  • Migration of pfSense and DNS issue

    3
    0 Votes
    3 Posts
    468 Views
    C

    Problem solved : It was the default gateway for IPv4. It was using the IPv6 gateway.
    I think the new version applies a more strict policy.
    ;)

  • New pfSense box loses Fios connection every 1-2 hours [Solved]

    4
    0 Votes
    4 Posts
    1k Views
    P

    Welp turns out this whole ordeal had nothing to do with Verizon or my ONT. I did the packet capture and the mystery device sending DHCP signals to the WAN was the pfSense box's own baseboard management controller. My board's BIOS has an option to disable the IPMI function which is supposed to disable BMC networking along with it, but evidently that doesn't work as explained, or is broken. And even though I'd never connected that network interface to anything, the BMC wants a DHCP lease. I logged into the IPMI GUI, set a static config, and I'm now nearing 24 hours of uninterrupted uptime. The 0.0.0.0:67 - 255.255.255.255:68 entries haven't shown up again in packet captures or the firewall logs.

    I'm very happy this was smoothed out and thank you @Derelict for the tip to look at the MAC addresses.

    @dtruesdale For anyone else in this situation, a few more tips:

    You can just set an IPMI address, netmask, and gateway in the BIOS. This is all that's really necessary so you don't actually need to expose the BMC to the network.

    If you fully configure IPMI and intend to leave it network-accessible, you'll of course want to change the default ADMIN/ADMIN username and password. Through significantly more trial and error than it should have taken, I found that even the latest version of my board's IPMI firmware is so old that it doesn't allow special characters in the user passwords. Despite Supermicro support pages saying that the max pw length is 20 characters, I wasn't able to use more than 16. There's also a handful of service ports that are enabled by default so check those out.

    This site has easy instructions to reset the admin pw for if (when) you lock yourself out: http://tcpip.me/2018/06/23/how-to-recover-forgotten-ipmi-credentials-on-pfsense/

  • Pfsense upgrade from local repo without internet

    2
    0 Votes
    2 Posts
    382 Views
    JeGrJ

    No.

    You can "update" by backing up your configuration and installing 2.4.4 from USB/Image/ISO medium though. If you put that configuration either on the stick or install over the current installation (and choose recover config in the installer) you should get a 2.4.4 installation with your current configuration. But WAN/internet access is required after installation to correctly re-install packages etc.

  • Upgrade pfsense to latest version 2.4.4 from 2.2.4

    4
    0 Votes
    4 Posts
    592 Views
    A

    Thank you..

  • NICs i350 and Dual 82575EB tuning in 2.4.4...

    3
    0 Votes
    3 Posts
    339 Views
    R

    Thanks Steve!

  • Home business SSL and public/private domain(s) setup

    3
    0 Votes
    3 Posts
    467 Views
    pfsense16vP

    @dtruesdale Wow, that was fast. I just posted the topic! I'm going to review this right now- thanks!

  • Cannot install from redirected CD-ROM

    6
    0 Votes
    6 Posts
    891 Views
    stephenw10S

    Same problem or same question?

  • Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore

    41
    1 Votes
    41 Posts
    12k Views
    F

    I've just experienced this bug, as well. I'm currently running 2.4.4-RELEASE-p1 (amd64).

    To resolve, I had to kill filterdns and re-save the affected alias table.

    The affected fqdn entry was a local host (dhcp) and also manually entered in dns resolver. nslookup on the hostname worked fine, but the IP address wouldn't populate in the alias table. Once I killed filterdns and re-saved the alias table, all is working again.

    I already had the firewall table size increased to 400k, so that wasn't the issue for me.

  • cannot install packages

    14
    0 Votes
    14 Posts
    3k Views
    X

    No, I don't think so. I could update and install just fine from the CLI! It was just after the pfblocker-devel update; before that it was working just fine. I don't know that that is what actually caused the problem, because I updated pfblocker and left, then came the next day, hours apart, and tried to install another package but couldn't. Tried the same package from the CLI and it installed just fine. I could pkg update with no errors and pkg upgrade with no errors; only on the webgui it was not working.

  • New simple setup, need help and have a pic with specifics

    12
    0 Votes
    12 Posts
    1k Views
    N

    You speak the truth, Sir John.

    Kom! Or anyone, really.....
    I am not satisfied and need to make some slight adjustments, if you would assist, please.

    First, pfsense was kindly loaded on this device for me before shipping. It is 2.4.4 but.... I like to load my own software, call me paranoid. The first issue is, not familiar with much UNIX or really not yet cozy with anything non-Windows unless we go back to DOS of early 90's, I hesitate to download from the pfsense site, to memstick (USB thumb drive, AMD64, New York will be my choice) and booting from this to my mini-pc, which already has pfsense. I wonder, if I should format this SSD first. Also, I wonder even more (just kidding, I'll be doing this) if my Bios is set to boot from USB... I'll be sure.
    But, should I wipe this SSD? then re-load pfsense?

    Let me note that I had no cozy installer at any point, the thing went right to work and wanted 1 of 16 options because they apparently made choices for me and there was ZERO literature in the mini-pc box. Nothing. Not a scrap of info or explanation, and let me back up a sec....

    ISP's modem with no Wifi, (WAN from the Great Wide World)
    to----->Mini-pc with pfsense to----->New switch with Wifi, 4 lan ports
    (formerly known as Asus rt ac3200, now a sad expensive WAN disabled switch.... Or is WAN disabled? Hmm...)

    There was a possible conflict. Address conflict.

    Forgive if subnet is incorrect but it appears ISP's modem was my WAN---->re0---->v4/DHCP4---->blah.168.0.101/24

    (not alarmed by this)

    my LAN----->rl0---->v4----->blah.168.1.1/24

    and the problem was, if there was one, is that the WAN- disabled Asus wifi router (now sad switch with wifi) has a default address stamped on the bottom exactly like my LAN which should be the mini-pc's LAN (or rl0) and even though the WAN is disabled, Idk if it's a problem.

    This configuration happened after I, moments before, didn't want any vlan nonsense configured and entered n for no, still ok but it naturally pfsense wanted to know what re0 was because:

    "Network Interface Mismatch-running interface assignment option."
    re0- link state changed to down
    r10-link state changed to down

    and so, I did this unplug trick instead of 'a' for auto because someone said to.

    I did a thing in college once, because someone said to, and wound up at the infirmary with a... well never mind that story. Sorry.

    Anywho, it wanted a WAN interface name so when I unplugged:
    re0 link state changed to down,
    and when I plugged back in....
    re0 link state changed to up
    Therefore I concluded I was in the right hole. I could comment further on that but won't in mixed company.
    I entered re0 for WAN to confirm.

    Then, it wanted LAN interface name so i did the unplug trick on the cable going to the poor demoted Asus wifi router and upon unplug,-> link state down, and plugged back in,-> link state up, therefore I declared myself clever. 2 holes in 1, Although I had 4 holes to choose from. Yet now, this conflict as stated above:

    WAN---->re0---->v4/DHCP4---->blah.168.0.101/24
    and
    LAN----->rl0---->v4----->blah.168.1.1/24

    and default IP on Asus: blah168.1.1 remember, so at this point I'm worried a bit...

    Mini-pc with pfsense should be my LAN (rl0) with blah168.1.1/24 and then from pfsense mini to switch (Asus wifi being the switch with 4 LAN ports and 1 forever empty deactivated WAN), nothing but a thing with 4 LAN ports with WiFi, that I can theoretically plug 3 clients (laptops, say) and said clients would have an Ethernet connection, and my iPhone there would have a WiFi connection, and all 4 devices protected by my nice mini pc router/pfsense firewall/DHCP server. Knowing I disabled the WAN on ASUS I had to assign DHCP duty to pfsense so option 2 let me set and configure 2 interfaces (re0 and rl0) and I believe I should now set a new LAN ipv4 (rl0) to blah168.1.2/24, not worry about any new WAN upstream gateway nonsense (ENTER for none) or any ipv6 stuff (ENTER for none) then 'y' for hellyes when it asks if I want to enable DHCP on the LAN (pfsense mini pc).
    Then give it a range of (24?) IP addresses. I say blah168.1.3 as starting point, taking any worry about the Asus's default IP being 1.1 (although it should not matter if I disabled the WAN in the Asus anyway, should it?) and an ending point...
    Umm I'm not sure what to put. Blah168.1.24?

    This would give:
    WAN---->re0---->v4/DHCP4---->blah.168.0.101/24(ISP)
    LAN----->r10---->v4/ipv4----->blah.168.1.2/24(mini pc)

    before I change DHCP duties to pfsense.

    Wifi router just a switch with wifi, and 3 Ethernet client ports with IP's between blah168.1.3 and blah186.1.24. or .26 or .27, idk I'm asking what that end range number should be, as ISP is .0
    end range must be blah168.1.24. Correct?

    Alternately, nothing plugged into the Wifi router but the line from mini pc, and everything could be on Wifi until I ran so slow nothing did anything, or 1 laptop plugged in Ethernet port on switch, 1 empty port, and whatever Wifi devices I choose until no more speed at all..

    This is perfectly reasonable, yes? I'm not hooking any client up either way until I know, and when I know, I still need help knowing how to properly re-download pfsense and boot from that USB stick, download to SSD, and configure as above.

    So I've taken my Asus wifi router, disabled WAN, and have a 4 port LAN switch with Wifi. I took the default Asus IP out of the picture just in case and there is no blah168.1.1 on my network.

    I don't know what that end IP range should be, which pfsense will be handling now as DHCP server,

    And before this I want to re-download and start over, but don't know if I should format my 128 gb SSD on the mini after checking the BIOS to make sure the mini will boot from USB stick,

    and last but not least.... Use entire 128 GB for pfsense? using the whole drive is recommended. But is this an OS where I can put a Bitdefender anti-virus and Nord VPN? or at least Nord OpenVPN (I doubt Bitdefender will run on anything but Windows or some Linux and I don't want Microsoft anything on my pfsense mini but Nord should not need Windows or even a Linux distro should it?)
    So I'm stuck bro. I might want other nifty programs on the mini running with pfsense, certainly OpenVPN, other cool stuff, but do I need to put a different OS on there, partition the drive, or what?
    Definitely not CS101 questions. But I'm so close here, I have a working pfsense plan running with a crappy switch that is now unacceptable and going in the trash, this non-WAN Wifi router should be no different, I just need to re-download what some stranger from China loaded on and not waste all my SSD space I want later for OpenVPN and extra cool programs that complement pfsense.

    It took me a long time to write all that. yet, one more thing I forgot....

    I do have a spot for an HDD drive on the mini too if I want. Just have to plug on in. See the cord sticking up left side beyond the SSD? HDD ready. Have a couple laptop drives right over in the drawer in fact.

    FullSizeRender.jpg

    Whew my brain hurts.

  • Setting Static IP

    20
    0 Votes
    20 Posts
    2k Views
    johnpozJ

    Then just change your wan from dhcp to static and put in the info.. You will have to create the gateway then, etc.

  • 2.4.4 fails upgrade and fresh installation

    42
    0 Votes
    42 Posts
    8k Views
    stephenw10S

    As far as I know it's a FreeBSD issue, it may have been fixed already in 12. It could also be the BIOS reporting incorrectly to FreeBSD. Manufacturers love to test in Windows only and then ship!
    It would be tough for us to disable anything there by default as some systems boot from SD card. It's a relative minority of boards that are affected.

    Steve

  • Feature request

    3
    0 Votes
    3 Posts
    1k Views
    F

    Thank you so much!

  • kernel modules loading problems

    4
    0 Votes
    4 Posts
    485 Views
    stephenw10S

    Ok. See my reply on your other thread for disabling that.

    Steve

  • Package update from LAN interface?

    3
    0 Votes
    3 Posts
    363 Views
    J

    Clarification:

    The LAN is a routed, isolated subnet ==> WAN is private network ==> Edge router ==> internet

  • crash dump settings

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied

  • Grandpa's update. Updating from 2.1.5 to 2.4.4...

    9
    0 Votes
    9 Posts
    916 Views
    P

    Thanks ChrisMacMahon...

    currently we plan just to renew all drives as caution measure... does the FreeBSD of PFsense 2.4.4 support SSD trimming?

    Thanks!

    Pedreter.

  • ppc0: cannot reserve I/O port range

    2
    0 Votes
    2 Posts
    2k Views
    stephenw10S

    ppc0: cannot reserve I/O port range

    That's a very common warning shown on many if not most systems. It's not an indication of a problem.

    It sounds like you may be describing the problem with unsupported sdhci issue some boards have. Like this for example:
    https://forum.netgate.com/post/752747

    You can interrupt the boot loader and set those at the loader prompt even on the installer if required.

    Steve

  • Issues with Update to 2.4.2_2

    9
    0 Votes
    9 Posts
    1k Views
    -flo- 0-

    Wow! That did the trick. Thank you very much!

  • Update to latest 2.4.x failed on VK-T40E2

    5
    0 Votes
    5 Posts
    583 Views
    stephenw10S

    Is the terminal set to 115200bps? If it's set to 9600 or 38400 then that would be all you would see.

    Otherwise yes you can always re-install:
    https://docs.netgate.com/pfsense/en/latest/solutions/vk-t40e/reinstall-pfsense.html

    That will ensure you have a clean install. It's quick and easy if you have an mSATA drive. If you are booting from SD card you can install directly to it but you should remove the swap partition at install and move /var and /tmp to RAM after setup.

    It doesn't look like you were running Nano though so it's probably not booting SD.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.