DHCP server for VLAN

hspindel · Dec 3, 2023, 1:44 AM

I'm trying to setup my first VLAN on a Netgate 8200 running pfSense+ 23.09.

Under Interfaces/Assignments/VLANs I added a new VLAN with parent interface igc0 (lan). I am not at all sure that that was the correct parent interface to use.

Under Interfaces/Assignments I added the new interface (it got assigned OPT8).

Under Interfaces/OPT8, I set a static IP and enabled the interface. I can then ping that static IP from my main subnet, so the VLAN seems to be setup correctly.

Under Services/DHCP server, there is a LAN tab only. I expected to see a tab for OPT8. There is none, so I can't find a way to configure a DHCP server for devices on the VLAN. Reading guides on the web indicates that there should be a tab for OPT8.

This is with Kea DHCP.

How do I setup a DHCP server for the VLAN?

Thank you.

hspindel · Dec 3, 2023, 6:29 AM

@hspindel
Never mind. I stumbled on the solution, which I'll document here.

In the static IP setting for OPT8, the subnet mask can't be 32. I've set it to 24. Then OPT8 shows up in the DHCP server.

This is very counterintuitive, as I would expect this setting to be the exact IP needed for OPT8. It was 192.168.5.250/32 and I changed it to 192.168.5.250/24. I would have expected a /24 to mean the 250 was ignored. But somehow the 250 is recognized and ping 192.168.5.250 works.

If anyone can comment on why it works this way, I'd appreciate it.

johnpoz · Dec 3, 2023, 12:02 PM

@hspindel said in DHCP server for VLAN:

Under Services/DHCP server, there is a LAN tab only. I expected to see a tab for OPT8. There is none

A /32 or 255.255.255.255 is just that IP, there is no IPs available to be able to provide any sized dhcp scope, so no the ability to enabled dhcp would not be available until you set a mask with IPs available to use for dhcp.

sic0048 · Dec 4, 2023, 9:25 PM

This might help you understand subnet sizes. Subnet Cheat Sheet

As noted, a /32 subnet size has just one useable IP address, so there is no need for a DHCP server.

hspindel · Dec 4, 2023, 9:50 PM

@sic0048
While I appreciate you taking the time to answer, I have no problems understanding subnet masks.

My point is that the way pfSense uses the subnet mask when identifying the IP address of an interface is nonsensical. The IP address specified is a full /32 address, but the mask is /24.

johnpoz · Dec 5, 2023, 12:46 AM

@hspindel said in DHCP server for VLAN:

identifying the IP address of an interface is nonsensical.

If you set the mask to /32 then how would it talk to anything? On any device when you set the IP you set the mask, this tells it the network its attached to..

So clearly you do not actually understand what a subnet mask is and how it is used..

Your not setting a loopback address, your setting the firewalls interface IP and what network it is attached too.

hspindel · Dec 5, 2023, 1:56 AM

@johnpoz

Don't tell me I don't understand subnets.

You're completely missing the point.

The pfSense Interface definition wants the user to specify the IP address of the interface, but uses it in a (to be charitable) confusing way.

To give you an example:

The Interface IP is 192.168.1.250. This is a /32, or it wouldn't work, The Interface has to have a /32 address.

The pfSense GUI wants me to specify it as 192.168.1.250/24 in order for DHCP to work. But /24 is a subnet address, not an endpoint address. The /24 indicates that the 250 is not meaningful. Yet pfSense uses the 250 in assigning the Interface IP.

A GUI that made sense would have a /32 for the Interface IP, and a /24 for the subnet. pfSense combines these in a nonsensical way.

johnpoz · Dec 5, 2023, 2:01 AM

@hspindel said in DHCP server for VLAN:

(to be charitable) confusing way.

Sorry but you must be the only person on the planet that can't understand that you set the mask there.. NO it wouldn't be 32.. Its not going to work if you set that, because then there is no network - just the host address.

I highly suggest you re look into what a mask actually is, cuz clearly no matter how much you say you understand, clearly you don't

@hspindel said in DHCP server for VLAN:

A GUI that made sense would have a /32 for the Interface IP, and a /24 for the subnet

Sorry but that is just stupid and wouldn't make any sense.. Yes an IP address is 32 bits, but you don't need to call it out.. It is a given that the ip is 32 bits, your setting the mask on the network your connecting to..

What you are suggesting is nonsense.. Sorry you can not comprehend the use of a mask when you set an IP.. But if you insist on setting that to 32, your not going to be able to run a dhcp server, nor are you going to be able to talk to anything.

sic0048 · Dec 5, 2023, 4:02 AM

@hspindel said in DHCP server for VLAN:

@sic0048
While I appreciate you taking the time to answer, I have no problems understanding subnet masks.

My point is that the way pfSense uses the subnet mask when identifying the IP address of an interface is nonsensical. The IP address specified is a full /32 address, but the mask is /24.

Clearly you don't understand subnet masks. You don't use subnet masks to identify a particular IP address (or range of IP addresses) in a subnet. You use subnet masks to indicate how large the entire subnet is - ie how many total ip addresses are in that particular subnet.

So a subnet mask of /32 doesn't mean you are identifying a single ip address in a larger subnet. A subnet mask of /32 indicates the entire subnet has just a single ip address. Whereas a subnet mask of /24 indicates the entire subnet has 256 IP addresses.

Jarhead · Dec 5, 2023, 7:51 PM

@hspindel said in DHCP server for VLAN:

@johnpoz

Don't tell me I don't understand subnets.

You're completely missing the point.

The pfSense Interface definition wants the user to specify the IP address of the interface, but uses it in a (to be charitable) confusing way.

To give you an example:

The Interface IP is 192.168.1.250. This is a /32, or it wouldn't work, The Interface has to have a /32 address.

The pfSense GUI wants me to specify it as 192.168.1.250/24 in order for DHCP to work. But /24 is a subnet address, not an endpoint address. The /24 indicates that the 250 is not meaningful. Yet pfSense uses the 250 in assigning the Interface IP.

A GUI that made sense would have a /32 for the Interface IP, and a /24 for the subnet. pfSense combines these in a nonsensical way.

When you set the IP on a PC, do you give it a /32 or the actual subnet mask of the network?
Why would this be any different?

Get it?

johnpoz · Dec 5, 2023, 7:58 PM

@Jarhead exactly - an IP is always 32 bits in length, it can be nothing other than that.. if wouldn't be a IP if wasn't - that you would have to call out that hey this IP is 32 bits makes zero sense..

In 30 some years working in IT, even before there was IPs.. Have never seen anything that would require you to call out that your IP address you is 32 bits, because well its a given that it is.. When you set the mask your setting what network this IP is on.