Messages - verasense

#31
21.1 Legacy Series / Switch cannot get IP via DHCP
March 21, 2021, 05:29:31 PM
I have a switch A that gets its address via DHCP. The switch is connected to opnsense in this way:

switch A (port 8 ) - VLAN 1 - opnsense (interface 3)
switch A (port 4 ) - VLAN 2 - switch B - opnsense (interface 2)

Both VLANs have DHCP activated and some clients are getting addresses. However, the switch (and also another switch I have) are not getting any address.
- I could see on Wireshark (VLAN 1 computer) the repeated requests from the switch to get an address (not the answers, though, if any exist).
- The firewall has the autogenerated rules to allow DHCP, and I even created a floating rule for that.
- I cannot see any request in the DHCP log.

How can I troubleshoot this? Is there any option I might be missing for opnsense not to lease an address?

-----
UPDATE: I captured packets from Interfaces - diagnostics - Packet capture and I can't see the request from the switch. However, I can see the request from a client. Is it possible that the DHCP request is not sent over the tagged port? I think this worked for me in the past.
#32
21.1 Legacy Series / Re: VLAN performance
March 21, 2021, 01:19:46 PM
1- ping will submit an ICMP echo request, so the destination must have an IP address. You just need to assign an IP to the VLAN interface of opnsense. If you mean "parent" as the original interface (e.g. LAN em1) no, you don't need that

2- This depends on what you want. If you want to assign IPs manually, you don't need DHCP. If you want devices to request an IP from opnsense, yes you do need DHCP.
#33
21.1 Legacy Series / Re: VLAN performance
March 19, 2021, 02:25:17 PM
The performance lag might be unappreciated but I have implemented 1 (A) as you suggested. I think it is better to isolate VLAN 1 from the main switch
#34
21.1 Legacy Series / Re: APs going through opnsense
March 19, 2021, 02:23:39 PM
I see... Thanks for the advice. I will check TP-Link, they are N but valid nevertheless.
#35
21.1 Legacy Series / APs going through opnsense
March 18, 2021, 04:05:35 PM
In my network I have different APs to get wifi clients.
The problem is that the firewall rules I have defined in opnsense wrt these clients are basically useless. For example, I am blocking ping access to the wifi camera at 192.168.0.5. However, any client connected to the same AP can ping the camera, since the request is received by the AP, which deals with it immediately without having to pass through opnsense. Is there a way I can force all traffic to go through opnsense?
#36
21.1 Legacy Series / VLAN performance
March 18, 2021, 02:46:32 AM
I have an opnsense with a WAN and a LAN connection. The LAN has 3 VLANs and is connected to a switch.

I am a bit concerned about performance, so, taking advantage of the fact that I recently got a second switch, I am thinking about an improvement. Since the 3 VLANs share the same network cable, it seems reasonable to me that this could cause performance issues, if the three VLANs move a lot of data at the same time. So I am considering two scenarios:

A) Splitting the VLANs, placing VLAN 1 (the most important) on its own cable and VLAN 2 and 3 on another. The second switch will also have some VLAN 2 devices that will be routed through the main switch.

B) Just connecting the new switch to the main one. Opnsense will manage the 3 VLANs on a single cable as before.

So, out of these two options (A and B, as shown in the image), what is more "correct"?
(Note: maybe there is another option that I am not contemplating)
#37
21.1 Legacy Series / Re: DNS without domain
March 18, 2021, 02:33:32 AM
Thanks for your help.

What I meant with "the Ping with the domain accesses the wan address" is that the ping command with explicit domain was using the WAN address out of all router addresses.
So, the router has 4 addresses (xx.xx.xx.xx, 192.168.10.1, 10.1.1.1, 192.168.0.1) and by using "ping computer1.domain" Windows used the WAN address out of them:
"Pinging computer1.domain[xx.xx.xx.xx] with 32 bytes of data:"

Maybe Windows picked this address at random from the DNS responses.
#38
21.1 Legacy Series / Re: DNS without domain
March 16, 2021, 08:01:14 PM
You are right.

I tested it on Linux and it worked, it's not opnsense related.

On Windows, I could fix it via:
System - Advanced system settings - Computer Name - Change - More
and set "domain" in Primary DNS suffix of this computer.

Alternatively, this can also be done in the TCP/IP properties of the specific interface from the "Network Connections".

It is not the cleanest solution, as it is input manually and not obtained dynamically from the network.
I have the "Change primary DNS suffix..." option enabled so I am not sure why it is not picking the domain name from the DNS server. And I assigned a static DHCP lease, so it is supposed to get the domain from there...

See also: https://serverfault.com/questions/44030/local-dns-not-resolving-host-name-but-will-resolve-fqdn
#39
21.1 Legacy Series / Re: DNS without domain
March 16, 2021, 12:41:53 PM
What can be the reason for mine not to work?
#40
21.1 Legacy Series / Re: DNS without domain
March 16, 2021, 09:50:58 AM
I am using Windows 10. The ping with the domain accesses the WAN address:

ping computer1
Ping request could not find host computer1. Please check the name and try again.

ping computer1.domain

Pinging computer1.domain[xx.xx.xx.xx] with 32 bytes of data:
Reply from xx.xx.xx.xx: bytes=32 time<1ms TTL=64
Reply from xx.xx.xx.xx: bytes=32 time<1ms TTL=64
...

nslookup computer1
Server:  computer1.domain
Address:  10.1.1.1

Name:    computer1
Addresses:  xx.xx.xx.xx
          192.168.10.1
          10.1.1.1
          192.168.0.1
#41
21.1 Legacy Series / DNS without domain
March 15, 2021, 03:28:46 PM
I used the "Register DHCP static mappings" to get the computer names into the DNS.

However:
ping computer1 cannot be resolved
But:
ping computer1.domain can.

Is there a way to allow DNS requests without the domain?