Two VLANs, same DHCP



  • Is it possible to have one pfSense DHCP server for 2 VLANs? If yes, how?

    My scenario: I have native VLAN for wired connections and VLAN 10 for WiFi (via Ubiquiti UniFi APs). I would like to have one pfSense DHCP server for wired (native VLAN) and WiFi (VLAN 10) connections. Wired and WiFi connections are part of same LAN network.
    At the moment I am using the native VLAN for both connections. But I have a problem, because I can't block access to the local server for some PCs connecting via WiFi.
    My setup: ISP's modem <-> pfSense <-> managed switch. On the switch I have connected 2 UniFi APs, server, PCs… I have a problem with some PCs connecting via WiFi, for which I would like to block access to the local server.



  • If you want one DHCP server to operate across two VLANs, why have VLANs at all? If the wired and wifi networks can see each other anyway, just subnet your PFS LAN connection so it can see both and run your DHCP server from there. Otherwise, you can segment the LAN off into two VLANs by defining two separate virtual LAN connections and run separate DHCP instances from within each VLAN.



  • I want to limit access to the local server for some PCs that are connecting via WiFi. In the current setup I can't control local access to the server, because the APs and the server are connected to the switch and traffic doesn't pass over pfSense but just over the switch.
    If I could set up a VLAN for the WiFi APs, all traffic from PCs connecting via WiFi would get to pfSense and from there back to the local network, and I could control access to the server. But in the end I need the wired and WiFi networks as one local network (PCs must see each other) on the same DHCP.


  • LAYER 8 Netgate

    Nope. Your router has no way to block same-subnet traffic. The router isn't involved in traffic between members of the same subnet.

    You probably want separate SSIDs.

    Tag one to a different VLAN - a completely different pfSense interface and DHCP server plus firewall rules governing traffic from this VLAN to your LAN.

    Tag the other to the same VLAN as your LAN, which I guess is the untagged default VLAN.

    What wireless users can access depends on what network they join.
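The design Derelict describes above, rendered on a plain Linux router as an added example (this is not pfSense configuration and not code from the thread): the WiFi SSID is tagged to VLAN 10, which becomes its own router interface with its own DHCP scope, and forward rules on the router decide what VLAN 10 clients may reach on the LAN. The interface names (eth1, eth1.10), subnets, the server address 192.168.1.20, and the dnsmasq/nftables rendering are all assumptions. The script prints the pieces rather than applying them, so it can be read and tested without root.

```shell
#!/bin/sh
# Added example, not from the thread: WiFi on its own VLAN/interface/scope,
# with the router filtering VLAN 10 -> LAN. All names and addresses are assumed.

LAN_IF="eth1"                    # untagged LAN: wired PCs and the server
VLAN_ID=10
VLAN_IF="${LAN_IF}.${VLAN_ID}"   # eth1.10: the SSID tagged to VLAN 10
LAN_NET="192.168.1.0/24"
VLAN_NET="192.168.10.0/24"
SERVER_IP="192.168.1.20"         # assumed address of the local server

# Commands that would create the tagged sub-interface (printed, not executed).
vlan_interface_commands() {
    cat <<EOF
ip link add link ${LAN_IF} name ${VLAN_IF} type vlan id ${VLAN_ID}
ip addr add 192.168.10.1/24 dev ${VLAN_IF}
ip link set ${VLAN_IF} up
EOF
}

# One dnsmasq instance, two scopes. dnsmasq tags each request with the name of
# the interface it arrived on, so the scope is chosen by interface: this is why
# "one DHCP server" still means one scope per VLAN.
dhcp_config() {
    cat <<EOF
interface=${LAN_IF}
interface=${VLAN_IF}
dhcp-range=tag:${LAN_IF},192.168.1.100,192.168.1.199,12h
dhcp-range=tag:${VLAN_IF},192.168.10.100,192.168.10.199,12h
dhcp-option=tag:${VLAN_IF},option:router,192.168.10.1
EOF
}

# Forward chain: the router only sees VLAN 10 <-> LAN traffic because they are
# different subnets. Wired PC -> server stays on the switch and never gets here,
# which is Derelict's point about same-subnet traffic.
firewall_rules() {
    cat <<EOF
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "${VLAN_IF}" oifname "${LAN_IF}" ip daddr ${SERVER_IP} drop
    iifname "${VLAN_IF}" oifname "${LAN_IF}" ip daddr ${LAN_NET} accept
    iifname "${LAN_IF}" oifname "${VLAN_IF}" ip daddr ${VLAN_NET} accept
  }
}
EOF
}

# Small model of the forward chain above for a new (non-established) flow.
# Usage: forward_decision <in-iface> <out-iface> <dst-ip>  -> prints accept|drop
forward_decision() {
    in_if=$1; out_if=$2; daddr=$3
    case "${in_if},${out_if},${daddr}" in
        "${VLAN_IF},${LAN_IF},${SERVER_IP}") echo drop ;;     # WiFi -> server blocked
        "${VLAN_IF},${LAN_IF},192.168.1."*)  echo accept ;;   # WiFi -> rest of LAN
        "${LAN_IF},${VLAN_IF},192.168.10."*) echo accept ;;   # LAN -> WiFi
        *) echo drop ;;                                       # chain policy
    esac
}

main() {
    echo "# VLAN sub-interface"; vlan_interface_commands
    echo "# dnsmasq"; dhcp_config
    echo "# nftables"; firewall_rules
    echo "# WiFi client -> server: $(forward_decision "$VLAN_IF" "$LAN_IF" "$SERVER_IP")"
}

main "$@"
```

Because the two scopes sit on different subnets, a wired PC and a WiFi PC can still reach each other, but only through the router, where the forward chain is enforced; that is the trade the original poster has to accept to get any control over WiFi-to-server access.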



  • I know Windows DHCP Server can serve multiple VLANs once configured properly. The switch or router needs to forward or relay the DHCP requests to the server.

    If pfSense's DHCP server can respond to dhcp relay requests, then I don't see why not.


  • LAYER 8 Netgate

    I have no idea what you're trying to do.

    No. pfSense's DHCP does not currently support requests for multiple scopes coming in on one interface from relays/helpers.



  • @Derelict:

    I have no idea what you're trying to do.

    +1
    this is totally unclear to me too.
    Although I understand the underlying idea, I don't understand why such design would be the one deployed…

    No. pfSense's DHCP does not currently support requests for multiple scopes coming in on one interface from relays/helpers.

    … especially because it doesn't work ::)


  • LAYER 8 Global Moderator

    "Wired and WiFi connections are part of same LAN network."

    Huh?? Thought you said wifi was vlan 10? I think you're not understanding what a vlan actually is.. Or for sure not explaining what you're wanting to accomplish, that is for sure.

