DHCP Request on VLAN is Blocked by FW according to log



  • I tried the irc over the weekend, but there's few to no one there when I'm active, so here goes:

    I setup a VLAN (tag 15, "WIFI", 10.0.2.1/29), intended for wireless use, on interface igb3 (of an SG-2440, pfSense v2.2.6-release).  I've followed steps in two HOWTOs I found online, but I'm finding blocked DHCP lease requests (S - 0.0.0.0:68, D - 255.255.255.255:67 UDP) in my logs for igb3 when I plug in the network cable from the AP.

    • There's only one firewall rule for the WIFI interface - to allow all IPv4 proto to anywhere from anywhere.

    • WIFI/VLAN 15/igb3 is statically assigned 10.0.2.1

    • DHCPd is enabled for WIFI interface, pool is 10.0.2.2 - 10.0.2.6

    • The AP was not able to connect/traffic out when statically assigning an IP (10.0.2.2), but I don't remember if there was anything in the logs

    • The Easy Rule add doesn't do anything - just takes to the page explaining how I got there, doesn't actually add any rule


  • Netgate

    DHCP rules are automatic when a DHCP server is enabled on an interface.

    Instead of posting what you think you've done or what you think you're seeing, post actual config data.

    This stuff really does "just work" unless you bugger it up somehow.

    That's an awfully small DHCP pool. I'd use statics for a /29.

    If I had to make a guess you have your VLAN tags hosed up somewhere. VLAN 15 has to be tagged on both sides.



  • What works best in situations like this for posting config data - webGUI screenshots?  If via Putty, pls tell me what command(s).

    It's my first time working with VLANs - I know "VLAN 15" is visible in the Interfaces > assign page.  Where's the "other side"?


  • Netgate

    The "other side" would be whatever's patched to the pfSense ethernet interface. Switch port, AP, whatever. It need to be expecting VLAN tag 15 too.

    Screenshots from the webgui generally work best.



  • I updated the other side to know about the tag.  Before this, I'd see the blocked DHCP requests for the igb3 interface ~4 times a minute.  Now that the tag has been added, the blocks only appear when I initiate a DHCP renew from the other side.

    Sorry, have to retrack that.  It's back to seeing DHCP requests being blocked in the fw log, ~4 times minute.


  • Netgate

    Like I said before, DHCP rules are automatic.

    I have configured 100s or DHCP interfaces.

    Every time DHCP doesn't work something is wrong at layer 2. Check your VLANs.

    Post what you've actually done, not what you think you have done. If you had done what you say you have done it would be working.



  • Thanks Derelict.

    I got fed up trying to configure a temp DD-WRT box.  Apparently it would revert VLAN settings if it didn't like the config, which explains why the logs would stop filling for a moment before resuming the pattern.

    I replaced with a switch that supported VLANs (ToughSwitch).  Once the VLANs were configured properly on the switch (VLAN15 added, untagged port for my AP, tagged port for connecting to pfSense) - DHCP worked.