Netgate Discussion Forum

    LAN plus VLANs: device gets IP from the wrong DHCP-server

      sgw @patient0

      @patient0 said in LAN plus VLANs: device gets IP from the wrong DHCP-server:

      And there is not much point in allowing all VLAN on Switch2p21 if it can't do VLANs.

      Correct. Turned that off now. For sure this doesn't explain the DHCP issue.

        sgw @sgw

        corrected a mistake:

        eno1 .. Switch2port13 .. is member of vmbr0 on the PVE

        it only transports tagged VLANs .. so it can't transport the untagged DHCP traffic from LAN2 also

        My try would be: connect PC as DHCP-client to switch1p20 (that's where the problems were reported first), let it get an address. Yesterday it pulled an IP in LAN2.

        Then remove the connection between Switch2 and Switch3, retry.

        We can only do that when we have announced some maintenance window (next week).

          sgw @sgw

          Just as a thought:

          I don't have these 2 boxes ticked on the pfSense interfaces:

          https://docs.netgate.com/pfsense/en/latest/interfaces/configure.html#reserved-networks

          And the firewall rules have this "allow * from/to everywhere" for LAN and LAN2.

          PCs should reach servers etc / but we don't want these DHCP-packages.

          Should I block port 67/68 on LAN2 interface?

            patient0 @sgw

            @sgw said in LAN plus VLANs: device gets IP from the wrong DHCP-server:

            I don't have these 2 boxes ticked on the pfSense interfaces:
            https://docs.netgate.com/pfsense/en/latest/interfaces/configure.html#reserved-networks

            No, as mentioned on the page it is usually used on WAN interfaces to block RFC1918 traffic.

            Should I block port 67/68 on LAN2 interface?

            I don't see why that would be necessary. If you read DHCP discovery you see that the client sends a DHCPDISCOVER to 255.255.255.255 which is limited to the broadcast domain (LAN1).
            I think it's best if you use Wireshark to sniff the traffic that you see on a port with PVID1 to check what DHCP traffic you see.

            Btw, I assume you have set that port on the switch to PVID1 and no VLANs allowed?

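As an added example (not part of the original posts), here is one way to evaluate the capture suggested above: parse each frame seen on the PVID 1 port and report which DHCP server answered and whether the frame arrived tagged. The function names and the sample addresses are constructed for illustration; real input would be raw Ethernet frames exported from the capture.

```python
import ipaddress, struct
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(frame: bytes):
    """Return VLAN tag, message type, offered IP and server ID of a DHCP frame, else None."""
    if len(frame) < 282:                         # Ethernet + IPv4 + UDP + BOOTP minimum
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:                      # 802.1Q tag: frame arrived tagged
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or frame[off + 9] != 17:   # IPv4 carrying UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} != {67, 68}:
        return None
    bootp = frame[udp + 8:]
    if bootp[236:240] != b"\x63\x82\x53\x63":    # DHCP magic cookie
        return None
    info = {"vlan": vlan, "yiaddr": str(ipaddress.IPv4Address(bootp[16:20])),
            "type": None, "server": None}
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:     # walk options until END
        if bootp[i] == 0:                        # PAD has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        val = bootp[i + 2:i + 2 + length]
        if code == 53 and val:                   # DHCP message type
            info["type"] = MSG.get(val[0], str(val[0]))
        elif code == 54 and len(val) == 4:       # server identifier
            info["server"] = str(ipaddress.IPv4Address(val))
        i += 2 + length
    return info

def unexpected_offers(frames, expected_server):
    """OFFER/ACK frames whose server identifier is not the expected LAN DHCP server."""
    hits = [p for p in map(parse_dhcp, frames) if p and p["type"] in ("OFFER", "ACK")]
    return [p for p in hits if p["server"] != expected_server]

def sample_offer(server, yiaddr, vlan=None):
    """Constructed test frame (checksums zeroed); addresses are made up."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    bootp = (b"\x02\x01\x06\x00" + bytes(12) + ip(yiaddr) + bytes(216)
             + b"\x63\x82\x53\x63" + b"\x35\x01\x02" + b"\x36\x04" + ip(server) + b"\xff")
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    iph = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + ip(server) + ip("255.255.255.255")
    tag = b"\x81\x00" + struct.pack("!H", vlan) if vlan is not None else b""
    return b"\xff" * 6 + b"\x02" + bytes(5) + tag + b"\x08\x00" + iph + udp
```

An entry with `vlan` set means a tagged frame reached the capture port, and an entry with a different `server` names the DHCP server that should not be answering in that broadcast domain.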
              sgw @patient0

              @patient0 said in LAN plus VLANs: device gets IP from the wrong DHCP-server:

              Btw, I assume you have set that port on the switch to PVID1 and no VLANs allowed?

              pls detail which port is meant here, thx

                patient0 @sgw

                @sgw I was referring to the port you put the client on which should get a LAN1 IP.

                  sgw @sgw

                  You talk about the access port for the PC? Yes, its PVID is 1 = LAN1 native. VLANs are allowed there per default, I assumed this wouldn't hurt as the PC should not talk tagged. But we will test that.

                    sgw @patient0

                    @patient0 said in LAN plus VLANs: device gets IP from the wrong DHCP-server:

                    I don't see why that would be necessary. If you read DHCP discovery you see that the client sends a DHCPDISCOVER to 255.255.255.255 which is limited to the broadcast domain (LAN1).
                    I think it's best if you use Wireshark to sniff the traffic that you see on a port with PVID1 to check what DHCP traffic you see.

                    Good to hear that my fw-rules aren't wrong in that way ... I run pfSenses with dozens of VLANs and interfaces in other sites and never had such an issue so far.

                      patient0 @sgw

                      @sgw said in LAN plus VLANs: device gets IP from the wrong DHCP-server:

                      I assumed this wouldn't hurt as the PC should not talk tagged. But we will test that.

                      It shouldn't, you're right. But to narrow it down it would help.

                      I do use a Unifi Switch and have clients on ports configured like yours (native VLAN 1 and allow all VLAN) and it works as expected.

                        sgw @patient0

                        @patient0 I don't know about that PC. But it's very unlikely that it's configured to understand VLAN 150. This VLAN comes from me and exists only on my systems (pfSense, switches, PVE).

                        But sure, I will take away the VLANs from that port at first.

                        thanks so far

                        I wrote an issue on the German Proxmox forum as well, to check my bridging setup on the PVE.

                        I link it here, maybe somebody is interested as well:
                        link

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.