Cannot get DHCP functioning on 2nd Interface

Jedi2155 · May 13, 2024, 5:55 AM

I have PFsense installed on a MiniForums MS-01 (4x network ports). The WAN (2.5gbe igc0), LAN ports (10gbe / ixl0) are working fine, but when I try to setup another port (2.5gbe, igc1) as a separate network it won't give me a functional DHCP (tried both Kea & ISC backends).

I've watched several videos, setup the interface, dhcp server, and firewall rules but it won't work for some reason. Funny enough DHCP works on the SAME physical port where I configured a VLAN on it, but it DOES NOT work when I don't use a VLAN.....but it works if manually assign IP/DNS on the end device.

I've tried deleting all the VLAN's and interfaces except for WAN/LAN which are functioning as expected.
From what I can tell I've configured everything correctly, but I cannot get my 2nd interface which is connected to a Laptop to receive a proper DHCP address.
I've done some packet captures, which seems to indicate there is some broadcast of the DHCP server, but the laptop won't take it and switches to APIPA mode.

Longer discussion thread here, but I haven't been able to find a solution yet.
https://www.reddit.com/r/PFSENSE/comments/1cogj5m/cannot_get_dhcp_functioning_on_2nd_interface/

Gertjan · May 13, 2024, 7:21 AM

@Jedi2155 said in Cannot get DHCP functioning on 2nd Interface:

I configured a VLAN on it

which means you have also, on the other side of the wire**, a VLAN capable switch set up correctly.

** this wire is the LAN cable going to this switch, this wire transports the LAN, and VLAN packets

Can you show this (VLAN) static IP setup ? (and show that it has been set up with something bigger as /32, example /24)

And show the DHCP server setup of this (V)LAN interface, with the pool.

@Jedi2155 said in Cannot get DHCP functioning on 2nd Interface:

but when I try to setup another port (2.5gbe, igc1) as a separate network it won't give me a functional DHCP (tried both Kea & ISC backends).

Assign the interface :

Activate it, give it an IPv4 IP and mask :

Activate DHCP and add a pool :

Enjoy.

Do visit

and add some pass rules.
DHCP will work, but that's about it for now ^^

Jedi2155 · May 18, 2024, 2:42 AM

@Gertjan

Hi Gertjan, I have probably spent 10-15 hours over the past week and a half trying to get it up and running, but it's still not working. I've deleted all my VLANs and have tried to just get a simple laptop to try to get an DHCP address which I'm still unable to and recreated my interfaces several times, and I've also gone to /conf/config.xml to try to manually debug the interface but its still not working. I would post the code but it gets flagged as spam and i can't respond.

I'm starting to wonder if there is a BIOS/UEFI issue.

Gertjan · May 19, 2024, 2:19 AM

@Jedi2155

OPT3 = LAN2 right ?

Check on the console :

[24.03-RELEASE][root@pfSense.bhf.tld.tld]/root: ps ax | grep 'dhcpd -u'
 7029  -  Ss      0:11.34 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igc0 igc1 igc2

where I have "igc0 igc1 igc2" you should have "ixl0 igc1ixl1" = the interfaces on which dhcpd, the DHCP server daemon, is running.

I would stay away from VLAN as long as possible, and use VLANs only if basic networking is ok.

For DHCP to work on an interface like LAN2, not firewall rules whatsoever are needed as hidden DHCP pass rules will get inserted if you activate a DHCO server on an interface.
So, as soon as you hook up a device on LAN2, it should get a DHCP lease . yiu can check that by running

ipconfig /all

on that device.

Before hooking up, start a packet capture and hunt for DHCP traffic :

Select your interface igc1, traffic = UDP and port will be "67 68".

11:59:37.674838 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
11:59:38.677680 IP 192.168.2.1.67 > 192.168.2.37.68: UDP, length 363
11:59:39.748836 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
11:59:39.749441 IP 192.168.2.1.67 > 192.168.2.37.68: UDP, length 363

where the 192.168.2.x network is my igc1.

Look also at Status > System Logs > DHCP

Jedi2155 · May 19, 2024, 2:24 AM

@Gertjan

I did check my pfsense rules, and it does show the DHCP rules are enabled on port 67/68 based on /tmp/rules/.debug.
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

I ran wireshark packet capture on my laptop, which sends the broadcast, but receives nothing from the PFsense router.

Also here's the packet capture from the router, where it does receive the broadcast request from Laptop:

packetcapture-igc1-20240518192105.pcap

Jedi2155 · May 19, 2024, 2:27 AM

Funny thing here is that it makes the DHCP offer before it receives the broadcast from the Laptop.

Gertjan · May 20, 2024, 5:46 AM

@Jedi2155

That a discover first, and then an offer afterwards for me, which is the right sequence.
The transaction ID is the same, so, who send the discover, got a reply.

Jedi2155 · May 20, 2024, 10:56 AM

@Gertjan So any idea why my end device isn't getting any packets back? I've tried 3 laptops and a router, none of them gets a DHCP address, but it works if I manually assign a static IP. It also worked earlier if I assign a VLAN (getting DHCP).

Gertjan · May 20, 2024, 4:45 PM

@Jedi2155

What's between that 'device' and the pfSense LAN NIC ?
What happens when you connect the device by wire from the device NIC to the pfSense NIC ?
What was the device you were using to make the image :

as it saw the discover, broadcasted from the device, and the offer, send from pfSense.

Jedi2155 · May 20, 2024, 4:45 PM

@Gertjan

What's between that 'device' and the pfSense LAN NIC ?

Only a wire, the pfSense NIC a nd the device is directly connected

What happens when you connect the device by wire from the device NIC to the pfSense NIC ?

This is how it is currently connected.

What was the device you were using to make the image :

The image you replied to was captured using the built in pfSense packet capture utility which I saved as a pcap file and loaded into wireshark.
I've run a packet capture on the end device using wireshark, when there is only a single wire through but I never see any of the pfSense packets that is reported on the pfSense packet capture tool.

Jedi2155 · May 21, 2024, 4:14 PM

After 3 weeks of trying to solve this issue, I'm about to return my hardware appliance and get a UniFi if I can't figure this out, its my last week before my return window trying to get PFsense working....

Gertjan · May 21, 2024, 4:22 PM

@Jedi2155

Wait ...

You are having troubles with the 'second' network.
What happens when you make LAN this second network, and the second network LAN ?
If the issues follows the NIC, you might have a NIC that can receive but not send ?!

Jedi2155 · May 21, 2024, 4:33 PM

@Gertjan

I tried that a few weeks ago and it actually worked (DHCP and all). It has to be a configuration issue and I cannot figure it out for the life of me. As I said, the LAN connection works if I:

1 - Manually assign a static IP
2 - When I had a VLAN setup to this LAN and the end device, DHCP works perfectly!
3 - When I configure it as a simple LAN interface and I also tried bridging it, I cannot get it to work.

Primary LAN is a i226LM, secondary is a i226V

I've also double checked the BIOS settings (it's a Minisforum MS-01.
Last thing I'm going to try to backup my config, wipe everything and try to reconfigure it from scratch.

I presently only have PFsense installed (directly, no proxmod or virtualization yet) and I'm using this as a HomeLab eventually. Was dipping my hand into PFSense trying to do more control before return to a commercial solution.

Jedi2155 · Jul 9, 2024, 7:58 PM

@Gertjan

So I wiped the disk, and reinstalled from scratch, and before I did anything else, I configured the second LAN, and it worked.....I then reloaded my saved config I backed up prior to the wipe, and it was still working....

So something broke that wasn't related to my configuration and I have no idea what. So at this stage ( I had tried several attempts to reboot/reroot and lots of things, but something in the install broke basically).

Danyo · Jul 9, 2024, 7:58 PM

@Jedi2155 This is probably a bit late, but it might still help others out in the future:

If you have this issue, with the MS-01, it isn't your fault. It has to do the with I226-lm. It has intel Vpro on it, which for some reason messes with the DHCP leases. It's a known issue that's been around for a year or 2.

I was struggling with the same issue for a week or so until I stumbled upon an article that explained this in more detail.

On other systems you can turn off intel Vpro properly, but on the ms-01 it doesn't fix it for some reason.

Jedi2155 · Jul 10, 2024, 2:27 PM

@Danyo Thank you! I got it working now generally but it doesn't work in all cases and it depends on the end device. For example the i226-LM DHCP works with my Desktop which has an Intel NIC but it doesn't work if I plug it into my laptop (which doesn't have an Intel NIC), or my LG TV. This only applies to the i226-LM as you suggested but not the i226-V.

I'm wondering what within your research suggested issues with Vpro (which when I googled) is an umbrella term for dozens of features including several VM ones which are toggleable on the MS-01 BIOS. I have moved pfsense into a proxmox container so VM features are pretty useful even I don't know what they all do (yet).

Danyo · Jul 10, 2024, 3:25 PM

@Jedi2155 I found several topics about it, but the main reason for it is this:

https://www.asrockind.com/en-gb/index.php?route=newsblog/faq&faq_id=91

On asrock boards they have the option to fully turn the function off, which allows DHCP leases to work once again.

edit.: it's interesting that it does work with intel devices on the other end, I have only tried my laptop and TV, and neither work, I might give my desktop a try later see if that works. Or just cave in and use that connection for the WAN side.

thewho · Jul 22, 2024, 9:47 PM

@Danyo Where did you read about the Intel devices works? i have searching about everywhere to find more info about this problem.