Can't get DHCP to assign a VLAN address to a client
-
I've got a home network with a pfSense box and a wireless AP. I'm trying to create multiple isolated subnets to partition clients on my wireless networks.
I've assigned 192.168.0.1/24 to my LAN network, 192.168.1.1/24 to my VLAN1 network, etc. I then added a firewall rule to VLAN1 to allow all traffic everywhere – just trying to get things working. I disabled DHCP on my LAN and enabled it only on VLAN1 for now. I reserved an IP in VLAN1 for my laptop and tried to acquire an IP address. It was unable to contact the DHCP server.
Am I missing something obvious, or am I just going about this completely wrong?
-
Sorry dude, crystal balls are sold out right before Christmas.
How shall we know your setup and how you hooked up all the equipment without you telling us?
-
VLAN1 is the default, untagged VLAN.
Try VLAN 2.
-
So does your switch support vlans? Does your AP support vlans?
You make no mention of doing any vlan config on your switch or your AP.
And you used the vlan id of 1 for your new vlan?? Yeah that would be a bad choice, how about 10 or 2 since, as Derelict said, vlan 1 is default.
-
Sorry dude, crystal balls are sold out right before Christmas.
How shall we know your setup and how you hooked up all the equipment without you telling us?

My apologies for not being specific enough. My router running pfSense is connected directly to the AP. All clients are connected wirelessly to the AP.

VLAN1 is the default, untagged VLAN.
Try VLAN 2.

Ooooh that's interesting. I'm away for the holidays but I'll try that when I get home on Saturday. Thanks.

So does your switch support vlans? Does your AP support vlans?
You make no mention of doing any vlan config on your switch or your AP.
And you used the vlan id of 1 for your new vlan?? Yeah that would be a bad choice, how about 10 or 2 since, as Derelict said, vlan 1 is default.

I don't have a switch. I don't know if my AP supports VLANs. As a relative networking novice, I don't understand why the AP would need to care about VLANs. Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?
-
I don't have a switch. I don't know if my AP supports VLANs. As a relative networking novice, I don't understand why the AP would need to care about VLANs. Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?

Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
Then come back if you still have questions.
-
I'm trying to create multiple isolated subnets to partition clients on my wireless networks.
I don't have a switch. I don't know if my AP supports VLANs.
…
Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?

Where do you expect the isolation to happen?
What you normally do looks like this physically:

pfSense --- switch --- AP --- WLAN --- clients

Logically it's this setup:

pfSense --- AP1 --- SSID1 --- client1
   |------- AP2 --- SSID2 --- client2

Everything between pfSense and clients is virtual
-
"I'm trying to create multiple isolated subnets to partition clients on my wireless networks."
"I don't know if my AP supports VLANs"

You need an AP that supports vlans - PERIOD!!!
What AP do you have? You can't just create some vlans and expect that to isolate wireless clients..
-
Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
Then come back if you still have questions.

Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients, e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

Where do you expect the isolation to happen?
What you normally do looks like this physically:

pfSense --- switch --- AP --- WLAN --- clients

Logically it's this setup:

pfSense --- AP1 --- SSID1 --- client1
   |------- AP2 --- SSID2 --- client2

Everything between pfSense and clients is virtual

I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP. If not, it responds that the address is unreachable.
-
Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
Then come back if you still have questions.

Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients, e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

You can use the firewall to block known clients from reaching the internet, but you cannot use the firewall to block traffic from one device on a subnet to another device on the same subnet. Such traffic never goes through the firewall. It's all same-subnet.

Where do you expect the isolation to happen?
What you normally do looks like this physically:

pfSense --- switch --- AP --- WLAN --- clients

Logically it's this setup:

pfSense --- AP1 --- SSID1 --- client1
   |------- AP2 --- SSID2 --- client2

Everything between pfSense and clients is virtual

I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP. If not, it responds that the address is unreachable.

Again, you will need multiple pfSense interfaces (physical or VLAN) in order to have pfSense determine whether to forward the traffic.
You usually have to tag VLANs to an AP for a single AP to broadcast multiple SSIDs on different broadcast domains. The traffic will arrive on your switch tagged with the VLAN ID and the switch will forward it to the proper pfSense interface.
-
I'm trying to create multiple isolated subnets to partition clients on my wireless networks.
I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP…
These are different setups with nearly opposite requirements.
Do you just want to block some hosts from reaching the internet or do you actually need isolated clients like "guest in their own WLAN"?
Everything Derelict and Johnpoz posted is absolutely correct if you need/want isolated hosts like guests on your WLAN.
-
Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients, e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

Necessary? It's the name of the game… This is by design, and I cannot think of a way of bringing all those VLANs back into one SSID without introducing a ton of potential misery. Even if it were possible, it would break any advantage you had by creating those VLANs.
For the record, this piece of your topic is all about Layer 2.

I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP. If not, it responds that the address is unreachable.

That is only possible if the device needs to address its gateway. In IPv4, all devices within the same subnet can freely communicate with each other (simplified explanation). It is when the destination address is outside the subnet (bound by the subnet mask) that it will forward the packet to its configured gateway (typically your router or firewall), and there you have control over what to do with that packet.
This part is all about Layer 3.

If you can: spend some time reading more on Layer 2 and Layer 3 stuff. It will broaden your knowledge and view.
ps: in case your firewall has sufficient ports and you are able to introduce a dumb switch, you could technically make "your ideal situation" happen: multiple subnets within the same broadcast domain, controlled by your firewall. There are several caveats, and it is not considered "good design", but it is possible. Also be prepared for a rather steep learning curve on L3.
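The Layer 2 / Layer 3 point made in this reply and in Derelict's earlier one (same-subnet traffic never reaches pfSense; only traffic a host sends to its gateway is subject to firewall rules) as an added example, not code from the thread, from pfSense, or from any poster. All addresses, the device-per-VLAN layout and the single ordered rule list are constructed simplifications of how pfSense evaluates per-interface rules.

```python
# Added example: model of the host's forwarding decision versus the firewall's
# rule check. Addresses and rules are constructed, not taken from the thread.
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple

# A rule is (source network, destination network, action); first match wins.
# "0.0.0.0/0" stands for "anywhere", i.e. the internet in the OP's wording.
Rule = Tuple[str, str, str]

def next_hop(src_iface: str, dst: str) -> str:
    """'direct' if dst lies inside the sender's own subnet (pure Layer 2: the
    host ARPs for it and the firewall never sees the frame), else 'gateway'."""
    return "direct" if ip_address(dst) in ip_interface(src_iface).network else "gateway"

def firewall_decision(rules: List[Rule], src: str, dst: str) -> str:
    """Evaluate ordered rules for routed traffic; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "block"

def can_reach(src_iface: str, dst: str, rules: List[Rule]) -> str:
    """Only traffic that is routed through pfSense is subject to the rules."""
    if next_hop(src_iface, dst) == "direct":
        return "allowed (same subnet, never reaches pfSense)"
    return firewall_decision(rules, str(ip_interface(src_iface).ip), dst)

# Constructed rule set for the one-VLAN-per-device-class design suggested above:
# computers on 192.168.1.0/24, printer on 192.168.2.0/24, lightbulbs on 192.168.3.0/24.
VLAN_RULES: List[Rule] = [
    ("192.168.1.0/24", "0.0.0.0/0", "pass"),        # computers may go anywhere
    ("192.168.2.0/24", "0.0.0.0/0", "block"),       # printer: no internet, no other VLANs
    ("192.168.3.0/24", "192.168.1.0/24", "block"),  # lightbulbs must not reach computers
    ("192.168.3.0/24", "0.0.0.0/0", "block"),       # ...nor the internet
]

def demo() -> Dict[str, str]:
    """The OP's flat /24 versus the split-VLAN layout, same rule set both times."""
    return {
        # Flat LAN: laptop and printer share 192.168.0.0/24, so the rules never apply
        "flat laptop->printer": can_reach("192.168.0.10/24", "192.168.0.20", VLAN_RULES),
        # Split VLANs: the same conversations now cross pfSense and hit the rules
        "vlan laptop->printer": can_reach("192.168.1.10/24", "192.168.2.20", VLAN_RULES),
        "vlan printer->internet": can_reach("192.168.2.20/24", "8.8.8.8", VLAN_RULES),
        "vlan bulb->bulb": can_reach("192.168.3.5/24", "192.168.3.6", VLAN_RULES),
        "vlan bulb->laptop": can_reach("192.168.3.5/24", "192.168.1.10", VLAN_RULES),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

Bulb-to-bulb traffic stays "allowed" even in the VLAN layout because both bulbs share a subnet, which is exactly the behaviour the replies above describe: no rule on pfSense can change it.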
-
You could assign the vlan per client based upon say radius auth, all under 1 ssid, but yeah good luck setting that up without even basic understanding to start with… ;)
You can set up client isolation for wireless clients.. If your switch supports private vlans you can set up isolation between your wired and wireless clients without your AP supporting vlans. Pfsense is going to have nothing to do with this.
If all you want to control is client A from talking to the internet, that is very easy with a simple firewall rule on pfsense.. But pfsense has NOTHING to do with clients talking to each other on the same network/vlan - only when you route the traffic does pfsense come into play, with the firewall rules deciding whether that traffic is allowed.
If you want to isolate clients with the firewall, then they need to be on different networks. You can split your wifi and your wired into different network segments, be it truly physically separate layer 2 or with vlans. But without vlan support on your AP you cannot say client 1 wifi is on a different one than client 2 wifi.. You could put them on different wifi networks altogether with different APs..
-
What is the model of your AP?