DHCPNAK or Offer in VLANS

Orion2030

Hey Guys, Ladies;
Have a been to a nagging issue here. I am trying to set the following:

PFsense 2.4.5 in a Netgate SG-5100
igb0 is the WAN
ix0 is the LAN where pfsense is administered from (192.168.1.x)
ix3 is configured to run 3 vlans: VLAN2(192.168.2.x), and VLAN3(192.168.3.x)

on ix3 I am running dhcp for the clients in each VLAN.

Then I connect PFSense ix3 ---> TP-Link Lite Managed switch (TL-SG3126) port 9
Port 9 is designated as a TRUNK TAGGED port

Then TP-Link port 10 (configured as TRUNK TAGGED) ---> Orbi Home Router (RBR50)

Then Orbi is configured with 3 VLANS, in the following way:
Port 1 is default and all of WIFI devices
Port 2 is VLAN2
Port3 is VLAN3

vlan problem.jpg

Here is the problem:
CLIENT-X. When I connect the client via ethernet to Port 1 of the ORBI router, I get 10.0.0.x addresses as expected, just like all wifi devices
When I connect CLIENT X to port 3 I get VLAN3 addresses as expected.
But when I connect CLIENT-X to port 2 of the ORBI, I get DHCPNAK responses from the logs in pfsense DCHP server. Other times, I get

Annotation 2020-05-03 122432.jpg

When I tried a different laptop on VLAN2, I get a different error:
Annotation 2020-05-03 122432-2.jpg

It seems a DHCP offer is made to the client but the client never gets the offer.

I know I have a lot of moving parts here, and have tried to remove the switch from the equation but it did not work either. I suspect I might have two issues:
A) DHCP settings in PFSENSE
B) VLAN configuration on the SWITCH or on the ORBI.

Any help would be awesome !

JKnott

@Orion2030

Why do you need 3 routers? Can you not put the ISP router into bridge mode? However, that isn't your problem. Your problem is caused by having another router downstream from pfSense. Unless that router is capable of managing VLANs (unlikely), then your VLANs will be discarded when they reach it. You use a managed switch to separate out the VLANs.

BTW, some TP-Link gear doesn't handle VLANs properly.

Orion2030

@JKnott , thanks for the quick response.

I could eventually put the ISP router into bridge, no problem... but as you said, that is not the issue here.

I guess where I am thrown off a bit is that VLAN 1 and VLAN3 work just fine, or so it seems as expected. It is only when in VLAN2. The ORBI Wifi router does not handle VLAN when in BRIDGE MODE, only when in ROUTER MODE.

Not sure about TP-LINK issues. I can say that if I connect CLIENT X directly into ports on the Switch, I get IPs for VLAN2 and VLAN3 just fine ( when bi-passing ORBI) but of course I have no clue how ORBI actually handles VLANS.

JKnott

@Orion2030 said in DHCPNAK or Offer in VLANS:

I can say that if I connect CLIENT X directly into ports on the Switch, I get IPs for VLAN2 and VLAN3 just fine ( when bi-passing ORBI) but of course I have no clue how ORBI actually handles VLANS.

As I said, that's the issue. A VLAN is nothing more than an extra 4 bytes in an Ethernet frame that a managed switch uses to separate the virtual LANs. If that ORBI doesn't handle VLANs, it can't do anything with them. In fact, since the first two of those 4 bytes are the Ethertype a router wouldn't even recognize those packets as being IP and so won't route them. A router from companies such as Cisco or pfSense can manage VLANs, but consumer level gear generally doesn't, at least not beyond guest WiFi.

I have no idea why VLAN 3 appears to be working, as it shouldn't be. I suspect you may not have what you think you do.