Windows DHCP Server + Multiple Scopes + Pfsense DHCP Relay
-
Hi, I need some help/guidance in setting up a second (or more DHCP) subnets on windows server 2016 . I use pfsense as the firewall gateway.
To give a brief writeup on my HW / SW setup. I have a Server running with 2 Ethernet ports, I use one for WAN connectivity into pfsense Hyper-V while I use the other Ethernet Port for LAN External switching. I setup pfsense LAN side as DHCP relay to Windows server box and everything works perfect.
Now I want to setup another (or maybe even more) DHCP scope for various reasons on the Windows server and I created a VLAN interface on pfsense with a static IP assigned. I then added the new VLAN IP to DHCP relay towards the windows server.
I am able to ping the new VLAN , but when I connect a device with the VLAN tag defined it does not get an IP assignment. What am I missing ? Please provide guidance. -
Check your firewall rules on VLAN interface to ensure that port 53(DNS) is allowed. If it is then do a packet capture in pfSense and server for troubleshooting.
-
Thanks I have setup firewall rule on the VLAN as Allow All for testing this out presently.
To give more context of the setup -
-
@surfer_boy
Looks like VLAN2 has LAN for parent interface. How did you setup VLAN2 in Hyper V? -
Hi, I created a new interface first as VLAN2 with tag of 2 under parent interface LAN. Then under DHCP relay I selected both LAN and VLAN2 and forwarding address of the DHCP server under 19.2.1.254.
-
@surfer_boy Are those suppose to be public subnets or private subnets?
-
Private
-
@surfer_boy Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) -
Windows acts funny when it has a public IP.. You really should not just grab IPs out of thin air and use them on your local private network. The whole point of rfc1918 is for this use.
What is the point of setting up vlans on pfsense inside a VM host.. Why would you not just create different native networks no reason for pfsense to deal with tags.. You can just give it another vnic attached to whatever vswitch, etc..
-
@johnpoz to each their own.... setting up pfsense inside VM (esp. Hyper-V) and not sharing with mgmt OS is pretty much like a containerized device. In any case I did also change the IP scheme as you guys suggested but that didnt help. I ran some wireshark tracing and I feel this is a HyperV switch issue where its defaulting to Access instead of trunking.
Thanks for your valuable advise, it was helpful to say the least. I will keep chugging along until I get this fixed. -
I was not saying anything about running pfsense in a VM... Think its a GREAT idea... But there is little reason to run it with vlans when inside the vm host they can just be native.
You have to worry about any vlan switches stripping or adding tags, if those vlans then play in the real world.. In esxi for example you need to set a vlan tag of 4095 on a vswitch if you do not want it to strip tags. And let the vm deal with the tags.
-
I was able to get this resolved finally. My gut was right, the issue was on the HyperV switch side and not on pfsense. I had to setup the virtual switch for trunking with powershell scripts since its not possible with the GUI. Once I did that it was straighforward. A word of caution for others who attempt this any changes done through powershell will be overwritten by the GUI if you modify there. So take extra caution.
