Weird Raspberry Pi issue with VLAN
-
I have just created a VLAN for IoT devices and things are working well, with the exception of a couple of Raspberry Pi 4s that don't seem to want to get an IP address via DHCP.
The same Pis work fine on a non-VLAN-tagged SSID, but when trying to move them over to a VLAN-tagged SSID, they never get an IP address (they default back to an internal 169.254.62.xx IP address dished out by the DHCP client). However, I have 31 ESP32/8266 devices on the same VLAN-tagged SSID running various ESPHome/Tuya/tasmota firmware that connect and get IPs from pfSense's DHCP server just fine.
I have 2 SSIDs/networks defined in my Netgear insight console, one tagged for IoT, one untagged for "normal" traffic. Both are using the associated VLAN in pfSense. Both are working and can access their respective DHCPs. Both allow normal traffic through pfSense (with isolation provided in the firewall).
Is there something special you need to do with a Pi to make it work on a VLAN tagged SSID? I've googled and found a few articles about VLANs on a Pi, but all of those seem to be setting up a multi-homed virtual adapter on the Pi directly.
Oh, and I checked both the AP's configuration AND pfSense, and neither has any ACLs that would prevent the Pis from getting/connecting to the respective wireless networks.
Any suggestions on where to look?
Thanks in advance!
Skippy -
I have never had an issue w RPI's on my tagged SSID's.
You should run some packet captures on "both ends", on the "Vlan".
pfSense has packet capture, raspi has wireshark or tcpdump. If you hadn't mentioned the tasmotas that get DHCP, I'd have said watch out for some DHCP (up/downstream) protection in either switch or AP (I know Ubi's have that).
But since the tasmotas get an IP, something must be working .... What does a PC (linux ??) say on that IOT Vlan?
/Bingo
-
I actually only have 1 tasmota device, the rest are all esphome. I do plan on replacing tasmota with esphome once I can figure everything out on the tasmota device. So, it will hopefully go away, soon.
I have switched both my laptop (Winders 11) and cell phone (android) to the tagged IoT vlan, and they both get an IP address successfully; I have an old laptop I can put some Debian on and see if that has any issues, too. That's what is confusing... most devices I've connected all get an IP address successfully the first time they connect, but these 3 headless Pi's simply refuse to get an IP on that same ssid. I just assumed that since I had so many fully working devices on the ssid, maybe it was a Pi issue that someone else might have discovered. These aren't anything weird... just 3 Pi 4's running octoprint.
I'll see if pfTop gives me any insight into what might be going on.
Thanks for the tip!
Oh, and if it helps ANY, here's some output from the Pi:
pi@octopi:~ $ wpa_cli -i wlan0 status
bssid=94:a6:7e:9d:6b:e2
freq=5320
ssid=cobbnet-iot
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=169.254.62.211
p2p_device_address=de:a6:32:12:54:62
address=dc:a6:32:12:54:62
uuid=00b6d800-1082-5b00-8ae9-7c9a30815a27
ieee80211ac=1
-
You should run tcpdump on your Raspi to see what is happening when you start a DHCP negotiation.
And also run a packet capture on the pfSense. You have the tools ... USE THE FORCE LUKE ....
-
SOLVED!
I have 2 APs... the 2nd one in the garage/shop area was actually the one my clients were trying to connect to; even though the primary in-house AP is the closest AP. I had missed adding a tag on the port the 2nd AP was connecting to pfSense from. Once I found that I had missed the tag and added it, everything is now getting IP addresses.
<facepalm>
Thanks for the tips! I actually learned quite a bit just using tcpdump and pfTop (like how to filter DHCP UDP traffic!!)
I owe you a virtual beer!
Cheers!
Skippy -
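Added example, not written by anyone in the thread: a small Python check over wpa_cli status output like the one posted above. It flags the 169.254.x.x fallback (associated, but no DHCP lease) and reports the BSSID, so the client can be matched to the AP and switch port it actually joined. The function names and the KNOWN_APS inventory are hypothetical.

```python
import ipaddress

# wpa_cli status fields taken from the output posted in the thread.
SAMPLE_STATUS = """\
bssid=94:a6:7e:9d:6b:e2
ssid=cobbnet-iot
wpa_state=COMPLETED
ip_address=169.254.62.211
"""

# Hypothetical inventory (BSSID -> AP label); the thread does not say which
# AP owns this BSSID, so the label is constructed.
KNOWN_APS = {"94:a6:7e:9d:6b:e2": "ap-2 (constructed label)"}


def parse_wpa_status(text):
    """Parse key=value lines from wpa_cli status, skipping malformed ones."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            status[key] = value
    return status


def diagnose(status, known_aps=None):
    """Report association state, serving AP, and whether DHCP failed."""
    bssid = status.get("bssid", "").lower()
    associated = status.get("wpa_state") == "COMPLETED"
    raw_ip = status.get("ip_address")
    if raw_ip is None:
        dhcp_failed = associated  # associated but no address at all
    else:
        try:
            # 169.254.0.0/16: the DHCP client gave up and self-assigned.
            dhcp_failed = ipaddress.ip_address(raw_ip).is_link_local
        except ValueError:
            dhcp_failed = True  # unparsable address
    return {
        "associated": associated,
        "bssid": bssid or None,
        "ap": (known_aps or {}).get(bssid, "unknown"),
        "dhcp_failed": dhcp_failed,
    }


if __name__ == "__main__":
    print(diagnose(parse_wpa_status(SAMPLE_STATUS), KNOWN_APS))
```

When a client is associated but DHCP has failed, the reported BSSID identifies which AP uplink port to check for the VLAN tag.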