No DHCP over VLAN
I've been using pfsense for a while now. We have recently bought a Draytek 910C AP which supports multiple VLANs.
We want to set 1 vlan up as the internal AP and the second vlan for guest access.
I have added a dual port nic into the pfsense and configured the interfaces accordingly. This physical nic is directly connected to the AP.
Although the client machines can authenticate on the AP they do not get an IP.
If I set them up as static they get net access and there is no issue with routing across subnets.
I currently have a pass all on every protocol for the vlan Rule for testing.
The dhcp logs do not show any requests on the vlan subnet.
I know this should be simple, but there is something I'm missing.
So you have the AP directly connected to the pfsense? Or is there a switch? If you set up multiple vlans on your AP, you're tagging them with what ID? 100, 10, 199? Then you would have to create your vlan on pfsense with the same tag.
If you're connected to a switch, the switch will have to be configured in trunk mode, to use the cisco term. That means the ports carry the tags, both the port connected to your pfsense interface that you have the vlans on and the port connected to the AP.
Thanks for the reply.
The AP is effectively directly connected to 1 nic on the pfsense. There is no switch between the pfsense and the AP.
There are 3 vlans sat on the 1 physical nic. vlan5 for management (192.168.5.1), vlan10 for guest (192.168.10.1) and vlan 20 for internal wifi (192.168.20.1).
As I said in my previous post, if I statically assign IPs, then the clients can authenticate with the AP and have full network access.
Well, do you see dhcp discover on the pfsense interface you have the AP connected to? Do you have dhcp enabled on your vlan interfaces?
There is no reason for a pass all rule; when you enable dhcp server on an interface it auto creates hidden rules to allow for dhcp. If you're not seeing anything in the logs, make sure you actually sniff on the physical interface of pfsense and check if you're seeing the packets or not. If you're not seeing the packets then you have an issue with your AP.
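The check suggested in the post above, sniffing the physical interface for DHCP discovers, as an added example that is not part of the original thread: it counts DHCP client requests per VLAN tag in `tcpdump -e -n` text output and lists expected VLAN IDs that produced none. The capture lines are constructed, the tcpdump line format is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count DHCP client requests per 802.1Q tag in `tcpdump -e -n`
# text output taken on the physical (parent) interface.

# Constructed sample capture (not from the thread): two tagged requests on
# vlan 20, one untagged request, and one non-DHCP frame on vlan 10.
sample_capture() {
cat <<'EOF'
12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:01, length 300
12:00:02.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:01, length 300
12:00:03.000001 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:02, length 300
12:00:04.000001 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP, Request who-has 192.168.10.1 tell 192.168.10.50, length 28
EOF
}

# Print "<vlan-id|untagged> <count>" for every DHCP client request on stdin.
dhcp_requests_by_vlan() {
    awk '
        /BOOTP\/DHCP, Request/ {
            tag = "untagged"
            for (i = 1; i < NF; i++)
                if ($i == "vlan") { tag = $(i + 1); sub(/,$/, "", tag); break }
            count[tag]++
        }
        END { for (t in count) print t, count[t] }
    ' | sort
}

# Print the expected VLAN IDs (arguments) for which stdin held no DHCP request.
vlans_without_requests() {
    seen=$(dhcp_requests_by_vlan | awk '{ print $1 }')
    missing=""
    for id in "$@"; do
        printf '%s\n' "$seen" | grep -qxF "$id" || missing="$missing $id"
    done
    echo "${missing# }"
}

# Live use (parent interface name is a placeholder); the filter matches both
# untagged and 802.1Q-tagged DHCP traffic:
#   tcpdump -e -n -i <parent_if> \
#     '(port 67 or port 68) or (vlan and (port 67 or port 68))' > cap.txt
#   vlans_without_requests 10 20 < cap.txt
sample_capture | vlans_without_requests 10 20
```

A VLAN listed as missing, or requests counted as untagged, points at the AP or switch tagging rather than at the DHCP server.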
Bumping this thread.
I'm having the same issue that kalas666 is. I've had VLANs working before with my current hardware (pfSense on a SuperMicro Atom server and a Cisco Small Business 200 series switch), but this is the first time I've created any since upgrading pfSense to 2.3.
DHCP works fine on LAN
DHCP is enabled on VLAN
VLANs are set up correctly on the firewall, switch, WAP, and VMware server
Clients on VLANs cannot receive a DHCP lease
Assigning a static address provides the appropriate network access to wireless and vm clients
No signs of requests from VLAN clients in the DHCP logs
"No signs of requests from VLAN clients in the DHCP logs"
Well if the dhcp server does not see the discover how can it make an offer? Where are the discovers being lost - are they not being tagged? What I can tell you is I have vlans both wired and wifi that get dhcp from pfsense without any issues.
Traffic is obviously getting tagged, as everything worked properly when a static IP address was set. The lack of a log entry could mean two things: 1) that it wasn't receiving traffic, or 2) that it wasn't listening correctly to the VLAN interface. I factory reset pfSense and, without changing the config on any of my other hardware, have added two VLANs to the default config and DHCP seems to be working, which indicates that it was an issue with pfSense and my particular configuration. I'll restore my old config to see if I can do some log gathering again, but I was running a fairly vanilla setup with only a few rules and snort installed but not running.
So having partially reconstructed the VLANs I had in my prior config the issue has cropped up again, and it does seem to be pfSense at fault.
Running absolutely vanilla pfsense, all I've done was go through the initial wizard, create my VLANs, and enable the DHCP server on what is to be my guest VLAN. Network access? Check. DHCP leases? Nope. Checked the logs and I have this error:
Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server.
This thread https://forum.pfsense.org/index.php?topic=90549.0 has some discussion on the topic, but no practical solutions.
If I had to guess, dhcp did not restart when you added your interface, so when it tried to start again it already saw listening on 67.
Did you just try stopping dhcpd and restarting? It listens on all IPs.
[2.3.2-RELEASE][root@pfSense.local.lan]/root: sockstat -L | grep :67
dhcpd dhcpd 8498 16 udp4 *:67 *:*
You can then verify you're on your interface via
[2.3.2-RELEASE][root@pfSense.local.lan]/root: ps axww | grep dhcpd
8498 - Ss 0:29.39 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1 em2 em3 em2_vlan200 em2_vlan100 em2_vlan300 em2_vlan500
So you can see mine is listening on multiple vlan interfaces.
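The verification described in the post above, as an added example that is not part of the original thread: it extracts the interface list from a dhcpd command line as printed by `ps axww` and reports expected VLAN interfaces that dhcpd was not started on. The sample line is constructed after the output quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the interfaces a running dhcpd was started for and
# report expected VLAN interfaces missing from its command line.

# Constructed sample `ps axww` line, modelled on the output quoted in the thread.
SAMPLE_PS='8498  -  Ss  0:29.39 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1 em2 em2_vlan100 em2_vlan200'

# Print one interface per line: the non-option words after the dhcpd binary.
# The options seen in the thread take one argument each, which is skipped.
dhcpd_interfaces() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i ~ /\/dhcpd$/) break
            for (i++; i <= NF; i++) {
                if ($i ~ /^-(user|group|chroot|cf|pf)$/) { i++; continue }
                if ($i ~ /^-/) continue
                print $i
            }
        }'
}

# $1 is the ps line; remaining arguments are the interfaces that should be
# served. Prints the ones dhcpd is not serving (empty output means none).
missing_interfaces() {
    ps_line=$1; shift
    served=$(dhcpd_interfaces "$ps_line")
    missing=""
    for ifc in "$@"; do
        printf '%s\n' "$served" | grep -qxF "$ifc" || missing="$missing $ifc"
    done
    echo "${missing# }"
}

# Live use on the firewall (assumption: a single dhcpd process is running):
#   missing_interfaces "$(ps axww | grep '[d]hcpd ')" em2_vlan100 em2_vlan300
missing_interfaces "$SAMPLE_PS" em2_vlan100 em2_vlan300
```

An interface reported here while its DHCP server is enabled in the GUI matches the situation guessed at in the post: dhcpd is still running with the argument list it was started with before the VLAN was added.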