Netgate Discussion Forum

    DHCP issuing wrong ip's for wrong VLANs

    DHCP and DNS
firedemon

I have an issue where I have 3 VLANs set up with DHCP scopes in pfSense, which are being issued via DHCP relay on 2 UniFi switches to 2 UniFi APs.

I am confused by the DHCP logs and by why this started happening.
I also have the UniFi switches alerting me to a rogue DHCP server, which cites the MAC of my pfSense box.

Any suggestions on where to look, or guidance?

firedemon (replying to firedemon)

        VLAN 2 - 172.17.2.x - SECURE wireless
        VLAN 5 - 172.17.5.x - IOT wireless
        VLAN 4 - 172.17.4.x - KIDS wireless

I can connect to SECURE wireless and be given a 172.17.5.x IP, and then the VLAN 2 rules apply to my 5.x IP and it does not resolve properly, since I am only allowing 2.1 as the DNS server, but VLAN 5 DNS issues its settings of 1.1.1.1 & 9.9.9.9 (which are blocked on VLAN 2 since I have it set to only allow 2.1 as the DNS server).
The same goes for different networks and wrong DHCP scopes being assigned.

This happened out of the blue.
VLANs are segmented, DHCP scopes are different, networks are in the UniFi controller, traffic is tagged, DHCP relay is set.

Possible causes:
- I have a SPAN port set up with a bridge interface mirroring traffic to another box analyzing traffic.
- Suricata randomly disappeared until I reinstalled it.
- I turned off pfBlockerNG-dev temporarily to try to upgrade my UniFi products (APs will not upgrade successfully).
- I have since forgotten 1 switch and 1 AP, as the AP wouldn't upgrade and the switch stopped being seen.
- I am getting a rogue DHCP server message from the switches pointing to the MAC of my pfSense box.

NogBadTheBad

Do a packet capture on pfSense and have a look at the DHCP packets in and out of each VLAN interface.

Think it's an issue with the switch setup.

I have pfBlockerNG-dev running and I can upgrade my UniFi AP fine.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

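Andy's suggestion is to look at what DHCP is doing on each VLAN interface. As an added example that is not part of this thread (and not Netgate's or pfSense's own code), the Python below runs the same check over the ISC dhcpd lines pfSense writes to its DHCP log. It assumes interface names igb1.2, igb1.5 and igb1.4 and the three scopes from the post; the log lines are constructed for the example. It flags a lease outside the scope of the interface it was served on (the symptom described above), a request that came in through a relay (giaddr) instead of a local interface, and, the most telling sign, one client MAC seen on more than one VLAN interface, which means the segments are not actually separate at layer 2.

```python
"""Flag DHCP leases that do not belong to the VLAN interface they were served on.

Parses the ISC dhcpd lines pfSense writes to its DHCP log and reports:
  out_of_scope   a lease address outside the scope configured for the interface
  unknown_iface  a DHCP message on an interface with no configured scope
  relayed        a message that arrived via a relay (giaddr) instead of locally
  multi_iface    one client MAC seen on several VLAN interfaces, which means
                 the segments are not actually separate at layer 2
"""
import ipaddress
import re
from collections import defaultdict

# Assumed pfSense interface names (parent NIC igb1, VLAN tags from the post);
# replace with the names shown under Interfaces > Assignments.
SCOPES = {
    "igb1.2": ipaddress.ip_network("172.17.2.0/24"),  # SECURE wireless
    "igb1.5": ipaddress.ip_network("172.17.5.0/24"),  # IOT wireless
    "igb1.4": ipaddress.ip_network("172.17.4.0/24"),  # KIDS wireless
}

# ISC dhcpd message shapes, e.g.
#   DHCPDISCOVER from <mac> via <iface>
#   DHCPOFFER on <ip> to <mac> (<hostname>) via <iface>
#   DHCPREQUEST for <ip> (<server>) from <mac> via <iface>
#   DHCPACK on <ip> to <mac> via <iface>
# "via" names a local interface, or the relay agent's IP (giaddr) when relayed.
MSG_RE = re.compile(r"(DHCP[A-Z]+) (.*?) via (\S+)\s*$")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")
ADDR_RE = re.compile(r"\b(?:on|for) (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_dhcpd_line(line):
    """Return (kind, mac, ip_or_None, via) for a dhcpd DHCP* line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    kind, body, via = m.groups()
    mac = MAC_RE.search(body)
    if not mac:
        return None
    addr = ADDR_RE.search(body)
    return kind, mac.group(1).lower(), (addr.group(1) if addr else None), via


def check_dhcpd_log(lines, scopes=SCOPES):
    """Return (code, mac, via, detail) findings in log order, followed by one
    multi_iface finding per client that showed up on several interfaces."""
    findings = []
    seen_on = defaultdict(set)  # client MAC -> interfaces it was seen on
    for line in lines:
        parsed = parse_dhcpd_line(line)
        if parsed is None:
            continue
        kind, mac, ip, via = parsed
        try:
            ipaddress.ip_address(via)  # parses only when "via" is a relay's giaddr
            findings.append(("relayed", mac, via,
                             f"{kind} came through relay {via}, not a local interface"))
            continue
        except ValueError:
            pass
        seen_on[mac].add(via)
        scope = scopes.get(via)
        if scope is None:
            findings.append(("unknown_iface", mac, via, f"{kind} on interface with no scope"))
        elif ip is not None and ipaddress.ip_address(ip) not in scope:
            findings.append(("out_of_scope", mac, via, f"{kind} {ip} is outside {scope}"))
    for mac, ifaces in sorted(seen_on.items()):
        if len(ifaces) > 1:
            findings.append(("multi_iface", mac, ",".join(sorted(ifaces)),
                             "same client on several VLAN interfaces; L2 may be bridged"))
    return findings


# Constructed sample log (not a real capture): one clean lease on SECURE,
# one client that appears on both SECURE and IOT and is offered an IOT
# address on the SECURE interface, and one relayed request.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfSense dhcpd[4242]: DHCPDISCOVER from 3c:22:fb:aa:bb:01 via igb1.2
Mar  3 10:15:01 pfSense dhcpd[4242]: DHCPOFFER on 172.17.2.50 to 3c:22:fb:aa:bb:01 (laptop) via igb1.2
Mar  3 10:15:02 pfSense dhcpd[4242]: DHCPACK on 172.17.2.50 to 3c:22:fb:aa:bb:01 (laptop) via igb1.2
Mar  3 10:15:07 pfSense dhcpd[4242]: DHCPDISCOVER from 3c:22:fb:aa:bb:02 via igb1.5
Mar  3 10:15:07 pfSense dhcpd[4242]: DHCPDISCOVER from 3c:22:fb:aa:bb:02 via igb1.2
Mar  3 10:15:07 pfSense dhcpd[4242]: DHCPOFFER on 172.17.5.23 to 3c:22:fb:aa:bb:02 via igb1.5
Mar  3 10:15:07 pfSense dhcpd[4242]: DHCPOFFER on 172.17.5.23 to 3c:22:fb:aa:bb:02 via igb1.2
Mar  3 10:15:30 pfSense dhcpd[4242]: DHCPOFFER on 172.17.4.10 to 3c:22:fb:aa:bb:03 via 172.17.4.2
""".splitlines()

if __name__ == "__main__":
    for code, mac, via, detail in check_dhcpd_log(SAMPLE_LOG):
        print(f"{code:13} {mac} via {via}: {detail}")
```

Feed it the real log (Status > System Logs > DHCP, or the dhcpd lines from /var/log) instead of SAMPLE_LOG. A client MAC that shows up on two VLAN interfaces within the same second cannot happen on properly separated segments, so a multi_iface hit is the thing to chase first; a packet capture on each VLAN interface then shows which direction the frames are leaking.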
johnpoz (LAYER 8 Global Moderator)

            @firedemon said in DHCP issuing wrong ip's for wrong VLANs:

            which are being issued via dhcp relay on 2 unifi switches to 2 unifi APs.

Huh?? pfSense cannot be the destination for a DHCP relay; it has to have an interface in the L2 it's assigning DHCP to. So why would you need or have relays set up?

How about a drawing, so we can help you figure out what is going on. What is actually handing out the DHCP?

If clients are in the L2 that the DHCP server is attached to, there would be no relays needed to be set up anywhere. You only need a relay for an L2 that is not attached to the DHCP server, and this DHCP server has scopes for these unattached VLANs. You cannot do this with pfSense, where pfSense is the dest of the relay you set up... It can be a relay, but then it cannot run dhcpd on that VLAN.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

firedemon

The issue was the bridge I set up when trying to get my segmented VLANs mirrored to a SPAN port.
I deleted the bridge, as I had all VLANs as members of 1 bridge.
Everything works as expected with DHCP assigning the proper scopes to the appropriate networks.

Regarding the SPAN port...

1. Can I set up 1 VLAN per bridge to the SPAN port to accomplish this? (i.e. 1 bridge = LAN VLAN -> SPAN, another bridge = IOT VLAN -> SPAN, another bridge = kids VLAN -> SPAN)

2. Do I include the WAN port in the SPAN port?

3. Is a SPAN port on a switch a better option, and where is the ideal placement for this switch to monitor all traffic going in and out across all VLANs?

johnpoz (LAYER 8 Global Moderator)

                @firedemon said in DHCP issuing wrong ip's for wrong VLANs:

                I deleted the bridge as I had all VLANs as members of 1 bridge.

Huh.. Yeah, that is borked for sure!!

Yeah, do your span on your switch. Grab whatever VLANs you want.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.