• LAN switches to crashing Kiadhcp

    0 Votes
    10 Posts
    671 Views

    @Gertjan Unfortunately, there is a problem with this set-up. If it is set up as shown in the pictures, it works fine.

    A solution was found 😊.

  • Problems resolving dhcp hostnames

    0 Votes
    4 Posts
    250 Views

    @pika
    It's in the DNS Resolver settings.
    But as mentioned, maybe it's not there and hence not supported, since you've enabled KEA.

  • All DNS Servers not being queried

    0 Votes
    7 Posts
    464 Views

    @bmeeks I did try that previously, but I found the latency from nextdns to be better. Thank you for all your inputs, I will look into this further for some other alternatives.

  • Unbound stops resolving when Domain Overrides DNS not answering

    0 Votes
    23 Posts
    5k Views

    Can confirm iorx's "workaround" works. It seems the tld needs to be added as a domain override pointing to itself when a subdomain of that tld is used for local resolution and another subdomain is used for remote resolution via domain override.

    In my case my local network uses main.lan and the remote site uses remote.lan
    Only adding remote.lan as domain override to the remote site's DNS server made it work for less than a minute after flushing unbound's cache. Adding "lan" as domain override pointing to 127.0.0.1 made DNS resolution to remote.lan stable.

    configured Domain Overrides

    pfsense version: 2.7.2

  • DHCP failed to bind socket / DHCP issuing leases but not updating table

    0 Votes
    1 Post
    92 Views
    No one has replied
  • PfSense keeps going down

    0 Votes
    3 Posts
    235 Views

    Thank you for the reply. Yes I can provide.

    Should I message it to you?

  • 0 Votes
    3 Posts
    331 Views
    JonathanLee


    I am aware of the resolver interval. Is there a way to bypass one URL?

    For example: imap.gmail.com, always forward to 8.8.8.8, do not save it in the firewall DNS nameserver for reuse.

    Thus every time it gets the new IP address Google has for the mail server. They change so fast the firewall can't keep up, so the mail app at times says error; after 5 mins it will resolve, but that is unacceptable for modern use.

  • Trouble importing DHCP Mappings from 2.6 to 2.7.2

    0 Votes
    4 Posts
    462 Views
    Gertjan

    @Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

    But existing and enabled are or should be two different things.

    When an interface is not connected (you ripped out the network, or powered down the device or switch on the other side), the DHCP server serving that interface will detect the "DOWN" system / hardware event, and shut down.
    pfSense won't even show you your DHCP server instance anymore.
    But, no panic, the settings will still be there. And when you connect (power up) the connection, it will auto-start, with the previously known settings.

    @Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

    One other issue I have come across is that KEA DHCP causes issues, throwing PHP errors / crash reports in conjunction with pfblockerng dev.

    Kea initially, when using 23.09 ? I can't recall, worked fine, but the implementation in 2.7.2 (and 23.09, 24.03, before 24.11 came out) was, for my needs, too minimalist.
    You can use Kea, if you validate your requirements first.

    Here they are : Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

    As you can see, the details are here - published November 2023 :


    So, you need "static MAC DHCP leases" ?
    Ok, fine. Stick with ISC for the moment.

    Right now, 24.11 adds static DHCP leases, DNS registration, but is still limited about adding your own DHCP options.
    The upcoming 2.8.0 will have the same Kea support.

    Btw : kea by itself was and is rock solid for me. I had to stick with ISC because I wanted to keep my DHCP mac leases, my DHCP special options etc, but since 24.11 became available, I switched to kea. Options were still missing, but with some copy and paste instructions from the source (redmine) I could add what I needed.

    Btw : kea has no relations with pfBlockerng.

  • esxi hosts kea2unbound every couple seconds

    0 Votes
    3 Posts
    312 Views
    cwagz

    @jg3

    I am seeing the same behavior with random physical clients on my network. Turning off the new DNS registration checkbox seems to make it stop.

  • 0 Votes
    4 Posts
    547 Views
    Gertjan

    @aGeekhere said in ISC DHCP Server Custom DHCP Options 252 for WPAD prevents DHCP Static Mappings custom DNS:

    if i use ISC DHCP with Custom DHCP Options

    Check if it actually works. Go to packet capturing, enter/set this :


    and click start.

    You will see the DHCP client requests, and the pfSense DHCP server answer. Was "Option 252" sent to the client ?

  • [resolved] Deactivate IPv6 completely - DNS Unbound

    0 Votes
    3 Posts
    326 Views

    @johnpoz

    Thanks for the information.
    So it's not as critical as expected.

    Thank you.

    Best,

  • DHCP Questions

    0 Votes
    8 Posts
    537 Views
    johnpoz

    @wc2l what would be slick is if they integrate that right into pfsense. I think it might play nice with their new multisystem management stuff they are working on.. But yeah I would someone if not currently will put a docker for it ;)

  • ISC DHCP does not save Local time setting

    0 Votes
    8 Posts
    1k Views
    Dyk Evans

    @patient0 said in ISC DHCP does not save Local time setting:

    @Dyk-Evans

    Are other settings saved? Like (just for testing) "disable ping check"?

    Yes, the two below do save no issues:

    Enable Monitoring
    Ping Check

  • 0 Votes
    2 Posts
    192 Views
    stephenw10

    Are you able to compare the config before and after upgrade?

    Is it repeatable? Assuming you are running ZFS with a 24.03 BE.

  • 0 Votes
    6 Posts
    568 Views
    Gertjan

    @FECambot

    👍
    No worries. I'm a user just like you.
    Critics are not an issue at all. They are the roads to understanding.

    Take your time.

  • 0 Votes
    4 Posts
    367 Views
    Gertjan

    @tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

    ... What's odd is that the "DHCP leases" screen only seems to show one of the static mappings

    Not odd, it's a feature, doing otherwise will break RFCs.
    As soon as it attributes an IP to a device with MAC 00:11:22:33:44:55 it will refuse to attribute the same IP to a device with MAC 55:44:33:22:11:00.

    Also, because you mentioned it : why is an IP marked as online on the leases page ? Because that page uses the ARP protocol, which broadcasts on the network with questions like : "Who has 192.168.1.10" (the IP) ? ARP is used to get one unique reply. It will get 2 .... dunno what the reaction will be, but you probably just broke "the Ethernet".
    An answer was taken into account, and that MAC lease is marked as online. The second, thanks for testing 👍 , was disregarded.

    If you have the choice between a wired and a wireless, shut down the wireless. Go for the cable. The less radio waves, the better ^^

    And take note : you're lucky. I've a printer here that, if wired and DHCP is active, will shut down the wireless interface.

    @tzalmaves said in Status -> DHCP leases only shows one static mapping when multiple mappings map to the same IP address?:

    Is there a way to fix this problem?

    You get it by now. The question was wrong, so no fix needed as nothing is broken ^^

  • 2 MACs map to one IP addr. Wired, then Wifi OK, reverse not?

    0 Votes
    5 Posts
    334 Views
    GPz1100

    Perhaps the solution is to release the lease prior to disconnecting either network.

    Unplugging a network connection is different than releasing the lease then disconnecting the cable.

    If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

    You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

    I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the trackball is not even touched. This results in the screen waking for no good reason.

    Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

    This particular box has 2 ethernet nics + wifi. AP is configured for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

    What is your use case for keeping the same ip for both interfaces?

  • Redirect all tagged DNS traffic to specific IP

    0 Votes
    9 Posts
    580 Views

    So I managed to achieve what I wanted via an additional DNS server using dnsmasq. The example setup looks like this:

    Isolated DNS server running DNSMASQ: 192.168.10.2
    LAN: 192.168.1.0/24
    WG0: 10.10.0.50
    VPN DNS server: 10.10.0.2

    I created two aliases:

    vpn_isolation - with networks for each machine that will be forced to use VPN - network aliases can include single hosts with netmask /32 and it's less problematic than to remove 255 entries from an ip alias that expanded the whole /24 network :D
    isolated_dns - this alias only contains 192.168.10.2 - this will make our life way easier if we decide to move the dnsmasq to a different subnet

    First we create port forwarding rule:
    Firewall -> NAT -> Port Forward
    Interface: LAN
    Protocol: TCP/UDP
    Source: Address or Alias: vpn_isolation
    Destination Port Range: DNS / DNS
    Redirect Target IP: isolated_dns
    Redirect Target Port: DNS
    Filter Rule Association: Add associated filter rule
    NAT Reflection: disable
    Description: Force DNS to VPN

    Next we need same rule for interface on which the dnsmasq works so we can pass all the traffic to VPN from dnsmasq.

    Then we need to create a policy routing rule that will match ips/networks from vpn_isolation alias on the LAN interface:

    Firewall -> Rules -> LAN
    Source: ip address or alias: vpn_isolation
    Destination: either * or exclude private networks to allow routing to internal subnets
    Gateway: WG0_GATEWAY

    Finally we need to spawn a linux box or container with IP 192.168.10.2 that runs dnsmasq. Below is example dnsmasq config:

    no-resolv
    no-poll
    # we tell dnsmasq to use the VPN DNS server
    server=10.10.0.2
    # then we tell dnsmasq to use 192.168.1.1 to resolve *.lan and *.myinternaldomain.omgyay
    # (or any other domain or suffix we need)
    server=/lan/192.168.1.1
    server=/myinternaldomain.omgyay/192.168.1.1
    # this is important, otherwise dnsmasq won't reply to queries from a different network
    listen-address=192.168.10.2,127.0.0.1

    We can test the setup from a machine with an IP included in the vpn_isolation alias:

    use https://dnsleaktest.com/ - it should show a single DNS, or at least a DNS different from the one pfsense's DNS Resolver/Forwarder uses
    more important - we need to check that we don't leak the original WAN subnet via ECS - just issue curl -SL https://test.nextdns.io and the resulting JSON should not include an "ecs" key with your WAN subnet - this was the biggest problem for me when using DoT from DNS Resolver - if you own a ripe you basically dox yourself this way.

    Both port forwarding and policy routing firewall rules have to be added to every interface we want to use vpn isolation and they need to be above any other policy routing rules that might redirect traffic elsewhere and go through clearnet ofc.

    With this setup when you want to enable/disable vpn for any host or network behind pfsense all you need to do is edit the vpn_isolation alias and you're done.

    CAVEAT: make sure the dnsmasq DNS server is on its own subnet. This makes things easier. I was able to get this working with the same subnet for dnsmasq and vpn_isolation, but you have to create an additional port forwarding rule above the one that intercepts DNS traffic that matches traffic from dnsmasq and has "Disable redirection for traffic matching this rule" checked. This will allow dnsmasq to talk to pfsense :)

  • Help troubleshooting DHCP failure/IP conflict/??

    0 Votes
    9 Posts
    955 Views

    So it seems updating pfsense did in fact fix the DHCP issue. I guess something had become corrupted. I haven't had any device fail to connect since updating. I'll still get the ICX7250 ready and swap over to that when I get a chance, seems a good idea to get rid of the cheap unmanaged switch I've been using. It also has a robust POE budget which is pretty cool.

  • Pi-Hole with pfSense for my home network.

    0 Votes
    2 Posts
    233 Views

    Nevermind, I found a better solution.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.