Wrong assigned address



  • Hi,
    I've got a server with the LAN interface connected to the 192.168.4.0 network, and the OPT1 interface connected to the 192.168.44.0 network. Both interfaces have the DHCP server enabled, and both services have the right list of MAC addresses to which to assign one or the other address.
    Everything is fine except for a couple of Windows clients that, even if their MAC address is listed in the LAN map, are getting the OPT1 lease. In other words, clients mapped into the 4 network are getting addresses from the 44 one.
    I've tried checking the option "deny unknown hosts" on the service of the OPT1 interface, so as not to allow clients not listed in the mapping, but they are again getting the wrong network address. The LAN network, on the contrary, does not have that option checked.
    What am I doing wrong?



  • It's very strange; it seems as if clients are requesting a lease first on the OPT1 interface and then on the LAN one. This could be correct, but how can I exclude unknown clients (i.e., ones without a mapped MAC-IP) from getting a lease? I've checked "Deny unknown clients" in the OPT1 DHCP server options, but it does not work, and I cannot specify that the range for the DHCP on OPT1 should be null (i.e., only registered clients can get a lease).
    Any suggestion?



  • I found in the logs something that could help in understanding what is going wrong:

    kernel: arp: 192.168.44.180 is on rl0 but got reply from 00:17:f2:07:68:1b on nfe0

    rl0 is the network card attached to the 192.168.44.0 network, while nfe0 is the one on the 192.168.4.0 network. The message says that, even if the address is registered (mapped) on the network 192.168.44.0, the interface of the other network is going to reply to the DHCP request.
    Is there something I can do about this?
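    The kernel message quoted above is a signal a defender can alert on. As an added example (not code from the thread or from pfSense), the Python below parses FreeBSD/pfSense "arp: ... is on X but got reply from ... on Y" kernel lines and, given an assumed interface-to-subnet map, flags interface pairs that appear to share one broadcast domain, which is exactly the condition under which the wrong DHCP server answers. The log lines and the subnet map are constructed to match the poster's setup.

```python
import re
import ipaddress

# Constructed sample syslog lines in the FreeBSD "kernel: arp:" format seen in the thread.
SAMPLE_LOGS = [
    "Jan  1 10:00:01 fw kernel: arp: 192.168.44.180 is on rl0 but got reply from 00:17:f2:07:68:1b on nfe0",
    "Jan  1 10:00:02 fw kernel: arp: 192.168.4.25 is on nfe0 but got reply from 00:11:22:33:44:55 on rl0",
    "Jan  1 10:00:03 fw dhcpd: DHCPACK on 192.168.4.26 to 00:aa:bb:cc:dd:ee via nfe0",
]

# Assumed interface-to-subnet map, matching the poster's description (rl0 = 44 net, nfe0 = 4 net).
IFACE_SUBNETS = {
    "rl0": ipaddress.ip_network("192.168.44.0/24"),
    "nfe0": ipaddress.ip_network("192.168.4.0/24"),
}

ARP_RE = re.compile(
    r"kernel: arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<actual>\w+)",
    re.IGNORECASE,
)


def parse_arp_mismatch(line):
    """Return the fields of an ARP-mismatch kernel line, or None for any other line."""
    m = ARP_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "expected": m["expected"], "mac": m["mac"].lower(), "actual": m["actual"]}


def find_leaks(lines, iface_subnets):
    """Collect events where a host answered ARP on an interface whose subnet does not
    contain its IP: the signature of two ports (and two DHCP servers) on one broadcast domain."""
    leaks = []
    for line in lines:
        ev = parse_arp_mismatch(line)
        if ev is None:
            continue
        actual_net = iface_subnets.get(ev["actual"])
        if actual_net is None or ipaddress.ip_address(ev["ip"]) not in actual_net:
            leaks.append(ev)
    return leaks


def suspect_pairs(leaks):
    """Collapse leak events to the distinct interface pairs that appear to be bridged."""
    return sorted({tuple(sorted((e["expected"], e["actual"]))) for e in leaks})
```

    Feed it the output of `clog /var/log/system.log` (or any syslog export) and a non-empty `suspect_pairs` result is a strong hint that the cabling or VLAN membership needs checking before touching the DHCP settings.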



  • Did you plug two NICs into the same switch?
    If yes and you're actually running 2 DHCP servers on the same broadcast domain, you're just asking for trouble.
    Get another switch and separate your subnets.



  • Oops... yeah, I realized it after I posted the message: wrong VLAN configuration. Now it seems to work, having properly separated the switch ports.



  • If you're using a VLAN switch you could create a trunk to the pfSense and create tagged virtual interfaces on the pfSense.
    This way you could make sure that the traffic going to the switch certainly lands in the correct VLAN.



  • @GruensFroeschli:

    If you're using a VLAN switch you could create a trunk to the pfSense and create tagged virtual interfaces on the pfSense.

    Sorry, it is not clear to me what the benefits of this could be. Can you explain it to me better or point me to some documentation about it?



  • The benefit is that you need only one physical interface for as many interfaces as you need.
    You create as many VLANs as you need on this parent interface.
    Each VLAN appears on the pfSense as if it were a real interface.
    You then have only one cable to the switch.
    The VLAN configuration on the switch takes care that each VLAN interface can communicate only with the member ports of the same VLAN.

    IMO it's just clearer to have only one trunk to the pfSense and separate traffic via configuration, than putting in many NICs and connecting multiple cables.

    I'll have to search the forum for documentation/howtos.
    (writing currently from iPhone).



  • But using one interface on the firewall will physically limit the bandwidth for both VLANs, while having it managed through the switch plus two NICs will have better backplane speed, won't it? So I believe that, if possible, the solution with a separate NIC for each network will give better performance.



  • Depends.
    When I have such a setup I usually use a Netgear FS726T.
    They have 2 Gbit ports and 24 10/100 Mbit ports.
    Using a Gbit port to the pfSense leaves much bandwidth free for additional VLANs.
    But yes, if you're just connecting a single 100 Mbit port you will probably be better off with 2 interfaces.



  • Having difficulties getting the two networks working (see http://forum.pfsense.org/index.php/topic,24454.0.html), could it be better to have pfSense manage VLANs on a single NIC instead of two NICs? I have a switch with a gigabit port to use for the pfSense network card. In case I use pfSense to manage the VLANs, should I have the switch work in tagged or untagged mode?



  • When working with VLANs:

    • If you assign a VLAN on a parent interface, DON'T assign the interface itself.
      (i.e.: vlan100 on rl0, vlan200 on rl0, vlan300 on rl0, rl0 itself NOT assigned).

    • Traffic leaving the pfSense is always tagged.
      The switch should be appropriately configured
      -> accept only tagged traffic from the port going to the pfSense. Drop/block untagged traffic.
      Traffic going to the pfSense should be tagged as well.
      We don't assign the parent interface itself, so untagged traffic will be dropped on the pfSense side too.

    I don't see any problem with having VLANs on different parent interfaces.

