Unable to get DHCP address over VLAN?
-
Hi,
I have a pfSense 2.1 device, that is connected to a switch (Linksys SRW2048), as well as to two WAN connections (ADSL2+ modems).
The LAN interface that connects to the switch is on 192.168.2.1/24, and DHCP serving 192.168.2.10 to 192.168.2.199.
This portion of the network seems to be working fine - wired clients can connect in fine, and get a DHCP address and access the internet.
I also have two Unifi wireless APs that I'm attempting to bring into the network.
I have configured a public SSID on these that is using VLAN tag 5.
The Unifi APs are plugged into a trunking port on the Linksys switch. The port connected to the pfSense is also trunking.
In pfSense, I have created a new VLAN tag that has the same parent interface as LAN (Interface, Assign, VLANs) called VLAN5PUBLICWIFI. I have then created a new interface that is assigned to this VLAN tag (Interfaces, Assign, Interface assignments). This interface has address 192.168.3.1/24.
I have then configured a DHCP Server for VLAN5PUBLICWIFI, that is serving address in the range 192.168.3.10 to 192.168.3.199.
I have also added a firewall rule to VLAN5PUBLICWIFI:
-
Proto is IPv4 *
-
Source is VLAN5PUBLICWIFI net
-
Port is *
-
Destination is *
-
Port is * net
-
Gateway is my Multi-WAN group
-
Queue is none
I seem to be having issues getting DHCP serving working - basically, nobody can connect to the Wifi network, because it seems to time out when trying to obtain an address.
Any thoughts on what we can do to fix this?
Cheers,
Victor -
-
It is generally recommended that tagged and untagged traffic NOT be mixed on FreeBSD/pfSense network interfaces. I have no idea if that is your problem.
I am unfamiliar with the capabilities of Unifi APs. Have you disabled DHCP server in them? Are they acting as bridges (in which case they should forward DHCP requests) or routers (in which case they probably don't forward DHCP requests)?
I suggest you plug a PC into the switch instead of a Unifi. Does DHCP work now? If not you now have a simpler problem to fix.Does the pfSense DHCP log (Diagnostic -> System Logs, click on DHCP tab) show a request from the PC? Does the pfSense firewall log report any DHCP traffic?
If DHCP does work, you now have a simpler problem (fewer possibilities) to fix.
-
Hi,
The Unifi AP is plugged into a trunk port on my switch.
The actual wifi AP itself seems to connect fine - it is visible on the LAN, and seems to get an address via DHCP.
AFAIK, the unit isn't a DHCP server, and should just forward them. There's more info here:
http://wiki.ubnt.com/UniFi_and_switch_VLAN_configuration
The issue is with the SSIDs and VLAN tagging - if I assign a VLAN tag to an SSID - the clients aren't able to get an address via DHCP.
However, if I remove that VLAN tag, and leave it untagged, they can get a DHCP address - however, they still can't access the internet.
Cheers,
Victor -
AFAIK, the unit isn't a DHCP server, and should just forward them. There's more info here:
http://wiki.ubnt.com/UniFi_and_switch_VLAN_configuration
The referenced document suggests the Unifi can be configured to forward DHCP requests.
The issue is with the SSIDs and VLAN tagging - if I assign a VLAN tag to an SSID - the clients aren't able to get an address via DHCP.
However, if I remove that VLAN tag, and leave it untagged, they can get a DHCP address - however, they still can't access the internet.
From which system do they get a DHCP address? And what is the address and network mask?
Please post the output of pfSense shell commands:```
/etc/rc.banner ; ifconfig -
Hi,
I tried connecting to the Unifi AP and setting a static IP address (192.168.3.5) that should be in the right range - still no luck, and I wasn't able to ping the pfSense VLAN interface (192.168.3.1).
Here is my banner:
/etc/rc.banner *** Welcome to pfSense 2.1-BETA1-pfSense (amd64) on pfSense *** WAN (wan) -> pppoe0 -> v4/PPPoE: 203.173.37.172/32 LAN (lan) -> em2 -> v4: 192.168.2.1/24 OPT1 (opt1) -> pppoe1 -> VLAN5PUBLICWIFI (opt2) -> em2_vlan5 -> v4: 192.168.3.1/24[2.1-BETA1]Here is my ifconfig:
ifconfig em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:30:18:ab:8a:57 inet6 fe80::230:18ff:feab:8a57%em0 prefixlen 64 scopeid 0x1 nd6 options=1 <performnud>media: Ethernet autoselect (100baseTX <full-duplex>) status: active em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:30:18:ab:8a:58 inet6 fe80::230:18ff:feab:8a58%em1 prefixlen 64 scopeid 0x2 nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>) status: active em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:30:18:aa:4d:b5 inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 inet6 fe80::230:18ff:feaa:4db5%em2 prefixlen 64 scopeid 0x3 inet6 fe80::1:1%em2 prefixlen 64 scopeid 0x3 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:30:18:aa:4d:b6 inet6 fe80::230:18ff:feaa:4db6%em3 prefixlen 64 scopeid 0x4 nd6 options=1 <performnud>media: Ethernet autoselect status: no carrier em4: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500 options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:30:18:aa:4d:b7 media: Ethernet autoselect status: no carrier enc0: flags=0<> metric 0 mtu 1536 pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128 syncok: 1 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33664 pppoe0: flags=88d1 <up,pointopoint,running,noarp,simplex,multicast>metric 0 mtu 1492 inet6 fe80::230:18ff:feab:8a57%pppoe0 prefixlen 64 scopeid 0xa inet 203.173.37.172 --> 203.215.17.248 netmask 0xffffffff nd6 options=3 <performnud,accept_rtadv>ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500 options=80000 <linkstate>inet6 fe80::230:18ff:feab:8a57%ovpns1 prefixlen 64 scopeid 0xc inet 192.168.4.1 --> 192.168.4.2 netmask 0xffffffff nd6 options=3 <performnud,accept_rtadv>Opened by PID 44809 em2_vlan5: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:30:18:aa:4d:b5 inet6 fe80::230:18ff:feab:8a57%em2_vlan5 prefixlen 64 scopeid 0xd inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255 inet6 fe80::1:1%em2_vlan5 prefixlen 64 scopeid 0xd nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 5 vlanpcp: 0 parent interface: em2 em2_vlan4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:30:18:aa:4d:b5 inet6 fe80::230:18ff:feab:8a57%em2_vlan4 prefixlen 64 scopeid 0xe nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 4 vlanpcp: 0 parent interface: em2 em2_vlan3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:30:18:aa:4d:b5 inet6 fe80::230:18ff:feab:8a57%em2_vlan3 prefixlen 64 scopeid 0xf nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 3 vlanpcp: 0 parent interface: em2 em2_vlan2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:30:18:aa:4d:b5 inet6 fe80::230:18ff:feab:8a57%em2_vlan2 prefixlen 64 scopeid 0x10 nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 2 vlanpcp: 0 parent interface: em2</full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></performnud,accept_rtadv></up,pointopoint,running,noarp,simplex,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></broadcast,simplex,multicast></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast>Also - I just checked - if I disable VLAN tagging on the Unifi Access Point, wireless clients can get an address via DHCP, and they do have internet access. So it just seems like the VLAN tagging or something is somehow causing issues in my pfSense setup…
I set one of my ports on the switch to tagged VLAN5 - I connect in via Ethernet cable - I am not able to get an address via DHCP, and if I also try to set a static address, I'm also not able to ping 192.168.3.1.
So it seems like my VLAN setup is broken?
I've attached my settings for:
-
Interface Assignments
-
VLANs
-
VLAN 5
-
DHCP for VLAN5
Any thoughts?
Cheers,
Victor
 -
-
You are mixing (VLAN) tagged traffic and untagged traffic on the same interface. That is not recommended.
Is your VLAN switch correctly configured? The port to pfSense should be a "trunk" port - that is the switch should not strip VLAN tags on output to this port and not add VLAN tags on input. The port should be a member of at least VLANs 5, 4, 3 and 2.
When the UniFi is "VLAN tagging", the switch port to which it is connected should also be a trunk port and a member of all the VLANs the UniFi could support.
What do you do to the switch when you enable/disable VLAN tagging in the UniFi?
-
Hi,
Hmm, I believe the switch (Linksys SRW2048) tags all untagged traffic with VLAN1 by default? Would there still be tagged and untagged traffic coming in on the interface on the pfSense box?
The pfSense box and the Unifi AP are both plugged into the Linksys switch - those two ports have been configured as trunks. My understanding was that this would be enough, and I don't need to explicitly make it a member of each VLAN.
I disable/enable VLAN tagging through the Unifi admin interface - this only applies to Wifi clients connected via that SSID. When I enable VLAN tagging of that SSID, no DHCP and can't seem to ping 192.168.3.1 - however, once I disable VLAN tagging of that SSID, it all works. I don't make any changes in the switch or pfSense configuration.
Cheers,
Victor -
The pfSense box and the Unifi AP are both plugged into the Linksys switch - those two ports have been configured as trunks. My understanding was that this would be enough, and I don't need to explicitly make it a member of each VLAN.
So how do you think your switch is going to decide which traffic to forward on a trunk port? Everything? Everything from a trunk port? If necessary read your switch manual to see if it provides an answer to this question.
I suggest you make the trunk port from the switch to pfSense a member of all the VLANs configured in the UniFi and retry your DHCP request then consult the pfSense DHCP server log (Status -> System Logs, DHCP tab) to see if the DHCP request was received and on the correct interface.