pfSense DHCP Outage a day after installing NetGate Plus 26.03-RELEASE

Mon, 06 Apr 2026 09:38:00 -0400

Summary

On 2026-04-06 at approximately 09:38 EDT, the Kea DHCP service on pfSense (26.03-RELEASE) stopped serving leases on all interfaces. The root cause was a corruption of the <dhcpd> block in /cf/conf/config.xml, which caused pfSense to generate an empty Kea interfaces list. Service was restored by activating a previous ZFS boot environment.

Timeline

Time (EDT)	Event
08:54	config.xml drops ~15KB — `<dhcpd>` block wiped (config-1775480086.xml > config-1775480087.xml)
08:54–09:37	Multiple config saves at reduced size; pfSense regenerates Kea config with empty interfaces each time
09:38	Kea begins logging `DHCPSRV_NO_SOCKETS_OPEN`; DHCP stops serving leases
09:38–09:41	Kea restarts repeatedly, fails each time
~09:45	Operator detects outage; accesses box via WireGuard VPN
~10:00	Investigation begins
~10:30	Root cause identified: empty `<dhcpd>` in config.xml
~10:45	Config restore from backup attempted; Kea config generator continues producing empty interfaces
~11:00	ZFS boot environment rollback to `default_20260405014509` initiated
~11:10	Service restored

Root Cause

A pfSense package operation (pfBlockerNG or Suricata reload/apply) triggered a config write at 08:54 that silently cleared the entire <dhcpd> section from /cf/conf/config.xml. This is a pfSense 26.x bug: package-initiated config saves can clobber unrelated service configuration blocks.

Dhcp on > Cabronerias de Matu

pfSense DHCP Outage a day after installing NetGate Plus 26.03-RELEASE

Summary

Timeline

Root Cause