DHCP fails on VLANs
-
I recently switched pfSense from a LAN + WAN config to add VLANs on my LAN. I am not able to get DHCP addresses on the VLANs. I see DHCPOFFER of valid addresses in the DHCP system log but the clients don't seem to pick the addresses up.
Details:
-
I am running pfSense 2.3.2-RELEASE-p1.
-
The parent LAN adapter is still enabled, though I no longer have it configuring an IPv4 or IPv6 address
-
I have confirmed that my VLAN networks are configured as /24 networks
-
DHCP is enabled on the VLANs, and they appear to have valid ranges for the addresses they can issue
-
Each VLAN network has a firewall rule allowing IPv4* from the VLAN to * * * *
-
I only have a few port forwarding rules on my WAN interface, and the "Default allow XX to any rule" type rule for each LAN and VLAN.
-
When connected from the second physical LAN adapter (OPT1), I am able to ping the gateway interface in each VLAN's subnet
-
My config has VLAN id 10 = 'Home', set to 192.168.1.0/24. VLAN id 20 = 'Misc', set to 192.168.2.0/24. OPT1 (second LAN adapter) is using 192.168.8.0/24
Is there any more detailed info I can see about the DHCP interchange between the client and server?
Is there any special setting I need to ensure that these DHCP packets can route back to the correct hosts?On my switch (Netgear GS748Tv3), I have the ports tagged as either VLAN id 10 or 20, and the pfSense router in port 1 set to tag both of those networks.
thanks!
-
-
Probably something in your switch somewhere. All the DHCP server can do is get the DHCPDISCOVER and send the DHCPOFFER. If the client never sends a DHCPREQUEST based on that offer, look on the client, or between the server and the client, for that.
You probably want to packet capture to see where the traffic is getting lost.
I can assure you dhcpd works just fine on VLAN interfaces.
-
Thanks, I figured out what was wrong. Your reply got me to read up on the DHCP protocol, which made me realize packets being sent from pfSense weren't making it back to nodes in the VLAN. I had set the VLAN ports for the nodes to be untagged but lost the setting when I didn't hit "apply", so all systems were receiving tagged packets.
For those learning about VLANs who stumble onto this thread, in general, the rule of thumb is:
- VLAN-aware gear such as managed switches and routers (including pfSense) should be connected to tagged ports
- Other systems (desktops, servers, etc.) should be on untagged ports
Again, thanks for the quick help!