my opinion. Most definitely DNS! And because of the seamless dynamic DNS updating performed by Microsoft's DHCP server, it is better and easier to run DHCP there instead of on pfSense.

And handing out two different DNS servers each of which may have some zones unknown to the other server is sure to cause an issue as described by John. Clients do NOT use multiple DNS servers sequentially until one of them finds an answer. They ask one of the servers randomly, and if that server says NXDOMAIN (non-existent domain), then the client does not ask the next server because it has already gotten an answer. The only time clients try one server and then move on to the next in a multiple DNS server configuration is when the first server is completely dead and does not answer at all.

@aGeekhere Okay, so the real trouble is actually because of the few clients that you want to bypass the DNS filtering done by 1.1.1.3/1.0.0.3

1: Unbound DNS in pfsense by default does caching of all DNS lookups as TTL records allows. This is the same caching as Lancache does unless you start configuring some out of spec extra caching (of invalid records). If that is your reason to keep lancache in the loop configure Unbound to do the same (out of spec) caching of stale records - it can be done in the advanced settings.

2: Configure Unbound in pfSense to use forwarding instead of the default root recursive resolution. Then Unbound will do all lookups by forwarding to the DNS servers in "SYSTEM -> GENERAL -> DNS Servers"
It will still cache all records, so just hand the clients your pfSense DNS and drop the lancache server.

Using forwarding mode prevents us from exempting specific clients from being DNS filtered pr. the forwarding servers filters. So to have a few clients NOT being filtered things become a little more troublesome. For this you could:

1: Keep the lancache servers for those clients - make a DHCP reservation with a DNS override to hand them the lancache server as the only DNS
2: Configure Lancache to use your preferred public DNS as forwarding servers (1.1.1.1/1.0.0.1).
3: Create a stubzone on Lancache for you internal domain name for clients (the domain name used for your overrides in pfSense), and point that stubzone to forward to pfSense instead of 1.1.1.1/1.0.0.1

This will create the scenario you are looking for.

@johnpoz Thanks on Safari I was able to figure out!!: Screenshot 2025-01-02 at 04.34.24.jpg I had to delete this and then it clears all domains entries in the local storage with .home.arpa!

@johnpoz I admit the setup isn't ideal, however somehow despite the error messages the system seems to work -- clearly I don't really understand all the underpinnings of how things work.

How should I be constructing things??

Two pfsense installations running unbound with same domain. Each pfsense installation has domain overrides for subdomains running on their installation. Additionally each pfsense answering DNS over DOT on port 853.

domain.com------->>>Pfsense #1 (domain=domain.com) -> Overrides--->test.domain.com --->test2.domain.com --->test3.domain.com ------>>>Pfsense #2 (domain=domain.com) -> Overrides --->test4.domain.com --->test5.domain.com --->test6.domain.com

Each installation can resolve locally, however if pfsense installations connected by vpn, I need name resolution for devices on Pfsense #1 network accessible to devices on Pfsense#2 network -- and vice versa. If VPN is broken or down, local domain overrides will still work.

I'm just making use right now of the unbound domain overrides section similar to this:
Screenshot 2025-01-01 at 5.40.14 PM.png

In terms of DOT -- no I don't need it between the pfsense nodes on either end of the tunnel -- however how do I have it only active for LAN clients but not for the tunnel?

I'm not looking actually to forward DNS requests, rather have unbound "resolve" them and then pass the answer back to the clients. In terms of resolving (not forwarding), how does each unbound server know what DNS server is definitive for a specific local domain that's split? I thought I was accomplishing this by listing the servers within the domain overrrides section.

I put the pfsense into prod today. I have an old unmanaged 10/100/1000 Cisco switch that I plugged into my LAN port, and I have all physical cables plugged into it. I don't love adding another switch in the middle, but it allows me to keep everything flat and on my 192.168.x.x CIDR block. Once its all stable, I can look into whether I want to create separate networks and use more physical ports on the pfsense box.

I have a question about a repetitive entry in my System Log. I am getting: "arpresolve: can't allocate llinfo for 10.x.x.x on igc0". This my WAN port that is plugged into my ISP modem/gateway device, so it is double NAT. If I reset the port, the message stops for a little bit but then comes back. I see it in the logs sometimes multiple times per second.

I do have the boxes unchecked on the WAN port for the Block Bogon and Block private networks.

Should this arpresolve error be happening this much and is it something I can resolve?

Thanx guys, for your reply

@johnpoz I can follow the logic, as you explained it, using the main breaker example.