DHCP Leases with VLAN

  • Hi all !

    I noticed a couple of things, and would like to report them here / find out if this is the expected behaviour etc..!


    My LAN NIC has 2 VLANs "sharing" it
    LAN: 192.168.1.x
    VLAN100: 192.168.100.x
    VLAN200: 192.168.200.x

    I have a mobile device which has a MAC reservation at the DHCP server of VLAN100. The VLANs are actually wifi networks, so it is usual that the mobile device moves between the two wifi nets (and thus between the two VLANs).

    Connected to VLAN100, the mobile device will be given static "reserved" IP
    Connected to VLAN200, the mobile device will get any IP from the VLAN200 range according to the DHCP server

    This is all fine. However, I observe the following:

    1. When the mobile device connects to VLAN200, the DHCP leases page shows the device as "online" in both VLANs!

    2. All other devices connecting on either VLAN which take a DHCP lease (i.e. have no reservation) show in the DHCP leases page as "online". OK so far.. However, those devices which have a reserved DHCP IP never show as "online" in the DHCP leases page. They are listed as static, but never show online. (With the exception of the mobile device above!)


    Before I switched to having the VLANs (so in the days of a single LAN), the DHCP leases page did reflect the online status of the computers with DHCP reservations. So, am I right to conclude that VLAN (or multiple VLAN) is not fully DHCP compatible? Or should I be tweaking a setting or other?

    BTW: The gateway given out by the DHCP server is the default (so the VLAN router ip).. maybe they should be all set to the LAN router ip instead? Just a thought?

    Thank you for any advice !

  • This isn't VLAN related.

    A device is shown as "online" when its MAC is currently in the ARP-table.
    Since you connect the same device on two different subnets/VLANs, the static one will be shown as online because this MAC is in the ARP table from the dynamic lease.

    There is nothing really you can do, except maybe change the MAC of the device if you connect on the dynamic range.

  • Thanks for the reply.

    You prompted me to look at the ARP-table.

    I can see that the same MAC is listed (as expected - because it's the same physical NIC) for the LAN and both VLAN router IPs. But, should I manually change the 2 VLAN MACs so that they are unique (I can see the option to do that at the interfaces config), or does that not really matter?

    Also (and more worrying) I can see all the wifi devices now assume the mac address of the wifi bridge. I will need to check the bridge and switch configurations, but that might explain why all the other users with static reservations do not show online anymore! Although no-one has complained of lack of service in 2 weeks since the network upgrade, so maybe it does not affect usage, just security at the captive portal and logging?

  • I think you will have to be careful when considering MAC spoofing or changing of MAC addresses. I haven't tried the Wireless Bridge setup yet so I can't confirm the problem you have with it.


  • little update… the wireless part is solved :)

    I had one of the bridges in the wrong mode. I changed it to Transparent layer2 mode and now the client macs appear in the pfsense arp-table correctly !

    I am really glad I posted my original question- otherwise I might never have noticed that misconfiguration. Thank you GruensFroeschli!

    As for the mobile device showing up in the list twice, that is fine now I understand why. I am just happy it is not an error or problem.

    So now it's just the question of what to do with the interface that has the VLANs configured on it. Leave all 3 MACs the same, or change the MACs on the VLANs so that they are unique... I would be brave and try, but finding a quiet "wifi" moment could be tricky! That said, I suspect if it was vital then it would have been done by the pfsense config wizard, so perhaps I am best just to leave them as they are.
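
The two symptoms discussed so far (one MAC shown online on two VLANs, and reserved clients never shown online while a bridge hid their MACs) can be reproduced from an ARP dump. This is an added example, not part of the thread or of pfSense's code; the sample ARP lines, lease table, interface names and function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FreeBSD `arp -an` output; all values are made up.
ARP_OUTPUT = """\
? (192.168.1.1) at 02:00:00:00:00:fe on sis0 permanent [ethernet]
? (192.168.100.1) at 02:00:00:00:00:fe on vlan100 permanent [vlan]
? (192.168.200.1) at 02:00:00:00:00:fe on vlan200 permanent [vlan]
? (192.168.200.23) at 02:00:00:00:00:01 on vlan200 expires in 1100 seconds [vlan]
? (192.168.100.60) at 02:00:00:00:00:bb on vlan100 expires in 900 seconds [vlan]
? (192.168.100.61) at 02:00:00:00:00:bb on vlan100 expires in 870 seconds [vlan]
"""

# Constructed lease table: (ip, mac, type)
LEASES = [
    ("192.168.100.50", "02:00:00:00:00:01", "static"),   # phone, reserved on VLAN100
    ("192.168.200.23", "02:00:00:00:00:01", "dynamic"),  # same phone, now on VLAN200
    ("192.168.100.60", "02:00:00:00:00:02", "static"),   # laptop behind the wifi bridge
]

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)")

def parse_arp(text):
    """Return a list of (ip, mac, iface) tuples from `arp -an` style text."""
    return [(m["ip"], m["mac"], m["iface"]) for m in ARP_RE.finditer(text.lower())]

def online_by_mac(leases, arp):
    """Status as the thread describes it: online if the lease MAC is anywhere in ARP."""
    macs = {mac for _, mac, _ in arp}
    return {ip: mac in macs for ip, mac, _ in leases}

def online_by_ip_and_mac(leases, arp):
    """Stricter check: the ARP entry must match both the lease IP and the lease MAC."""
    pairs = {(ip, mac) for ip, mac, _ in arp}
    return {ip: (ip, mac) in pairs for ip, mac, _ in leases}

def shared_macs(arp):
    """MACs answering for several IPs on one interface (e.g. a bridge hiding clients)."""
    seen = defaultdict(set)
    for ip, mac, iface in arp:
        seen[(mac, iface)].add(ip)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    arp = parse_arp(ARP_OUTPUT)
    print(online_by_mac(LEASES, arp))
    print(online_by_ip_and_mac(LEASES, arp))
    print(shared_macs(arp))
```

The router's own MAC appears once per interface, so `shared_macs` does not flag it; only the bridge MAC, which answers for two client IPs on the same VLAN, is reported.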

  • Changing the MAC of the VLAN wouldn't help.
    I was referring to changing the MAC of the client dependent on which VLAN it is.

    Maybe with a script when the link comes up.
    Request an IP, detect in which subnet you are, release the IP, set the MAC and rerequest an IP.
    Well…. that's probably not realistic, but would solve the problem ^^"

    Something else:
    Currently you're running the VLANs and the untagged parent interface in parallel.
    In my experience it's not such a good idea to mix tagged and untagged traffic on the same physical interface.
    Especially if you're moving devices between the tagged and untagged subnet you can get very nasty stuff happening with frames being sent to the wrong place.
    The solution would be to move the LAN itself to a VLAN as well.

    sis0: not assigned
    vlan100 on sis0: LAN
    vlan101 on sis0: OPT1
    vlan102 on sis0: OPT2

  • I was referring to changing the MAC of the client dependent on which VLAN it is.

    Yeah, I understood it that way, and you are right it would solve it. However.. aside from the fact that my iPhone might not have that type of script capability ;D it really does not matter provided there is no potential error to be had. I never use the same device at the same time on both nets (of course!) so I am happy to see it listed twice now I understand why it happens.

    It's only for testing anyway- the reserved IP locks to an unrestricted bandwidth setting, and the other "unreserved" IP adopts the network-wide bandwidth limits (i.e. what the students get).

    I will try and find an early morning where I can experiment a little with the LAN / VLAN config as you suggest.
    Thanks again for your care and advice. All seems to be well now!

