Folks I need Help!

jehu

I've checked the logs on the pfsense firewall and this is what I get…I'm starting to believe the switch settings are good.

/status_services.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1 em1_vlan100' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 29 leases to leases file. Listening on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Sending on BPF/em1_vlan100/00:14:5e:77:61:9d/192.168.2.0/24 Listening on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Sending on BPF/em1/00:14:5e:77:61:9d/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp ser

jehu

pfsense vlan settings


johnpoz

Yeah that looks fine.. Is that the only rule you have on the wifi vlan?

So your saying your devices on this vlan 100 are not getting an IP from pfsense?

Then yeah you have a problem with the switch config, or connectivity.  So is your lan, or vlan 1 working??  How are you accessing the pfsense gui?

jehu

@johnpoz:

Yeah that looks fine.. Is that the only rule you have on the wifi vlan?

So your saying your devices on this vlan 100 are not getting an IP from pfsense?

Then yeah you have a problem with the switch config, or connectivity.  So is your lan, or vlan 1 working??  How are you accessing the pfsense gui?

Lan is working fine on vlan 1…I have one vlan for now until I can get it working, vlan 100 wifi.
If I plug into any ports on the switch it all works except for port 10 connected to vlan 100.
On vlan 1 I have no problems getting ip from dhcp 192.168.1.x
On vlan 100 I cannot get an ip from dhcp 192.168.2.x

johnpoz

so going to ask for the 3 times..

did you run the command show vlan on your switch??

jehu

Sorry yes I did…see below

VLAN Name                            Status    Ports

---

1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
                                                Gi1/0/8, Gi1/0/9, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24, Gi1/0/25, Gi1/0/26
                                                Gi1/0/27, Gi1/0/28
100  Wifi                            active    Gi1/0/10
1002 fddi-default                    act/unsup
1003 token-ring-default              act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID      MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---

1    enet  100001    1500  -      -      -        -    -        0      0
100  enet  100100    1500  -      -      -        -    -        0      0
1002 fddi  101002    1500  -      -      -        -    -        0      0

NeoDude

Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?

jehu

@NeoDude:

Correct me if I'm wrong but you only appear to have VLAN100 tagged on one port?

Yes…do I need more ports?
I did try that and it didn't work

NeoDude

You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?

jehu

@NeoDude:

You need VLAN100 tagged on the port that connects to your WiFi AND the port that connects back to pfSense. VLAN1 should remain untagged but active on all ports. Your AP also needs to be VLAN aware, what one are you using?

Sorry really green at this…vlan 100 to tagged to port 10 and port that connects to pfsense is port 3.
If you can help me with the commands I would appreciate it, see below, show run command...thx

interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1001-1005
switchport mode trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
switchport access vlan 100
switchport mode access

johnpoz

ok so port 10 is in vlan 100

Can you do a show interfaces trunk

Or how about
sho int switchport G1/0/3

That is the port you have in trunk mode to pfsense right..

I would remove this from your port 3
switchport trunk encapsulation dot1q

conf t
int gi1/0/3
no switchport trunk encapsulation dot1q

Then show the commands of the ones I gave above.

Then once you have a device that you connect to on port 10, we can worry about connecting a AP on another trunk port that does vlans, etc.

NeoDude

I wouldn't have a clue about commands, my switch has a Web GUI  8)

But if pfSense is on port 3 then that also needs tagged to VLAN100

jehu

@johnpoz:

ok so port 10 is in vlan 100

Can you do a show interfaces trunk

Or how about
sho int switchport G1/0/3

That is the port you have in trunk mode to pfsense right..SW#show interfaces trunk

Port        Mode            Encapsulation  Status        Native vlan
Gi1/0/3    on              802.1q        trunking      1

Port        Vlans allowed on trunk
Gi1/0/3    1,100,1001-1005

Port        Vlans allowed and active in management domain
Gi1/0/3    1,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/3    1,100

Yes port 3 is trunk…see below

johnpoz

We already went over what needs to be tagged where.. Yes completely agree with you

Port to pfsense needs vlan 100 tagged.. And then any uplinks to any AP that would be doing vlan 100 on SSID also tagged, etc.

But he can not seem to get vlan 100 to work..

NeoDude

Have we established that his AP is VLAN aware? and set up to use VLAN100?

jehu

@NeoDude:

Have we established that his AP is VLAN aware?

AP is vlan aware it's a Ubiquiti UniFi AP-AC-Pro AP…but if I plug my laptop in that port I can't get and ip

johnpoz

He is not doing that yet - he is just connecting a device to is vlan port 10.. And its not getting an IP from pfsense, or can not talk to pfsense.  If he can not get a simple access port to work.. Then what is the point of moving to AP?

on your pfsense box can you do a ifconfig and post the output so we can see that your nic actually supports vlan tagging..

example

em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
        options=9b<rxcsum,txcsum,vlan_mtu,<strong>VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:00:00:03
        inet6 fe80::250:56ff:fe00:3%em2 prefixlen 64 scopeid 0x3
        inet 192.168.2.253 netmask 0xffffff00 broadcast 192.168.2.255</rxcsum,txcsum,vlan_mtu,<strong></up,broadcast,running,promisc,simplex,multicast>

jehu

here you go

em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=5009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:14:5e:77:61:9c
        inet6 fe80::214:5eff:fe77:619c%em0 prefixlen 64 scopeid 0x1
        inet 24.23.x.x netmask 0xfffff800 broadcast 24.239.15.255
        nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=5009b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:14:5e:77:61:9d
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
        nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
pflog0: flags=100 <promisc>metric 0 mtu 33160
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 224.0.0.240 maxupd: 128 defer: on
        syncok: 1
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21 <performnud,auto_linklocal>lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
        options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        nd6 options=21 <performnud,auto_linklocal>em1_vlan100: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=3 <rxcsum,txcsum>ether 00:14:5e:77:61:9d
        inet6 fe80::214:5eff:fe77:619d%em1_vlan100 prefixlen 64 scopeid 0x7
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 100 vlanpcp: 0 parent interface: em1</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></promisc></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast>

NeoDude

Your laptop won't work on port 10 because it's not a member of VLAN1 and I'm guessing the laptop isn't VLAN aware.

johnpoz

^ what??  Its a native vlan.. Laptop does not have to have any clue to what vlan its on.. Its native untagged vlan..