VLAN computer not pulling correct ip address

johnzimm · Feb 26, 2023, 5:25 PM

VLAN computer not pulling correct ip address.
Computer plugged into port 16 pulled ip address 192.168.1.130... not from VLAN 192.168.10.x
I feel like there is some little thing I am missing,

Settings-
PFSense running on a dell computer...
Interfaces - "main - Static 4 IP - IPv4 address 192.168.10.1

DHCP server main Enabled - Subnet 192.168.10.1 - Subnet mask 255.255.255.0 - Available rang 192.168.10.1 to 192.168.10.254 - Rang 192.168.10.10 to 192.168.10.250
DNS server - 1.1.1.1 and 8.8.8.8

Firewall rules - main - Action pass - Interface main - Adress family IPv4 - Source main.net - Destination any - Discription allow all

Netgear GSS116E 16 port managed switch
VLAN - port based - Avdanced- Enebled - VLAN Identifier 10 - Checked port 13, 14, 15, 16

johnpoz · Feb 26, 2023, 5:42 PM

@johnzimm said in VLAN computer not pulling correct ip address:

VLAN - port based

And how is pfsense going to understand that without tagging?

You would use 802.1q vlans with pfsense and tag whatever vlan you setup to pfsense interface that you put the vlan on.

johnzimm · Feb 26, 2023, 6:01 PM

@johnpoz
OK, I am assuming I don't change anything in PFsense... but I change the switch settings. Is that correct?

VLAN - 802.1q - VLAN configuration - VLAN ID - 10 - click add - VLAN membership - change to VLAN ID 10 - Put a "U" for ports 13, 14, 15, 16 - apply - Change port PVID for 13, 14, 15, 16 to 10 - apply

This cuts the internet to the test computer on port 16. And gives it no ip address and a hardware address of 44:A8:42:ED:C9:CF

johnpoz · Feb 26, 2023, 6:35 PM

@johnzimm you have vlan 10 setup on some pfsense interface?

So example... I have couple of vlans on one of my interfaces..

I also have an untagged network on this igb2 interface

So wlan in pfsense is 192.168.2.253/24

psk is 192.168.4.253/24
guest is 192.168.4.253/24

Rules are setup on these interface to allow what I want. Dhcp is setup on these interfaces, etc.

Now on my switch I use vlan 2 for the 192.168.2/24 network - pfsense has no clue about this vlan ID.. Its just on my switch.. Vlan 2 is not tagged on that port.. But vlan 4 and 6 are..

So here is my switch where 2 is untagged, 4 and 6 are tagged.

This port 5 on my switch is plugged into my igb2 interface on pfsense.

Now port 27 that I plug a device into that I want on this vlan 4, that port is set as untagged..

Traffic coming from that device, the switch knows hey any traffic I see coming into this interface is on vlan 4.. Now it sends it where it need to send it for vlan 4 traffic, be it a broadcast a unicast multicast packet.. If sends it to pfsense via that port 6 interface it knows to tag that traffic with vlan ID 4..

Pfsense sees traffic coming in, if no tag its on the native wlan interface, 192.168.2 network... If it comes in with vlan 4, it knows it goes to the vlan 4 interface..

Now when pfsense answers.. It send that answer from vlan 4 tagged... Switch says yeah ok this is vlan 4 traffic. When it needs to send it out a port that is untagged like port 27 the switch removes the tag..

edit: Make sure you check the pvid of the port your connecting your device into.. Some lower end switches might not set the pvid on the port when you change the port to be on a a vlan, even if only 1 vlan and untagged..

You also want to check the port going to pfsense if using an untagged network on the same interface you have your vlans on in pfsense.

Notice my pvid on those ports

johnzimm · Feb 26, 2023, 8:28 PM

@johnzimm you have vlan 10 setup on some pfsense interface?

I believe I tagged them correctly in pfsense...

johnpoz · Feb 26, 2023, 8:36 PM

@johnzimm yeah looks good.

Did you actual enable it and put an IP on it, enable dhcp etc..

And what are you ports like for your tagging.. The port that is connected to this igb1 interface, and then the port you are connecting some device, pc/laptop/etc

TheWaterbug · Mar 6, 2023, 11:37 PM

I had a similar weird event happen to me on Friday. I was in the process of moving a security camera server to the outside of my core LAN. I started with this:

and then moved the Blue Iris Server, POE Switch #1, and a bunch of cameras to the LAN50 side of the firewall. I have DHCP Server running on LAN50, with a reservation for the Blue Iris computer at 192.168.50.13.

I "moved" POE Switch #1 just by switching the cabling. I did not turn it off.

The Blue Iris server pulled a DHCP address of 192.168.0.138. I double-checked the cabling and rebooted it twice, and it still got the same address, which should be impossible.

I wasn't until I power-cycled the unmanaged POE Switch 1 that the Blue Iris PC finally pulled the correct DHCP reserved address of 192.168.50.13, and then everything started working as expected.

If the switch had stayed powered-on after initially moving the cabling, could the CAM table have somehow allowed the DHCP request the Blue Iris computer to traverse across to LAN0?

johnpoz · Mar 6, 2023, 11:52 PM

@thewaterbug said in VLAN computer not pulling correct ip address:

The Blue Iris server pulled a DHCP address of 192.168.0.138

No it didn't not from that drawing..

could the CAM table have somehow allowed the DHCP request the Blue Iris computer to traverse across to LAN0?

From the drawing you have no physical connection.. So no there would be no way for what your saying to have happened.. Now would seems more likely is the server just used its old IP because it didn't get an answer from a dhcp server, which is quite common..

Client will try and renew its lease, and sure it could get a nak and then have to do a discover to get a new IP on the new network, but if it doesn't hear back from a dhcp server at all.. It can continue to use its original lease until it expires.

TheWaterbug · Mar 7, 2023, 1:18 AM

@johnpoz said in VLAN computer not pulling correct ip address:

No it didn't not from that drawing..

That's what I thought, too, which is why I wrote that it was impossible!

But I was looking at the monitor right there in front of me, and it was a .0.138 address. And it wasn't even the previously-used address, as that was .0.13 per its old reservation at LAN0.

johnpoz · Mar 7, 2023, 1:19 AM

@thewaterbug not sure what to tell you - but its not possible.. You have no layer 2 connection to the dhcp server running on lan - so there is no way it could of pulled an IP from that dhcp server.

And your saying it never had a 0.138 address... I just don't see how it was possible without a layer 2 connection. Your saying you saw in the logs dhcp? Is that not a different physical interface? You show it on the drawing as a different interface - you don't have them bridged? Its not a vlan, where maybe the switch didn't tag something?

TheWaterbug · Mar 7, 2023, 1:27 AM

@johnpoz said in VLAN computer not pulling correct ip address:

@thewaterbug not sure what to tell you - but its not possible.. You have no layer 2 connection to the dhcp server running on lan - so there is no way it could of pulled an IP from that dhcp server.

And your saying it never had a 0.138 address... I just don't see how it was possible without a layer 2 connection. Your saying you saw in the logs dhcp? Is that not a different physical interface? You show it on the drawing as a different interface - you don't have them bridged? Its not a vlan, where maybe the switch didn't tag something?

Ah, shoot. I didn't think to check the logs on the DHCP server, and now it's been over-written.

I saw it on the client.

Correct, it was on a different physical interface (OPT1), with no bridging in place, and the problem fixed itself just by my power-cycling the unmanaged switch.

I don't know what to say, either, other than that stranger things have happened.