WiFi host can’t pull an IP from DHCP

DominikHoffmann

I have a moderately complex setup for a home network. My WiFi access points (APs) provide a guest WiFi SSID, which is fully functional. My APs VLAN-tag all traffic on that guest SSID, so that it can be segregated from the regular WiFi network. What I have failed to get to work is essentially a duplicate (albeit with a different VLAN ID) of that setup, which provides an IoT WiFi network to some of my shadier home automation devices.

Allow me to go through my guest WiFi configuration in detail.

On my pfSense appliance I have set up a dedicated interface with 192.168.11.1/24 addressing. That interface is assigned to “VLAN 11 on mvneta0.” DHCP is configured to hand out addresses in the 192.168.11.101–192.168.11.200 range. Only General Options have been configured.

On the firewall I have these rules:

Allow ICMP access from the 192.168.11.0/24 net any 192.168.11.0/24 address, in order to allow guest WiFi hosts to ping the gateway.
Allow TCP/UDP access to Port 53 from the 192.168.11.0/24 net any 192.168.11.0/24 address, in order to allow guest WiFi hosts to use the appliance’s DNS server.
Block all access from the 192.168.11.0/24 net to the firewall.
Block all access from the 192.168.11.0/24 net to all other local subnets.
Allow all access from the 192.168.11.0/24 net to everything (somehow access to WAN net is not sufficient here).

On the PoE switch running the powered backhauls to the APs I have the Ethernet ports running to the APs tagged with VLAN ID 11, as well as the connection from the Ethernet port to the pfSense appliance.

The APs are configured to use VLAN Tag 11 for the guest SSID.

This gives me a functional, fully isolated guest WiFi network.

The IoT WiFi network, however, using the VLAN ID 13 the 192.168.13.0/24 subnet, does not allow my phone or computer to pull an IP address, when connected to it. What is still blocking access from that 192.168.13.0/24 subnet to the DHCP server?

Bob.Dig

@dominikhoffmann said in WiFi host can’t pull an IP from DHCP:

What is still blocking access from that 192.168.13.0/24 subnet to the DHCP server?

That is an easy one. It is pfSense or the Switch or the AP.

DominikHoffmann

@bob-dig:

I just did my 11th comparison between the guest WiFi and IoT WiFi setup on my APs. Everything is identically setup, except for the VLAN tags.

The same with the port tagging on the switch.

I think, I am missing something in the pfSense configuration.

Bob.Dig

@dominikhoffmann On pfSense you only have to assign the IP and enable DHCP on that VLAN-interface. My guess would be your switch (or AP) and tagging...

Feel free to post images of everything you have done, even if it is not on pfSense but start with it.

viragomann

@dominikhoffmann
Sniff the traffic on the IoT interface, while you attach a device to this Wifi to see, if the communication on the VLAN is working at all.

DominikHoffmann

@bob-dig:

Here is my switch VLAN tagging:

Screenshot 2022-11-06 at 8.51.36 AM.png

The APs are configured like this:

Screenshot 2022-11-06 at 8.53.10 AM.png

Screenshot 2022-11-06 at 8.55.03 AM.png

My pfSense appliance has these configuration elements:

Screenshot 2022-11-06 at 8.57.26 AM.png

Screenshot 2022-11-06 at 8.58.11 AM.png

Screenshot 2022-11-06 at 9.00.20 AM.png

Screenshot 2022-11-06 at 9.01.04 AM.png

Screenshot 2022-11-06 at 9.01.42 AM.png

DominikHoffmann

It’s not the firewall block rules, as toggling those off does not fix anything.

DominikHoffmann

@viragomann

Based on the firewall rules there is no traffic on the home automation network:

Screenshot 2022-11-06 at 9.09.24 AM.png

versus this on the guest WiFi network:

Screenshot 2022-11-06 at 9.09.16 AM.png

viragomann

@dominikhoffmann
I was requesting a Diagnostics > Packet Capture.

There is no rule to allow DHCP traffic, even it is implicitly allowed. So you won't see any packet matching a rule there.

Bob.Dig

@dominikhoffmann So you have switchports inside of pfSense which I don't have, could make thinks different.

And your switch has only one place to configure VLANs?

Same goes for the AP, maybe it can be differentiated if you want the VLANs only in the AP or also outside of the AP?

Jarhead

@dominikhoffmann
WAN net is just the network assigned by your ISP, it's not the internet.

You don't show if you're vlans are tagged or untagged on your switch.
Assuming you have 3 AP's? Ports 2, 3 and 4? With 8 going to the router?

if so, ports 2, 3, 4 and 8 should all be set with your LAN as pvid as untagged, and vlans 11 and 13 as tagged.
Is that what you have?

DominikHoffmann

@jarhead said in WiFi host can’t pull an IP from DHCP:

You don't show if you're vlans are tagged or untagged on your switch.

Here is how the port tagging on the switch is presented:

Screenshot 2022-11-06 at 5.15.29 PM.png

Assuming you have 3 AP's? Ports 2, 3 and 4? With 8 going to the router?

That’s the way I have it set up.

DominikHoffmann

@bob-dig said in WiFi host can’t pull an IP from DHCP:

And your switch has only one place to configure VLANs?

Both VLANs are on the switch port associated with the physical OPT port, because that’s where the Ethernet going to my switch is plugged in.

Same goes for the AP, maybe it can be differentiated if you want the VLANs only in the AP or also outside of the AP?

If I had the VLANs only inside the AP, I couldn’t use the pfSense firewall to block access to my LAN from those two VLANs. They are supposed to provide internet access, only, and no access to other hosts or devices on my home LAN.

DominikHoffmann

@viragomann

Here is the result of the packet capture running for about 90 s, while my iPhone was trying to get onto the newly set-up VLAN ID 13 WiFi network:

Screenshot 2022-11-06 at 5.30.26 PM.png

Nothing! Let me think about what that implies.

Here is a packet capture with my phone getting onto the VLAN ID 11 WiFi network (successfully):

Screenshot 2022-11-06 at 5.34.16 PM.png

So, evidently, devices trying to get onto VLAN ID 13 don’t get an IP address, because their DHCP request never gets to the pfSense appliance.

rcoleman-netgate

@dominikhoffmann What's running at 11.1?

this implies the request comes in (UDP port 68) and a response goes out.

rcoleman-netgate

I would run the capture on the VLAN on port UDP 68 and nothing else... just sniff the traffic. The extra stuff showing up is unhelpful.

DominikHoffmann

@rcoleman-netgate said in WiFi host can’t pull an IP from DHCP:

I would run the capture on the VLAN on port UDP 68 and nothing else... just sniff the traffic. The extra stuff showing up is unhelpful.

Well, that's from the VLAN that’s working. The same packet capture running on the VLAN that is not is just crickets.

DominikHoffmann

I thought of another troubleshooting step: I will temporarily re-tag my guest network with VLAN ID 13 (from VLAN 11) and will see, what happens.

rcoleman-netgate

@dominikhoffmann

What is the Interfaces->Switches Ports and VLAN tabs like?

You have a device with a built-in switch, you have VLANs not communicating, I don't see any screenshots of the actually Netgate's 1) Model number and 2) built-in switch programming.

Here are the pages on my 7100:

viragomann

@dominikhoffmann
So something with the VLAN configuration on one of the involved devices might be wrong. You should recheck all settings. I'd suspect the switch.