Netgate Discussion Forum

    DHCP on VLAN not working

      oeawallis

      Good morning, everyone!

      We are new to pfSense and set up our company's new firewall with pfSense in a test lab.

      Now I was able to create several VLANs on the pfSense and configure them as interfaces.
      I assigned them all to ix0 (which is one of our two 10GB Ethernet jacks on our SUPERMICRO server), configured a DHCP server and DNS forwarding for every VLAN.
      (192.168.[1 … 100].[10 … 250] DHCP ranges, interface IP is always 192.168.xxx.1)

      Now the problem:
      When I put this "trunk" on ix0 (as the Cisco world would call it) into a switch, I won't get any DHCP lease on any of the assigned ports.

      We tested around with a TP-LINK tl-sg108pe and one DLINK DXS3350SR. Our trunk ports were in "TAGGED" mode and the VLAN-attending ports were configured to be untagged.

      Can you imagine what we are doing wrong?
      Do we have to turn off the physical interface ("LAN") and only use the VLANs?

      Side note: When I configure a DHCP server on a physical interface of the Supermicro, I get a DHCP lease immediately, so the service itself works fine.

      Thanks for your help, as our IT staff is starting to get desperate :P

        Derelict LAYER 8 Netgate

        If you have an interface on ix0_vlan10, you need to make sure VLAN 10 is tagged to pfSense on the switch port ix0 is connected to. Any host on the switch on an untagged (access) port on VLAN 10 will get DHCP from that DHCP server. You can also statically assign a workstation to, say, 192.168.XXX.100/24. See if it can ping 192.168.XXX.1. If not, see if it has ARP for 192.168.XXX.1 after trying to ping it. If not, your Layer 2 is not right.

        No, the parent interface ix0 does not need to be assigned for the VLAN interfaces to work. If it is assigned, it might have to be enabled for the VLANs on it to function. I would have to test that.

        Look in the switch to see if you can see all the MAC addresses associated with VLAN XXX. I used to do things like that all the time to quickly determine if a VLAN was properly tagged through the infrastructure.

        On a Brocade it would look something like this:

        
        telnet@6450#show mac-address vlan 999
        Total active entries from VLAN 999 = 12
        MAC-Address     Port                 Type          Index  VLAN 
        d468.4d1f.5a00  1/2/2*1/2/4          Dynamic       51600  999  
        3c07.540c.2316  1/2/2*1/2/4          Dynamic       27692  999  
        0060.2e02.45bd  1/1/24               Dynamic       8132   999  
        d468.4d1f.7140  1/1/43               Dynamic       52932  999  
        6c19.8f93.953b  1/1/43               Dynamic       49840  999  
        0008.a20a.5942  1/1/44               Dynamic       1500   999  
        1c5f.2bb5.ee37  1/2/2*1/2/4          Dynamic       39464  999  
        6805.ca0a.3b21  1/1/26               Dynamic       992    999  
        0026.bb5a.7f32  1/1/3                Dynamic       14620  999  
        d050.99e1.5612  1/1/25               Dynamic       39044  999  
        001e.8cf1.e910  1/1/42               Dynamic       21712  999  
        66b5.a87f.db78  1/1/41               Dynamic       64596  999
        
        

        I know that 1/2/2*1/2/4 is a lagg to another switch. Since I am getting MAC addresses there I know VLAN 999 is tagged properly between them.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
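
The MAC-table check described in the reply above, as an added example (not part of the original post and not Netgate or Brocade code): a Python parser for output in the `show mac-address vlan` layout quoted there, reporting which expected ports have learned MACs in the VLAN. The sample table is constructed, and `1/1/3` as the port facing pfSense is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the switch output quoted in the thread.
SAMPLE = """\
telnet@6450#show mac-address vlan 999
Total active entries from VLAN 999 = 4
MAC-Address     Port                 Type          Index  VLAN
0200.0000.0001  1/2/2*1/2/4          Dynamic       51600  999
0200.0000.0002  1/1/24               Dynamic       8132   999
0200.0000.0003  1/1/43               Dynamic       52932  999
0200.0000.0004  1/1/43               Dynamic       49840  999
"""

ROW = re.compile(
    r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+\S+\s+\d+\s+(\d+)\s*$", re.I)
TOTAL = re.compile(r"Total active entries from VLAN\s+(\d+)\s*=\s*(\d+)")


def parse_mac_table(text):
    """Return ({(vlan, port): {mac, ...}}, {vlan: total declared by the switch})."""
    learned, declared = defaultdict(set), {}
    for line in text.splitlines():
        if (m := TOTAL.search(line)):
            declared[int(m.group(1))] = int(m.group(2))
        elif (m := ROW.match(line)):
            mac, port, vlan = m.group(1).lower(), m.group(2), int(m.group(3))
            learned[(vlan, port)].add(mac)
    return dict(learned), declared


def check_vlan(text, vlan, expected_ports):
    """Map each expected port to the sorted MACs learned on it in `vlan`.

    An empty list for the port facing the firewall points at Layer 2:
    the VLAN is probably not tagged on that port.
    """
    learned, declared = parse_mac_table(text)
    seen = sum(len(macs) for (v, _), macs in learned.items() if v == vlan)
    if vlan in declared and declared[vlan] != seen:  # truncated or garbled paste
        raise ValueError(f"VLAN {vlan}: parsed {seen}, switch reports {declared[vlan]}")
    return {p: sorted(learned.get((vlan, p), set())) for p in expected_ports}


if __name__ == "__main__":
    # "1/1/3" is a hypothetical port facing pfSense; it has no rows in SAMPLE.
    for port, macs in check_vlan(SAMPLE, 999, ["1/2/2*1/2/4", "1/1/3"]).items():
        print(port, macs if macs else "no MACs learned: check VLAN tagging")
```
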
