No DHCP addresses on LAN
-
I've just installed pfSense 1.2 RELEASE on a Dell R200 server. My configuration isn't very complicated – I have a fixed public IP for the WAN and a private IP for the LAN side. I will have about 150 workstations set up on the LAN side. The Cisco switches are set up using VLANs, one VLAN for the outside and one for the inside. I didn't set pfSense up with VLANs, because each port only has one VLAN associated with it.
After some initial difficulty getting pfSense to boot on this hardware (ACPI has to be disabled) the install went fairly smoothly, and configuration didn't seem to be too hard.
However, after setting everything up, I have been unable to get a single workstation on the LAN side to acquire a lease through DHCP. If I manually set a workstation up with an IP in the correct range, with the appropriate routes, etc., all works fine. But no leases are handed out.
If I do not manually set up the network, I get 169.254.x.x addresses, and no route to the outside.
The DHCP logs show that dhcpcd is listening, and the status page says that it is as well. I've tried restarting, but don't get any improvement.
What am I likely to have misconfigured? Do I have to set up VLANs on pfSense?
-
Yes, if it is a layer 2 switch you have. As you have probably already made a diagram ;) it would be nice if you attached it, if more help is needed.
-
OK, here's my network diagram (I never said I had artistic talent…)
The switches are set up so that VLAN 1 is the "outside" VLAN. My workstations are all on VLAN 601. The WAN interface is behaving itself fine without setting up VLANs in pfSense. Is it OK to leave it alone?
The LAN interface is hooked up to a port that is on VLAN 601. All my lab machines are also hooked up to 601.
I tried setting up a VLAN on the LAN interface, but I then lost contact with the pfSense machine. I had to reset it at the console in order to get it talking to the LAN machines again.
-
Actually, this diagram might be a little better. The previous diagram is close to the logical layout, but this one captures the physical layout better.
The switches for the lab machines are in the same room as the uplink to the outside, the pfSense box is in the server room on the server room switch, and both the WAN and LAN VLANs are carried over a trunk between them.
-
The switches are set up so that VLAN 1 is the "outside" VLAN. My workstations are all on VLAN 601. The WAN interface is behaving itself fine without setting up VLANs in pfSense. Is it OK to leave it alone?
As you don't need any routing between VLANs it should work. The switch ports connected to pfSense and the workstations just need to be untagged.
Also make sure that VLAN 601 is a member of the trunk.
-
Well, the resolution was simpler than I expected.
I had the campus network folks look at the switch logs, and it appears that DHCP was being blocked at the switch port. They made that port "dhcp trusted" and all works as it should.
That's what I was hoping for – for such a simple configuration, it didn't make sense that I would have to set up VLANs in the firewall, since everything on the LAN side was on the same VLAN, and everything in the WAN side was on another. I figured it should have been just like a physical network as far as all the hosts (and pfSense) were concerned. But this was the first time I had dealt with a firewall that even understood VLANs, so I wasn't sure. :)
Thanks for the help!
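
Added example, not part of the thread: a simplified Python model of the DHCP snooping check behind the "dhcp trusted" fix above, showing why clients fell back to 169.254.x.x while the server was listening, and why trusting only the pfSense port still blocks an unauthorised server. Port names are hypothetical, and the model covers only the trusted/untrusted decision on server messages, not the other checks a real switch performs.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server sends (option 53 values OFFER/ACK/NAK).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

@dataclass
class SnoopingSwitch:
    snooping_vlans: set
    trusted_ports: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def ingress(self, port, vlan, msg_type):
        """Return True if a DHCP frame entering `port` is forwarded."""
        untrusted = port not in self.trusted_ports
        if vlan in self.snooping_vlans and msg_type in SERVER_MESSAGES and untrusted:
            self.dropped.append((port, vlan, msg_type))  # what the switch log would show
            return False
        return True

def lease_exchange(switch, client_port, server_port, vlan):
    """Walk the four-message DHCP handshake; report where it stalls, or BOUND."""
    handshake = [("DISCOVER", client_port), ("OFFER", server_port),
                 ("REQUEST", client_port), ("ACK", server_port)]
    for msg_type, port in handshake:
        if not switch.ingress(port, vlan, msg_type):
            return f"stalled at {msg_type}"
    return "BOUND"

# Hypothetical port names; VLAN 601 is the LAN VLAN from the thread.
PFSENSE_LAN, WORKSTATION, ROGUE = "Gi0/10", "Gi0/20", "Gi0/21"

def demo():
    sw = SnoopingSwitch(snooping_vlans={601})
    before = lease_exchange(sw, WORKSTATION, PFSENSE_LAN, 601)
    sw.trusted_ports.add(PFSENSE_LAN)            # the "dhcp trusted" change
    after = lease_exchange(sw, WORKSTATION, PFSENSE_LAN, 601)
    rogue = lease_exchange(sw, WORKSTATION, ROGUE, 601)  # unauthorised server
    return before, after, rogue, sw.dropped

if __name__ == "__main__":
    for label, value in zip(("before", "after", "rogue", "dropped"), demo()):
        print(label, value)
```

The DISCOVER always reaches the server, which is why the DHCP service looks healthy from the firewall side; the drop happens on the server's reply, so the switch log is the place to look.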