@patient0
This is a linux vm running latest openSuSE doing DHCP:

313127d4-3034-4d66-ac5f-be94c1114359-image.png

Meanwhile, it seems some IP address leases were in fact working:
They weren't last night but seems to have kicked in sometimes later.

a0baca10-75c8-47f8-a590-16b44bccd439-image.png

They are all for Windows Server VM's running on Virtual NIC's.
Here they can be seen in the DNS server:
31387948-d34e-4ff8-8d17-f1563be9a1fe-image.png

@dennypage Hasn't been a problem.

loopstats.jpg

@JonathanLee We disable the stream alerts as I recall. Lots of false positives.

Have seen the direction one, I suspect it’s a side effect of the legacy processing mode which looks at copies of the packets.

@maximushugus

I tried to compile pimd for actual FreeBSD15 current, however I am facing issues which I can, given my limited knowledge of c, git and pimd internals, not solve.

At least I did not manage that up to now despite significant effort.

starting a tool like ^script^ and then compiling the source etc, you can see the warnings and some errors in the script generated file. In the file warnings and an error

related to e.g. not longer supported macro's and and a fatal error related to ^man^ which should be an absolute path
I tried to fix the ^man^ error using ^ConfigureOptions="--mandir=/usr/local/share/man",

That does remove the error but not in such a way that there are man8 packages in the stage directory / distribution file or package.

For that reason I did build a package without man files, and installed that pimd package on actual pfSense plus version.
It does not work. Main problem it can not find the interfaces see pfsense systemlog

I would have prefered to test on a fresh pfSense system, however netgate does not make an iso available :( I do not like that, however I do understand netgate!

Troglobit has a significant newer pimd version ^pimd-dense^ which can perhaps been an pimd alternative.
I do not know the difference in functionality!

So ^we have a problem^ !!

Some options:

support from someone with higher c and git knowledge able to solve the actual warnings and man issue in the code try to compile pimdd which because more recent probably has less compile issues and perhaps even has a freebsd ports creating a couple of VM's with the media player. One for each VLAN which needs media files

@Zermus said in crowdsec:

It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.

I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.

pfSense CE is based on an open source project and thought that this would come come some moral obligations. I understand that it may not be a legal obligation to offer a stand-alone installer, and I assume that the source code is public tot he degree required. I no longer pay attention to this as the source has never been in a form where it could be compiled by a user.

Netgate 3100, 24.11-RELEASE (arm)

Hi,

Networking newbie here. Wow, that was scary! The network access for all the members in our coworking space went down when KEA DHCP spontaneously died. This required a panicked emergency rush to figure out what caused this sudden network access meltdown smack in the middle of a business day. No error messages at all in the DHCP system log to provide any guidance.

We transitioned from the old ISC to KEA because of a message encouraging us to do so due to ISC deprecation. "Kea DHCP is the newer, modern DHCP distribution from ISC that includes the most-requested features."

Just goes to show that newer can be way worse, even when the vendor you trust is pushing you to do so. Rock-solid reliability, "No alarms and no surprises" should be the expectation in a business router. I have to say that my faith in Netgate/PfSense has been shaken.

It occured to me that something like this could affect other subsystems. Eg, OpenVPN has to dynamically assign IPs to clients. It appears that OVPN handles this independently from DHCP via the "IPv4 Tunnel Network" setting, is that correct? If not, then if DHCP goes down that could jeapordize OVPN and any other services that might to require DHCP for assigning IP #s dynamically, no?

If OVPN were to be dependent upon DHCP, then a downed DHCP would jeapordize remote access via OVPN, and consequentially remote troubleshooting. Which would argue for also keeping an SSH connection on to the outside world in addition to OVPN, so as to ensure remote access availability to the router, no?

Are there other remote access services that one should be concerned could be affected by the abscence of DHCP?

Gong back to ISC to avoid nightmares...

@plicplic yeah when you block all IPv6 it creates those hidden block all IPv6 rules. And yeah most likely going to create a lot of noise in the logs.

Those blocks your still seeing to to 224.0.0.22 are multicast with ip-option set but not allowed - you could change your rules to either create one that blocks but doesn't log, or your allow rule to allow ip-option being set

@Gertjan those 3 name server might be just his isp dns.. that first on is fibreop and the others are aliant - which are the same isp - with the fibre one being for their FTTH.

Yeah if you want to use those - you should have unbound forward to them - but I see little benefit to forwarding for dns, just let unbound resolve is better option imho.

I see the same issue on my end in Pihole. I can load the list in a browser, but not by updating. I added your chosen list and fails. Really no idea why. Limiting connections at the far end to monthly? Dunno.

090db581-7840-4519-8763-2c2907f40ed0-image.png

@semara turn x forward mode off unless this is behind another router or something.
If you want transparent no certificates turn off ssl intercept

I too am seeing this exact issue across two fresh installs of 2.8.0 on different hardware. I think this is the root of a few issues that have been reported including this one:

https://forum.netgate.com/topic/197613/pfsense-ce-2-8-0-kea2unbound-causes-high-cpu-load-even-when-dns-registration-is-disabled/2?_=1749683895535

Is this not a clear bug if kea2unbound is being invoked when dns registration and early dns registration are deselected? or is this intended to always restart unbound at random? I'm seeing the same logs and same symptoms with /var/unbound/leases/leases4.conf empty. Happy to provide any information needed as this is very disruptive.

@microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.

@JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system:

ln -s -F /nvme/LOGS_Optane/snort /var/log/snort

Also you can do this with suricata.

/var/log/suricata remove this mkdir /nvme/LOGS_Optane/suricata ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata

@SteveITS It looks like it is detecting ipv6 better

already is showing alerts

Screenshot 2025-07-12 at 10.39.56.png

It sees some ipv6 going to my interface. Again snort also would spot stuff every once a a while. My son got a bad bug on his tablet and it had a Russian email server running I checked it on virus total and it was spot on as malware known abuses so I reported it