DHCP on multiple VLANs on same physical interface

  • Dear all,

    I am a pfSense newbie. I am also not the most experienced firewall-manager on this planet. However, I hope you will indulge me.

    I have setup a new server with two ethernet interfaces. One WAN, One LAN.

    What I am trying to do is separate some of the network traffic, to avoid my children messing with our music collection, or only allow them access to certain sites. I am running pfSense in a VirtualBox VM.

    So, I have set up the following way:

    Ethernet 1 (bridged on VM to em0 on pfSense) -> WAN -> gets IP from provider. This works fine.
    Ethernet 2 (bridged on VM to em1 on pfSense) -> LAN
    Ethernet 3 (connect to VirtualBox internal network, to em2 on pfSense).

    The reason for the last connection is that I want to be able to manage the interface only through my server, and not allow accidental access to the webinterface. This also works fine.

    Now, on the LAN of pfSense I created four VLANs, each with their individual IP and netmask

    AdminNet (for parent laptops, NAS, printers)
    GuestNet (split in two parts, ChildrenNet and RegularGuests)
    AVNet (for all bluray, mediaplayers, AV-receivers, TVs)
    SurveillanceNet (for all IP cameras)

    What I would like to do is have a DHCP setup that defaults to an IP in the GuestNet if the Mac-Address is unknown, and a static IP assignment for one of the other nets, if it is known.

    What I see however is that none of the subnets seem to see the DHCP broadcast at all.

    After some experimenting, I see that if I give the LAN itself also an IP and a subnet, and enable DHCP there, I am given an IP address.

    How can I resolve this? It would seem that I would need to forward the broadcast traffic received on the LAN for DHCP to the other subnets, and if one of them recognizes the MAC-address it would return the IP.

    I cannot set up the DHCP on the LAN interface alone, because it would create an overlap with the other interfaces which pfSense does not allow.

    Can someone give me some pointers on how to get this working as it should? I can see issues with the fallback scenario of providing an IP (could return two addresses), so if necessary I could also let all DHCP server be restrictive in their IP handouts, but they need to see the traffic regardless.

    Thanks in advance for any pointers.

  • Is your AP capable of VLANs?
    If so did you set up the DHCP servers for each interface?
    I assume you are trying to have all kids devices on 1 interface/VLAN, all AdminNet devices get leases on the  the AdminNet interface, etc?

    I have multiple separate interfaces, each with DHCP servers, with specific fixed IP devices on each interface with different rules per interface(More restrictive, WAN vs VPN, etc…). Is that what you are trying to accomplish?

  • Yes, that's the idea. So if the AdminNet DHCP server sees a known MAC, it will get an IP from either that pool or a static assignment (depending on what makes sense for the device). If one of the children comes online, they would get a RestrictedNet ip etc.

    In principle that's all that is required. But apparently the DHCP broadcast does not reach the VLANs. When I define an IP for the physical LAN interface, I do see the DHCP broadcasts, so in principle if I could forward those to all VLANs, that would work too.

    But maybe I am overcomplicating things.

  • I'm also quite puzzled by this.  First off, DHCP will not work through a router, unless a relay is used.  This means the DHCP server must be configured for each VLAN.  Also, assuming a client gets an address for a different VLAN, how does it switch VLANs?  On WiFi, that would also included changing SSID.

  • Ok, so maybe I am going about this in the wrong way. I thought using VLANs would prohibit the clients from seeing eachother's traffic.

    I have set up DHCP on each of the VLAN interfaces, maybe just a DHCP relay would do the trick.

    As for the different VLAN question, switching VLANs would never happen. As DHCP is broadcast, it would receive an  IP, locking it to a specific VLAN/subnet.

    Remember, this is just a home solution trying to avoid children and guests messing with the important stuff on the network. If this could be achieved another way, I am game.

  • LAYER 8 Global Moderator

    If you want to isolate your wifi into multiple vlans then you need an AP supports vlans - plain and simple.  Or you would need a different AP for each vlan.

    If you created multiple vlans on pfsense "lan" interface then you would need a vlan capable switch to assign the specific vlans to different ports on your switch.

    What switch are you using, what AP are you using and we can for sure walk you through how to create vlans and put different devices on each vlan be it they are wired or wireless if your switch and AP support vlans.

  • I have a Netgear JGS524 switch (24 port) switch, which by the looks of things, does not support VLANs.

    Furthermore, there is a Fritz.Box 7390 (DSL modem and router, builtin WIFI, 4 port switch), that supposedly supports VLAN tagging.

    Then there is a 5 port Netgear ProSafe GS105, a ZyXel 8 port switch that apparently allows prioritization, a Netgear WNDR3800 router with WIFI, which apparently can do VLANs in hardware, but is apparently not available through software.

    There are a few other switches but they are all unmanaged (D-Link, Netgear.

    The AV-equipment is all connected through one port on the switch.

    Guests and children would connect through WiFI only, so I could also enable the Guest-option on the Fritz.Box or Netgear (or both). Problem is that signal of these two WiFi-routers is not sufficient to cover the whole house.

    The point of the exercise was that I had one central location where I could explicitly control what parts of the internet my children were allowed to visit, and if I went the guest-WiFi route that option would go out the window and the routers themselves are limited in their routing capabilities.

    Another option could be that I tunnel the Wi-Fi traffic into pfSense, thus ensuring single point of entry into the firewall.

    I could also add another NIC to the server and separate the AV-equipment that way.

    Or maybe I should just shell out for a dedicated pfSense device and handle things that way? Might be easier?

    Open to any suggestions and thanks for your time.

  • Rebel Alliance

    I'm in the middle of setting up something similar. For a newbie, it is a massive task - especially if you don't want to break anything enroute!

    @johnpoz recommended a managed switch as the starting point for this exercise. I've gone with the Cisco SG350 series, which seems very capable but is definitely more than I need at the moment.

    I also knew that I had to get VLAN capable Access Points, as although my Tomato routers did have support, this was not easy to determine how to setup. So I settled on the UniFi AC-PRO…

    ... and quickly purchased a couple more of the IW (in wall) version for complete coverage of the property. This was after realising that PoE on the SG350 would have been very handy...

    ...So purchased a UniFi 8-port PoE switch. The UniFi kit is very easy to configure, but I'm still assessing the compatibility (or my level of competence).

    Not to put anyone off pfsense, I could have achieved everything I needed with UniFi kit, however, it wouldn't leave any room to grow or learn.

    I currently have 8 SSIDs available throughout the property (4 on 2.4, the rest on 5GHz), each on their own (pfsense-driven) VLAN with DHCP. However the UniFi AP require that they be on the native VLAN (1) for device IP assignment. This is against some of the recommendations posted here.

    I'm now at a stage where, I have replicated all the functionality I had before migrating to pfsense, plus added a segregated guest wifi network. And it's only taken 9 months.

    My property is fully wired for ethernet, a mix of Cat 5 & 5E, and unsuitable for 5GHz transmissions. With typically three ports per room (the design was TV, phone & data), I thought a 24/28-port switch would be best. With hindsight an 8/10-port PoE switch would have been better, as I've ended up adding these anyway, and the IW version APs have data & PoE-out ports.

    The three different 8-port UniFi switches have 8, 4 & 1 PoE port respectively. I expect to use 5 or 6 powered ports on the top model (US8-150W c. $200). The added advantage is that this unit uses a standard IEC C13 power connector (aka kettle cable), so suits a UPS environment. I'm currently skipping the intermediate model (US8-60W), and using two of the base model US8. This has the advantage that it can be powered itself, by PoE!

    Sorry if this sounds like a sales pitch, but the UniFi kit has been a pleasure to setup, and seems to work intuitively. However, it is obvious that it doesn't have the level of control or customisation offered by pfsense, which I will continue to use as my primary router.

    Next step is to fully isolate my media, VoIP, IoT, and of course the kids!

  • I have set up DHCP on each of the VLAN interfaces, maybe just a DHCP relay would do the trick.

    No need for that.  If you have multiple interfaces, including VLANs, on pfSense, you can enable DHCP on those interfaces as required.  No need for a relay.  Just enable it and configure the desired address info.

    I have a Netgear JGS524 switch (24 port) switch, which by the looks of things, does not support VLANs.

    It may not be able to be configured for VLANs, but it should still pass them on to devices that can be so configured.  For example, here I have an unmanaged switch and an access point that supports VLANs and multiple SSIDs.  The VLAN passes fine through the switch.  Any reasonably modern switch should be able to pass VLAN frames.  Incidentally, the difference between a VLAN and regular Ethernet frame is the VLAN header that starts at the same position as the Ethertype/size field normally starts.  An extra 4 bytes are inserted in the frame, followed by the Ethertype/size and the rest of the frame.

  • LAYER 8 Global Moderator

    While sure a dumb switch can pass the vlan frames along - it does not understand them.  So you run into a problem that over that switch you are running multiple layer 3 on the same layer 2.. There is no isolation at this point.. While it can be done. I really would never suggest anyone do it.

    I show the JGS524E that supports vlans, and is actually cheaper than the JGS524 on amazon ;) by a buck or 2..

    The cost of a switch that supports vlans is negligible compared to ones that don't - so why anyone would ever think of getting dumb switches these days just blows my mind..

    If you want to start using vlans - its time to upgrade your equipment so they are supported end to end..

  • I have a TP-Link managed switch, but as you mentioned earlier, it doesn't handle VLANs properly, just like their access point that I have here.  :(

    I wonder why they have such a problem implementing VLAN support.

    As for having VLANs on the same network, I don't see that as a problem, in that most people wouldn't have a clue about it, even if they knew.  Also, some versions of Windows don't even support VLANs.

    In a business environment, do it properly, but in a home LAN, why worry.

  • Ok, first off - thanks for thinking with me.

    This is what I would like to accomplish. I have two physical GBit interfaces, one WAN and one LAN. I could add another two LAN card (or two el-cheapo USB3.0 ones, my network is not that demanding)

    I could then map these physical interfaces to pfSense interfaces, and have DHCP work on each one. Even though connected to the same switch, I could still 'sort' the DHCP traffic that way by using static mapping to the correct network. It would be less physically secure than the VLAN route but should thwart most of my children's evil plans (they do not do network design ;-) )