DHCP server and bridged interfaces
-
Hi all, sorry for the noob question but I'm going nuts with this.
I have a virtualized pfSense on ESXi 6.7.
OPT1 is a trunk with several VLANs. Each VLAN goes to one VM. All VLANs have a different DHCP server, working ok. All VMs get their specific IP from pfSense. I need to add a LAN device to one specific network.
I created a new port group and connected this port group to the pfSense VM so traffic can be routed to one specific VM via pfSense. These 2 networks were bridged together. It all goes ok as long as this device has a static IP. What I want to accomplish is to serve both bridged interfaces with the same DHCP server, but I can't get it to work.
This is what I've done so far:
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
Interfaces are set to none
Bridge is set to static ip 192.168.10.1/24
DHCP server is enabled on the bridge with address range 192.168.10.100 to 192.168.10.200
Both interfaces and the bridge have the following rule as the first one:
Protocol: UDP
Source: 0.0.0.0
Source Port: all
Destination: 255.255.255.255
Destination port: 67 and 68
With no luck.
What am I doing wrong?
Kind regards
-
@gelcom
Sounds like you are trying to use DHCP Relay.
I currently have my pfSense setup so it is physical, but all my VLANs are on the same NIC.
This is trunked to my Switch, and each interface has a static IP.
Which is similar to your setup
My DHCP Server is on VLAN1 (There's 2 actually - Windows Server 2016 running as a HA Pair)
This server has all the IP ranges set up and the relevant entries such as default route / DNS.
In the Services menu select DHCP Relay, select the VLAN / network interfaces you want DHCP to give out an address for, add the IP of the DHCP server, save and away you go.
After that whatever network I have a device on it gets a DHCP IP Address.
Hope this helps
Efranko
-
Thanks for the reply!
Isn't it possible to have a DHCP server instead of DHCP relay in my situation? I wish I could keep my DHCP server running as I have a few other interfaces that depend on it.
kind regards
-
What you're doing should work. You can have multiple interfaces in a bridge and run a dhcp server on the bridge that will serve all clients.
Do you see any blocked traffic in the firewall logs?
Do you see incoming dhcp requests in packet captures?
If you set the bridge sysctls after creating the bridge have you rebooted since?
Steve
-
@gelcom Ah, it's the bridging bit. Not something I've ever used.
Elfranko
-
@stephenw10 said in DHCP server and bridged interfaces:
Do you see any blocked traffic in the firewall logs?
I see nothing blocked in the logs.
Do you see incoming dhcp requests in packet captures?
In the packet capture I see a lot of DHCP requests as follows:
08:24:31.338439 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
08:24:31.338700 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
08:24:32.404478 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
08:24:32.404687 IP 192.168.104.1.67 > 192.168.104.101.68: UDP, length 300
08:24:34.408468 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
08:24:34.408737 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
08:24:35.464471 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
08:24:35.464747 IP 192.168.104.1.67 > 192.168.104.101.68: UDP, length 300
08:24:37.488454 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
08:24:37.488726 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
08:24:38.524544 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
Also I see a lot of entries in the DHCP log:
Oct 5 08:24:37 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:35 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:35 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:34 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:34 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:32 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:32 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:31 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:31 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:09 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:09 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:08 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
But when I go to Status / DHCP Leases nothing shows up, and devices can't get an IP from the DHCP server.
I have no idea on where to go from here...
kind regards
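An added diagnostic, not part of the thread, that parses dhcpd log lines in the format shown above and lists clients stuck in a DISCOVER/OFFER loop: offered a lease but never sending DHCPREQUEST or receiving DHCPACK, which is exactly the pattern in the log above and the reason no leases appear. The sample log embeds the thread's lines plus one constructed healthy exchange (MAC 00:15:65:aa:bb:cc) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the dhcpd lines posted in the thread, plus one made-up
# client (00:15:65:aa:bb:cc) that completes the full DORA exchange.
SAMPLE_LOG = """\
Oct 5 08:24:37 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:35 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:35 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:34 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:34 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:32 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:32 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
Oct 5 08:24:31 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:24:31 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
Oct 5 08:25:01 dhcpd DHCPDISCOVER from 00:15:65:aa:bb:cc via bridge2
Oct 5 08:25:01 dhcpd DHCPOFFER on 192.168.104.102 to 00:15:65:aa:bb:cc via bridge2
Oct 5 08:25:01 dhcpd DHCPREQUEST for 192.168.104.102 (192.168.104.1) from 00:15:65:aa:bb:cc via bridge2
Oct 5 08:25:01 dhcpd DHCPACK on 192.168.104.102 to 00:15:65:aa:bb:cc via bridge2
"""

# Matches the ISC dhcpd DISCOVER/OFFER/REQUEST/ACK line shapes shown above;
# the client MAC follows "from" or "to", the interface follows "via".
LINE_RE = re.compile(
    r"dhcpd (?P<msg>DHCP[A-Z]+) .*?(?:from|to) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}).* via (?P<iface>\S+)$"
)


def parse(log_text):
    """Yield (message_type, client_mac, interface) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("msg"), m.group("mac").lower(), m.group("iface")


def stalled_clients(log_text):
    """Return {mac: {msg_type: count}} for clients that were sent a DHCPOFFER
    but never sent DHCPREQUEST and never got DHCPACK, i.e. the offer is not
    reaching them or they are rejecting it."""
    counts = defaultdict(lambda: defaultdict(int))
    for msg, mac, _iface in parse(log_text):
        counts[mac][msg] += 1
    return {
        mac: dict(c) for mac, c in counts.items()
        if c.get("DHCPOFFER", 0) > 0 and not c.get("DHCPREQUEST") and not c.get("DHCPACK")
    }


if __name__ == "__main__":
    for mac, c in stalled_clients(SAMPLE_LOG).items():
        print(f"{mac}: offered {c.get('DHCPOFFER')} time(s), no REQUEST/ACK")
```

Feed it the real log with `python3 script.py < /var/log/dhcpd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; any MAC it lists is a client whose offers are being lost or refused, which narrows the problem to the path between the bridge and that client.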
-
Where did you run that pcap?
I would run it on the member interface closest to that client to make sure replies are going out.
Set the detail level higher and check the MAC addresses are correct.
Make sure the client is not rejecting it as a rogue dhcp server because the source MAC will have changed if it was previously on the interface directly.
You may want to set a MAC address on the bridge because otherwise a random one will be assigned at each boot and some clients will freak out at that.
Steve
-
@stephenw10 said in DHCP server and bridged interfaces:
Where did you run that pcap?
I ran it on the bridge interface. Now I ran it on member interface itself. Same output.
You may want to set a MAC address on the bridge because otherwise a random one will be assigned at each boot and some clients will freak out at that.
I set a spoofed MAC address on the bridge interface to avoid that.
Set the detail level higher and check the MAC addresses are correct.
All MAC addresses are correct...
DHCP Discover from 0.0.0.0 (device's MAC address to broadcast)
DHCP Offer from DHCP server (bridge MAC address to device MAC address)
Make sure the client is not rejecting it as a rogue dhcp server because the source MAC will have changed if it was previously on the interface directly.
I think this is very unlikely as all devices on all interfaces in the bridge can't get a DHCP IP address.
Please note that if I delete the bridge and set a DHCP server on each interface, all devices can get their DHCP IP addresses.
kind regards
-
Do all interfaces in the bridge fail to hand out DHCP leases? Or just this new one?
If the pcap shows the DHCP offer leaving the member interface either it's not reaching the client or the client is rejecting it.
The client and server are using the same OUI there, are they both virtual devices?
Something in ESXi blocking/dropping it?
Steve