Clients not getting IP address from DHCP in DMZ



  • The problem is that wireless clients that are supposed to be getting an IP address from the DMZ DHCP server are getting an address from the LAN DHCP server.

    Here is my setup. I have two NICs on the server and am running 2.2.6 on VMware. Vmnet0 is bridged to WAN and vmnet1 is bridged to LAN (192.168.1.x).

    I wanted to create a DMZ for webcams connecting via an AP (DHCP is disabled). The AP connects via a physical switch on the LAN NIC, and its DHCP is disabled to force the wireless clients to use pfSense DHCP.

    I added vmnet2 and assigned it as OPT1/DMZ (192.168.2.1) in pfSense. I enabled the DMZ DHCP server and reserved IP addresses based on the wireless clients' MACs, and removed the reservations for these clients from LAN DHCP. Obviously I want the webcams to get an IP address from DMZ DHCP, but they are getting an address from LAN DHCP (192.168.1.x).

    What do I need to do to force the webcams to get an IP address from the DMZ DHCP server instead of the LAN DHCP server? Will static IP assignment place them in the DMZ?
    Thanks.


  • LAYER 8 Netgate

    Are you using the same switch for both networks?

    You have to isolate broadcast domains for each network. That means separate physical NICs and switches, or a smart/managed switch and VLANs.



  • Thanks. I have two NICs on the server. I am connecting both networks on the same switch, which is not managed. I don't want to place other wireless clients (e.g. a laptop) into the DMZ, only the webcams. If I assign the webcams static IPs (DMZ subnet), will that work as separation of LAN and DMZ?


  • LAYER 8 Netgate

    You cannot segment two separate networks on a single, unmanaged switch. The switch is a single broadcast domain. Get another switch for the other network or use VLANs on a managed switch.



  • Thank you! But how can I separate LAN wireless clients from DMZ webcams? The wireless AP is connected to a single port on the switch (managed or not).


  • LAYER 8 Netgate

    Separate switches or VLANs (for the third time).



  • If the cameras are wireless, you will either need to get another AP and run it through another physical NIC in pfSense, or check if your current AP can do virtual SSIDs with VLAN tagging. If it is the latter, then you would still need to get a managed switch so you can handle the VLANs between your AP and pfSense if you want other wireless clients to be on the LAN subnet.



  • Yes, webcams are wireless too. My question was, can I separate "wireless" webcams (DMZ) from other wireless LAN clients connecting to a single AP. That AP connects to a physical switch and then to pfSense. I guess I can't do it with a single AP and I need the third NIC on the server. I thought there might be a non-physical way of doing it.


  • LAYER 8 Netgate

    Just like switches, an AP can put one wireless network on one VLAN and another wireless network on another VLAN, if it has the hardware and software necessary. The tagged switch port will keep them separate in the switch and the tagged switchport going to pfSense will give the traffic to the correct pfSense VLAN interface.



  • I might have to flash the AP with OpenWRT to do VLANs; currently Gargoyle doesn't. If the AP can set VLANs, do I still need to buy a managed switch?


  • LAYER 8 Netgate

    Almost certainly yes.



  • @Sekrit:

    I might have to flash the AP with OpenWRT to do VLANs; currently Gargoyle doesn't. If the AP can set VLANs, do I still need to buy a managed switch?

    I assume your path will be AP <-> Switch <-> pfSense. If you are going to be running VLANs on the AP then every device in the chain will need to be VLAN aware, this includes the switch. So in this setup you will need a managed switch. OpenWRT handles VLANs quite well provided the AP hardware has that feature.

    Another option is to put an additional physical NIC in pfSense and plug your AP into it. You could then create two VLANs for your WiFi LAN and DMZ. Downside is your wireless LAN devices would need to be on a different subnet from your wired LAN devices. This could cause issues for applications that need to be on the same subnet to function (Sonos speakers and the controller app is one example).

    A third option is to add a wireless NIC to pfSense and use it as an AP for the DMZ. I don't know enough about how it runs in your hypervisor to say whether it will let a virtual instance of pfSense directly manage a wireless NIC.

    The easiest option to setup and manage is probably a managed switch.
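    As an added illustration of the VLAN-capable AP option that Derelict and kesawi describe above (this is example configuration, not from the thread or from any poster), here is what the AP side looks like in OpenWrt's UCI files. It assumes an older swconfig-based OpenWrt build, that switch port 0 is the AP's uplink to the managed switch and port 5 is the CPU port (both hardware-specific; check `swconfig dev switch0 show` on the real device), VLAN 10 for LAN Wi-Fi clients and VLAN 20 for the camera DMZ, and a management address of 192.168.1.2 for the AP itself. SSID names and keys are placeholders.

```uci
# /etc/config/network  (added example; swconfig-style OpenWrt, port numbers are assumptions)

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 10 = wireless LAN clients. Port 0 is the uplink to the managed
# switch and carries the VLAN tagged (0t); port 5 is the CPU port (5t).
config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 5t'

# VLAN 20 = camera DMZ, carried on the same tagged trunk.
config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '0t 5t'

# The AP keeps one static address on VLAN 10 purely for its own management.
# pfSense does all routing and DHCP for both VLANs.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

# No IP on the DMZ side at all: the AP only bridges the camera SSID
# onto the tagged sub-interface.
config interface 'dmz'
	option type 'bridge'
	option ifname 'eth0.20'
	option proto 'none'

# /etc/config/dhcp  (the AP's own DHCP server stays off, as in the thread)

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# /etc/config/wireless  (two SSIDs on one radio, each bridged to its VLAN)

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'home-wifi'
	option encryption 'psk2'
	option key 'CHANGE-ME-LAN'

# Camera SSID. isolate=1 stops the cameras from talking to each other
# over the air; everything they send goes up the trunk to pfSense.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'dmz'
	option ssid 'cams'
	option encryption 'psk2'
	option key 'CHANGE-ME-DMZ'
	option isolate '1'
```

    To make this work end to end, the managed switch port facing the AP and the port facing the VMware host must both be tagged members of VLANs 10 and 20, the hypervisor's virtual switch has to pass 802.1Q-tagged frames through to the pfSense VM, and in pfSense the two VLANs are created on the vmnet1 parent interface and assigned as LAN and DMZ, with the camera MAC reservations moved to the VLAN 20 interface's DHCP server. Wired LAN devices can then stay untagged on VLAN 10 without the separate-subnet downside kesawi mentions for the extra-NIC option.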



  • kesawi and derelict, thank you. This noob was thinking that a DMZ is simply created by assigning clients to different IP subnets.



  • @Sekrit:

    kesawi and derelict, thank you. This noob was thinking that a DMZ is simply created by assigning clients to different IP subnets.

    Glad to be able to assist. For the majority of home and small business networks the wireless AP does all three jobs (AP, switch & router), and it is just as simple as that, since the AP takes care of the configuration of the VLANs, network bridging and SSIDs in the background when the user ticks the "enable DMZ" box in its web GUI. The guest network present on a lot of wireless routers is essentially a separate DMZ VLAN. When you start separating out functions and components, as you have, then you need to start managing and configuring them yourself.

    Check out the following for some information on VLANs in small networks to get a better understanding:



  • I like smallnetbuilder.com. Which brand is better for home use? The managed switch will be in my office, so I would prefer a fanless unit. The GUI should be easy to use. Zyxel, Netgear, D-Link, TP-Link?


  • LAYER 8 Global Moderator

    What is your budget for your managed switch? I can say nothing but good things about the Cisco SG300 line. Currently at $130-135 at Amazon. Freaking STEAL!! I picked mine up at $193 a year and a half ago, and that was a good price then. Keep meaning to pick up another one to replace my OLD, very limited Netgear GS108T smart switch.

    http://www.amazon.com/Cisco-SG300-10-10-port-Gigabit-SRW2008-K9-NA/dp/B0041ORN6U

    The SG300 is a fully managed switch that even supports L3 mode if you want it.

