Quick question on DHCP & VLANs
-
Is a DHCP server on a VLAN effectively quarantined from any clients not part of the VLAN?
I want to provide DHCP from a decommissioned router serving basically as a WAP. Between the WAP and all wired clients is a Procurve switch that will create and manage VLANs. If I put the WAP on its own VLAN and enable the DHCP server on it, will it leave my 100% static IP wired network alone? I tried this without VLANs and the DHCP server screwed up the whole network, including everything that had been given fixed IPs (I guess Windows just has a craving for DHCP and does everything possible to avoid using fixed IPs).
My understanding of VLANs is that they are invisible to one another (without trunking), which I hope makes the DHCP server incapable of interfering with my fixed-IP LAN. It may also help shield my stuff from the local WiFi users, who are web-behavior security risks. If there is a simpler or more effective way to do this, feel free to suggest it.
-
It depends on how your switch is configured. VLANs are normally separated from one another when defined independently on the same switch, unless the switch has routing set to allow traffic to cross the VLANs. You can certainly define VLANs which can't interact with one another and - in your case - prevent your DHCP server from affecting hosts on any other VLAN.
I don't know your setup or specific requirements, so whether this is the simplest or most straightforward way to approach your situation is open to debate. Based on what you've mentioned so far, VLANs would do the trick.
-
So you don't understand what a VLAN is then ;) By definition of what a VLAN is, DHCP would be isolated..
Now keep in mind you can't just go willy-nilly creating VLANs on pfSense and be plugged into a dumb switch… Your switching network has to understand VLANs and switches have to be set up to say what ports are in what VLANs, etc.
-
It depends on how your switch is configured. VLANs are normally separated from one another when defined independently on the same switch, unless the switch has routing set to allow traffic to cross the VLANs. You can certainly define VLANs which can't interact with one another and - in your case - prevent your DHCP server from affecting hosts on any other VLAN.
That's what I meant by "VLAN trunking" (terminology varies across manufacturers), which I don't intend to implement, as I want total isolation except for the shared WAN access.
So you don't understand what a VLAN is then ;) By definition of what a VLAN is, DHCP would be isolated..
Now keep in mind you can't just go willy-nilly creating VLANs on pfSense and be plugged into a dumb switch… Your switching network has to understand VLANs and switches have to be set up to say what ports are in what VLANs, etc.
My knowledge is very fragmented and 100% autodidactic, so I am at the mercy of well-written documentation, which is getting progressively scarcer in the tech world. My switch will create and manage the VLANs. The switch is an HP Procurve with a very robust feature set and management tools. I don't think I even need to tell pfSense what's going on downstream of it, do I?
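As an added illustration (not from this thread or from HP), a ProCurve-style VLAN configuration that keeps the WAP's DHCP broadcasts inside their own VLAN while the wired hosts stay on VLAN 1. The port numbers, VLAN IDs and names are assumptions: port 1 faces pfSense, ports 2-12 are the static wired hosts, port 24 is the old router acting as WAP.

```text
; Assumed layout (not the poster's real port map):
;   port 1     -> pfSense LAN interface (carries both VLANs tagged)
;   ports 2-12 -> wired hosts with fixed IPs (VLAN 1, untagged)
;   port 24    -> decommissioned router used as WAP (VLAN 20, untagged)
vlan 1
   name "WIRED"
   untagged 2-12
   tagged 1
   exit
vlan 20
   name "WIFI"
   untagged 24
   tagged 1
   exit
```

DHCP is broadcast traffic, so an offer from the WAP on port 24 is only forwarded to other VLAN 20 ports; pfSense only sees it if it has an 802.1Q VLAN 20 interface on the tagged uplink, which is also what gives the wireless VLAN its route to the WAN.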
-
The switch is an HP Procurve with a very robust feature set and management tools. I don't think I even need to tell pfSense what's going on downstream of it, do I?
All PFS needs is a default gateway out from its WAN interface and one or more internal interfaces (LAN/DMZ/LAN2, etc), depending on your requirements. If your question concerns the switch, then I can't comment as I know nothing about it and it's a little out of scope for this forum anyway.
-
Well, the VLAN trick didn't work. The only way I can get internet access on any wirelessly connected client is to assign them fixed IP addresses.
I've tried turning two different routers into WAPs, and both result in the same thing. With DHCP-assigned addresses on the wireless clients, I can get LAN access only. I can only get internet access from fixed IPs. This happens whether DHCP is served by pfSense, the WAP router, or disabled totally.
Any help?
-
Well you're not doing it correctly then… To turn your typical home wifi router into an AP... You connect it to your network via one of its LAN switch ports, turn off its DHCP server.. And most likely set its LAN IP to be on your network so you can admin the wifi from your network.
If you're getting DHCP from your old wifi router, then yeah it's going to be broken, since most of them point their LAN IP as your gateway, and many don't allow you to even change that.. So yeah not going to work as an AP if you let it hand out DHCP, or it's not really an AP and you're double NATing, etc..
In your typical home wifi router the wifi is bridged to the switch ports.. So both wifi and wired devices should get DHCP from the DHCP server you're running connected to its switch port, ie the pfSense DHCP server.
If you want wifi devices to be on different VLANs, then again you need a real AP that allows you to assign a VLAN to an SSID, and your switch needs to allow for VLANs as well and be correctly configured.
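The failure mode described in this reply (the old router answering DHCP and handing out its own LAN IP as the gateway) can be confirmed from the DHCPOFFER itself: option 54 names the server that answered and option 3 names the gateway it is pushing. The following is an added example, not code from the thread or from pfSense; the addresses are constructed, and `EXPECTED_GATEWAY` is assumed to be the pfSense LAN address.

```python
import struct
from ipaddress import IPv4Address

EXPECTED_GATEWAY = "192.168.1.1"        # assumed pfSense LAN address
AUTHORIZED_SERVERS = {"192.168.1.1"}    # only pfSense should answer DHCP
MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie after BOOTP header

def build_offer(server_ip, router_ip, yiaddr="192.168.1.50"):
    """Assemble a minimal constructed DHCPOFFER (BOOTP header + options)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x12345678, 0, 0,        # BOOTREPLY, ethernet
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (MAGIC
            + bytes([53, 1, 2])                                 # message type: OFFER
            + bytes([54, 4]) + IPv4Address(server_ip).packed    # server identifier
            + bytes([3, 4]) + IPv4Address(router_ip).packed     # router (gateway)
            + b"\xff")                                          # end option
    return hdr + opts

def parse_offer(pkt):
    """Return (msg_type, server_id, router) from a raw DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:          # walk TLV options to END
        if pkt[i] == 0:                             # PAD option has no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        fields[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = fields.get(53, b"\0")[0]
    server = str(IPv4Address(fields[54])) if 54 in fields else None
    router = str(IPv4Address(fields[3])) if 3 in fields else None
    return msg_type, server, router

def check_offer(pkt):
    """List why an OFFER would break clients: wrong server or wrong gateway."""
    msg_type, server, router = parse_offer(pkt)
    if msg_type != 2:                               # only OFFERs are judged
        return []
    problems = []
    if server not in AUTHORIZED_SERVERS:
        problems.append(f"rogue DHCP server {server}")
    if router != EXPECTED_GATEWAY:
        problems.append(f"offered gateway {router} is not {EXPECTED_GATEWAY}")
    return problems

if __name__ == "__main__":
    # The broken case from the thread: the old router answers and names itself.
    print(check_offer(build_offer("192.168.1.254", "192.168.1.254")))
```

On a live network the same parser can be fed the UDP payload of packets captured on port 68 to see which server is answering on a given VLAN.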
-
If you're getting DHCP from your old wifi router, then yeah it's going to be broken, since most of them point their LAN IP as your gateway, and many don't allow you to even change that.. So yeah not going to work as an AP if you let it hand out DHCP, or it's not really an AP and you're double NATing, etc..
To clarify, the AP(old router) will pass DHCP from pfSense when I have the internal DHCP disabled. Or it will hand out DHCP if I turn off pfSense's DHCP and turn on the AP's DHCP server.
I think you are getting at the crux, which is that the AP does not want to stop being a router and its own gateway (it has gateway capability because it is a Cradlepoint MBR1000 with WIMAX/3G/4G interfaces). However, it will allow me to create manual routing table entries. I'm not experienced in that area, but do you think there is a way to build a set of routing table rules that will force it to send all traffic through the pfSense box? n.b.- No wifi clients will require access to any other machine on the LAN; they just need to get through the LAN to get to the interwebs.