pfSense dhcp problem using VLANS

Toube · Jan 2, 2020, 7:10 PM

Hi All,

I have been struggling for a few days and I don't know what or where I'm going wrong.
My problem is that I set up some VLANS in pfsense GUEST100 and IOT50 and I want to separate the IOT devices from my LAN.

I have create the interfaces and set the DHCP for them. Then I'm using Unifi controller with Unifi AP:s.
So I have created a GUEST and a IOT SSID with VLAN100 and VLAN50 as params for the wifis.

Now my problem is pretty weird.. If I connect a wired device to a smart switch where the port has a VLAN50 it will get the right ip-address.
But for the Wifi devices, they have problems.. they struggle to get a ip-address from the dhcp server.

I have been trying to solve this at the Unifi community but I'm starting to think that it might be a pfsense problem.. or more likely something I have configured the wrong way.
Here is how my network is setup.
Pfsense ports

Eth 0 -> WAN
Eth 1 -> LAN
Eth 2 -> IOT + GUEST VLANS 50 and 100
Eth 2 goes to dumb switch and from there to Unifi port 2 so all devices plugged in to the dumb switch are assigned a VLAN50 address.

Unifi Switch:
All other port has the default All except for port 2 that has VLAN 50 and 100 assigned using Profile in Unifi.

JKnott · Jan 2, 2020, 7:34 PM

@Toube

Why do you have a connection from pfSesne to the dumb switch and then to the Unifi switch and also from pfSense to Unifi? Also, is the native LAN on eth 2 configured?

Toube · Jan 2, 2020, 7:46 PM

@JKnott
good question. I changed it bit recently.
I'm now only using the LAN with the VLANS.. the IGB2 (eth2) is unhooked.
See below:

The Native LAN on eth2 was probably not configured or what do you mean by configured?
Still using this way of connecting the iot devices struggle to get an ip-address from the pfsense server.

JKnott · Jan 2, 2020, 8:15 PM

@Toube

When you go to Status / Interfaces, you can see how every interface, including VLAN, is configured. On my system, bge0 is the LAN and has an IP address. I also have VLAN3 on the same interface, which is listed as bge.3.

Toube · Jan 2, 2020, 8:56 PM

@JKnott
yes on mine it shows same as yours:
IOT Interface (opt1, igb1.50)

JKnott · Jan 2, 2020, 9:51 PM

@Toube said in pfSense dhcp problem using VLANS:

yes on mine it shows same as yours

So you have an IP address on both igb1 and igb1.50

Toube · Jan 2, 2020, 9:53 PM

Yes:

JKnott · Jan 2, 2020, 10:02 PM

@Toube

So, you've got 192.168.1.1 on igb1. Is that subnet used anywhere else? On that interface you've got 2 VLANs and the native LAN, all with IP addresses.

BTW, shouldn't there also be a VLAN 1gb1.100? You had previously said you had VLAN 50 & 100 on that interface.

Toube · Jan 3, 2020, 9:46 AM

Hi @JKnott ,
The 192.168.1.1 subnet is used by the LAN, not sure I understand your question by used anywhere else.
Yes there is the third igb1.100 network I didn't capture it sorry.

Toube · Jan 3, 2020, 7:32 AM

One thing. The port on my Unifi Switch that goes to the pfsense LAN, igb1 port (native), well I haven't set any VLANS on that port. I'm using the port setting ALL.
Well actually all ports are set to All..I assume when ALL is used the ports will echo all the VLANS the AP:s are transmitting so it should work correctly?
Anyways I still have problems with IOT and sometimes also my Android mobile can't get an IP-address when connecting to the IOT SSID.

Chromecast is the one with most problems.
The thing is that if I connect the IOT and chromecast to my primary LAN network without VLAN they will work and the dhcp assignes all IOT devices ip-addresses without a glitch.

Toube · Jan 3, 2020, 8:20 AM

The DNS forwarder, should it be disabled?

I guess the DNS resolver handles the DNS requests?

Gertjan · Jan 3, 2020, 11:32 AM

@Toube said in pfSense dhcp problem using VLANS:

The DNS forwarder, should it be disabled?

It is :

@Toube said in pfSense dhcp problem using VLANS:

I guess the DNS resolver handles the DNS requests?

By default, the Resolver (unbound) is enabled.
It will work for any LAN type interface - keep in mind that on any OPTx type interface (and VLAN) a protocol UDP & TCP destination port 53 needs to be added..

Toube · Jan 3, 2020, 1:10 PM

Hi @Gertjan ,
do I need to add any rules to the IOT network?

Currently only one rule active for the IOT.

Toube · Jan 3, 2020, 11:56 AM

Current situation is that all wireless clients are not getting an IP-address when a VLAN tag is set to the SSID. But for wired connection for example.
If I connect my laptop to a smart switch port that has the VLAN50 tag in the port then my laptop will be given the correct ip-address from the IOT dhcp scope.

bcruze · Jan 3, 2020, 1:46 PM

did you setup the vlan ONLY within the UBNT controller?

settings > networks > create network > purpose vlan only name of vlan and vlan ID

this doesn't sound like a Pfsense issue(yet) it doesn't sound like the vlan was setup properly yet

Gertjan · Jan 3, 2020, 1:10 PM

@Toube said in pfSense dhcp problem using VLANS:

Hi @Gertjan ,
do I need to add any rules to the IOT network?

Currently only one rule active for the IOT.

The IOT firewall rule is ok.

Toube · Jan 3, 2020, 1:47 PM

Hi @bcruze,
the Unifi VLAN (Created 2 x with Vlan only IOT VLANID 50 and GUEST VLANID 100) is at least to my knowledge setup as it should be.
Then added these VLANIDs to the SSID configurations.
On the switch ports where the ap:s are connected I have set the switch profile with LAN as native network and then included the tagged VLANS 50 and 100.

Toube · Jan 5, 2020, 11:51 AM

So it seems was neither Unifi or Pfsense problem.. the problem was my small Netgear smart switches two of them.. they were improperly configured and thus causing the VLAN50 and 100 not to be able to be forwarded to the pfsense router. Thanks all for answering me.

A Former User · Apr 18, 2023, 12:46 AM

@toube
What change to your Netgear switch did you make? Having same issue and I'm using Netgear switches.

Thanks

jaspery · Apr 18, 2023, 1:22 AM

I didn't work with UniFi switches, however I'm planning to later this year.

But concept I'm using with other switches that support VLAN is like this:

Chromecast will need to receive traffic only from IOT VLAN (if I understand your requirement correctly. But for Chromecast (and other consumer grade appliance) it is important to receive this traffic as untagged, so if it is possible in Unify switch you need to configure ports to which devices are connected directly as belonging to proper VLAN but sending untagged traffic.

Also I'm seeing you seem to have solved your issue already, but I'd suggest to consider configuring untagged ports properly (if Unify allows it, maybe it is too smart and guesses proper config on it's own)

I'm just thinking if e.g. Chromecast is connected to port which sends tagged traffic, Chromecast will probably be able to receive some packets, but some portion of packets may be dropped, and this will affect quality of the connection.