DHCP + VLAN



  • Gentlemen, I have configured the scenario shown in the image. Two VLANs represented at the switch, in my opinion correctly: tagged member of the interface which connects to pfSense, untagged member in the respective switch ports that belong to those VLANs. I use the corresponding standard (802.1Q) and the DHCP cannot assign IP addresses properly to VLAN 2; it provides the addresses assigned to VLAN 1. Any suggestions?



  • @falbertopl:

    the DHCP cannot assign IP addresses properly to VLAN 2; it provides the addresses assigned to VLAN 1. Any suggestions?

    I don't understand this. Do you mean DHCP on vlan 2 provides IP address from the range assigned to vlan 1?

    Can you provide an example or two from the pfSense DHCP log (see Status -> System Logs, click on the DHCP tab) showing the incorrect behaviour?



  • I have just spent hours working out how to get a Planet VLAN switch working and isolating the defined VLANs properly. Eventually I gave up using the preconfigured VLAN1 at all - if anything was on VLAN1 it seemed that the switch firmware somewhere insisted on sending at least the broadcast packets out all ports (I was getting answers from DHCP servers I didn't expect). There have been plenty of people on the forum recommending not to use VLAN1 for any real user ports, and now I am joining them :)
    I suspect that the ports you have defined in VLAN 2 on the switch, are also participating in VLAN1 (in at least some way) and happen to get the DHCP server on VLAN1 answer their DHCP request.
    Try using a different VLAN number.



  • @falbertopl:

    I use the corresponding standard (802.1Q)

    If you're using a Netgear switch, setting a port to "802.1Q" is not what you want. If I remember correctly, that is - my memory might be deceiving me, as every manufacturer appears to have different names for the same thing when it comes to VLANs. Erm…"Ingress Filtering: Enable" is, IIRC, the option which correctly tags incoming packets from an untagged port...I think.

    The 802.1Q/"Ingress Filtering: Disable" setting is for the trunk port (pfSense port) only, IIRC.


    Edit: it seems that even different models of Netgear switches have different nomenclature.


    Edit 2: it seems that I seriously got things up, somehow. Need to hook up my own Netgear GS108Tv2 to see what the configuration actually looks like.



  • If all of the above fails I would suggest breaking the problem down into smaller parts.
    1. VLAN setup. Can you ping your pfSense VLAN interface from a PC with a static IP on the same VLAN?
    2. DHCP setup. Fire up Wireshark on the same PC and look at what happens on the interface. Do you observe a correct DHCP packet exchange?
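    One way to check step 2 from a captured packet, as an added example that is not part of this thread: a small Python decoder for a DHCP OFFER (the UDP payload Wireshark shows) that reports whether the offered address and the server identifier fall inside the subnet intended for the VLAN. The packet bytes are constructed sample values and the 192.168.1.0/24 (VLAN 1) and 192.168.2.0/24 (VLAN 2) subnets are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_offer(yiaddr: str, server_id: str, netmask: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCP OFFER payload (BOOTP fixed header + options), sample values only."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,             # op=BOOTREPLY, ethernet, hlen 6
                        b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x02"                          # option 53: message type OFFER
               + b"\x36\x04" + _ip(server_id)           # option 54: server identifier
               + b"\x01\x04" + _ip(netmask)             # option 1: subnet mask
               + b"\xff")                               # end
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields worth checking when validating a VLAN's DHCP exchange."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _, _, _, xid = struct.unpack("!BBBBI", payload[:8])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": ipaddress.IPv4Address(payload[16:20]),
            "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
            "server_id": ipaddress.IPv4Address(opts[54]) if 54 in opts else None,
            "netmask": ipaddress.IPv4Address(opts[1]) if 1 in opts else None}


def offer_matches_vlan(payload: bytes, expected_net: str):
    """Return (ok, reason): does the offer belong to the subnet this VLAN should use?"""
    net = ipaddress.IPv4Network(expected_net)
    d = parse_dhcp(payload)
    if d["msg_type"] != "OFFER":
        return False, f"expected OFFER, got {d['msg_type']}"
    if d["yiaddr"] not in net:
        return False, f"offered {d['yiaddr']} is outside {net}: a server from another VLAN answered"
    if d["server_id"] is not None and d["server_id"] not in net:
        return False, f"server {d['server_id']} is not on {net}"
    return True, f"offer {d['yiaddr']} from {d['server_id']} fits {net}"
```

    Feed it the raw DHCP payload bytes exported from Wireshark for a client on VLAN 2; an OFFER whose address lands in the VLAN 1 range is the symptom described in the first post.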



  • I have not had time to take a sample of the traces of the system to post them here, but I will next week. Regards.



  • On a few of the cheaper switches I have used, a VLAN with an ID of 1 can only be set up as a native VLAN and cannot be tagged on any port that it is configured for. In your picture "VLAN 1" is set up as a tagged VLAN for pfSense. You did not mention what the VLAN ID of VLAN 1 is.

    I have had consistent results when creating trunks between pfSense and layer 2 devices when all the networks that pfSense needs to talk to are tagged and there is no traffic on the untagged VLAN.

    Some switches that I have come across can only bind their IP stack to the untagged-only VLAN with id=1, particularly some of the cheaper Dell switches. So I normally keep VLAN 1 exclusively dedicated to switch management traffic.

    If you want to communicate on a trunk between pfSense and a switch with both tagged and untagged traffic, then for the untagged traffic you will have to add the raw interface "re0" (just like you have re1). Then for the tagged traffic add a VLAN from the VLAN tab and make re0 the parent interface for that VLAN.

