Netgate Discussion Forum

    DHCP, sometimes, confuses VLAN/LAN interfaces...

    General pfSense Questions
    • G
      Ghost 0
      last edited by

      👻 I have three active interfaces:
      Ig0: WAN
      Ig1: LAN (192.168.1.xxx) plus VLAN10, VLAN20, VLAN30
      Ig2: LAN (192.168.2.xxx)

      Ig1 and Ig2 are on different switches that are connected to the router (pfSense 2.5)

      Sometimes, once in a blue moon, DHCP will assign the devices on Ig2 VLAN30 IPs. This shouldn't be. I never experienced this phenomenon with pfSense 2.4.5. Is this a known glitch with this new upgrade? 🤔 👻

      • JKnottJ
        JKnott @Ghost 0
        last edited by

        @ghost-0

        Any chance you have TP-Link switches?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • G
          Ghost 0 @JKnott
          last edited by

          👻 Hi and thanks for the speedy reply!

          I'm using D-link switches. 👻

          • JKnottJ
            JKnott @Ghost 0
            last edited by JKnott

            @ghost-0

            Then you'll have to do some packet captures. You can use Packet Capture and also Wireshark on a computer. You should be able to set up the switches for port mirroring, so that you can use Wireshark to monitor the DHCP packets.

            I asked about TP-Link, as they have a "feature" that allows multicasts to leak from the main LAN to the VLANs. I used to have that problem with a TP-Link access point, which made it impossible to use the VLAN & 2nd SSID with IPv6. After replacing the AP, it now works properly. I discovered that issue, before I heard about it with the switches, by using Wireshark to see what was actually happening.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • GertjanG
              Gertjan @Ghost 0
              last edited by

              @ghost-0 said in DHCP, sometimes, confuses VLAN/LAN interfaces...:

              Ig1: LAN (192.168.1.xxx) plus VLAN10, VLAN20, VLAN30

              Why not detail the networks on these VLANs? Do they not have their own DHCP server with their own pool?

              Every DHCP server process listens to its own logical interface, be it a LAN, a VLAN10, VLAN30 or whatever.
              A DHCP server process can't attribute an IP that is not in its pool.

              What does the DHCP server log say about this?
              Can you show where a DHCP server running on the ig2 interface is attributing an IP coming from a VLAN30 interface / pool?

              I know, what I'm saying is how things should happen.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • G
                Ghost 0 @JKnott
                last edited by Ghost 0

                👻 The switch this occurs on is a non-managed switch, thus port mirroring is not an option. The other switch, a managed switch where the bulk of my devices are attached, doesn't have this problem. Perhaps I could monitor the situation with a cheap replacement switch. But here is the kicker... This never happened with pfSense 2.4.5. So, I'm thinking the problem must be with the new upgrade, pfSense 2.5?? 👻

                • G
                  Ghost 0 @Gertjan
                  last edited by Ghost 0

                  👻 As I said before, this problem didn't exist with pfSense 2.4.5.

                  VLAN10 on interface Ig1: the IP range is: 192.168.10.xxx to 192.168.10.xxx with its own DHCP.
                  VLAN20 on interface Ig1: the IP range is: 192.168.20.xxx to 192.168.20.xxx with its own DHCP.
                  VLAN30 on interface Ig1: the IP range is: 192.168.30.xxx to 192.168.30.xxx with its own DHCP.

                  Here's the morning log when it occurred:

                  Mar 30 08:33:55 dhcpleases 49859 Sending HUP signal to dns daemon(51726)

                  Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30

                  Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 00:24:8c:0e:xx:xx: via igb2

                  Mar 30 08:37:47 dhcpd 59723 DHCPOFFER on 192.168.30.10 to 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30

                  Mar 30 08:37:47 dhcpd 59723 DHCPOFFER on 192.168.2.11 to 00:24:8c:0e:xx:xx (Asus-i7) via igb2

                  Mar 30 08:37:47 dhcpd 59723 DHCPREQUEST for 192.168.30.10 (192.168.30.1) from 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30

                  Mar 30 08:37:47 dhcpd 59723 DHCPACK on 192.168.30.10 to 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30

                  Mar 30 08:37:47 dhcpd 59723 DHCPREQUEST for 192.168.30.10 (192.168.30.1) from 00:24:8c:0e:xx:xx (Asus-i7) via igb2: wrong network.

                  Mar 30 08:37:47 dhcpd 59723 DHCPNAK on 192.168.30.10 to 00:24:8c:0e:xx:xx via igb2

                  Mar 30 08:37:47 dhcpleases 49859 Sending HUP signal to dns daemon(51726)

                  As you can see... normally, computer (Asus-i7) on Ig2 is usually assigned an IP of 192.168.2.11... However, this morning, it was assigned an IP from VLAN30, which is from Ig1. I have obfuscated the MAC address of the device in question. I hope this helps 👻

                  • F
                    f.meunier @Ghost 0
                    last edited by f.meunier

                    @ghost-0
                    Hello
                    As you can see in the 2nd line, the discover packet is seen on interface igb1.30; that's why pfSense offers in the VLAN 30 subnet.
                    You must investigate why the packet comes from VLAN 30, since you say that the computer is on igb2.
                    It seems that it's more a network problem than a pfSense problem.
                    Can you explain how the two switches are set up (physically and configuration)?
                    You say that both switches are connected to one router: how are the switches' interfaces to this router configured? Maybe the discover leaks to igb2 through the router's interface?

                    (mostly ZOTAC CI or CA nano barebones)

                    • DerelictD
                      Derelict LAYER 8 Netgate @Ghost 0
                      last edited by

                      @ghost-0 said in DHCP, sometimes, confuses VLAN/LAN interfaces...:

                      The switch this occurs on is a non-managed switch

                      VLANs on an unmanaged switch. Just don't do it. Get a managed switch and create the broadcast domains and tag the traffic to the pfSense port as is required to keep broadcasts from crossing between networks.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • GertjanG
                        Gertjan @f.meunier
                        last edited by Gertjan

                        Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30
                        Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 00:24:8c:0e:xx:xx (Asus-i7) via igb2

                        Two discovers - at the same moment - over two networks.

                        So two answers:
                        Mar 30 08:37:47 dhcpd 59723 DHCPOFFER on 192.168.30.10 to 00:24:8c:0e:xx:xx (Asus-i7) via igb1.30

                        Mar 30 08:37:47 dhcpd 59723 DHCPOFFER on 192.168.2.11 to 00:24:8c:0e:xx:xx (Asus-i7) via igb2

                        Note that the IPs 30.10 and 2.11 respect the igb1.30 == VLAN30 and igb2 == LAN

                        But things get even better :

                        The Asus ACKs one IP (192.168.30.10).
                        The DHCP server signals it receives the ACK over the wrong network.
                        Traffic is echoed (copied) over multiple LANs.

                        It's time to have a talk with your switches ;)

                        edit :

                        @derelict said in DHCP, sometimes, confuses VLAN/LAN interfaces...:

                        VLANs on an unmanaged switch

                        Euuuuuuuhhhhhhh ..
                        You NEED managed switches that know what a 'VLAN' is.

                        edit again : @f-meunier and @Derelict said it all.

                        You said this worked well with 2.4.5? How so?

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 1
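The pattern read out of the log in the post above (the same MAC sending a DHCPDISCOVER that arrives on two interfaces in the same second, followed by a "wrong network" DHCPREQUEST) can be checked for mechanically. This is an added example, not part of the thread: the log lines are constructed in the dhcpd format the thread shows, and the MAC addresses, hostnames, the `find_leaks` name, the 2-second window and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the dhcpd log format shown in the thread
# (MAC addresses and hostnames are made up).
SAMPLE_LOG = """\
Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 02:00:00:00:00:01 (host-a) via igb1.30
Mar 30 08:37:46 dhcpd 59723 DHCPDISCOVER from 02:00:00:00:00:01: via igb2
Mar 30 08:37:47 dhcpd 59723 DHCPOFFER on 192.168.30.10 to 02:00:00:00:00:01 (host-a) via igb1.30
Mar 30 08:37:47 dhcpd 59723 DHCPREQUEST for 192.168.30.10 (192.168.30.1) from 02:00:00:00:00:01 (host-a) via igb2: wrong network.
Mar 30 08:40:02 dhcpd 59723 DHCPDISCOVER from 02:00:00:00:00:02 (host-b) via igb1.10
Mar 30 09:15:30 dhcpd 59723 DHCPDISCOVER from 02:00:00:00:00:02 (host-b) via igb1.20
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dhcpd\s+\d+\s+(?P<msg>DHCP[A-Z]+)\s.*?"
    r"(?:from|to)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}):?"
    r".*?\svia\s+(?P<iface>[\w.]+)(?P<rest>.*)$", re.I)

def find_leaks(log_text, window=timedelta(seconds=2), year=2021):
    """Return (leaks, wrong_net).

    leaks: MAC -> sorted interfaces that saw a DHCPDISCOVER from that MAC
    within `window` of each other (one broadcast reaching several L2 segments).
    wrong_net: (mac, iface) for requests dhcpd rejected as 'wrong network'.
    """
    discovers = defaultdict(list)          # mac -> [(time, iface)]
    wrong_net = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mac, iface = m["mac"].lower(), m["iface"]
        # syslog omits the year; `year` is an assumed value so strptime is unambiguous
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["msg"].upper() == "DHCPDISCOVER":
            discovers[mac].append((when, iface))
        elif "wrong network" in m["rest"]:
            wrong_net.append((mac, iface))
    leaks = defaultdict(set)
    for mac, seen in discovers.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            near = {ifc for t, ifc in seen[i:] if t - t0 <= window}
            if len(near) > 1:              # same client heard on >1 interface at once
                leaks[mac] |= near
    return {mac: sorted(ifs) for mac, ifs in leaks.items()}, wrong_net

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
```

A client that moves between networks minutes apart (host-b in the sample) is not flagged; only near-simultaneous arrivals on different interfaces are.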
                        • F
                          f.meunier @Ghost 0
                          last edited by

                          @ghost-0
                          Is your setup something like this ? (note that default vlan 1 is on both igb1 and igb2, because it's the default "landing" vlan if you don't explicitly remove it.)

                                              --------------
                          switch1m -----------| igb1       |
                          vlan 1, 10, 20, 30  |            |
                                              |       igb0 |  -- wan
                          switch2u ---------- | igb2       |
                          vlan 1              --------------
                          
                          

                          Do you have some links between the two switches ?

                          (mostly ZOTAC CI or CA nano barebones)

                          • JKnottJ
                            JKnott @Ghost 0
                            last edited by

                            @ghost-0 said in DHCP, sometimes, confuses VLAN/LAN interfaces...:

                            The switch this occurs on is a non-managed switch, thus port mirroring is not an option.

                            How are you separating the VLAN then? Perhaps you could provide a diagram of your network.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.