DHCP: request multiple leases from one interface

Burken

Like the old thread from 2007 i ask the same thing. ( http://forum.pfsense.org/index.php/topic,7214.0.html )

Can i make subinterfaces?
My ISP limits the upload of every IP to 10Mbit.

And gives me 5IPs.

So with 5 Ip leases i can have 50Mbit with load balancing.

GruensFroeschli

No.
You can add additional IPs via VIP, but you cannot loadbalance over these.
But you can use AoN to have different clients have their outbound traffic leave via different IPs.

example:
192.168.0.0/24 over IP1
192.168.1.0/24 over IP2
192.168.2.0/24 over IP3
ect.

Burken

@GruensFroeschli:

No.
You can add additional IPs via VIP, but you cannot loadbalance over these.
But you can use AoN to have different clients have their outbound traffic leave via different IPs.

example:
192.168.0.0/24 over IP1
192.168.1.0/24 over IP2
192.168.2.0/24 over IP3
ect.

Thx for the fast answer. Then i have to buy more NIC's ;)

GruensFroeschli

You dont need more NICs.
You can add your additional IPs under
"Firewall" –> "Virtual IPs"

Although if you get your public IPs via DHCP this wont work.

An alternative is, if you have a VLAN capable switch, connect it to your WAN interface and have like this multiple "VLAN interfaces".

Burken

I have Netgear ProSafe GS724. It can do VLANs…

Can you explane a bit more how it can be done? (i get 5 DHCP ip's)

Eugene

Can somebody explain how one interface can get five DHCP leases?

GruensFroeschli

Not!
One interface cannot get multiple DHCP leases.

But if you have some additional interfaces you can get DHCP leases on them.
A VLAN on pfSense appears as a new interface which is capable to get a DHCP lease, even if it's not a real physical interface.

Burken

I will try the VLAN method later today. :)

cheesyboofs

The problem I found with vlans on the wan side is if you use the same ISP they will see the same MAC out of all the vlan wan interfaces which will somewhat confuse the ISP’s DHCP server – you may need to drop a small bridge/access point between pfsense and the each wan port as I had too.

http://wan2.cheesyboofs.co.uk/home.htm <- can be slow to load.

This has the added advantage of not screwing up any static routes you’ve set. I did try setting virtual MACs on the wan interfaces but this had little or no effect, for me anyway.

Eugene

That is what I mean. Even ig you have VLANs on WAN MAC for all vlans stays the same, so I doubt it's possible to get different IPs using DHCP.

Burken

We can just change the MAC on the VLAN's

fxp1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=8 <vlan_mtu>ether 00:03:47:07:d4:b7
        inet6 fe80::203:47ff:fe07:d4b7%fxp1 prefixlen 64 scopeid 0x2
        inet 85.226.124.25 netmask 0xfffff800 broadcast 85.226.127.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

vlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:03:47:07:d4:b1
        inet6 fe80::208:2ff:fe5f:eb3%vlan0 prefixlen 64 scopeid 0xa
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 10 parent interface: fxp1
vlan1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:03:47:07:d4:b2
        inet6 fe80::208:2ff:fe5f:eb3%vlan1 prefixlen 64 scopeid 0xb
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 20 parent interface: fxp1
vlan2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:03:47:07:d4:b3
        inet6 fe80::208:2ff:fe5f:eb3%vlan2 prefixlen 64 scopeid 0xc
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 30 parent interface: fxp1
vlan3: flags=8842 <broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:03:47:07:d4:b4
        inet6 fe80::208:2ff:fe5f:eb3%vlan3 prefixlen 64 scopeid 0xd
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 40 parent interface: fxp1
vlan4: flags=8842 <broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether 00:03:47:07:d4:b5
        inet6 fe80::208:2ff:fe5f:eb3%vlan4 prefixlen 64 scopeid 0xe
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 50 parent interface: fxp1</full-duplex></broadcast,running,simplex,multicast></full-duplex></broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast>

I changed them all… but i dont get any dhcp responses...

Im not so good at IEEE 802.1Q VLAN... to be honest i have no clue what im doing...

on my switch i can set this:

Not member
Tag egress packets
Untag egress packets

And there is a "PVID" setting..

ktims

Set the pfSense port to tag egress packets, that's how pfSense can tell between the different VLANs. On the other side, untag egress packets so it looks like a bunch of different machines on a switch to the modem. You should probably not use VLAN 1 for this since many switches can't tag VLAN 1 frames, and mixing tagged/untagged traffic isn't wise.

I still don't think this will work though since the return traffic won't be tagged with the VLAN it was sent from (all traffic returning from the modem will be in VLAN 1 or whatever PVID you set) and will arrive at the wrong logical interface in pfSense (if it gets there at all since the MAC is different). You might be able to get around this by bridging all the VLAN interfaces to WAN manually, but that's a wonky hackish configuration and I'm still not sure it'd work.

Background: VLAN tagging is a special 'tag' added to an ethernet frame that can specify which VLAN that frame belongs to. 802.1q-aware devices can be set up to tag the frames they send, and 802.1q-aware switches can do a bit more to integrate 802.1q and non-802.1q devices. If you tag egress frames, then these tags are added to all traffic the switch sends out that port, and the device on that port (be it a switch or router like pfSense) can see which VLAN each frame belongs to. When you untag the frames, the tag is removed from outgoing frames on that port, so the connected device isn't aware there's even a VLAN configuration in place, it just sees the traffic as if all the devices on all VLANs it is a member of were directly connected. However, since the device doesn't understand VLANs, it doesn't tag traffic it generates either, which raises the issue here. All untagged traffic from devices connected to the switch will be belong to the PVID of the port. As a result when your pfSense sends a DHCP request out the VLAN 10 interface, the response comes back on VLAN 1 and gets dropped or ignored.

Burken

ktims, I think you have right there… but i still don't get 100% a hang of it.

So if my VLAN 10 sends DHCP broadcast the Switch will TAG the broadcast packets as VLAN 10?

Will the ISP-DHCP answer? But the response will come at VLAN 1 so the switch will just drop it instead of remembering were to send it?

GruensFroeschli

I'm moving so my lab is packed in boxes.

I will have to do some tests when i finished moving.

I never had on VLAN interfaces the IPs get assigned via DHCP, but what is did was having multiple VLAN interface statically in the same subnet.
So i figure it wouldnt be much different per DHCP.

For this i used 2 switches: a normal cheap switch and a VLAN switch.


                           |---cable---|
                  /-|switch|---cable---|VLAN switch|-\
                 /         |---cable---|              \
(network)---cable          |---cable---|               cable---|pfSense
                           |---cable---|

Otherwise there is no way to set the PVIDs for the different ports.

ktims

@Burken:

So if my VLAN 10 sends DHCP broadcast the Switch will TAG the broadcast packets as VLAN 10?

Not quite, pfSense tags the frame, and that tells the switch which ports should 'see' it. Once it knows what port the frame will be sent out, it checks if it should be sent tagged or untagged (this is the 'egress' option). Since your ISP port was untagged in my example, the tag would be stripped at this point. Your ISP never sees the VLAN information, and when the ISP DHCP server replies, the reply is not tagged. When an untagged frame arrives at a port, the switch assigns that frame to the VLAN you set in PVID for that port. This is the problem with my example - even though you have separate VLANs for traffic leaving pfSense, the return traffic from your ISP will all go to one VLAN.

So GruensFroeschli comes in with some good thinking to solve it. The extra switch and cables in his example gives you a way to receive the replies from your ISP through separate VLAN-switch ports, so you can assign them the proper PVID. Obviously it wastes some ports and you need a cheap switch, but I think it should work. However be careful when you're configuring this, with the switch<=>switch links you could easily end up with MAC addresses appearing on multiple ports which will confuse the heck out of the 'dumb' switch and could also result in switching loops and other oddness. Each VLAN switch port should be assigned a VLAN, that should be its PVID and it should be the only VLAN it is a member of, with untagged egress. Though really, given the number of switch ports this solution eats, it's easier and maybe cheaper to just add physical interfaces, unless you have half a dozen free ports on your VLAN switch.