DHCP server and bridged interfaces



  • Hi all, sorry for the noob question but I'm going nuts with this.

    I have a virtualized pfSense on Esxi 6.7
    OPT1 is a trunk with several VLANs. Each VLAN goes to one VM. All VLANs have a different DHCP server working OK. All VMs get their specific IP from pfSense.

    I need to add a LAN device to one specific network.
    I created a new port group and connected this port group to the pfSense VM so traffic can be routed to one specific VM via pfSense. These 2 networks were bridged together. It all works OK as long as this device has a static IP.

    What I want to accomplish is to serve both bridged interfaces with the same DHCP server, but I can't get it to work.

    This is what I've done so far:

    net.link.bridge.pfil_member=0
    net.link.bridge.pfil_bridge=1

    Interfaces are set to none
    Bridge is set to static ip 192.168.10.1/24
    DHCP server is enabled on bridge with address 192.168.10.100 to 192.168.10.200

    Both interfaces and bridge have the following rule as first:
    Protocol: UDP
    Source: 0.0.0.0
    Source Port: all
    Destination: 255.255.255.255
    Destination port: 67 and 68

    With no luck.

    What am I doing wrong?

    Kind regards



  • @gelcom
    Sounds like you are trying to use DHCP Relay.
    I currently have my pfSense set up so it is physical, but all my VLANs are on the same NIC.
    This is trunked to my switch, and each interface has a static IP.
    Which is similar to your setup.
    My DHCP server is on VLAN1 (there are 2 actually - Windows Server 2016 running as an HA pair).
    This server has all the IP ranges set up and the relevant entries such as default route / DNS.
    In the Services menu select DHCP Relay and select the VLAN / network interfaces you want to have DHCP give out an address for, add the IP of the DHCP server, save and away you go.

    After that whatever network I have a device on it gets a DHCP IP Address.

    Hope this helps

    Efranko



  • Thanks for the reply!

    Isn't it possible to have a DHCP server instead of DHCP relay in my situation? I wish I could keep my DHCP server running as I have a few other interfaces that depend on it.

    kind regards


  • Netgate Administrator

    What you're doing should work. You can have multiple interfaces in a bridge and run a dhcp server on the bridge that will serve all clients.

    Do you see any blocked traffic in the firewall logs?

    Do you see incoming dhcp requests in packet captures?

    If you set the bridge sysctls after creating the bridge have you rebooted since?

    Steve



  • @gelcom Ah, it's the bridging bit. Not something I've ever used.

    Elfranko



  • @stephenw10 said in DHCP server and bridged interfaces:

    Do you see any blocked traffic in the firewall logs?

    I see nothing blocked on logs

    Do you see incoming dhcp requests in packet captures?

    in the packet capture I see a lot of DHCP requests as follows:

    08:24:31.338439 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    08:24:31.338700 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
    08:24:32.404478 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    08:24:32.404687 IP 192.168.104.1.67 > 192.168.104.101.68: UDP, length 300
    08:24:34.408468 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    08:24:34.408737 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
    08:24:35.464471 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    08:24:35.464747 IP 192.168.104.1.67 > 192.168.104.101.68: UDP, length 300
    08:24:37.488454 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    08:24:37.488726 IP 192.168.104.1.67 > 192.168.104.100.68: UDP, length 300
    08:24:38.524544 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 548
    

    also I see a lot of log entries in DHCP:

    Oct 5 08:24:37 	dhcpd 		DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
    Oct 5 08:24:35 	dhcpd 		DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:35 	dhcpd 		DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:34 	dhcpd 		DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
    Oct 5 08:24:34 	dhcpd 		DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
    Oct 5 08:24:32 	dhcpd 		DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:32 	dhcpd 		DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:31 	dhcpd 		DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2
    Oct 5 08:24:31 	dhcpd 		DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2
    Oct 5 08:24:09 	dhcpd 		DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:09 	dhcpd 		DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2
    Oct 5 08:24:08 	dhcpd 		DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2 
    

    but when I go to Status / DHCP Leases nothing shows up and devices can't get an IP from DHCP server.


    I have no idea on where to go from here...

    kind regards
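    The repeating DISCOVER/OFFER pairs in the log above, with no DHCPREQUEST or DHCPACK from either phone, are the pattern to look for: the server is answering, but the client either never receives the offer or rejects it. The script below is an added example (not from the original post or from pfSense) that classifies each client MAC in a dhcpd log by how far the exchange got. The sample log embeds the lines from this post plus a constructed healthy client (MAC 00:0c:29:aa:bb:cc on a hypothetical interface opt2) for contrast; the DHCPREQUEST line follows ISC dhcpd's standard message format.

```python
"""Classify DHCP clients from ISC dhcpd log lines: did each DORA exchange complete?"""
import re
import sys
from collections import defaultdict

# One dhcpd syslog line as pfSense shows it under Status > System Logs > DHCP.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+dhcpd\s+"
    r"DHCP(?P<kind>DISCOVER|OFFER|REQUEST|ACK|NAK)\b(?P<rest>.*)"
)
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
IFACE_RE = re.compile(r"\bvia (\S+)")

# Lines copied from the post above (two phones stuck on bridge2) plus a
# constructed healthy client on a hypothetical interface opt2 for contrast.
SAMPLE_LOG = [
    "Oct 5 08:24:37 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    "Oct 5 08:24:35 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:35 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:34 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    "Oct 5 08:24:34 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    "Oct 5 08:24:32 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:32 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:31 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    "Oct 5 08:24:31 dhcpd DHCPDISCOVER from 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    "Oct 5 08:24:09 dhcpd DHCPOFFER on 192.168.104.101 to 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:09 dhcpd DHCPDISCOVER from 00:15:65:6f:10:a4 (SIP-T48G) via bridge2",
    "Oct 5 08:24:08 dhcpd DHCPOFFER on 192.168.104.100 to 00:15:65:67:52:87 (SIP-T46G) via bridge2",
    # constructed: a client that completes the full exchange
    "Oct 5 08:25:01 dhcpd DHCPDISCOVER from 00:0c:29:aa:bb:cc via opt2",
    "Oct 5 08:25:01 dhcpd DHCPOFFER on 192.168.20.50 to 00:0c:29:aa:bb:cc via opt2",
    "Oct 5 08:25:01 dhcpd DHCPREQUEST for 192.168.20.50 (192.168.20.1) from 00:0c:29:aa:bb:cc via opt2",
    "Oct 5 08:25:01 dhcpd DHCPACK on 192.168.20.50 to 00:0c:29:aa:bb:cc via opt2",
]


def parse_line(line):
    """Return {'kind', 'mac', 'iface'} for a DISCOVER/OFFER/REQUEST/ACK/NAK line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    mac = MAC_RE.search(m.group("rest"))
    iface = IFACE_RE.search(m.group("rest"))
    return {
        "kind": m.group("kind"),
        "mac": mac.group(1).lower() if mac else None,
        "iface": iface.group(1) if iface else None,
    }


def classify(lines):
    """Group log lines by client MAC and decide how far each exchange got.

    Line order does not matter (pfSense lists newest first); only which message
    types the server logged for a client is used.
    """
    counts = defaultdict(lambda: defaultdict(int))
    ifaces = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mac"] is None:
            continue
        counts[rec["mac"]][rec["kind"]] += 1
        if rec["iface"]:
            ifaces[rec["mac"]].add(rec["iface"])

    result = {}
    for mac, c in counts.items():
        if c["ACK"]:
            state = "leased"              # full DORA completed
        elif c["NAK"]:
            state = "nak"                 # server refused the request
        elif c["REQUEST"]:
            state = "request_without_ack"  # request arrived, ack never logged
        elif c["OFFER"]:
            state = "stuck_at_offer"      # offer sent, client never came back
        else:
            state = "discover_only"       # server saw it but never offered
        result[mac] = {"state": state, "counts": dict(c), "ifaces": sorted(ifaces[mac])}
    return result


def stuck_clients(lines):
    """MACs the server offered a lease to but never heard a REQUEST/ACK from."""
    return sorted(mac for mac, r in classify(lines).items() if r["state"] == "stuck_at_offer")


if __name__ == "__main__":
    # Pipe a copy of the dhcpd log in, or run with no input to use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for mac, r in sorted(classify(lines).items()):
        print(f"{mac}  {r['state']:<20} {r['counts']}  via {','.join(r['ifaces'])}")
```

    A client that is "stuck_at_offer" on a bridge member, while "leased" clients exist elsewhere, narrows the fault to the reply path (offer not delivered or not accepted), which is exactly what the packet capture on the member interface and the MAC-address check in the next reply are meant to settle.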


  • Netgate Administrator

    Where did you run that pcap?

    I would run it on the member interface closest to that client to make sure replies are going out.

    Set the detail level higher and check the MAC addresses are correct.

    Make sure the client is not rejecting it as a rogue dhcp server because the source MAC will have changed if it was previously on the interface directly.

    You may want to set a MAC address on the bridge because otherwise a random one will be assigned at each boot and some clients will freak out at that. 😉

    Steve



  • @stephenw10 said in DHCP server and bridged interfaces:

    Where did you run that pcap?

    I ran it on the bridge interface. Now I ran it on member interface itself. Same output.

    You may want to set a MAC address on the bridge because otherwise and random one will be assigned at each boot and some clients will freak out at that.

    I set a spoofed MAC address on the bridge interface to avoid that.

    Set the detail level higher and check the MAC addresses are correct.

    All MAC addresses are correct...
    DHCP Discover from 0.0.0.0 (device's MAC address to broadcast)

    DHCP Offer from DHCP server (bridge MAC address to device MAC address)

    Make sure the client is not rejecting it as a rogue dhcp server because the source MAC will have changed if it was previously on the interface directly.

    I think this is very unlikely as all devices on all interfaces in the bridge cannot get a DHCP IP address.

    Please note that if I delete the bridge and set the DHCP server on each interface, all devices can get their DHCP IP addresses.

    kind regards


  • Netgate Administrator

    Do all interfaces in the bridge fail to hand out DHCP leases? Or just this new one?

    If the pcap shows the DHCP offer leaving the member interface either it's not reaching the client or the client is rejecting it.

    The client and server are using the same OUI there; are they both virtual devices?
    Something in ESXi blocking/dropping it?

    Steve

