@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

But existing and enabled are or should be two different things.

When an interface is not connected (you ripped out the network, or powered down the device or switch on the other side), the DHCP server serving that interface will detect the "DOWN" system / hardware event, and shut down.
pfSense won't even show you your DHCP server instance anymore.
But, no panic, the settings will still be there. And when you connect (power up) the connection, it will auto-start, with the previously known settings.

@Seeking-Sense said in Trouble importing DHCP Mappings from 2.6 to 2.7.2:

One other issues I have come across is that KEA DHCP causes issues throwing PHP errors / crash reports in conjunction with pfblockerng dev.

kea initially, when using 23.09 ? I can't recall, work fine but the implemention'27.2' (and 23.09, 24.03, before 24.11 came out) was, for my needs, to minimalist.
You can use Kea, if you validated your requirement first.

Here they are : Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

As you can see, the details are here - published November 2023 :

15493662-314e-4f6b-a7b1-21d126113858-image.png

So, you need "static MAC DHCP leases" ?
Ok, fine. Stick with ISC for the moment.

Right now, 24.11 adds static DHCP leases, DNS registration, but is still limited about adding your own DHCP options.
The upcoming 2.8.0 will have the same Kea support.

Btw : kea by itself was and is rock solid for me. It had to stick with ISC because I wanted to keep my DHCP mac leases, my DHCP special options etc, but since 24.11 became available, I switched to kea. Options were still missing but with some copy and paste instructions from the source' (redmine) I could add what I needed.

Btw : kea has no relations with pfBlockerng.

Hmm, well I guess I would test a client that isn't the switch just in case it has some quirk that prevents it using a VLAN correctly for management. But if you used that same setup on a 6100 it should work here too.

Otherwise a pcap at the client will at least show if it reaches it.

@NickJH

Check this one :

0a2b3de4-9ed3-4396-9d83-12078a0f97fa-image.png

and hit the big bleu save button at the bottom of the page.
Worked for me ©

edit :
and we never believe a GUI as it nature is hiding all the info we're looking for :
a test !?!

Because I know I've entered this :

9d3fe825-15f5-4190-ad49-62c7c62fe8ec-image.png

This must work :

C:\Users\Gauche>nslookup bureau2 Serveur : pfSense.bhf.tld Address: 2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c Nom : bureau2.bhf.net Addresses: 2a01:cb19:beef:a6eb::88 192.168.1.2

and this is correct ...
I'm also using static "IPv6 leases" because I really dont want to have to deal with IPv6 like '2a01:cb19:beef:a600:46d4:54ff:fe2a:36dc'.

My LAN IPv6 '2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c' is already a horror. Gone are the day you can 'quickly' ping LAN using "192.168.1.1" 😵

@mhd353 Yeah you could do that. Or like I said earlier, just change the 3.1 to 30.1 and use it as the native on that port, you can then add vlans later if needed. I've done it where I name the physical port "Trunk" and had no native network on it. I've also read recently that the physical port doesn't even need to be enabled but I never did that and doesn't sound like something that would work to me. Maybe I'll try it sometime just to find out.

First, configure mvneta1 interface with an IP address in a MGMT network that you choose (not vlan). And use this same network in the switch and AP for management purposes.

Checking your screenshots, everything seems to be correct at the pfSense side.
Check your netgear, make sure the MGMT network is correct (untagged) and in the same network as mvneta1 in pfsense, check if this same port is configured to receive vlan20 and vlan30 tagged, and the downlink has the same configuration.

The port connecting pfSense to Netgear switch should be like this:
VLAN 1 Untagged (MGMT of the switch)
VLAN 20 Tagged
VLAN 30 Tagged

Netgear Switch to AP:
VLAN 1 Untagged (MGMT of the AP)
VLAN 20 Tagged
VLAN 30 tagged

Then, assign the wifi networks to use VLAN 20 and VLAN 30 respectively.

@Lace pfSense will do incoming and outgoing in much more detail and with more advanced filtering options than USG will ever do ;-)
If you use the assistance of pfBlockerNG, you can GEO block countries, lists of know offenders and what not in both inbound and outbound directions.

But sure you can use both - allthough it is a compliccated setup with more failure options.

Colors should convey some kind of meaning. Choosing a random color just to have it be a color seems like a bad idea.

The grey color already has a well-known intended meaning of something being inactive/disabled. I don't see the need to change it.

@hydrian
You can get it work with a single public IP, but probably not with a MAC lock. CARP uses certain MAC addresses, which cannot be spoofed as far as I know.

Final reply to this thread for anyone in the future who needs to setup something similar:

I've put the full solution, including the NodeRed flow here: https://gist.github.com/Slyke/7d5b290f1d5695fdd79f5e0a08837c93

@stephenw10 yes we can agree the user can configure it wrong all over. Again, an administrator might fat finger a large static DHCP list with a couple entries thus causing hostname mix ups. That for one would be very hard to pinpoint. Moreover, we know the amount of hours system administrators work. It's a lot of hours. This would make PfSense have a ease of use software functionality built in. I assumed that if pfSense allowed multiple duplicate entries, it was done for a situation when two devices need to be swapped in and out and need the same IP address, in this mindset PfSense should still log the correct hostnames. Again, if that was the reason for PfSense allowing the GUI duplicate entries.

Weird thing to research, but the hostnames mixup was what I was after and or why
PfSense would allow the duplicate entries in the first place. Let's agree admins have monster static dhcp lists that are updated and changed all the time within a secure setting. This situation would want controls in place for hostnames. Finally, logs for the hostnames could get bonkered up and with a monster list and that would be hard to track down why hostnames are wrong. We know PfSense now has experimental layer 2 Ethernet filtering.

@bmeeks I solved it by copying both the curl and sh binaries into the chrooted folder and specifying the path to them directly:

mkdir -p /var/dhcpd/bin mkdir -p /var/dhcpd/usr/local/bin cp /bin/bash /var/dhcpd/bin/ cp /usr/local/bin/curl /var/dhcpd/usr/local/bin/

Then in my /var/dhcpd/etc/dhcp_update.sh script:

#!/bin/sh BASE_URL="http://your-web-server.com/your-endpoint" EVENT_TYPE="$1" IP_ADDRESS="$2" MAC_ADDRESS="$3" case "$EVENT_TYPE" in "1") ONLINE_STATE="online" ;; "2"|"3") ONLINE_STATE="offline" ;; *) ONLINE_STATE="unknown" ;; esac URL="${BASE_URL}?ip=${IP_ADDRESS}&mac=${MAC_ADDRESS}&state=${ONLINE_STATE}&event=${EVENT_TYPE}" echo "DHCP Announce: $URL" /usr/local/bin/curl -X GET "$URL"

It aborted with exit code 6, which means that cURL couldn't resolve the hostname (good news!). I still haven't tested this with my proper endpoint, but I think it will work now.

@Richard-1 said in No DHCP on proxmox:

On my Win11 VM I receive ip configuration from DHCP server, on my physical PC no DHCP configuration received, I need to enter ip, subnetmask, gateway, ... manually to connect to network.

It's the way you have it setup...please see here: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

Did you connect your physical PC to pfSense LAN? Nothing is wrong to connect manually though. You should consider amending your title as Proxmox doesn't do DHCP.

@JonathanLee sorry if I wasn't clear. No, one URL should be enough

@chrisjx Hi,
I also have a location with two ISPs, one is the primary and the second is a Starlink.
So I know how to setup the LAN4 as a OPT and assigned VLAN 40 to it. But how do I make sure the Starlink is on VLAN 40 then?

Did you managed to get this working?

BR
Nick

@djdmx Good to hear!!
Sorry I haven't answered any of your posts, just getting over the flu. But you didn't need my help anyway!