Netgate Discussion Forum

    pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS

      Gertjan @hernanirvaz

      @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

      @Gertjan cat /etc/hosts
      127.0.0.1 localhost
      127.0.1.1 hrv-zotac3

      # The following lines are desirable for IPv6 capable hosts

      ::1 ip6-localhost ip6-loopback
      fe00::0 ip6-localnet
      ff00::0 ip6-mcastprefix
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters

      I meant the /etc/hosts file on pfSense as I was presuming pfSense is your DNS server ( and hrv-zotac3.home.arpa should be known on pfSense )

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        hernanirvaz @Gertjan

        @Gertjan cat /etc/hosts
        127.0.0.1 localhost localhost.home.arpa
        ::1 localhost localhost.home.arpa
        192.168.8.25 hrv-zotac1.home.arpa hrv-zotac1
        2001:8a0:fcfb:ae00:201:2eff:fea0:88d4 hrv-zotac1.home.arpa hrv-zotac1
        192.168.8.25 hrv-zotac1.home.arpa hrv-zotac1
        192.168.8.28 hrv-zotac2.home.arpa hrv-zotac2
        192.168.8.31 hrv-zotac3.home.arpa hrv-zotac3
        192.168.8.34 hrv-zotac4.home.arpa hrv-zotac4
        192.168.8.37 hrv-intel5.home.arpa hrv-intel5
        192.168.8.40 hrv-intel6.home.arpa hrv-intel6
        192.168.8.100 hrv-zen.home.arpa hrv-zen
        192.168.8.101 hrv-lenovo.home.arpa hrv-lenovo
        192.168.8.103 lgwebostv.home.arpa lgwebostv
        192.168.8.104 dreamevacuumr2364a.home.arpa dreamevacuumr2364a
        192.168.8.105 lgwebostv0.home.arpa lgwebostv0
        192.168.8.110 pixel-9-pro-xl.home.arpa pixel-9-pro-xl
        ::1005 hrv-intel5.home.arpa hrv-intel5
        ::1006 hrv-intel6.home.arpa hrv-intel6
        ::1004 hrv-zotac4.home.arpa hrv-zotac4
        ::1002 hrv-zotac2.home.arpa hrv-zotac2
        ::1007 hrv-zen.home.arpa hrv-zen
        ::1008 hrv-lenovo.home.arpa hrv-lenovo
        ::1009 lgwebostv.home.arpa lgwebostv
        ::100a pixel-9-pro-xl.home.arpa pixel-9-pro-xl
        ::1003 hrv-zotac3.home.arpa hrv-zotac3

          hernanirvaz @hernanirvaz

          deleted ::10?? entries from /etc/hosts to test but after reboot they are there again.
          some internal process is editing the wrong hosts.
          any idea how to fix this?

            Gertjan @hernanirvaz

            @hernanirvaz

            Bingo !

            [image]

            Do you know who put these lines there ?
            Why are they there ?

            You understand that these are plain wrong (yep : as said : imho : bug)

            This :

            Problem Description: dig AAAA hrv-zotac3.home.arpa gives incomplete answer (only gives ::1003)

            is now solved.
            unbound isn't an AI.
            You ask : what is the AAAA (IPv6) of 'hrv-zotac3.home.arpa'.
            Unbound, among other sources, uses the known local hosts as an info source.
            The source says : the last line :

            ::1003 hrv-zotac3.home.arpa hrv-zotac3

            and yeah "::1003" isn't a valid IPv6 answer. A whole part is missing : the prefix ! unbound can't invent by magic that prefix part. Believe it or not, unbound doesn't even know what IPv6 is ^^ (because if it did, it would know that ::1003 isn't a valid IPv6, it's at best a fragment of IPv6)

            By any chance, did you create ( under Services > DHCPv6 > Server > LAN ) any "DHCPv6 Static Mappings" entries ?
            Show one please.
            If so, re-create (edit) them with the fully expanded (with prefix) IPv6 instead of accepting the "::1003" entry.
            You'll say : what ? hard code the prefix ? That can (and will) go wrong in the future, as the prefix is generated not by you (pfSense) but by the upstream ISP equipment.
            And you'll be right ^^

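Added example (not part of the thread, and not pfSense or unbound code): a Python check for the condition described in the post above, hosts entries such as ::1003 that carry only the host part of an IPv6 address. It flags every non-loopback IPv6 entry whose upper 64 bits are zero and shows the full address once a /64 is supplied; the sample lines and the prefix 2001:8a0:fcc9:d800::/64 are taken from the posts, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: lines in the format of the /etc/hosts output posted
# in the thread (a subset, for illustration).
SAMPLE_HOSTS = """\
::1 localhost localhost.home.arpa
192.168.8.31 hrv-zotac3.home.arpa hrv-zotac3
2001:8a0:fcfb:ae00:201:2eff:fea0:88d4 hrv-zotac1.home.arpa hrv-zotac1
::1003 hrv-zotac3.home.arpa hrv-zotac3
::1008 hrv-lenovo.home.arpa hrv-lenovo
"""


def find_prefixless_entries(hosts_text):
    """Return (line_no, address, names) for IPv6 entries without a prefix.

    "Without a prefix" is taken here to mean: the upper 64 bits are all
    zero and the address is neither ::1 nor :: (assumption of this example).
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if addr.version != 6 or addr.is_loopback or addr.is_unspecified:
            continue
        if int(addr) >> 64 == 0:
            findings.append((line_no, str(addr), fields[1:]))
    return findings


def with_prefix(suffix, prefix):
    """Combine the low 64 bits of `suffix` with an IPv6 /64 `prefix`."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("expected an IPv6 /64 prefix")
    host_part = int(ipaddress.IPv6Address(suffix)) & ((1 << 64) - 1)
    return str(ipaddress.IPv6Address(int(net.network_address) | host_part))


if __name__ == "__main__":
    lan_prefix = "2001:8a0:fcc9:d800::/64"  # prefix seen in leases6.conf in the thread
    for line_no, addr, names in find_prefixless_entries(SAMPLE_HOSTS):
        print("line %d: %s %s -> %s" % (
            line_no, addr, " ".join(names), with_prefix(addr, lan_prefix)))
```
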
              hernanirvaz @Gertjan

              @Gertjan
              I did not put the ::10?? entries in hosts, pfSense did.
              yes I have Static Mapping for hrv-zotac3 based on DUID
              yes I know they are incomplete but I did not put them there and if I delete them and reboot, they appear again

              cat /var/unbound/leases/leases6.conf

              31cd0ce2651cc797

              Automatically generated! DO NOT EDIT!

              Last updated: 2025-10-08 17:31:47

              local-data: "hrv-zotac2.unknown.home.arpa. 2400 IN AAAA 2001:8a0:fcc9:d800::1002"
              local-data: "2.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 2400 IN PTR hrv-zotac2.unknown.home.arpa."
              local-data: "hrv-zotac3.unknown.home.arpa. 0 IN AAAA 2001:8a0:fcc9:d800::1003"
              local-data: "3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 0 IN PTR hrv-zotac3.unknown.home.arpa."
              local-data: "hrv-zotac4.unknown.home.arpa. 2400 IN AAAA 2001:8a0:fcc9:d800::1004"
              local-data: "4.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 2400 IN PTR hrv-zotac4.unknown.home.arpa."
              local-data: "hrv-intel5.unknown.home.arpa. 2400 IN AAAA 2001:8a0:fcc9:d800::1005"
              local-data: "5.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 2400 IN PTR hrv-intel5.unknown.home.arpa."
              local-data: "hrv-intel6.unknown.home.arpa. 2400 IN AAAA 2001:8a0:fcc9:d800::1006"
              local-data: "6.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 2400 IN PTR hrv-intel6.unknown.home.arpa."
              local-data: "hrv-lenovo.home.arpa. 2400 IN AAAA 2001:8a0:fcc9:d800::1008"
              local-data: "8.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.d.9.c.c.f.0.a.8.0.1.0.0.2.ip6.arpa. 2400 IN PTR hrv-lenovo.home.arpa."

              as you can see pfSense works fine for hrv-lenovo (a ubuntu desktop)
              but for all other ubuntu servers it registers them with unknown.home.arpa - this makes the whole problem. the static mappings were made the same way using GUI make static mapping.
              the only relevant difference, that I can detect, is: the correct one is a desktop with networkManager, the incorrect ones are all ubuntu servers with netplan/networkd.

                hernanirvaz @hernanirvaz

                said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                AAAA 2001:8a0:fcc9:d800::1003

                the problem is, how can I create a static mapping based on DUID but not mentioning the delegated prefix that changes every reboot because it is given by the ISP?

                  TheNarc @hernanirvaz

                  @hernanirvaz I've started playing with IPv6 a bit too and have the same problem, because I want to make firewall rules to only allow certain clients to pass IPv6 traffic. And while I could easily be wrong (and indeed would like to be proven wrong) based on the information I've found, there is no reliable way to get the hostnames for DHCPv6 static mappings to include the ISP delegated prefix.

                  I did find some suggestions that you do NOT want to enable Early DNS Registration, as it will always or at least more often exclude the delegated prefix. But even without that option enabled, for me it seems to only work sometimes, and I don't know what determines when it does versus does not work.

                  And of course another consideration is that - again as far as I know - it will never work anyway for devices that don't support DHCPv6 and only do SLAAC. Apparently that includes all versions of Android, unless perhaps it has changed in the newest versions.

                  So that's a lot of words to say that I have the same problem and don't know how to definitively fix it, if doing so is even possible. But it's not just you!

                    hernanirvaz @TheNarc

                    @TheNarc you are correct, this DNS registration problem only happens with certain types of clients. In my experience - android, LG tv, ubuntu servers with systemd-networkd. But for ubuntu desktops clients with NetworkManager, it works perfectly.

                    In my tests, kea-dhcp6 logs a WARN message even for non-static mappings and with no Early DNS Registration:

                    WARN [kea-dhcp6.alloc-engine.0xcb30a817400] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:02:00:00:ab:11:52:73:8c:86:e8:81:de:8a], [no hwaddr info], tid=0xc9a891: no pools were available for the lease allocation
                    WARN [kea-dhcp6.alloc-engine.0xcb30a817400] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:02:00:00:ab:11:52:73:8c:86:e8:81:de:8a], [no hwaddr info], tid=0xc9a891: failed to allocate an IPv6 lease in the subnet 2001:8a0:fcc2:6600::/64, subnet-id 1, shared network (none)
                    
                    • It identifies the delegated prefix from the ISP correctly,
                    • It has pools available - because kea2unbound, for ubuntu desktop clients, registers correctly on home.arpa.
                    • but, for ubuntu server clients, the above WARN appears and kea2unbound registers with the wrong domain on unknown.home.arpa

                    anyone know how to fix this?

                      Gertjan @hernanirvaz

                      @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                      no pools were available for the lease allocation

                      Imho : means kea6 received a DHCPv6 lease request on a network without a pool.

                      The second warning : see here ?. Are you dealing with DHCPv6 servers behind pfSense ? Devices connected on pfSense LANs are asking IPv6 leases and/or also entire /64 prefixes ? Your Ubuntu server is asking for a prefix ?
                      (just guessing here).

                        hernanirvaz @Gertjan

                        @Gertjan you were absolutely correct.

                        • kea-dhcp6 WARN messages had to do with the fact that my ubuntu servers are requesting a Prefix Delegation for their own upstream IPv6 stuff. After setting this up with 2001:8a0:fcc2:6610::/60, the WARNs stopped.

                        But this change did not help with kea2unbound registration with the wrong domain on unknown.home.arpa
                        This is still only happening with ubuntu servers not with ubuntu desktops!
                        The only relevant difference between these two - I can point to, is:

                        • servers (use systemd-networkd) & register on the incorrect domain unknown.home.arpa
                        • desktops (use NetworkManager) & register on the correct domain home.arpa

                        can you help with this?

                          Gertjan @hernanirvaz

                          @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                          did not help with kea2unbound registration with the wrong domain on unknown.home.arpa

                          You were not far off 👍
                          Look at the file you mentioned : kea2unbound - it's here : /usr/local/bin/ - line 469 😊

                          Now you know where "unknown.home.arpa" comes from.
                          It seems to be an error condition, and 'should never happen' according to people that know a whole lot more of the subject.

                          /* Should never get this far */
                          

                          From what I make of it : kea2unbound asks unbound via the control port (socket) info about registered leases.
                          I found "Seeing Kea DHCP Issues after upgrade to 24.11", so :

                          echo '{"command":"lease6-get-all"}' | nc -U /var/run/kea6-ctrl-socket | jq
                          

                          All this info comes from the kea DHCP6 server settings pages (global, and lans).
                          The domain name is set correctly ? - it is, for me, filled in with the default system domain name :

                          [image]

                            hernanirvaz @Gertjan

                            @Gertjan said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                            The domain name is set correctly ?

                            confirmed the domain is set correctly and, for me, is set to home.arpa

                            echo '{"command":"lease6-get-all"}' | nc -U /var/run/kea6-ctrl-socket | jq
                            

                            used this command to confirm and option-data appears blank for ubuntu servers. ie: registered with unknown.home.arpa

                            {
                              "arguments": {
                                "leases": [
                                  {
                                    "cltt": 1760023099,
                                    "duid": "00:02:00:00:ab:11:52:73:8c:86:e8:81:de:8a",
                                    "fqdn-fwd": false,
                                    "fqdn-rev": false,
                                    "hostname": "hrv-zotac3.",
                                    "hw-address": "00:01:2e:a0:88:ea",
                                    "iaid": 1448103320,
                                    "ip-address": "2001:8a0:fcd1:3e00::2000",
                                    "preferred-lft": 4500,
                                    "state": 0,
                                    "subnet-id": 1,
                                    "type": "IA_NA",
                                    "user-context": {
                                      "Netgate": {
                                        "option-data": {},
                                        "query6": {
                                          "iface-name": "re0",
                                          "remote-addr": "fe80::201:2eff:fea0:88ea"
                                        }
                                      }
                                    },
                                    "valid-lft": 7200
                                  },
                                  {
                                    "cltt": 1760023472,
                                    "duid": "00:04:5c:fd:51:49:45:08:6a:81:80:68:c0:b9:ed:a2:b4:57",
                                    "fqdn-fwd": false,
                                    "fqdn-rev": false,
                                    "hostname": "hrv-lenovo.",
                                    "iaid": 3134327015,
                                    "ip-address": "2001:8a0:fcd1:3e00::2002",
                                    "preferred-lft": 4500,
                                    "state": 0,
                                    "subnet-id": 1,
                                    "type": "IA_NA",
                                    "user-context": {
                                      "Netgate": {
                                        "option-data": {
                                          "domain-search": [
                                            "home.arpa."
                                          ]
                                        },
                                        "query6": {
                                          "iface-name": "re0",
                                          "remote-addr": "fe80::f542:718f:1de7:6e3"
                                        }
                                      }
                                    },
                                    "valid-lft": 7200
                                  }
                                ]
                              },
                              "result": 0,
                              "text": "2 IPv6 lease(s) found."
                            }
                            
                            • hrv-lenovo is ubuntu desktop and has "option-data": { "domain-search": [ "home.arpa." ] }
                            • hrv-zotac3 is ubuntu server and has "option-data": {}
                            • also noticed that the servers have hw-address field and the desktops do not - probably because the desktops connect via wifi. Not sure this is relevant info.

                            help please?

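Added example (not part of the thread, and not kea2unbound's own logic): a Python triage of a lease6-get-all reply that lists which leases carry a domain-search entry under user-context / Netgate / option-data and which do not, the difference pointed out in the post above. The JSON layout is assumed to be the one shown in that post; the function names are hypothetical and the embedded reply is the posted one cut down to the fields used.

```python
import json
import sys

# Constructed sample: the two leases from the post above, reduced to the
# fields this script reads.
SAMPLE_REPLY = """
{
  "arguments": {
    "leases": [
      {
        "hostname": "hrv-zotac3.",
        "ip-address": "2001:8a0:fcd1:3e00::2000",
        "type": "IA_NA",
        "user-context": {"Netgate": {"option-data": {}}}
      },
      {
        "hostname": "hrv-lenovo.",
        "ip-address": "2001:8a0:fcd1:3e00::2002",
        "type": "IA_NA",
        "user-context": {
          "Netgate": {"option-data": {"domain-search": ["home.arpa."]}}
        }
      }
    ]
  },
  "result": 0,
  "text": "2 IPv6 lease(s) found."
}
"""


def triage_leases(reply_text):
    """Return one dict per lease with its hostname, address and domain list."""
    reply = json.loads(reply_text)
    result = reply.get("result")
    if result == 3:  # Kea's "empty" result: command succeeded, no leases
        return []
    if result != 0:
        raise ValueError("lease6-get-all failed: %s" % reply.get("text"))
    rows = []
    for lease in (reply.get("arguments") or {}).get("leases", []):
        # Any of these levels may be absent or null, so fall back to {}.
        netgate = (lease.get("user-context") or {}).get("Netgate") or {}
        domains = (netgate.get("option-data") or {}).get("domain-search") or []
        rows.append({
            "hostname": lease.get("hostname", "").rstrip("."),
            "address": lease.get("ip-address"),
            "type": lease.get("type"),
            "domain_search": [d.rstrip(".") for d in domains],
        })
    return rows


def missing_domain(rows):
    """Hostnames of leases that have no domain-search entry stored."""
    return [row["hostname"] for row in rows if not row["domain_search"]]


if __name__ == "__main__":
    # With a file argument, read a saved reply; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_REPLY
    for row in triage_leases(text):
        domain = ", ".join(row["domain_search"]) or "(none stored)"
        print("%-12s %-28s %-6s domain-search: %s" % (
            row["hostname"], row["address"], row["type"], domain))
```

Saving the output of the nc command from the post to a file and passing that file as the only argument runs the same report on a live reply.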
                              Gertjan @hernanirvaz

                              @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                              After setting this up with 2001:8a0:fcc2:6610::/60, the WARNs stopped.

                              You assigned that "2001:8a0:fcc2:6610::/60" ?
                              Prefix should be assigned to you from "upstream".
                              And a /60 looks really strange. /64, ok

                              Your LAN is set to DHCPv6 tracking, right ?
                              Like this :

                              [image]

                              and the DHCPv6 server on LAN shows the obtained prefix, right ? :

                              [image]

                              which is always, afaik, a /64.

                              @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                              probably because the desktops connect via wifi

                              Wifi, plain copper Ethernet cable, coax, fibre, it doesn't matter what the transport medium is made of.
                              IP packets are IP packets. The source and destination MAC "hardware address" must be part of it.

                                hernanirvaz @Gertjan

                                @Gertjan said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                                Prefix should be assigned to you from "upstream".

                                yes, you are correct - it is assigned by my ISP, in my case:

                                Delegated Prefix: WAN/0 (2001:8a0:fcd2:6600::/56)/64
                                

                                pfSense then uses the first /64 from that /56 (i.e., 2001:8a0:fcc2:6600::/64) for its LAN interface (this is what WAN/0 signifies when configuring a LAN to "Track Interface" on WAN).
                                This leaves 255 other /64 subnets within that /56 available for pfSense to delegate to other devices on my network that request their own prefixes. These available subnets range from 2001:8a0:fcc2:6601::/64 up to 2001:8a0:fcc2:66FF::/64. This is in fact the next setting on pfSense:

                                Prefix Delegation Pool
                                

                                this is the pool that pfSense uses to delegate downstream to other, eventual, DHCPv6 servers, and this was the complaint (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) I initially was seeing in the logs.

                                my problem still remains the same all with latest ubuntu OS & IPv6 DNS Resolve registrations:

                                • servers (use systemd-networkd) & register on the incorrect domain unknown.home.arpa
                                • desktops (use NetworkManager) & register on the correct domain home.arpa

                                can you help with this?

                                  Gertjan @hernanirvaz

                                  @hernanirvaz

                                  Where did you see this :

                                  [image]

                                  on the DHCP server LAN page ?

                                  edit :

                                  @hernanirvaz said in pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS:

                                  pfSense then uses the first /64 from that /56 ...

                                  When I visit my ISP upstream router, it tells me :

                                  [image]

                                  which should be the same as you.

                                  My IPv6 pfSense WAN IP is in the '00' prefix range, and then "46d4:54ff:fe2a:3600"
                                  For whatever reason, my pfSense obtained the "e2" prefix for my pfSense LAN.

                                  It shows "e2" even when I see this on my LAN settings page :

                                  [image]

                                  where "0 to 0" probably means : get one.

                                  Btw : My ISP (a "Livebox 6" router from Orange (France)) is IPv6 buggy as it only allows 1 prefix per attached device (like pfSense). I can't request a second prefix for a second LAN.

                                  I'm telling all this because

                                  [image]

                                  looks .. dono, strange to me.

                                    hernanirvaz @Gertjan

                                    @Gertjan I do not actually have access to my ISP's upstream router. That is why I decided to install a pfSense box and (by phone) asked my ISP to put their router in bridge mode.

                                    When my pfSense WAN DHCPv6 Client Configuration has "DHCPv6 Prefix Delegation size 64" then my ISP's router gives me the Delegated Prefix: WAN/0 (2001:8a0:fcc2:6600::/56)/64, that means:

                                    • my ISP is delegating a /56 prefix to my pfSense. This is the 2001:8a0:fcc2:6600::/56 part - the big block of addresses my ISP is giving me to work with.
                                    • my pfSense is specifically configured to request a /64 for its WAN interface and also to handle the delegation of a /64 (the WAN/0 part refers to the first /64 out of the delegated /56) to its LAN.

                                    This means that out of the 2001:8a0:fcc2:6600::/56 block my ISP gives me:

                                    • 2001:8a0:fcc2:6600::/64 (mine is 00, yours e2) is being used by my pfSense LAN interface (as indicated by WAN/0).
                                    • This leaves 2001:8a0:fcc2:6601::/64 through 2001:8a0:fcc2:66FF::/64 available within that /56 block for further delegation to pfSense clients upstream.

                                    So, I have plenty of /64 subnets remaining from the /56 to delegate, for pfSense to give to my internal clients.

                                    But that stuff is all good for me, my problem still remains the same; my internal machines, all with latest ubuntu OS & IPv6, get DNS Resolve registrations wrong:

                                    • servers (with systemd-networkd) & register on the incorrect domain unknown.home.arpa
                                    • desktops (with NetworkManager) & register on the correct domain home.arpa

                                    can someone help with this?

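Added example (not from the thread or from pfSense): the prefix arithmetic described in the post above and in the earlier post about the Prefix Delegation Pool, written as a Python check that a pool sits inside the ISP delegation and stays clear of the /64 the tracking LAN takes. The /56 and /60 values are the ones quoted in the posts; the function names and report fields are hypothetical.

```python
import ipaddress


def tracked_lan_subnet(delegated, prefix_id):
    """Return the /64 that prefix ID `prefix_id` selects from the delegation."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    slots = 1 << (64 - block.prefixlen)  # a /56 holds 256 /64 subnets
    if not 0 <= prefix_id < slots:
        raise ValueError("prefix ID must be in 0..%d" % (slots - 1))
    base = int(block.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def check_pd_pool(delegated, prefix_id, pool):
    """Check a downstream prefix-delegation pool against the delegation.

    Returns a report dict; an empty "problems" list means the pool is
    aligned, inside the delegated block and does not touch the LAN /64.
    """
    block = ipaddress.IPv6Network(delegated)
    lan = tracked_lan_subnet(delegated, prefix_id)
    problems = []
    try:
        pool_net = ipaddress.IPv6Network(pool)
    except ValueError:
        # Bits set below the prefix length: report it and continue with
        # the aligned network so the remaining checks still run.
        pool_net = ipaddress.IPv6Network(pool, strict=False)
        problems.append("pool is not aligned; aligned form is %s" % pool_net)
    if pool_net.prefixlen > 64:
        problems.append("pool is smaller than a single /64")
    if not pool_net.subnet_of(block):
        problems.append("pool is outside the delegated prefix %s" % block)
    if pool_net.overlaps(lan):
        problems.append("pool overlaps the LAN subnet %s" % lan)
    slash64s = 1 << (64 - pool_net.prefixlen) if pool_net.prefixlen <= 64 else 0
    return {
        "lan": str(lan),
        "pool": str(pool_net),
        "slash64s": slash64s,
        "problems": problems,
    }


if __name__ == "__main__":
    delegated = "2001:8a0:fcc2:6600::/56"  # value quoted in the thread
    for pool in ("2001:8a0:fcc2:6610::/60",   # pool quoted in the thread
                 "2001:8a0:fcc2:6600::/60"):  # constructed: collides with the LAN
        report = check_pd_pool(delegated, 0, pool)
        status = "; ".join(report["problems"]) or "ok"
        print("%s (%d x /64), LAN %s: %s" % (
            report["pool"], report["slash64s"], report["lan"], status))
```

Because the delegated prefix changes when the ISP renumbers, the check is only meaningful against the delegation currently shown on the pfSense status page.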
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.