Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    suppress message -> ISC DHCP has reached end-of-life

    Scheduled Pinned Locked Moved General pfSense Questions
    24 Posts 8 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      viragomann @Tacyon
      last edited by

      @Tacyon
      System > Advanced > Networking
      DHCP Options > Server Backend > Ignore Deprecation Warning

      1 Reply Last reply Reply Quote 3
      • TacyonT
        Tacyon
        last edited by

        AWESOME !!

        1 Reply Last reply Reply Quote 0
        • JonathanLeeJ
          JonathanLee
          last edited by JonathanLee

          Turn on KEA it will fix the error for good

          Make sure to upvote

          T TacyonT 2 Replies Last reply Reply Quote 0
          • T
            tgl @JonathanLee
            last edited by

            @JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:

            Turn on kea will fix it

            ... and create more than enough other problems, in my experience. I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".

            johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @tgl
              last edited by

              @tgl said in suppress message -> ISC DHCP has reached end-of-life:

              why pfSense is labeling ISC as "deprecated"

              Because it is ;)

              https://www.isc.org/blogs/isc-dhcp-eol/

              If they didn't - then for sure people would be complaining why didn't they let anyone know. Here is the thing, if you feel uncomfortable with running a deprecated isc, and kea is not to your level of need as of yet.. Run dhcp on something else on your network. But they have let you know..

              The one take away you should take from the above link is this..

              "However, it is time to start thinking about a migration plan to a more modern system that is actively maintained."

              This is what they did with the warning.. Could it have been worded a bit differently? Yeah ok sure maybe, but one thing this has proven yet again is users don't read anything unless its shoved into their face. There was a whole netgate blog entry entry about how kea is "preview" and and all kinds of warnings in the release notes about features that are missing, etc..

              The warning that pops into your face for sure will accomplish the above statement from the isc link ;) You can wait for kea integration into pfsense to be to the level you want.. Or you can run something else, or you can just continue to use isc. But at least you should be aware now.. Maybe it was painful - because again without reading the documentation that was made available, you come to find oh this doesn't work now, or the logging is not to your liking, etc. But it does get you thinking about dhcpd maybe ;)

              But to be honest, for many users - kea is viable.. All they want is an IP to be handed out to their clients. It does that.. So such a warning and in your face sort of thing is one way to get them to move over from the currently EOL isc dhcpd. Because otherwise they wouldn't have a clue and would never switch.. How many users are still running some old version of pfsense? Because for whatever reason it didn't pop up into their face there was a new version.. See it all the time - oh my pfsense said it was the latest version.. I didn't know there was a new version, etc.. Really its been 3 years, and you didn't think there was an update? ;)

              This sort of thing drives me nuts. You chose to run pfsense on your network, because you were not happy with your isp or soho routers feature set, or you thought it was cool, or whatever.. But then you don't pay attention to if there is an update out, or read any of the release notes when new versions come out? I personally don't get it..

              Not saying it couldn't of been done a bit different, or slightly different wording in the warning.. But then again - as the admin of your install, it is your responsibility to keep yourself informed. The information was provided - if you failed to read it.. Who's fault is that?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @tgl
                last edited by Gertjan

                @tgl said in suppress message -> ISC DHCP has reached end-of-life:

                I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".

                Easy. They figured out that when you throw ISC DHCP into whatever search engine, you'll see the author of ISC DHCP saying the same thing for a a couple of years now.

                Btw : don't worry, this info was actually know by everybody that uses ISC DHCP, like pfSense admins etc. Like everybody knows that Windows 7, 8 and 10 shouldn't be used anymore (and half the planet is still knowingly doing so).

                They, ISC, have been working on a new DHCP server KEA for the last several years, and it's production ready.

                The only thing that is 'new' and needs some more polishing, is the GUI pfSense front end. KEA, the server, is very usable. The upcoming 24.x and 2.8.x will addresses outstanding issues like DHCP options etc.

                As the author of DHCP and KEA says : KEA is usable, but there are some conditions.
                So, Netgate decided to relay the info, and have he user base 'play' with them both, and while doing so getting the needed feedback so they know where to prioritize their coding (GUI) attention.

                @johnpoz types faster ^^

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • JonathanLeeJ
                  JonathanLee
                  last edited by JonathanLee

                  ISC DHCP has CVE major issues. VLAN hopping, VLAN leaking unauthorized access. Big issues. Please move to KEA ASAP

                  Says the guy still running 23.09.01 with ISC..
                  If my crypto chip worked in 24 I would be running KEA in a second

                  Make sure to upvote

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @JonathanLee
                    last edited by

                    @JonathanLee and were are these so called major CVEs - please link to them.. I don't see how some application could have anything to do with vlan hoping..

                    https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-17706/ISC-Dhcp.html

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    JonathanLeeJ 1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee @johnpoz
                      last edited by

                      @johnpoz I will have to find it. I remember reading something while in college about it. I think it was a metasploit or something, I will look for it and post info.

                      Make sure to upvote

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @JonathanLee
                        last edited by

                        @JonathanLee if it was such a major CVE, why would it not be listed on the link I posted too? How could a dhcpd be used to hop vlans? Even if it handed you an IP from the wrong scope - that doesn't get you to another vlan.. Most of the CVEs I have seen about isc dhcpd have been related to crashing dhcpd and causing some sort of dos..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        JonathanLeeJ 2 Replies Last reply Reply Quote 1
                        • JonathanLeeJ
                          JonathanLee @johnpoz
                          last edited by JonathanLee

                          @johnpoz

                          https://www.cisa.gov/news-events/alerts/2024/02/13/isc-releases-security-advisories-bind-9

                          It’s related to bind

                          I have seen something a couple years ago, it was on vulnhub and or a metasploit. Leaking memory and accessing other vlans

                          Trust me it is out there…

                          Older versions of pen testing software something had it.

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ
                            JonathanLee @johnpoz
                            last edited by

                            @johnpoz

                            https://kb.isc.org/docs/cve-2022-2929

                            Leaking memory one, this one too. I don’t think KEA has the same issues.

                            Make sure to upvote

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @JonathanLee
                              last edited by

                              @JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:

                              tps://kb.isc.org/docs/cve-2022-2929

                              And the fix for that is 4.4.3-P1, which is what is currently used in 23.09.1

                              What does bind have to do with users moving to kea? If your going to try and scare people - "ISC DHCP has CVE major issue" "Please move to KEA ASAP"

                              For gosh sake have some actual credible reason..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              JonathanLeeJ 1 Reply Last reply Reply Quote 2
                              • JonathanLeeJ
                                JonathanLee @johnpoz
                                last edited by

                                @johnpoz did it work? Are you using KEA? :)

                                Make sure to upvote

                                johnpozJ 1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @JonathanLee
                                  last edited by

                                  @JonathanLee hahaha, no I am not using kea.. You making jokes now - hahah

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    I'm not using Kea on my local router either. Yet. There's nothing exploitable I'm aware of in ISC that I'm worried about. Also yet!

                                    1 Reply Last reply Reply Quote 1
                                    • JonathanLeeJ
                                      JonathanLee
                                      last edited by JonathanLee

                                      Screenshot 2024-03-29 at 14.46.42.png

                                      Screenshot 2024-03-29 at 14.47.19.png

                                      See I fixed it no error :)

                                      Make sure to upvote

                                      1 Reply Last reply Reply Quote 0
                                      • TacyonT
                                        Tacyon @JonathanLee
                                        last edited by

                                        @JonathanLee I was on ISC to start with and someone here suggested it because .. it's going to be depreciated RSN (real soon now)

                                        Then I read (as I was considering going back to KEA since ISC didn't resolve my issue and I read a few reports that going back breaks a bunch of stuff leaving you to do it all over again from the beginning.

                                        Since I'm in sponge mode currently .. I want to resolve all the lil things I have going on and sort out my understanding of firewall rules before "doing it over again"

                                        JonathanLeeJ TacyonT 3 Replies Last reply Reply Quote 0
                                        • JonathanLeeJ
                                          JonathanLee @Tacyon
                                          last edited by

                                          @Tacyon if your on pfSense plus just create a boot environment to test with and after if it doesn’t work just go back to that BE. I really like the BE I play with stuff all the time and I am able to quickly normalize a stable version at the push of a button for my family when they are home

                                          Make sure to upvote

                                          1 Reply Last reply Reply Quote 1
                                          • JonathanLeeJ
                                            JonathanLee @Tacyon
                                            last edited by JonathanLee

                                            @Tacyon ISC was an amazing set of software. I wonder what made that team so successful for so long. It’s got to come down to a great team of people they had. I hope that pfSense can get some of those programmers to help out one day. Who knows why it is depreciated. It worked well for a long time, still does. Again the longer it goes with no updates the more vulnerable it will become.

                                            Make sure to upvote

                                            T bmeeksB 2 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.