Want to answer a challenging question involving vlan multiple subnets and more?


  • Here is my setup:

    Internet -> 2012 Server w/ hyper-v hosting PFSense using its own two physical gigabit nics. Server itself has 4 nics in LAGG port1 -> Netgear GS728TP switch -> Rest of the network.

    Rest of the network -> Computers (VLAN 1 using 192.168.99.0/24)
    |
    -> Ubiquiti Unifi Wireless AP's (VLAN 1 and 6 using 192.168.99.0/24 and 192.168.100.0/24)

    PFSense virtual router LAN ip: 192.168.99.252
    Physical server ip: 192.168.99.2
    AP1: 192.168.99.4
    AP2: 192.168.99.5

Unfortunately this switch does not have an IP helper. I am trying to figure out how I can get VLAN6 users to get an IP address on a different subnet than the rest of the network. Can anyone help me achieve this? I have run out of ideas and am trying not to throw more money into this.

    Thanks.


  • Not sure that I fully understand your question, but in this scenario why not have the WAP provide DHCP in VLAN 6? (Your diagram doesn't specify if VLAN 6 also is present all the way back to pfSense?)


  • To my knowledge unifi devices cannot supply dhcp.

The switch does have proper ports setup with tagged and trunking.

    I am trying to get my waps to allow guests onto a different subnet than everyone else. The same waps allow legit users onto the main subnet as well.


  • It seems odd that a device that cannot provide DHCP itself is also unable to provide DHCP forwarding, but I guess that means you have no alternative to ensuring you have full layer 2 connectivity.

If I were troubleshooting this issue, I'd break it down into two separate issues. First, VLAN functionality, then DHCP. I would first verify that my wireless client configured with a static IP in VLAN 6 had full connectivity end to end. This would establish that the VLAN was in fact properly configured and operational for layer 2 and 3:
    Can pfSense and a VLAN 6 wifi client ping each other (through VLAN 6)?
    If not, can pfSense and the Unifi ping each other?
    If not, does taking the GS728TP out (putting Unifi straight into pfSense) allow pfSense and Unifi to ping each other?
    And so on down the line…

    Then I'd try to work out where the DHCP broadcasts were getting filtered/dropped starting with the pfSense logs...
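To make the "no IP helper" constraint from the first post and the "where do the DHCP broadcasts get dropped" question above concrete, here is an added example that is not code from this thread or from pfSense: a minimal DHCPv4 DISCOVER builder, parser and relay model following RFC 2131. It shows that a client's DISCOVER has giaddr set to 0.0.0.0 and is a link-local broadcast, so it only reaches a DHCP server that has an interface in the client's VLAN; an IP helper (relay agent) is what fills in giaddr and unicasts it across VLANs, and the server picks the scope from giaddr or, failing that, from the receiving interface. The addresses 192.168.99.252 and 192.168.100.252 are the pfSense addresses from the thread; the relay address 192.168.100.1, the scope table, the client MAC and the transaction id are constructed for the example.

```python
"""Minimal DHCPv4 DISCOVER builder, parser and relay model (RFC 2131).

Added example, not code from the thread or from pfSense. It models why a client
on VLAN 6 cannot get a lease from a server that only has a leg on VLAN 1 unless
either a relay agent (the "IP helper" the switch lacks) rewrites giaddr, or the
server itself gets an interface on VLAN 6.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

# Constructed scope table standing in for a server's per-subnet pools.
SCOPES = {
    "192.168.99.0/24": ("192.168.99.100", "192.168.99.200"),
    "192.168.100.0/24": ("192.168.100.100", "192.168.100.200"),
}


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER as a client sends it: all addresses zero, BROADCAST flag set."""
    fixed = struct.pack(
        BOOTP_FMT,
        1, 1, 6,        # op=BOOTREQUEST, htype=Ethernet, hlen=6
        0,              # hops: zero until a relay agent touches the packet
        xid, 0,         # transaction id, secs
        0x8000,         # flags: BROADCAST bit, client has no IP yet
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )
    options = b"\x35\x01\x01" + b"\xff"   # option 53 = DHCPDISCOVER, then END
    return fixed + MAGIC_COOKIE + options


def parse(pkt: bytes) -> dict:
    """Decode the fields that matter for VLAN/relay troubleshooting."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:      # walk TLV options until END
        if pkt[i] == 0:                         # PAD
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "broadcast_flag": bool(f[6] & 0x8000),
        "ciaddr": _ip(f[7]), "giaddr": _ip(f[10]),
        "chaddr": f[11][:f[2]].hex(":"),
        "msg_type": opts.get(53, b"\x00")[0],
    }


def reaches_server(pkt: bytes, client_vlan: int, server_vlans: set) -> bool:
    """giaddr 0.0.0.0 means a link-local broadcast: only a server with an
    interface in the client's VLAN hears it. Once a relay has set giaddr the
    message is routed unicast and VLAN membership no longer matters."""
    if parse(pkt)["giaddr"] != "0.0.0.0":
        return True
    return client_vlan in server_vlans


def relay(pkt: bytes, relay_ip: str, server_ip: str) -> tuple:
    """What an IP helper does (RFC 2131 section 4.1): set giaddr to its own address
    on the client's VLAN if still zero, bump hops, and unicast to the server."""
    p = bytearray(pkt)
    if parse(pkt)["giaddr"] == "0.0.0.0":
        p[24:28] = bytes(int(x) for x in relay_ip.split("."))   # giaddr at offset 24
    p[3] = min(p[3] + 1, 255)
    return bytes(p), server_ip


def server_select_scope(pkt: bytes, receiving_if_ip: str) -> str:
    """RFC 2131 section 4.3.1: choose the subnet from giaddr when a relay set it,
    otherwise from the interface the broadcast arrived on (/24s as in the thread)."""
    info = parse(pkt)
    anchor = info["giaddr"] if info["giaddr"] != "0.0.0.0" else receiving_if_ip
    net = ".".join(anchor.split(".")[:3]) + ".0/24"
    if net not in SCOPES:
        raise LookupError(f"no scope for {net}; client would get no offer")
    return net


def scenarios() -> dict:
    """Three ways a VLAN 6 client can (or cannot) be served; constructed inputs."""
    pkt = build_discover(bytes.fromhex("001122334455"), 0x1234)
    out = {}
    # 1. Server only on VLAN 1, no relay: the broadcast never leaves VLAN 6.
    out["no_relay_server_on_vlan1"] = reaches_server(pkt, 6, {1})
    # 2. A relay on VLAN 6 forwards the request; server scopes on giaddr.
    relayed, dst = relay(pkt, "192.168.100.1", "192.168.99.252")
    out["relayed"] = (dst, server_select_scope(relayed, "192.168.99.252"))
    # 3. Server given its own VLAN 6 interface (what the thread ends up doing).
    out["server_on_vlan6"] = (reaches_server(pkt, 6, {1, 6}),
                              server_select_scope(pkt, "192.168.100.252"))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the one the thread converges on: giving pfSense an interface in VLAN 6 makes the broadcast reachable without any relay, and the receiving-interface rule then hands out a 192.168.100.0/24 lease.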


  • That's a good idea. Right now I have one of my desktops on vlan 1 and 6 and it can ping the pfsense which is now a 2.2alpha install. It's still not getting dhcp though. Once I get back to my office in the next 30min I'll do what you said above.

The pfsense is now installed with a vlan adapter on vlan 6 using 192.168.100.252 and still has the lan adapter with IP of 192.168.99.252 and the desktop can ping both from its dhcp given IP of 192.168.99.102.


  • Ok well I took pfsense out of the equation and put a dd-wrt router in place of it. I am able to pass the 2nd subnet onto the devices on that VLAN, even though something with the ddwrt itself is preventing me from getting online…

    so it must be something with the configuration of my PFSense.

    Is it going to be possible to put a hyper-v PFSense with 2 adapters (WAN/LAN) into a situation such as this? To me it appears like that is not possible. A PHYSICAL pfsense with 2 adapters I'm sure is possible though.

    I tried creating two VLAN adapters off the hn0 to replace the hn0 LAN adapter and that completely broke the webgui access, so it looks like I'm having to start my pfsense over again.

I don't know what it is but for some reason Enabling virtual lan identification in the vm settings breaks all the adapters in the pfsense. I can enable it and it'll break, and then disable it instantly and it will work again.

    Simply put, I do not think vlans work period over hyper-v. I have been at this for 12 hours straight trying a TON of combinations. These are on Intel nics too.


Ok so it ended up that I was trying to do the impossible. Trying to get 2 virtual adapters to use 2 different VLANs. So I simply added a 3rd gigabit nic I had laying around (7 total now) and I simply put vlan 6 in that enable vlan id in the hyper-v and configured the proper firewall rules, and everything started working perfectly. Added blocking rules to separate the networks and it's working perfectly :)


  • @elementalwindx:

Ok so it ended up that I was trying to do the impossible. Trying to get 2 virtual adapters to use 2 different VLANs. So I simply added a 3rd gigabit nic I had laying around (7 total now) and I simply put vlan 6 in that enable vlan id in the hyper-v and configured the proper firewall rules, and everything started working perfectly. Added blocking rules to separate the networks and it's working perfectly :)

Those are very interesting findings. I've seen other issues caused by hypervisors' network implementations. It seems that virtual pfSense instances definitely face obstacles that bare metal does not.

    @elementalwindx:

    Ok well I took pfsense out of the equation and put a dd-wrt router in place of it.

Just curious, when you swapped in dd-wrt, was it also virtual or bare metal?


  • @MindfulCoyote:

    @elementalwindx:

Ok so it ended up that I was trying to do the impossible. Trying to get 2 virtual adapters to use 2 different VLANs. So I simply added a 3rd gigabit nic I had laying around (7 total now) and I simply put vlan 6 in that enable vlan id in the hyper-v and configured the proper firewall rules, and everything started working perfectly. Added blocking rules to separate the networks and it's working perfectly :)

Those are very interesting findings. I've seen other issues caused by hypervisors' network implementations. It seems that virtual pfSense instances definitely face obstacles that bare metal does not.

    @elementalwindx:

    Ok well I took pfsense out of the equation and put a dd-wrt router in place of it.

Just curious, when you swapped in dd-wrt, was it also virtual or bare metal?

    It was bare metal off a netgear router I had.

I'm now having issues of my pfsense 2.2 alpha pushing its own ssl cert onto my exchange clients. :/ Wish I could figure out how to stop that.