Netgate Discussion Forum

    Can't get DHCP to assign a VLAN address to a client

    Routing and Multi WAN
    14 Posts 6 Posters 4.5k Views
    • ams2990

      I've got a home network with a pfSense box and a wireless AP. I'm trying to create multiple isolated subnets to partition clients on my wireless networks.

      I've assigned 192.168.0.1/24 to my LAN network, 192.168.1.1/24 to my VLAN1 network, etc. I then added a firewall rule to VLAN1 to allow all traffic everywhere – just trying to get things working. I disabled DHCP on my LAN and enabled it only on VLAN1 for now. I reserved an IP in VLAN1 for my laptop and tried to acquire an IP address. It was unable to contact the DHCP server.

      Am I missing something obvious, or am I just going about this completely wrong?

      • jahonix

        Sorry dude, crystal balls are sold out right before christmas.
        How shall we know your setup and how you hooked up all the equipment without you telling us?

        • Derelict LAYER 8 Netgate

          VLAN1 is the default, untagged VLAN.

          Try VLAN 2.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • johnpoz LAYER 8 Global Moderator

            So does your switch support vlans?  Does your AP support vlans?

            You make no mention of doing any vlan config on your switch or your AP.

            And you used the VLAN ID of 1 for your new VLAN?? Yeah, that would be a bad choice; how about 10 or 2, since, as Derelict said, VLAN 1 is the default.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

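Why Derelict's and johnpoz's advice to avoid VLAN 1 matters on the wire, shown as an added example that is not code from this thread, from pfSense or from FreeBSD: a small 802.1Q tag builder/parser, a trunk-egress step that sends the native VLAN untagged (the usual switch and AP behaviour), and a model of how a FreeBSD vlan(4) setup hands frames to the parent NIC or to a VLAN child. The interface names (igb1, igb1.2), the MAC addresses and the DHCP payload stub are constructed for illustration and do not come from the poster's configuration.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100        # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VID = 1             # assumption: the trunk's untagged (native) VLAN is 1, the usual default

# Constructed sample data: locally administered MACs and a stub standing in for the
# IP/UDP/DHCP Discover payload. Not captured from a real network.
LAPTOP_MAC = bytes.fromhex("020000000001")
BROADCAST_MAC = b"\xff" * 6
DHCP_DISCOVER_STUB = b"\x45" + b"\x00" * 27


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag (TPID + TCI) goes after the source MAC when vid is given."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (pcp << 13) | vid           # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into fields; vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": frame[:6], "src": frame[6:12], "vid": None, "pcp": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": frame[:6], "src": frame[6:12], "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def trunk_egress(frame: bytes, native_vid: int = NATIVE_VID) -> bytes:
    """What a switch/AP trunk port does on the way out: frames in the native VLAN leave untagged."""
    f = parse_frame(frame)
    if f["vid"] is None or f["vid"] != native_vid:
        return frame
    return build_frame(f["dst"], f["src"], f["payload"])   # strip the tag


def pfsense_receiver(frame: bytes, parent: str = "igb1",
                     vlan_children: Tuple[int, ...] = (2,)) -> str:
    """Model of FreeBSD vlan(4) input: untagged frames go to the parent NIC, tagged frames to the
    child with the matching VID, and tagged frames with no matching child are dropped.
    Interface names are illustrative, not a real pfSense configuration."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return parent
    return f"{parent}.{vid}" if vid in vlan_children else "dropped (no vlan child)"


def where_does_dhcp_go(client_tags_with: Optional[int]) -> str:
    """End to end: a DHCP Discover leaves the AP tagged or untagged, crosses the trunk, reaches pfSense."""
    frame = build_frame(BROADCAST_MAC, LAPTOP_MAC, DHCP_DISCOVER_STUB, vid=client_tags_with)
    return pfsense_receiver(trunk_egress(frame))


if __name__ == "__main__":
    for tag in (None, 1, 2, 3):
        print(f"DHCP Discover tagged {tag!s:>4}: arrives on {where_does_dhcp_go(tag)}")
```

The untagged Discover from an AP that knows nothing about VLANs lands on the parent LAN interface, where the poster had disabled DHCP. Even a frame deliberately tagged VID 1 is normally sent untagged, because 1 is the native VLAN, so a pfSense interface defined as VLAN 1 on that NIC never receives it. Tagging with 2 reaches the VLAN child; tagging with a VID that has no child is dropped rather than falling back to LAN.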
            • ams2990

              @jahonix:

              Sorry dude, crystal balls are sold out right before christmas.
              How shall we know your setup and how you hooked up all the equipment without you telling us?

              My apologies for not being specific enough. My router running pfSense is connected directly to the AP. All clients are connected wirelessly to the AP.

              @Derelict:

              VLAN1 is the default, untagged VLAN.

              Try VLAN 2.

              Ooooh that's interesting. I'm away for the holidays but I'll try that when I get home on Saturday. Thanks.

              @johnpoz:

              So does your switch support vlans?  Does your AP support vlans?

              You make no mention of doing any vlan config on your switch or your AP.

              And you used the VLAN ID of 1 for your new VLAN?? Yeah, that would be a bad choice; how about 10 or 2, since, as Derelict said, VLAN 1 is the default.

              I don't have a switch. I don't know if my AP supports VLANs. As a relative networking novice, I don't understand why the AP would need to care about VLANs. Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?

              • bennyc

                @ams2990:

                I don't have a switch. I don't know if my AP supports VLANs. As a relative networking novice, I don't understand why the AP would need to care about VLANs. Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?

                Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
                Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
                Then come back if you still have questions.

                4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                1x PC Engines APU2C4, 1x PC Engines APU1C4

                • jahonix

                  @ams2990:

                  I'm trying to create multiple isolated subnets to partition clients on my wireless networks.

                  @ams2990:

                  I don't have a switch. I don't know if my AP supports VLANs.
                  …
                  Isn't it just reading all packets from its wlan0 interface and writing them onto its eth0 interface?

                  Where do you expect the isolation to happen?

                  What you normally do looks like this physically:
                    pfSense --- switch --- AP --- WLAN --- clients

                  Logically it's this setup:
                    pfSense --- AP1 --- SSID1 --- client1
                      |---------- AP2 --- SSID2 --- client2
                  Everything between pfSense and clients is virtual

                  • johnpoz LAYER 8 Global Moderator

                    "I'm trying to create multiple isolated subnets to partition clients on my wireless networks."
                    "I don't know if my AP supports VLANs"

                    You need an AP that supports vlans - PERIOD!!!

                    What AP do you have?  You can't just create some VLANs and expect that to isolate wireless clients..

                    • ams2990

                      @bennyc:

                      Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
                      Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
                      Then come back if you still have questions.

                      Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients. e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

                      @jahonix:

                      Where do you expect the isolation to happen?

                      What you normally do looks like this physically:
                        pfSense --- switch --- AP --- WLAN --- clients

                      Logically it's this setup:
                        pfSense --- AP1 --- SSID1 --- client1
                          |---------- AP2 --- SSID2 --- client2
                      Everything between pfSense and clients is virtual

                      I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP.  If not, it responds that the address is unreachable.

                      • Derelict LAYER 8 Netgate

                        @ams2990:

                        @bennyc:

                        Ehm… I would suggest starting at the beginning. In an effort to explain in fewer than 20 words: VLANs also extend into wireless, where typically a VLAN (broadcast domain) equals an SSID (broadcast domain).
                        Read this: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/wireless_vlans.html
                        Then come back if you still have questions.

                        Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients. e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

                        You can use the firewall to block known clients from reaching the internet but you cannot use the firewall to block traffic from one device on a subnet to another device on the same subnet. Such traffic never goes through the firewall. It's all same-subnet.

                        @jahonix:

                        Where do you expect the isolation to happen?

                        What you normally do looks like this physically:
                          pfSense --- switch --- AP --- WLAN --- clients

                        Logically it's this setup:
                          pfSense --- AP1 --- SSID1 --- client1
                            |---------- AP2 --- SSID2 --- client2
                        Everything between pfSense and clients is virtual

                        I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP.  If not, it responds that the address is unreachable.

                        Again, you will need multiple pfSense interfaces (physical or VLAN) in order to have pfSense determine whether to forward the traffic.
                        You usually have to tag VLANs to an AP for a single AP to broadcast multiple SSIDs on different broadcast domains. The traffic will arrive on your switch tagged with the VLAN ID and the switch will forward it to the proper pfSense interface.

                        • jahonix

                          @ams2990:

                          I'm trying to create multiple isolated subnets to partition clients on my wireless networks.

                          @ams2990:

                          I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP…

                          These are different setups with nearly opposite requirements.

                          Do you just want to block some hosts from reaching the internet or do you actually need isolated clients like "guest in their own WLAN"?

                          Everything Derelict and Johnpoz posted is absolutely correct if you need/want isolated hosts like guests on your WLAN.

                          • bennyc

                            @ams2990:

                            Thanks, that was an interesting read. Is it necessary to have an SSID per VLAN? This seems to be a stronger level of isolation than I really want/need. I'm just looking to have access rules configured for a set of known wireless clients. e.g. my printer can't reach the internet, my lightbulbs can talk to each other but not my computers or the internet, etc.

                            Necessary? It's the name of the game… This is by design, and I cannot think of a way of bringing all those vlans back into one SSID without introducing a ton of potential misery. Even if it would be possible, it would break any advantage you had by creating those vlans.
                            For the record, this piece of your topic is all about Layer 2.

                            @ams2990:

                            I would like the isolation to happen on the router. In my ideal setup, all wireless clients talk to the AP, which forwards the packet to the router, which decides whether the communication is possible. If it is, it forwards the packet to the AP.  If not, it responds that the address is unreachable.

                            That is only possible if the device needs to address its gateway. In IPv4, all devices within the same subnet can freely communicate with each other (simplified explanation). It is when the destination address is outside the subnet (bound by the subnet mask) that it will forward the packet to its configured gateway (typically your router or firewall), and there you have control over what to do with that packet.
                            This part is all about Layer 3.

                            If you can: Spend some time on reading more on Layer 2 and Layer 3 stuff. It will broaden your knowledge and view.

                            ps: in case your firewall has sufficient ports and you are able to introduce a dumb switch, you could technically make "your ideal situation" happen: multiple subnets within the same broadcast domain, controlled by your firewall. There are several caveats, and it is not defined as "good design", but it is possible. Also be prepared for a rather steep learning curve on L3.

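The Layer 3 point Derelict and bennyc make above (same-subnet traffic never reaches the firewall; only traffic that a host sends to its gateway is subject to pfSense rules), worked through as an added example rather than code from the thread or from pfSense: a host-side forwarding decision using the subnet mask, a first-match rule evaluator with pfSense's default deny, and the poster's printer/lightbulb/PC scenario run once on a flat /24 and once with the bulbs moved to their own subnet. Host names, addresses, interface names (LAN, IOT) and the rules are constructed for illustration; 203.0.113.10 (TEST-NET-3) stands in for an internet destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefixlen: int
    gateway: str          # the pfSense address on this host's segment


@dataclass(frozen=True)
class Rule:
    """A pfSense-style interface rule: evaluated top-down on the arrival interface, first match wins."""
    iface: str            # e.g. "LAN" or "IOT"
    action: str           # "pass" or "block"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"


def segment_of(host: Host) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{host.ip}/{host.prefixlen}", strict=False)


def _matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def firewall_verdict(iface: str, src_ip: str, dst_ip: str, rules: List[Rule]) -> str:
    for r in rules:
        if r.iface == iface and _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action
    return "block"        # pfSense: anything not explicitly passed on the interface is dropped


def deliver(src: Host, dst_ip: str, iface_of: Dict[str, str], rules: List[Rule]) -> Tuple[str, bool]:
    """Return (how, allowed). 'direct' = destination is inside the sender's subnet, so the host
    ARPs for it and pfSense never sees the packet; 'routed' = sent to the gateway, where rules decide."""
    if ipaddress.ip_address(dst_ip) in segment_of(src):
        return "direct", True
    return "routed", firewall_verdict(iface_of[src.gateway], src.ip, dst_ip, rules) == "pass"


# Constructed sample network.
INTERNET = "203.0.113.10"
IFACE_OF = {"192.168.0.1": "LAN", "192.168.20.1": "IOT"}   # gateway address -> pfSense interface

# Flat layout: printer, bulb and PC all on one /24 behind LAN.
PRINTER = Host("printer", "192.168.0.20", 24, "192.168.0.1")
BULB_A = Host("bulb-a", "192.168.0.30", 24, "192.168.0.1")
PC = Host("pc", "192.168.0.40", 24, "192.168.0.1")
RULES_FLAT = [
    Rule("LAN", "block", "192.168.0.20/32", "any"),                  # printer may not leave the subnet
    Rule("LAN", "block", "192.168.0.30/32", "192.168.0.40/32"),      # intended: bulb must not reach PC
    Rule("LAN", "pass", "any", "any"),
]

# Segmented layout: bulbs on their own VLAN/subnet behind IOT, which has no pass rules at all.
BULB_A_IOT = Host("bulb-a", "192.168.20.30", 24, "192.168.20.1")
BULB_B_IOT = Host("bulb-b", "192.168.20.31", 24, "192.168.20.1")
RULES_SEGMENTED = [RULES_FLAT[0], RULES_FLAT[2]]                     # LAN rules only; IOT gets default deny


def demo() -> Dict[str, Tuple[str, bool]]:
    return {
        "printer->internet (flat)": deliver(PRINTER, INTERNET, IFACE_OF, RULES_FLAT),
        "bulb->pc (flat)": deliver(BULB_A, PC.ip, IFACE_OF, RULES_FLAT),
        "pc->internet (flat)": deliver(PC, INTERNET, IFACE_OF, RULES_FLAT),
        "bulb->pc (segmented)": deliver(BULB_A_IOT, PC.ip, IFACE_OF, RULES_SEGMENTED),
        "bulb->bulb (segmented)": deliver(BULB_A_IOT, BULB_B_IOT.ip, IFACE_OF, RULES_SEGMENTED),
        "bulb->internet (segmented)": deliver(BULB_A_IOT, INTERNET, IFACE_OF, RULES_SEGMENTED),
    }


if __name__ == "__main__":
    for label, (how, allowed) in demo().items():
        print(f"{label:28s} {how:7s} {'allowed' if allowed else 'blocked'}")
```

On the flat network the printer's internet access is blocked as intended, because that traffic is routed, but the bulb-to-PC block rule is dead weight: the bulb ARPs for the PC directly and the packet never touches pfSense. Once the bulbs sit on a different subnet, bulb-to-PC and bulb-to-internet are routed and fall to IOT's default deny, while bulb-to-bulb stays direct and works, which is exactly the access pattern the poster asked for.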
                            • johnpoz LAYER 8 Global Moderator

                              You could assign the VLAN per client based upon, say, RADIUS auth, all under one SSID, but yeah, good luck setting that up without even a basic understanding to start with… ;)

                              You can set up client isolation for wireless clients.. If your switch supports private VLANs you can set up isolation between your wired and wireless clients without your AP supporting VLANs.  pfSense is going to have nothing to do with this.

                              If all you want to control is client A talking to the internet, that is very easy with a simple firewall rule on pfSense..  But pfSense has NOTHING to do with clients talking to each other on the same network/VLAN - only when you route the traffic does pfSense come into play, with whether the firewall rules allow that traffic.

                              If you want to isolate clients with the firewall, then they need to be on different networks.  You can split your wifi and your wired into different network segments, be it truly physically different layer 2 or with VLANs.  But without VLAN support on your AP you cannot say client 1's wifi is on a different network than client 2's wifi..  You could put them on different wifi networks altogether with different APs..

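What johnpoz's "VLAN per client based upon RADIUS auth" looks like on the wire, as an added example that is not code from this thread, from pfSense or from any RADIUS server: the three RFC 2868 tunnel attributes a RADIUS server returns in an Access-Accept to put an 802.1X/WPA-Enterprise client into a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID as a string), and the parser an AP needs before it moves the client, including the RFC's rule that a leading byte above 0x1F is data rather than a tag. The VLAN ID 20 and the byte strings in the usage are constructed.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2868 attribute numbers and the values that mean "put this session in a VLAN".
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr: int, tag: int, value: int) -> bytes:
    # Tagged integer attribute: Type, Length, Tag, 3-byte value. Length counts every byte.
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr: int, tag: int, text: str) -> bytes:
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_assignment_avps(vid: int, tag: int = 0) -> bytes:
    """Attributes a RADIUS server places in an Access-Accept to steer the client into VLAN `vid`."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vid)))


def parse_avps(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting malformed lengths."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr}")
        out.append((attr, blob[i + 2:i + length]))
        i += length
    return out


def _strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is the first byte of the data.
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_access_accept(blob: bytes) -> Optional[int]:
    """Return the VLAN ID an AP would apply, or None when the triple is absent or inconsistent."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    found: Dict[int, bytes] = {attr: _strip_tag(val) for attr, val in parse_avps(blob) if attr in wanted}
    if len(found) != 3:
        return None
    if int.from_bytes(found[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None


if __name__ == "__main__":
    avps = vlan_assignment_avps(20)
    print(avps.hex(" "))
    print("AP would use VLAN", vlan_from_access_accept(avps))
```

The attributes only do anything if the AP implements dynamic VLAN assignment and carries that VLAN tagged on its uplink to the switch or pfSense; an AP without VLAN support ignores them and the client stays on the SSID's default VLAN, which is the same limitation johnpoz points out for static VLANs.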
                              • kesawi

                                What is the model of your AP?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.