DHCP Multi functions

  • It just came to me, is it possible to have the following:

    VLAN 10 - Static assign IP address to MAC address (basically DHCP is disabled)
    VLAN 20 - DHCP is enabled

    Would this setup work? I plan to use VLAN10 for the organization, VLAN20 is for the guest.

  • Yes (assuming a suitably configured VLAN-capable switch etc.)

  • On VLAN10 static-mapped network, I would still use the DHCP server, but allocate everything a static-mapped address. Then you can manage the addresses from pfSense. When you have static-mapped everything the first time, check the "Deny unknown clients" box. When I have networks like this and want to add a new static-mapped client, I uncheck "Deny unknown clients", plug in the new device, it gets an address from the DHCP pool, then I can see it in the GUI and easily add the static mapping. Then go back and check "Deny unknown clients" again.
    If I want to add an extra layer of protection against accidental DHCP pool use, I make an alias LAN_DHCP_Pool for the pool address range, then block traffic from that to everywhere except LAN address. That way if I accidentally leave the pool enabled, people only get an IP address, but can't get anywhere until they come and see the IT guy and get their device static-mapped.
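
The pool-isolation idea from the post above, as an added example that is not part of the original thread: a small audit that models the "pool may only reach LAN address" rule and flags leases showing that the pool is still handing out addresses. All addresses, MACs and the pool range are constructed sample values.

```python
import ipaddress

# Constructed sample values for VLAN 10 (assumptions, not from the thread).
LAN_ADDRESS = "192.168.10.1"  # pfSense interface address on VLAN 10
POOL_START, POOL_END = "192.168.10.200", "192.168.10.220"  # LAN_DHCP_Pool alias
STATIC_MAPPINGS = {  # MAC -> static-mapped address
    "00:11:22:33:44:55": "192.168.10.10",
    "00:11:22:33:44:66": "192.168.10.11",
}
LEASES = [  # (MAC, leased address) as seen in the DHCP leases view
    ("00:11:22:33:44:55", "192.168.10.10"),
    ("00:11:22:33:44:66", "192.168.10.11"),
    ("DE:AD:BE:EF:00:01", "192.168.10.205"),  # device that was never static-mapped
]


def in_pool(ip):
    """True if the address falls inside the LAN_DHCP_Pool range."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(POOL_START) <= addr <= ipaddress.ip_address(POOL_END)


def pool_rule_allows(src, dst):
    """Model of the described rule: traffic from the pool passes only to LAN address.
    Sources outside the pool are not matched by this rule, so it does not block them."""
    if not in_pool(src):
        return True
    return ipaddress.ip_address(dst) == ipaddress.ip_address(LAN_ADDRESS)


def audit_leases(leases, mappings):
    """Return (mac, ip, reason) findings that mean the pool is in use or misconfigured."""
    findings = []
    for mac, ip in leases:
        mac = mac.lower()
        if mac not in mappings:
            findings.append((mac, ip, "unknown client holds a lease"))
        elif mappings[mac] != ip:
            findings.append((mac, ip, "mapped client on unexpected address"))
    for mac, ip in mappings.items():
        if in_pool(ip):  # such a client would be caught by the block rule
            findings.append((mac, ip, "static mapping overlaps the pool"))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(LEASES, STATIC_MAPPINGS):
        print(finding)
```
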

  • Hi

    I've been scouring the forums, and this is exactly what I'm trying to set up - but I could use a couple of pointers please.

    I've configured the 2 VLANs, but I can't seem to find where I can set the appropriate IP addresses for each?
    Further - I don't seem to be able to find where you put the appropriate IP scope for each VLAN's DHCP service either?

    If I understand the principle correctly - the pfSense should be connected to a switch port which is "tagged" for both the VLANs that I want to use?

    If I've missed an obvious howto, or FAQ section, just point me at it - I have had a good search though :)


  • @dailand:

    I've configured the 2 VLANs, but I can't seem to find where I can set the appropriate IP addresses for each?

    On the Interfaces -> (assign) page you might see OPTx interfaces for the VLANs. If not, click the "+" below the interface list to add the VLAN interfaces to the pool of pfSense interfaces. They should get assigned an OPTx name (e.g. OPT2, OPT3 etc.). Then go to each of the Interfaces -> OPTx pages and specify the IP address for the VLAN interface.


    Further - I don't seem to be able to find where you put the appropriate IP scope for each VLAN's DHCP service either?

    Once the VLAN interface has been assigned a static IP address you can go to the Services -> DHCP Server page and click on the appropriate OPTx tab to specify the DHCP IP address range and other relevant parameters.

  • Thanks Bob!

    It was the "+" that I failed to notice - I'm well on the way to actually getting this to do what I want now, I think :)

  • OK, so with the help here - I've created 2 VLANs, assigned them under Interfaces, and set up their DHCP scopes.

    On my switch - I've configured port 1 (into which my pfSense LAN interface plugs) for untagged, as well as tagged for the 2 created VLANs (10 and 20).
    I've then configured port 2 on my switch as tagged for VLAN 10 only, and port 3 as tagged for VLAN 20 only; all other ports are set to untagged.

    My problem is that plugging my laptop into ports 2 or 3, I don't get a DHCP address.

    The LAN interface card on the pfSense is a new TP-Link TG-3469, which says it should support 802.1Q VLANs.

    Am I missing another essential step?

  • @dailand:

    On my switch -

    What brand and model switch? There doesn't seem to be standard nomenclature for VLAN parameters in switches.

    On my switch (HP Procurve 1700-8), port 1 would be a member of VLANs 10 and 20, port 2 a member of VLAN 10 and port 3 a member of VLAN 20.
    Port 1 would be a "trunk" port and ports 2 and 3 would add VLAN tags to packets on entering the switch and strip VLAN tags on packets leaving the switch (so systems connected to ports 2 and 3 need have no knowledge of VLAN tags). I suspect you might have configured your switch ports 2 and 3 to expect systems connected to them to use and understand VLAN tags.


  • My switch is a D-Link DGS-1210-48.

    I'll try and attach a screenshot of the VLAN config - thanks for the fast response :)

  • You should consult the manual for a more definitive explanation than my guess: Untagged ports means the switch doesn't send VLAN tags and doesn't expect to see VLAN tags on received frames on those ports, and Tagged ports means ports on which the switch includes VLAN tags on output and expects VLAN tags on input frames. Therefore I expect you should make port 1 Tagged on VLAN 10 and port 2 Untagged on VLAN 10.
