Strange DHCP Behavior Help Please!

  • So I am new to pfSense but not firewalls in general. I am just finishing up my configuration to get my Unifi wireless network working. I had an issue with adoption because I needed to point the WAP to my PC controller. No problem, fixed that and the software now sees the WAP. However, after doing so I seem to have noticed some strange behavior with the devices connected to the WAP and getting IPs from pfSense.

    Break down of my network:

    WAP connecting to --> 3560 layer 3 switch connecting to --> pfSense

    My Networks:
    Vlan 10 - Wired
    Vlan 20 - Wireless
    ^^ on one single interface trunked to the firewall and defined SVI interfaces on the switch

    Vlan 200 - Wireless External
    Vlan 500 - DMZ
    ^^ on one single interface trunked to the firewall and defined SVI interfaces on the switch

    Default route from switch is: <-- Wired internal pfsense interface of vlan 10

    So on with the DHCP issues. My wired vlan works fine. My plugged-in PC gets an IP address in its respective vlan (vlan 10) and has full internet access, etc. Also, if I change the port that my PC is connected on over to vlan 20, all continues to work and I am now assigned an IP from vlan 20 and have internet access, etc.

    The strange stuff going on is with my wireless. The Unifi WAP only has one network on it right now, vlan 20 (wireless external is just a future VLAN I have in place on the switch / FW, as I plan to create a new guest network after getting things running), and the port from the WAP is assigned to vlan 20 on my switch. Also, I need to mention that the firewall is doing DHCP for all my vlans (see attached config). For some reason extremely unknown to me, my wireless devices are getting DHCP addresses not only on a different vlan (500), these requests are being serviced completely through 2 different physical interfaces. I have no earthly idea how plugged-in devices work fine for DHCP inside of vlan 20 but wireless goes bonkers. These devices obviously conflict with the assigned IP in that vlan, so then have no internet access. Also, my WAP assigns itself the proper IP address within the scope ( but the clients connected to the WAP go nuts.

    I have never seen something so strange but am clueless where to go from here.

    ![attached screenshot](0_1534043322154_49400800-9806-4c30-bcdd-a9bc5f47e3a0-image.png)

    ![attached screenshot](0_1534043474369_2afac87e-38c5-465c-a9ca-5d99674ba662-image.png)

    ![attached screenshot](0_1534043740482_2742a67e-b875-44b5-986e-96588ced9b92-image.png)

  • Is your wireless traffic being tunneled through your controller by any chance? If so, the controller may be misconfigured to send traffic for your internal SSID to your WirelessExternal VLAN.

    Curious about what happens when you turn DHCP off on the WirelessExternal interface.

    Anyway, to really find out what is happening, you'll probably need to do some packet captures.
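One way to read such a capture once you have it, as an added example that is not from the thread or from pfSense: each DHCP OFFER seen on the wire is checked against the scope you expect for the VLAN it arrived on, so an offer handed to a VLAN 20 client from another VLAN's pool (the symptom above) is flagged. The subnet prefixes, the capture line format and the sample lines are constructed placeholders, since the post does not give the real ones.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical subnet plan for the VLANs named in the thread (constructed
# placeholders; the post does not give the real prefixes).
EXPECTED_SCOPES = {
    10: ipaddress.ip_network("10.0.10.0/24"),    # Wired
    20: ipaddress.ip_network("10.0.20.0/24"),    # Wireless
    200: ipaddress.ip_network("10.0.200.0/24"),  # Wireless External
    500: ipaddress.ip_network("10.0.50.0/24"),   # DMZ
}

@dataclass(frozen=True)
class DhcpOffer:
    client_mac: str
    vlan: int          # 802.1Q tag seen on the wire, or the access VLAN of the port
    server_id: str     # DHCP option 54 (server identifier)
    yiaddr: str        # address offered to the client

def check_offers(offers, scopes=EXPECTED_SCOPES):
    """Return (client_mac, reason) for every offer that does not fit its VLAN's scope."""
    findings = []
    for o in offers:
        scope = scopes.get(o.vlan)
        if scope is None:
            findings.append((o.client_mac, f"offer seen on unknown VLAN {o.vlan}"))
            continue
        if ipaddress.ip_address(o.yiaddr) not in scope:
            # A client on this VLAN was handed a lease from another VLAN's pool.
            findings.append((o.client_mac, f"yiaddr {o.yiaddr} not in VLAN {o.vlan} scope {scope}"))
        elif ipaddress.ip_address(o.server_id) not in scope:
            # Lease fits, but the answering server sits outside this VLAN's subnet.
            findings.append((o.client_mac, f"server {o.server_id} outside VLAN {o.vlan} scope {scope}"))
    return findings

def parse_capture(lines):
    """Parse constructed capture lines of the form 'vlan=<id> mac=<mac> server=<ip> yiaddr=<ip>'."""
    offers = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        offers.append(DhcpOffer(fields["mac"], int(fields["vlan"]), fields["server"], fields["yiaddr"]))
    return offers

# Constructed sample: one good VLAN 20 offer, one VLAN 20 client offered a DMZ address, one good wired offer.
SAMPLE_CAPTURE = [
    "vlan=20 mac=aa:bb:cc:00:00:01 server=10.0.20.1 yiaddr=10.0.20.50",
    "vlan=20 mac=aa:bb:cc:00:00:02 server=10.0.50.1 yiaddr=10.0.50.77",
    "vlan=10 mac=aa:bb:cc:00:00:03 server=10.0.10.1 yiaddr=10.0.10.20",
]

if __name__ == "__main__":
    for mac, reason in check_offers(parse_capture(SAMPLE_CAPTURE)):
        print(mac, reason)
```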

  • @tguy

    The controller doesn't really support any traffic engineering capabilities. The most I can do is assign an SSID to a particular VLAN / subnet and default gateway, which match VLAN 20 for my internal wireless. I'm going to play with disabling DHCP services on the other VLANs though and run some packet captures. The issue seems centered on wireless though, as the DHCP settings appear to work for the cabled hosts on the VLAN.

  • Sorry, I can only offer a guess. I'm not familiar with the Ubiquiti wireless system but do manage a rather large Cisco WLC network.

    I'm curious to know the resolution to your problem, so hope you'll update your post.

    Good luck.

  • @tguy

    Yeah, my thought process is from the Cisco world too, and Meraki. So from Unifi, inside the WLAN config, you can tag the VLANs you want for WLAN network segmentation, seems logical right? I had this checked for my internal wireless for VLAN 20. So on a whim I just unchecked it, because the problem just felt like it was coming from the controller / WLAN config. After doing so, boom, the wireless clients started getting the correct IPs... So strange... I would have never thought that would cause an issue. To me it doesn't make sense. Although it seems that with the WAPs connected to a Cisco switch in vlan 20 access mode I can still provision multiple diverse networks from the Unifi control software / WAPs. I'll use pfSense to do the traffic blocking / separation from here forward. I'm still scratching my head a bit but glad I'm working per my design.
