VLAN not getting DHCP or out to the internet



  • Hi everyone, long-time networking / IT guy here. Moving my house from a Fortinet to pfSense. I am having an issue with one of my VLANs that I just can't solve. VLAN60 is set up as you can see below, but devices on VLAN60 can't get a DHCP address from the pfSense box. If I assign a static IP (192.168.60.10) I can ping the gateway on that VLAN (192.168.60.2), and the pfSense box can ping the device 192.168.60.10, but I cannot get out to the internet!! I have made all the rules the same as the VLAN5 that works… Driving me up the wall. Thoughts??? I have tried bypassing the UniFi AP in case it wasn't tagging the traffic right and plugged my laptop with a tagged NIC directly into the switch and had the same issue. Here are the details of my network:

    My setup is pretty simple: dual WAN connections and two VLANs. VLAN5 is a small VLAN with a server that only gets internet access. VLAN60 is the guest network on our UniFi APs. I set up the firewall last weekend and had no issues with the dual WAN or setting up VLAN5. I then added an OpenVPN interface for a VPN to Private Internet Access for one of my boxes to use. VLAN5 is currently sharing the same interface as the internal network on the pfSense box. Originally I had VLAN60 set up on the same internal interface but have since moved it to a dedicated interface on the firewall to see if it would fix my issues. Once I get my issues with VLAN60 solved I will move VLAN5 onto the dedicated VLAN interface.

    What is driving me completely nuts is VLAN5 works perfectly, and from what I can tell VLAN60 is set up the same way. If you can shed some light on what I am doing wrong it would be much appreciated. This setup worked perfectly with my Fortinet.

    LAN : 192.168.4.0/24
    VLAN 5 : 192.168.5.0/24
    VLAN 60 : 192.168.60.0/24

    Netgear GS724Tv4
    Port 21 = pfsense firewall LAN igb3
    Port 14 = Server with NIC tagged VLAN 5
    Port 7 = PFsense Firewall igb2 dedicated VLAN Port
    Port 16 = Access Point SSID tagged VLAN60

    Port 21 - PFsense LAN igb3

    Untagged VLAN 1 (no vlan)
    Tagged VLAN5

    Port 14 - Server with NIC Tagged VLAN5
    Tagged VLAN5

    Port 7 - PFsense Firewall igb2 dedicated VLAN Port
    Tagged VLAN60

    Port 16 - Access point with SSID Vlan tagged VLAN60 and LAN no vlan (VLAN1)
    Untagged VLAN1 (no vlan)
    Tagged VLAN60
















  • Port 21 - PFsense LAN igb3

    Untagged VLAN 1 (no vlan)
    Tagged VLAN5

    Forgot to tag VLAN60 on that port?



  • VLAN60 is tagged on Port 7 which is a dedicated VLAN port on my PFSense box igb2.  I assume that should work no problem.



  • Why is your static address for VLAN60 192.168.60.2? Is something else using the .1 address?

    Not a problem per se, but if you have another interface using that address you may have an issue?

    What does your Status>Interfaces screen shot look like?



  • It was 192.168.60.1, but when it wasn't working I was grasping at straws and set it to .2 to make sure the UniFi wasn't conflicting. I will change it back to .1 once I get this resolved.

    See status->interfaces below :

    WAN1ROGERS interface (wan, igb0)
    Status up
    DHCP up
    MAC address 0c:c4:
    IPv4 address 174.
    Subnet mask IPv4 255.255.254.0
    Gateway IPv4 174.
    IPv6 Link Local fe80:
    ISP DNS servers 127.0.0.1
    8.8.8.8
    4.4.2.2
    4.2.2.2
    4.2.2.3
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 64182915/7874142 (79.21 GB/941.65 MB)
    In/out packets (pass) 64182915/7874142 (79.21 GB/941.65 MB)
    In/out packets (block) 206949/0 (9.17 MB/0 bytes)
    In/out errors 0/0
    Collisions 0

    LAN interface (lan, igb3)
    Status up
    MAC address 0c:
    IPv4 address 192.168.4.1
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::ec4:7aff:fec3:8515
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 18516495/24948825 (8.27 GB/18.66 GB)
    In/out packets (pass) 18516495/24948825 (8.27 GB/18.66 GB)
    In/out packets (block) 63648/112 (10.90 MB/6 KB)
    In/out errors 0/0
    Collisions 0

    WAN2BELL interface (opt1, igb1)
    Status up
    MAC address 0c:
    IPv4 address 192.168.2.100
    Subnet mask IPv4 255.255.255.0
    Gateway IPv4 BellModel 192.168.2.1
    IPv6 Link Local fe80::513
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 23063693/62177 (30.33 GB/6.54 MB)
    In/out packets (pass) 23063693/62177 (30.33 GB/6.54 MB)
    In/out packets (block) 50820/0 (26.33 MB/0 bytes)
    In/out errors 0/0
    Collisions 0

    VLAN interface (opt2, igb2)
    Status up
    MAC address 0c:
    IPv6 Link Local fe80::ec4:7aff:fec3:8514
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 5/0 (904 bytes/0 bytes)
    In/out packets (pass) 5/0 (904 bytes/0 bytes)
    In/out packets (block) 1/0 (32 bytes/0 bytes)
    In/out errors 0/0
    Collisions 0

    VLAN5DSM interface (opt3, igb3_vlan5)
    Status up
    MAC address 0c:
    IPv4 address 192.168.5.1
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::ec4:7aff:fec3:8515
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 49252809/76382717 (5.45 GB/97.17 GB)
    In/out packets (pass) 49252809/76382717 (5.45 GB/97.17 GB)
    In/out packets (block) 0/0 (0 bytes/0 bytes)
    In/out errors 0/0
    Collisions 0

    PIAVPN interface (opt4, ovpnc1)
    Status up
    MAC address 00:00:00:00:00:00
    IPv4 address 10.
    Subnet mask IPv4 255.255.255.255
    Gateway IPv4 10.
    IPv6 Link Local fe80::ec4:7aff:fec3:8512
    MTU 1500
    In/out packets 309678/50575601 (65.03 MB/6.69 GB)
    In/out packets (pass) 309678/50575601 (65.03 MB/6.69 GB)
    In/out packets (block) 147/0 (0 bytes/0 bytes)
    In/out errors 0/0
    Collisions 0

    VLAN60 interface (opt5, igb2_vlan60)
    Status up
    MAC address 0c:c4:7a:c3:85:14
    IPv4 address 192.168.60.2
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::ec4:7aff:fec3:8514
    MTU 1500
    Media 1000baseT <full-duplex>
    In/out packets 18/8 (3 KB/672 bytes)
    In/out packets (pass) 18/8 (3 KB/672 bytes)
    In/out packets (block) 0/0 (0 bytes/0 bytes)
    In/out errors 0/0
    Collisions 0


  • LAYER 8 Netgate

    Run a packet capture on VLAN60 and get a new or renew a lease.
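
An added example (not part of the thread and not pfSense code): a small Python helper that reads the text output of such a capture and reports whether DHCP requests reached the VLAN60 interface and whether anything answered them. The sample lines are constructed, written in tcpdump's default one-line DHCP format, and the function names are hypothetical.

```python
import re

# tcpdump's default (non-verbose) DHCP summary: "IP src.port > dst.port: BOOTP/DHCP, Request|Reply"
DHCP_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)"
)

# Constructed sample captures (not taken from the thread).
UNANSWERED = (
    "19:02:11.101234 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, "
    "Request from 02:00:00:00:00:01, length 300\n"
    "19:02:15.204551 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, "
    "Request from 02:00:00:00:00:01, length 300\n"
)
ANSWERED = UNANSWERED + (
    "19:02:15.206002 IP 192.168.60.2.67 > 192.168.60.10.68: BOOTP/DHCP, Reply, length 300\n"
)
ONLY_ARP = "19:02:09.000100 ARP, Request who-has 192.168.60.2 tell 192.168.60.10, length 46\n"


def summarize(capture_text):
    """Return (requests, replies, replying_servers) seen in tcpdump text output."""
    counts = {"Request": 0, "Reply": 0}
    servers = set()
    for line in capture_text.splitlines():
        m = DHCP_LINE.search(line)
        if not m:
            continue  # ARP, ICMP and any other traffic is ignored
        counts[m["kind"]] += 1
        if m["kind"] == "Reply":
            servers.add(m["src"])
    return counts["Request"], counts["Reply"], servers


def diagnose(capture_text):
    """Map what the capture shows to the next thing to check."""
    requests, replies, servers = summarize(capture_text)
    if requests == 0 and replies == 0:
        return "no-dhcp-seen: requests never reach this interface; check tagging on the path"
    if replies == 0:
        return "unanswered: requests arrive but nothing replies; check the DHCP server here"
    return "answered by " + ", ".join(sorted(servers)) + "; check the path back to the client"


if __name__ == "__main__":
    for name, text in (("unanswered", UNANSWERED), ("answered", ANSWERED), ("arp only", ONLY_ARP)):
        print(name, "->", diagnose(text))
```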



  • @Derelict:

    Run a packet capture on VLAN60 and get a new or renew a lease.

    Great idea, will do that tonight and report back.

