pfsense unifi dhcp problem DHCPREQUEST / DHCPACK vs DHCPDISCOVER / DHCPOFFER

Lobanz

Weird problem. I have a couple of access points and they are configured with two different Unifi networks with different VLANs (VID 47 and 10). PCs, phones, etc are on 47. Only servers and other infrastructure components on 10.

WiFi DHCP on the 47 SSID works, but DHCP on the 10 SSID doesnt. Both work when a laptop is plugged into the same ports instead of the APs.

Here's the equipment:

AP -> switch port -> lagg0 -> pfsense

My Unifi controller (and all my servers) is on VLAN 10.

The pfSense has interfaces for the 47 and 10 VLANs with working DHCP servers on both -- works fine with a PC plugged into the switch port instead of the AP. But DHCP over WiFi only works for PC's and phones over the 47 VLAS SSID, but not 10. Traffic seems to be flowing fine over lagg0.

The switch ports are on a cisco SG-500 and the VLANs are:

AP port (trunk port):

47 tagged
10 untagged (PVID native)

Unifi Controller port (access port)

10 untagged (PVID native)

lagg0 trunk ports:

47 tagged
10 tagged
254 untagged

The main differences between 47 (working) and 10 (not working) is that 47 is tagged on the AP port and 10 is not.

Here's the pfSense DHCP logs of a failed DHCP on VLAN 10, and a successful DHCP on VLAN 47.

Aug 2 15:48:59	dhcpd	41631	DHCPACK on 192.168.47.102 to b2:e5:7a:f5:f6:7d (My-Phone) via lagg0.47
Aug 2 15:48:59	dhcpd	41631	DHCPREQUEST for 192.168.47.102 from b2:e5:7a:f5:f6:7d (My-Phone) via lagg0.47
Aug 2 15:48:59	dhcpd	41631	reuse_lease: lease age 1621 (secs) under 25% threshold, reply with unaltered, existing lease for 192.168.47.102
Aug 2 15:48:54	dhcpd	41631	DHCPOFFER on 192.168.10.108 to 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:54	dhcpd	41631	DHCPDISCOVER from 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:47	dhcpd	41631	DHCPOFFER on 192.168.10.108 to 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:47	dhcpd	41631	DHCPDISCOVER from 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:43	dhcpd	41631	DHCPOFFER on 192.168.10.108 to 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:43	dhcpd	41631	DHCPDISCOVER from 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:41	dhcpd	41631	DHCPOFFER on 192.168.10.108 to 82:3e:1b:78:60:1f (My-Phone) via lagg0.10
Aug 2 15:48:40	dhcpd	41631	DHCPDISCOVER from 82:3e:1b:78:60:1f via lagg0.10

Anybody else run into this?

Thanks!

--- Lobanz

johnpoz

@Lobanz first thing I would do to start troubleshooting this is git rid of the lagg..

Lobanz

More info.

I greated another SSID on vlan 200 (GUEST) and its get DHCP just fine.

Looks like it has something to do with vlan 10. It's the only vlan that has something plugged into a physical switch port. The others just flow through the LAGG to the pfsense router.

--- Lobanz

Lobanz

Even more info. Getting there. Looks like it has something to do with VLAN 10 being untagged

So, the APs are plugged into switch ports P1 and P2. The Unifi Controller is on P5.

Again, the VLANS are as follows:

10 - SERVERS
47 - CLIENTS
200 - GUEST
4000 - default VLAN

Inititally the VLANs were setup as follows (T is tagged, U is untagged aka "native" aka "PVID"):

P1, P2: 10U, 47T, 200T
P5: 10U

So I changed the switch port VLAN settings so that they are like this:

P1, P2: 10T, 47T, 200T, 4000U
P5: 10T, 47T, 200T, 4000U

So, in this configuration, the WiFi client DHCP worked on all the SSIDs coresponding to these VLANs! HOWEVER, the Unifi Controller couldn't see them.

I've always read that the APs and the Unifi Controller must be on the same native (untagged) VLAN. Seems to be true.

Do I really need to set up a separate VLAN just for the Unifi devices to get DHCP to work on the other VLANs?

--- Lobanz

johnpoz

@Lobanz the controller and AP can be on a tagged vlan.. They added this feature quite some time ago.

But yes controller and AP are untagged, mine currently are. And I also have a SSID that is untagged, and other SSIDs that are tagged. The untagged vlan is the same the AP and controller are on.

Actually I have 2 ssids that end up on the untagged network. One use psk, the other is eap-tls..

That wlan network is untagged, all the other networks are tagged..

Lobanz

@johnpoz Awesome!

Getting there!

So, essentiually, on the networks screen, the top section is UNTAGGED networks, and the "Virtual Networks" are the TAGGED networks. That helps!

So, then I made my PPD_SERVERS SSID point to the Default network (the same VLAN (10) where the Unifi Controller and the APs live) it started working. But if I define a WiFi SSID that is tagged for VLAN 10, it no werky.

So one more question:

Why can't I rename the "Default" network to something else?

Running Network Version 7.4.162. AP firmware 6.5.62.14788.

--- Lobanz

johnpoz

@Lobanz as to renaming it - hmmm.. Never looked into that. I named mine from the get go from what I can remember..

I am running 7.5.169 for controller. And 6.5.64 for firmware.

Ah -- you prob need to switch to the legacy interface to change the network name.

As to 10 not working when you tagged it - because it wasn't a tagged vlan.. On your switch ports..

Lobanz

@johnpoz said in pfsense unifi dhcp problem DHCPREQUEST / DHCPACK vs DHCPDISCOVER / DHCPOFFER:

Ah -- you prob need to switch to the legacy interface to change the network name.

Ha! Yes. I flipped back to legacy, made the change and then found my way back to the new interface. Now it's the way I want it. Thanks!

SOLVED!

--- Lobanz