DHCP not working on VLANs

  • I'm using a Netgate SG-1100 with UniFi 8-port PoE switch, UniFi Cloud Key Gen2, and UniFi AP-AC-PRO. My main LAN works fine and devices are assigned an IP address via DHCP whether they plug into the switch (wired) or join the wireless network. However, I have two VLANs, one for a guest network and one for untrusted IoT devices, and devices that join these networks are not being assigned an IP address via DHCP.

    I've followed several tutorials online and as far as I can tell my interfaces, VLANs, DHCP server settings, and NAT rules are all correct. However, for some reason DHCP does not seem to be working on these VLANs despite it being enabled for them. Ubiquiti (UniFi) manufacturer (of course) says the issue is pfSense since it handles DHCP. Here are pictures of my various settings.



    Outbound NAT

    DHCP enabled (example)

    Firewall rules (example)

    ADMIN_PORTS is an alias for ports 22 and 443.

    Inside the UniFi settings, I have the VLANs set up as VLAN-only networks.

    UniFi Networks

    And I have the wireless networks set up to use the VLANs.

    UniFi Wireless Networks

    The main wireless network (wutangLAN) works fine and hosts are assigned an IP address. But when attempting to join either of the VLAN-associated wireless networks, DHCP is not working (the UniFi controller logs that any device attempting to connect "is having trouble obtaining an IP via DHCP.").

    Given that DHCP is enabled for these VLANs in pfSense, I can't figure out why devices aren't being assigned IP addresses when joining them via the configured wireless networks.

    @danzek said in DHCP not working on VLANs:

    UniFi 8-port

    How about the switch? Does it let VLANs pass?

  • @kiokoman Yes, the Networks were configured using the VLANs as shown in the screenshot.

  • @danzek said in DHCP not working on VLANs:

    The main wireless network (wutangLAN)

    That ain't nothin to F* with...

    Not pfSense related, but in UniFi:
    Make sure DHCP guarding is off on the vlan network
    Make sure the 'block lan to wlan broadcast' is not checked on the wireless network
    Make sure the port profile has the vlans tagged on the ports

  • @dotdash thanks! Unfortunately none of these resolved it, either. These were what UniFi support had me do plus create a WLAN group. I appreciate the ideas, though!

  • My UniFi AP has 2 WiFi networks, GUEST and WIFI.
    My AP is connected to a switch (not a UniFi switch), and this switch is connected to pfSense.

    WIFI VLAN 10

    pfSense side: note that the ports are tagged.


    Switch side: note that the ports are tagged.

    On the UniFi controller side, I just created the WiFi networks and set the VLAN:


    Hope this can help you.

  • @mcury how would I tag the ports in pfSense? Note I’m using an SG-1100 and the LAN port goes directly to my UniFi switch, so the main LAN and all VLANs are on the same “port” out of my Netgate device.

  • Check if the SG-1100 has the option Interfaces/Switch/VLANs.
    There, you can create the VLAN groups, but I'm not sure if the SG-1100 has this menu.

    Maybe it's better to wait for someone more skilled with the SG-1100 to help you.
    I'm saying that because you may set the wrong things there and lose communication with the firewall.


    Take a look at this:


  • VLANs work from any interface.
    In this video I see that he is doing something more to the switch https://www.youtube.com/watch?v=JblnjsnJNJU at around 9:30.
    Another video here: https://www.youtube.com/watch?v=Bp_B79-WLlU

  • Do a packet capture on the pfSense interface. Do you see a request from the client?

    If you don't, it's not a pfSense issue.
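As an added illustration of the packet-capture check suggested above (not code from the thread or from pfSense), the script below reads the kind of lines `tcpdump -e -nn port 67 or port 68` prints, counts DHCP requests and replies per 802.1Q tag, and reports which expected VLANs show no client requests at all (the tag never reaches pfSense) versus requests with no reply (the DHCP server side). The capture text, MAC addresses and VLAN IDs are constructed sample data, not from the original post.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -nn port 67 or port 68` output (not a real capture):
# one untagged DHCP exchange that works, and two tagged VLAN 10 requests with no reply.
SAMPLE_CAPTURE = """\
12:00:01.000001 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
12:00:01.000002 00:08:a2:00:00:01 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 342: 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
12:00:02.000001 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:02, length 300
12:00:03.000001 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:02, length 300
"""

VLAN_RE = re.compile(r"\bvlan (\d+),")          # 802.1Q tag as tcpdump -e prints it
REQ_RE = re.compile(r"BOOTP/DHCP, Request")     # client -> server (Discover/Request)
REP_RE = re.compile(r"BOOTP/DHCP, Reply")       # server -> client (Offer/Ack)


def summarize_dhcp(capture: str) -> dict:
    """Count DHCP requests and replies per VLAN tag ('untagged' when no 802.1Q header)."""
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture.splitlines():
        if "BOOTP/DHCP" not in line:
            continue
        m = VLAN_RE.search(line)
        key = int(m.group(1)) if m else "untagged"
        if REQ_RE.search(line):
            counts[key]["requests"] += 1
        elif REP_RE.search(line):
            counts[key]["replies"] += 1
    return dict(counts)


def diagnose(summary: dict, expected_vlans) -> list:
    """Separate 'tag never arrives' from 'tag arrives but DHCP does not answer'."""
    findings = []
    for vlan in expected_vlans:
        c = summary.get(vlan)
        if c is None or c["requests"] == 0:
            findings.append(f"vlan {vlan}: no client requests seen on pfSense "
                            "-> tag is not reaching this port (switch port profile or SG-1100 switch VLAN table)")
        elif c["replies"] == 0:
            findings.append(f"vlan {vlan}: {c['requests']} request(s) but no reply "
                            "-> check the DHCP server and interface assignment for this VLAN on pfSense")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize_dhcp(SAMPLE_CAPTURE), expected_vlans=[10, 20]):
        print(finding)
```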

  • @dotdash the tagging in pfSense was the issue. I misunderstood how to do this. Thanks!

  • THIS IS NOW SOLVED. The issue was tagging.

    Inside pfSense I went to Interfaces > Switch > VLANs and added tags for the VLANs on members 0 (default system VLAN) and 2 (LAN) which resolved my issue.

    Thanks everyone!
