VLAN traffic not getting recognised correctly by DHCP server?

victorhooi · Oct 31, 2017, 7:29 PM

Hi,

I'm trying to use VLANs to segregate my network into different subnet ranges.

I have a downstream switch (Meraki), which is tagging outgoing traffic as VLAN 35.

This is then plugged into the pfSense router on interface igb3.

On that interface, I have the parent interface setup with an IP range of 10.0.30.1/24.

I also have a child VLAN interface (VLAN 35) with an IP range of 10.0.35.1/24.

I have firewall rules setup to allow traffic on that VLAN:

And DHCP enabled for that VLAN as well:

However, for some reason - devices with VLAN 35 plugged into igb3 aren't being given 10.0.35.0 addresses - everything coming in is getting a 10.0.30.0 address from the DHCP address.

Is there something wrong with the above configuration?

Regards,
Victor

Raul Ramos · Oct 31, 2017, 10:10 PM

Hi

Don't see config on the other end (Clients). Have you a switch between the igb3 and clients tagged with vlan 35? (I jump a line in the #1 post, another read i see you have a switch but are the client ports in the switch with PVID 35 ?).

Maybe latter i do a test with pfSense 2.4.1, i suppose?

victorhooi · Oct 31, 2017, 11:58 PM

Hi,

The clients are desktops/laptops - I haven't set any VLAN tagging on those.

However, they're plugged into a Meraki switch (port 3) which has VLAN 35 in trunk mode setup - it's tagging VLAN 35 on outgoing traffic:

Clients -> Meraki Switch -> pfSense Router (Port igb3)

Regards,
Victor

gjaltemba · Nov 1, 2017, 1:16 AM

Try plugging the client in an Access port.

victorhooi · Nov 1, 2017, 5:23 AM

Hi,

Sorry, I don't quite follow.

The clients (desktops/laptops) are plugged into another switch, which then goes into the Meraki Switch (port 4).

Then the Meraki Switch (port 3) is plugged into the pfSense router (igb3).

Both Meraki ports 3 and 4 are currently set to Trunk, with Native VLAN 35.

Do you mean I should set port 4 on the Meraki Switch from Trunk to Access? Or port 3?

Regards,
Victor

victorhooi · Nov 1, 2017, 5:32 AM

Actually - if I use an access port - won't that strip off the VLAN tags?

So that's not what I want, I would have thought?

johnpoz · Nov 1, 2017, 12:18 PM

"Actually - if I use an access port - won't that strip off the VLAN tags?"

No not on the ingress traffic, only on the egress traffic. Clients normally do not understand vlan tags unless you have set it up on the devices interface, and the OS on that device allows it, etc. When traffic enters an interface with pvid set to a specific vlan then untagged traffic into that interface would be put on that vlan inside the switch. As the traffic leaves another interface it would be either tagged or untagged. Depending on how you configured that port, etc.

What is this downstream switch? Is is smart and you have the vlan 35 setup on it as well?

If your sending vlan traffic to a dumb switch than that port wold be access with the pvid set to the vlan you want all traffic from that switch on, etc.. All ports in this dumb switch would be on that vlan.

pfsense - vlan 35 taggged –- smartswitch --- vlan 35 untagged --- dumb switch -- client on vlan 35

If your sending native (untagged traffic) to pfsense then it wouldn't be a vlan interface. It would be just the network setup on that native interface. If you daisy chained switch is smart then you could tagged the traffic to it and then the device you want on that vlan would be an access port with vlan 35 set and pvid 35, etc..

pfsense - vlan 35 taggged --- smartswitch --- vlan 35 tagged --- smartswitch -- client on vlan 35

victorhooi · Nov 2, 2017, 3:54 AM

Hi,

The downstream switch is a HP ProCurve 2510-48. It's a managed (smart) switch, however, it doesn't have any VLAN configuration set - so it's essentially functioning as a dumb switch. Here's a hopefully better diagram I just drew:

Are you saying I should change Port 4 from Trunk to Access, with a VLAN of 35?

(But leave Port 3 as is?)

EDIT: I just took a packet capture on port 3 of the Meraki Switch - and checked it with Wireshark - from what I can tell, the VLAN ID is definitely being set on traffic - so I'm not sure why pfSense seems to be ignoring that?

Thanks,
Victor

Guest · Nov 2, 2017, 4:05 AM

pfSense 2.4.1-RELEASE Now Available

Known Issues
PPP sessions on VLAN parent interfaces will not work on 2.4.1, see #7981. This has been fixed on 2.4.2 which is due out shortly.

This will be not there if you take the version 2.4.0 or until you will be using the version 2.4.2, that will be shortly out
based on that problem.

In some rarely cases a dump switch is not forwarding that VLAN taggs, the most dump switches are doing so
but no all, as I am informed right in that case.

victorhooi · Nov 2, 2017, 4:25 AM

Hi,

Thanks for pointing me at that bug - https://redmine.pfsense.org/issues/7981. However, is it the same issue?

That bug only seem to affect VLANs with PPPoE as the parent interface.

In this case, igb3 is my LAN port, with static IPv4 (not PPPoE) - although my internet is via PPPoE on igb0.

The VLAN interface is a child off igb3:

Thanks,
Victor

johnpoz · Nov 2, 2017, 8:25 AM

If its tagging it.. Is not native… Looks like network 10.0.30 is getting tagged with ID 35... Not going to work.. if you want 10.0.35 to be your tagged network..

victorhooi · Nov 2, 2017, 5:52 PM

Hi John,

Hmm, I assumed that the Meraki switch simply tagged the Native VLAN on egress?

The traffic is coming into the pfSense router on igb3, and from my packet capture it appears to have VLAN ID 35 - based on that, should it not go to the MM_LAN (VLAN ID 35) interface automatically, and get an address in the 10.0.35.0/24 range?

Apologies if I'm mis-understanding something here around VLANs…bit confused.

Thanks,
Victor

Shinshi · Jul 13, 2018, 12:50 AM

Hello Victor,

Did you ever get this issue sorted out? I am experiencing the same problem and trying to figure out what I am doing wrong or what is failing. I have a similar setup, but with only 1 managed switch connected to pfSense and a PC behind that. I am going to verify the switch is correctly tagging the packets like you did with Wireshark when I get the chance. I'm fairly certain that my switch is setup correctly with VLAN ID set via PVID on the incoming untagged port and exiting via the tagged port to the pfSense port. I'd certainly be interested to know what your resolution was.

Thanks, Peter.

Derelict · Jul 13, 2018, 5:13 AM

@victorhooi said in VLAN traffic not getting recognised correctly by DHCP server?:

The traffic is coming into the pfSense router on igb3, and from my packet capture it appears to have VLAN ID 35 - based on that, should it not go to the MM_LAN (VLAN ID 35) interface automatically, and get an address in the 10.0.35.0/24 range?

Yes.

Know that the DHCP server has no concept of a VLAN. That's all handled in the FreeBSD interface code. The DHCP server will either be listening on igb3 (untagged) or igb3.35 (35 tagged traffic)