PFsense with downstream router and transit while still using DHCP on PFsense

pithychats · Jun 3, 2017, 11:40 PM

Not sure if this configuration is possible.

Have 2 VLANS for general use

VLAN10 - 10.192.10.1/24
VLAN20 - 10.192.20.1/24

For transit I intend to use 10.193.1.1/24 (I know I can make this a /30, but I'll leave it /24 unless there is a downside).

On PFsense have 4 interfaces

Interface 1 - WAN
Interface 2 - VLAN10, VLAN20
Interface 3 - Transit
Inferface 4 - Unused (or second WAN in future)

On layer 3 switch I intend to have two interfaces with connections to PFsense

interface 2 VLAN10, VLAN20 connected to interface 2 on PFsense
interface 3 Transit connected to interface 3 on PFsense with IP in 10.193.1.1/24 different from Layer 3 switch

A few questions.

1. Does this setup make any sense at all? I want to route DHCP traffic to PFSense on interface 2 of L3 swtich, and pretty much everyting else on (ie not on VLAN10 or VLAN20) through interface 3 to PFSense.
2. I have a DHCP server set up in each VLAN on PFSense. For DHCP traffic from the same VLAN do I need DHCP-relay?
3. What do I have to set up in PFsense to allow NATing of downstream subnets on interface 3? How do I do this and not affect the DHCP on interface 2?

In general I don't need PFSense to route between VLANs, I have the L3 switch for that. I only need PFSense to serve DHCP.

(If you are wondering why I am using PFSense for DHCP it is because Microsoft requires user CALs for each DHCP client and the L3 switch has no DHCP server capability)

Thanks for the consideration

Derelict · Jun 4, 2017, 12:47 AM

pfSense DHCP does not support that. There are no GUI widgets to support serving multiple subnets on one interface like that.

ISC DHCP server should support it just fine.

You might have to roll your own DHCP server if you can't use MS.

Never heard of a Layer 3 switch without DHCP server capability. You might want to look again there.

coxhaus · Jun 4, 2017, 1:00 AM

DHCP is a broadcast. If you want to relay to another network the broadcast, you use DHCPRELAY or ip helper address depending on your equipment. I would want all my DHCP ip addresses in one location for easy access. Microsoft makes a nice DHCP server and DNS server which works well with Microsoft Active Directory.

Derelict · Jun 4, 2017, 1:28 AM

OP doesn't want to be subject to the CALs, though I find it hard to believe the CALs wouldn't be somehow applicable in some other manner.

pithychats · Jun 4, 2017, 1:51 AM

@Derelict:

pfSense DHCP does not support that. There are no GUI widgets to support serving multiple subnets on one interface like that.

ISC DHCP server should support it just fine.

You might have to roll your own DHCP server if you can't use MS.

Never heard of a Layer 3 switch without DHCP server capability. You might want to look again there.

I am pretty sure the switch doesn't; people whine about it online.

What if I made a separate DHCP instance for each VLAN. IE run a separate DHCP instance on VLAN10 and VLAN20. I have done that in the past and it seems to work. For the CALs, the problem is MS wants a CAL for everything, including printers, people on guest wireless etc. For many of these clients the only item requiring a CAL is DHCP.

If I do roll my own DHCP server (which is definitely doable, I can just spin up an CentOS instance), how do I set the NATing for downstream subnets?

Thanks for the help

johnpoz · Jun 4, 2017, 2:26 AM

"I am pretty sure the switch doesn't; people whine about it online."

What switch? Make and model.. I find it almost impossible to fathom a L3 switch not supporting dhcp..

pithychats · Jun 4, 2017, 3:20 AM

@johnpoz:

"I am pretty sure the switch doesn't; people whine about it online."

What switch? Make and model.. I find it almost impossible to fathom a L3 switch not supporting dhcp..

HP 6600-24G-4XG. I cannot find anything about it supporting a DHCP server in the documentation.

I am still curious about the setup though. Is there an technical reason I cannot route VLAN traffic over 1 trunk from the L3 switch and everything else over the transit link? I am also still a bit confused as to how to deal with downstream NAT.

Thanks!

Derelict · Jun 4, 2017, 4:40 AM

It is not routing that is the problem. It is DHCP.

coxhaus · Jun 4, 2017, 4:42 AM

My Cisco SG300-28 layer 3 switch supports DHCP for multiple networks. I use it.

Derelict · Jun 4, 2017, 4:47 AM

If you set a gateway on a LAN interface and route subnets to it, pfSense should pick that up and properly do outbound NAT for it on its WAN interfaces. If you hit a situation where that is not the case, hybrid or manual outbound NAT will be able to solve it.

johnpoz · Jun 4, 2017, 10:41 AM

Sure looks like it supports being a dhcp server to me!

http://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/public/psi/manualsDisplay/?sp4ts.oid=3897494&javax.portlet.action=true&spf_p.tpst=psiContentDisplay&javax.portlet.begCacheTok=com.vignette.cachetoken&spf_p.prp_psiContentDisplay=wsrp-interactionState%3DdocId%253Demr_na-c04490719%257CdocLocale%253Den_US&javax.portlet.endCacheTok=com.vignette.cachetoken

Did you actually go over the management and configuration guide?

pithychats · Jun 8, 2017, 5:50 AM

@johnpoz:

Sure looks like it supports being a dhcp server to me!

http://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/public/psi/manualsDisplay/?sp4ts.oid=3897494&javax.portlet.action=true&spf_p.tpst=psiContentDisplay&javax.portlet.begCacheTok=com.vignette.cachetoken&spf_p.prp_psiContentDisplay=wsrp-interactionState%3DdocId%253Demr_na-c04490719%257CdocLocale%253Den_US&javax.portlet.endCacheTok=com.vignette.cachetoken

Did you actually go over the management and configuration guide?

Thanks. It turn out hp.com had an older version of the manual. A firmware update allowed DHCP to work. Thanks again to everyone for the help!