Single NIC machine not getting WAN IP with PFsense
-
@kfaust Yes or the replies are not being tagged coming back in. That would be the PVID on the port. It looks correct but maybe never applied or similar?
You could just use WAN untagged and LAN tagged and reconfigure the switch to match that. But that would likely expose the switch GUI on the WAN. So...sub optimal!
-
@kfaust said in Single NIC machine not getting WAN IP with PFsense:
sending has the VLAN tag on it,
Well yeah its tagged on that port so you would need to send the tag.. But on the port connected to the modem it should be untagged on vlan 99, and yes the pvid should be 99.. So the answer to your dhcp would hit the port on the switch and the switch would say oh this is vlan 99, and send it on to pfsense tagged on 99.
-
The switch config posted in screenshots above looks correct. It is a TPLink switch of course....
-
Well if nothing else I've learned a good bit about wireshark monitoring! I spent the whole evening just figuring out how keep my windows laptop from stripping the tags off the packet when trying to monitor them with port mirroring, but I finally got it.
That said, it does appear the switch is correctly applying and removing the tag when the DHCP request ingresses on port 1 and egresses from port 2. Good to know, but it doesn't exactly solve my problem. The only other thing I can think is that if the response from the modem is getting dropped when it enters the switch somehow.
As one last attempt, I do have a managed netgear switch lying around with same number of ports. I'll swap them out next chance I get and see if that makes a difference.
-
Yes, if the PVID wasn't applying for some reason the replies from the ISP would not make it back onto the VLAN.
However it looks to be correctly configured and LAN was working as expected when you had that configured as VLAN 10 in the same way.If you still have the pcap of your laptop pulling a lease successfully, or pfSense doing so on re0, then you might look at those reply packets and see if they have some other tags. Every cheap switch I have seen just strips priority tags but it's possible this one uses them and drops the packets. Does it have tagging enabled on the QoS tab?
Steve
-
Made some more head way this morning. I need to amend my previous statement:
That said, it does appear the switch is correctly applying and removing the tag when the DHCP request ingresses on port 1 and egresses from port 2.
This true, but I wasn't taking these packet captures while connected to the modem. Since I can't take the modem down during the day, I moved my set up and connected my desktop to the port where the modem would usually go, then mirrored/monitored port traffic in my laptop. In this scenario, pfsense was sending tagged DHCP requests through port 1 and they were passing through port 2 with the tag stripped off, all correct.
I tried this again in the morning with the modem connected, and found that the DHCP requests aren't being routed after ingressing on port 1. Just to be sure, I connected my PC again and verified everything by monitoring just the port 1 ingress, then egress, and the same for port 2 . I then did the same with the modem, also setting up capture on pfsense to track the packets it's sending to port 1, then specifically monitoring port 1 egress on the laptop.
All that's to say: when the modem is connect to the switch, PFsense will send a VLAN-tagged DHCP Request (ID: 99) to the switch, but the switch does not route the package anywhere, it never leaves the port and thus never reaches the modem. If I change the connected end device to desktop PC, the packages suddenly route correctly. Same VLAN/PVID setup I've already demonstrated in this thread. No idea what could cause this, but i'll keep researching while awaiting any ideas here.
-
Hmm, does the modem have some odd MAC address perhaps?
It shouldn't matter though broadcast traffic should be sent everywhere.
You might try passing the untagged traffic from re0 directly through the switch and see if that fails.
Either with the switch just passing it as untagged on a VLAN or in port vlan mode if it has that.Steve
-
There's truly no accounting for the physical layer. I tried it with my netgate switch the morning and pfsense pulled a WAN IP on VLAN 99 almost instantly just as every guide I've followed would expect. The VLAN/PVID setup is exactly the same, all that changed is a the switch. Maybe some weird interaction between the TP-Link switch and the cable modem? In any case, I'm finally unblocked on this and can start moving forward with everything else.
-
@kfaust said in Single NIC machine not getting WAN IP with PFsense:
TP-Link switch
Not on the top of my recommendation lists for low cost switches.. Ever since their fisaco with vlan 1 not being able to be removed, and it taking them like 2 years to fix it.. And them saying on their own forums that it was normal and required, etc. it was clear they don't actually understand vlans..
They did finally fix it, but they didn't officially back port the firmware change to the older models, etc.. I have one with the fixed firmware in use, its behind my tv and have some vlans on it and not had any issues, and it does let me remove vlan 1 now. And some of the leak testing I did it seems to be actually isolating the vlans.. But I wouldn't buy that brand if there was any other choice.. At least not their entry level smart switches.
-
Hmm, yeah TPLink have had some... interesting.... switch issues in older models but nothing that would really explain this. Weird. Glad you were able to resolve it.
-
@stephenw10 yeah its odd for sure - what I would do for testing and validation of the problem would be to duplicate dhcp and vlan without the modem.
Fire up something running dhcp and let pfsense pretend its a wan interface getting dhcp and run it through the switch with the same sort of setup. untagged towards your dhcp server/gateway for pfsense, and tagged towards pfsense..
You would use anything for the test, some laptop or pi would work just fine for such testing..
