• Have my network set up in a test - pre-deployment

    DHCP for VLANs - however, the upstream router is currently handling the network routing.

    Added routing for all networks to pfSense -
    pfSense can see all networks and route them to the internet without issue.

    The core switch can be set to DHCP relay (IP helper) to pass DHCP requests to pfSense.

    pfSense thinks it needs an IP on each subnet to manage DHCP for each scope - this is not correct - can I simply add the scopes to the DHCP config manually via command-line edits? (SSH is enabled)

    DHCP will support relayed scopes depending on the IP that sent the request.
    This link has a lot of info - I'm just not sure how to make it applicable - it even talks about multiple subnets on the interface, which isn't needed.

    (This post is just missing the darn config that works.)

    Scopes desired:
    20, 30, 50, 100 - their CIDRs are below

    Firewall on 5 - no DHCP needed
    Each /24 network needs .100-.200; that should be fine
    On 100/23 - 100.100-101.200 (~350 addresses available)

    Switch core:

    VLAN 5 Transit (internet) .248 (1-7)

    VLAN 10 MGMT .224 (1-31)

    VLAN 20 LAB

    VLAN 30 Office

    VLAN 50 Staff

    VLAN 100 Students 254.0 (100.1-101.254)

    VLAN 200 (Future VPN - no IP - handled by other)

    Linux DHCP should support IP helper relay to the DHCP server, so I shouldn't need to have an IP on each VLAN.
    Just for kicks - yes, I can trunk / hybrid the port going to the LAN interface, with .5 untagged and all the others that need DHCP tagged, and place an IP on the pfSense box - but then it thinks it's doing the routing for those networks, which it is not...

    The fix in that case is to remove the IPs from the switch for those networks and let pfSense do the routing for them.

    ---- Does that make any sense?
    My brain keeps rethinking this but I'm not sure which direction to go...
    Manually edit the DHCP files on pfSense -
    Introduce a dedicated DHCP Linux box to handle the DHCP requests - can do it on the .10 / .5 networks without any issue - just don't have any servers in this network yet.

    Very barebones school, currently building it all out.
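The relay behaviour described in the post above (the server picks a scope from the relay's address, not from an address of its own on that VLAN) can be shown concretely. This is an added example, not code from the thread or from pfSense: it models how an ISC dhcpd-style server selects a scope for a relayed request and renders matching subnet declarations for the scopes listed. The thread only gives third octets, so the 10.0.<vlan>.0 prefixes, the .1 gateways and the scope table itself are assumptions.

```python
# Added example, not from the thread or from pfSense: models how an ISC
# dhcpd-style server chooses a scope for a relayed request and renders the
# matching subnet declarations. The thread gives only third octets, so the
# 10.0.<vlan>.0 prefixes and the .1 gateways below are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address   # VLAN gateway; the relay puts its own address in giaddr
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address


def make_scope(name, cidr, gateway, pool_start, pool_end):
    """Build a Scope and refuse gateways or pool bounds outside the subnet."""
    net = ipaddress.ip_network(cidr)
    s = Scope(name, net, ipaddress.ip_address(gateway),
              ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
    for addr in (s.gateway, s.pool_start, s.pool_end):
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    if int(s.pool_start) > int(s.pool_end):
        raise ValueError(f"pool for {name} is reversed")
    return s


# Constructed scope table following the ranges requested above (assumed prefixes).
SCOPES = [
    make_scope("VLAN20 LAB",       "10.0.20.0/24",  "10.0.20.1",  "10.0.20.100",  "10.0.20.200"),
    make_scope("VLAN30 Office",    "10.0.30.0/24",  "10.0.30.1",  "10.0.30.100",  "10.0.30.200"),
    make_scope("VLAN50 Staff",     "10.0.50.0/24",  "10.0.50.1",  "10.0.50.100",  "10.0.50.200"),
    make_scope("VLAN100 Students", "10.0.100.0/23", "10.0.100.1", "10.0.100.100", "10.0.101.200"),
]


def pool_size(s):
    """Number of leasable addresses in the scope's range."""
    return int(s.pool_end) - int(s.pool_start) + 1


def select_scope(giaddr, rx_iface_addr, scopes=SCOPES):
    """Pick the scope for an incoming DHCPDISCOVER/REQUEST.

    giaddr == 0.0.0.0 means the client is on-link, so the subnet of the
    interface the packet arrived on (rx_iface_addr) decides. Any other
    giaddr was filled in by the relay (IP helper) with its own address on
    the client's VLAN, and the scope containing giaddr is used instead.
    Returns None when nothing matches, in which case dhcpd stays silent.
    """
    giaddr = ipaddress.ip_address(giaddr)
    key = ipaddress.ip_address(rx_iface_addr) if int(giaddr) == 0 else giaddr
    for s in scopes:
        if key in s.network:
            return s
    return None


def render_dhcpd_conf(scopes=SCOPES):
    """Emit ISC dhcpd subnet declarations for the scopes.

    Subnets the server has no interface on are legal; dhcpd serves them only
    through a relay, which is the point of using the IP helper on the switch.
    """
    lines = []
    for s in scopes:
        lines += [
            f"# {s.name} ({pool_size(s)} addresses)",
            f"subnet {s.network.network_address} netmask {s.network.netmask} {{",
            f"    range {s.pool_start} {s.pool_end};",
            f"    option routers {s.gateway};",
            f"    option subnet-mask {s.network.netmask};",
            "}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhcpd_conf())
    hit = select_scope("10.0.100.1", "10.0.5.2")
    print("relay 10.0.100.1 ->", hit.name if hit else "no scope")
```

Two practical caveats for anyone applying this on pfSense rather than on a stand-alone dhcpd box: pfSense regenerates dhcpd.conf from config.xml whenever the DHCP service is restarted, so hand edits to that file do not survive; and a relayed scope only works if the server has a route back to the VLAN (the offer is unicast to the relay address in giaddr), which is why the static routes mentioned above matter. A scope the relay address does not fall inside is simply never answered, which shows up as clients timing out rather than as an error on the server.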

  • Without stepping on myself

    Is it possible to edit the file:


    and add the needed configuration in there?

    • Would need to know how to keep the config from being overwritten once I run it via the GUI though...
      Basically just enable it in the GUI, then edit, then restart dhcpd?
      Not sure - asking there.

  • Rebel Alliance Global Moderator

    "---- Does that make any sense?"

    No... Draw your network. Where exactly is pfSense?? It's going to be downstream but not doing any routing?

    "however having upstream router handle the network routing currently."

    What exactly do you want pfSense to do other than be a DHCP server???

  • Odd, not getting notifications of replies - will have to check spam - odd...


    All routing was being done by the switch, 10.1 - see the image (ignore red; blue is test - red will be onsite links).
    Have since tagged the other VLANs to the pfSense switch:
    Untagged 5
    Tagged 10-100

    Also removed the .1 interfaces from the switch (except 10.1 & 5.1) -
    that switch routes >

    pfSense static route for 10.0 sends to 10.1

    Firewall rule for outbound added for the other networks to allow internet out from them -
    without adding that rule to LAN, traffic would drop at pfSense.

    Since removing the switch as the primary router - as it couldn't support doing ACLs / filtering VLAN 20 & 30 from accessing other VLANs -
    I have now set up pfSense interfaces as 20.1/30.1/50.1/100.1
    and set up DHCP on those interfaces with ranges - so now pfSense is routing for those networks.

    The trick now is to verify the tagging is actually working properly; I'll have to set up a device on those VLANs and see if I can ping across.
    Not sure the hardware will support VLAN tags or not - the switches worked as expected - this unit I'm not 100% sure about, though.

    If DHCP and internet are working -

    Just need to see how to block VLAN 20 LAB & 100 Students (not 30) from anything but the internet - do not let them talk to other VLANs.
    Other VLANs being able to see those bidirectionally is fine.

  • Have updated my diagram...

    Still ignore the red lines - as they are not active yet - will abandon the blue trunks for red in some cases - think there are some buildings that will also be daisy-chained trunks back to the core...

    So the rules I have look like this:

    The DNS rule wasn't thought out...
    Should simply use the VLAN gateway as DNS - was giving the LAN IP for DNS - that will be fixed, then remove the DNS allow rule.

    To block VLAN 20 & 100 from being able to access the firewall GUI, I should be able to add a simple port block to their respective gateways on pfSense, correct?
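The policy worked out in the last two posts (LAB and Students reach only the internet and their own gateway for DNS, no firewall GUI, Office and Staff unrestricted) depends on rule order, because pfSense evaluates the rules on an interface top to bottom and the first match wins. The following is an added example, not code from the thread or from pfSense: a first-match model of those per-VLAN rule sets run over constructed packets, including the mis-ordered case where the catch-all pass rule sits above the blocks. Prefixes (10.0.<vlan>.0/24, gateway .1, 10.0.0.0/16 as the set of all local VLANs) and the GUI/SSH port list are assumptions.

```python
# Added example, not from the thread or from pfSense: a first-match model of
# the per-VLAN rule sets discussed above. pfSense evaluates the rules on an
# interface top to bottom and the first match wins, so order decides whether
# a "block the GUI ports on the gateway" rule has any effect. Prefixes
# (10.0.<vlan>.0/24, gateway .1, 10.0.0.0/16 as the set of all local VLANs)
# and the GUI/SSH port list are assumptions.
import ipaddress
from dataclasses import dataclass

LOCAL_NETS = "10.0.0.0/16"                       # assumed aggregate of every VLAN on the switch
FIREWALL_GUI_PORTS = frozenset({443, 80, 22})    # webConfigurator HTTPS/HTTP and SSH (assumed)
INTERNET_HOST = "198.51.100.10"                  # constructed internet destination (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    dst: str                          # CIDR or "any"
    proto: str = "any"
    dports: frozenset = frozenset()   # empty = any port
    note: str = ""


def gateway_of(vlan_net):
    """First host of the VLAN, which is where pfSense sits in the thread."""
    return f"{ipaddress.ip_network(vlan_net).network_address + 1}/32"


def build_vlan_rules(vlan_net, restricted):
    """Rules for one VLAN interface.

    restricted=True is the LAB/Students policy: DNS to this VLAN's own
    gateway, no firewall GUI or SSH, nothing to other local VLANs, and
    everything else out to the internet. restricted=False (Office/Staff)
    just passes everything, so those VLANs can still reach LAB/Students.
    """
    gw = gateway_of(vlan_net)
    rules = []
    if restricted:
        rules += [
            Rule("pass", gw, "udp", frozenset({53}), "DNS to this VLAN's gateway"),
            Rule("block", gw, "tcp", FIREWALL_GUI_PORTS, "no GUI/SSH on the gateway"),
            Rule("block", LOCAL_NETS, "any", frozenset(), "no other local VLANs"),
        ]
    rules.append(Rule("pass", "any", "any", frozenset(), "internet out"))
    return rules


def evaluate(rules, pkt):
    """Return (action, note) of the first matching rule; default deny."""
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst != "any" and dst not in ipaddress.ip_network(r.dst):
            continue
        if r.dports and pkt.dport not in r.dports:
            continue
        return r.action, r.note
    return "block", "default deny"


def allow_any_first(rules):
    """The common mistake: the catch-all pass rule placed above the blocks."""
    return [r for r in rules if r.dst == "any"] + [r for r in rules if r.dst != "any"]


if __name__ == "__main__":
    lab = build_vlan_rules("10.0.20.0/24", restricted=True)
    for pkt in (Packet("10.0.20.150", INTERNET_HOST, "tcp", 443),
                Packet("10.0.20.150", "10.0.30.10", "tcp", 445),
                Packet("10.0.20.150", "10.0.20.1", "tcp", 443),
                Packet("10.0.20.150", "10.0.20.1", "udp", 53)):
        print(pkt.dst, pkt.proto, pkt.dport, "->", evaluate(lab, pkt))
    print("mis-ordered GUI check ->", evaluate(allow_any_first(lab), Packet("10.0.20.150", "10.0.20.1", "tcp", 443)))
```

Two things the model makes visible that a single "port block on the gateway" does not: the block on 10.0.0.0/16 is what stops a LAB host from reaching the GUI on another VLAN's gateway address (10.0.30.1:443 is blocked by that rule, not by the gateway rule), and the firewall's WAN address is outside both, so on pfSense the destination "This Firewall (self)" is the safer choice for the GUI/SSH block since it covers every address the box holds. DHCP is left out of the model on purpose: pfSense adds its own automatic pass rules for DHCP on any interface where the DHCP server is enabled, so it does not need a user rule.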