New VLANs do not provide lease from DHCP server

Started by 01cooperl, February 05, 2025, 11:14:47 PM

Hi all,

I recently performed a fresh install of Opnsense using a config backup, mainly because Suricata was creating huge log files (99G files within 10 mins). I have since tried to create a VLAN for a set of new IP cameras, however they are unable to get an IP from the DHCP server for the new VLAN which has been set up (with VLAN tag 30). I have configured my unifi lite 8 POE in the same way I have configured my other two VLANs. See below for the summary of the set-up.
I have tried to reboot Opnsense, tried re-creating the VLAN with a different ID, and opened up the firewall temporarily to see if it is a firewall issue, but all to no avail.

Unifi switch set-up for IP cam ports:
VLANs
1=Default > Blocked
10=IOT > Blocked
20=PCs > Blocked
30=Cameras > Native

VLANs for Trunk port to Opnsense:
1=Default > Native
10=IOT > Tagged
20=PCs > Tagged
30=Cameras > Tagged

Opnsense and a few other devices are on the physical LAN using a .68 subnet, however the traffic all runs through this unifi switch.

Any ideas to help would be greatly appreciated. I'm hoping I don't need to yet again wipe and start again!

You've enabled ISC on the new interface with a proper pool, right?

Native means Untagged and PVID set to that VLAN?

There have been a few posts recommending not to mix untagged and tagged (as seems to be the case between the router and the switch).
While it was not an issue for me while I was still doing so, I no longer do, so I don't know if it's worse under current versions.

Thanks for the reply EricPerl.

Yes I've enabled ISC, as it comes up under ISC DHCPv4 as an entry and the DHCP server is enabled on the interface. I've checked the configuration via the Opnsense UI and it seems to mirror the configuration I have with the IOT VLAN which works as expected.

As I understand it for Unifi switches, "Native" means untagged, but I'm happy to be corrected on this.

So are you suggesting that all traffic is therefore on a VLAN and nothing should therefore hit the physical LAN interface on Opnsense?

Looking at the DHCP logs on Opnsense I can see the following (vlan0.30 is the Cameras VLAN):
DHCPDISCOVER from [IP CAM MAC ADDRESS] via vlan0.30

I also tried to assign the unifi port the IOT VLAN to compare, and the following appeared in multiple entries in the logs (em2_vlan10 is the IOT VLAN):
DHCPDISCOVER from [IP CAM MAC ADDRESS] via em2_vlan10
Then a second later
DHCPOFFER on 192.168.10.138 to [IP CAM MAC ADDRESS] via em2_vlan10
DHCPREQUEST for 192.168.10.138 (192.168.10.1) from [IP CAM MAC ADDRESS] via em2_vlan10
DHCPACK on 192.168.10.138 to [IP CAM MAC ADDRESS] via em2_vlan10

I cannot see what config differences there are to cause differing behaviour here.

If the DHCP server is receiving the DHCPDISCOVER but not responding with a DHCPOFFER, it suggests that it (the DHCP server, for that subnet) is not configured properly. Take another look there. Have you specified an address range?
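To make the "DISCOVER but no OFFER" check above mechanical, here is an added example (not from the thread or from OPNsense) that tallies ISC dhcpd log lines per interface and flags any interface where clients asked but the server never answered. The sample lines are constructed from the messages quoted in the thread, with a placeholder MAC and an extra vlan0.20 "no free leases" line to show the second failure mode.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the dhcpd lines quoted in the thread; the MAC and the
# vlan0.20 "no free leases" line are made up to show the two failure modes side by side.
SAMPLE_LOG = """\
DHCPDISCOVER from 00:11:22:33:44:55 via vlan0.30
DHCPDISCOVER from 00:11:22:33:44:55 via vlan0.30
DHCPDISCOVER from 00:11:22:33:44:55 via em2_vlan10
DHCPOFFER on 192.168.10.138 to 00:11:22:33:44:55 via em2_vlan10
DHCPREQUEST for 192.168.10.138 (192.168.10.1) from 00:11:22:33:44:55 via em2_vlan10
DHCPACK on 192.168.10.138 to 00:11:22:33:44:55 via em2_vlan10
DHCPDISCOVER from 00:11:22:33:44:66 via vlan0.20: network 192.168.20.0/24: no free leases
"""

# Message type, the interface after "via", and any note dhcpd appends after a colon.
# search() rather than match() so a syslog prefix before the message does not matter.
LINE_RE = re.compile(r"(DHCP[A-Z]+)\b.*?\bvia ([^\s:]+)(?::\s*(.*))?$")

def summarize(log_text):
    """Return ({iface: {msg_type: count}}, {iface: [notes]}) for the dhcpd lines."""
    counts = defaultdict(lambda: defaultdict(int))
    notes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        msg, iface, note = m.groups()
        counts[iface][msg] += 1
        if note:
            notes[iface].add(note)
    return {i: dict(c) for i, c in counts.items()}, {i: sorted(n) for i, n in notes.items()}

def diagnose(log_text):
    """Interfaces where clients sent DHCPDISCOVER but the server never sent DHCPOFFER."""
    counts, notes = summarize(log_text)
    findings = {}
    for iface, c in counts.items():
        if c.get("DHCPDISCOVER", 0) and not c.get("DHCPOFFER", 0):
            if any("no free leases" in n for n in notes.get(iface, [])):
                findings[iface] = "pool exhausted or no range covering this subnet"
            else:
                findings[iface] = "silent: check the scope (subnet/range) bound to this interface"
    return findings

if __name__ == "__main__":
    for iface, why in diagnose(SAMPLE_LOG).items():
        print(f"{iface}: {why}")
```

Feed it the ISC DHCPv4 log exported from the OPNsense GUI; an interface that completes DISCOVER/OFFER/REQUEST/ACK (em2_vlan10 here) is not reported.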

From the ISC DHCPv4 page for that interface:
The DHCP server is enabled
Deny unknown clients > unchecked
Ignore Client UIDs > unchecked
Subnet > 192.168.30.0
Subnet mask > 255.255.255.0
Available range > 192.168.30.1 - 192.168.30.254
Range > 192.168.30.100 - 192.168.30.200
All other configuration is blank/not filled in

This mirrors the configuration for the IOT interface but with 10 as the subnet

Hmm. If you set the level to "Debug" when viewing the ISC DHCPv4 log file, does anything else show up?

Do you know where I can change the log level to "Debug"? I can only find the log level option for IPv6 DHCP.

February 06, 2025, 10:59:22 PM #8 Last Edit: February 06, 2025, 11:04:07 PM by Cyberloard
Doing this from my phone so forgive any formatting issues, but you did tag and allow the vlan on the trunk/uplink going to opnsense right? I only ask as I've forgotten myself more than once and had this very issue.

Edit: Disregard I read part of the post as on opnsense not to, my bad.

No problem Cyberloard

I checked the config again on the GUI, I cannot seem to find a way of getting debug level logging for DHCPv4 but if there is a way please let me know.

FWIW, before I found this issue, I performed a fresh install of Opnsense a few days ago to resolve an issue with Suricata dumping huge logs to disk and locking up the router. I restored the configuration from a backup. I also greatly reduced the rulesets for Suricata as well as installed Zenarmor. Not sure if any of this is relevant but I thought I would add this.

Quote from: 01cooperl on February 06, 2025, 09:33:19 PM
Do you know where I can change the log level to "Debug"? I can only find the log level option for IPv6 DHCP.

Just in the log view, because you can filter to various levels.

What I would do next is use a test machine in VLAN 30.
See if it can get a DHCP lease.
If it can't, set a compatible static IP and test connectivity (ping GW and internet host, DNS with corresponding FW rules).
This is mostly to check if something is weird at the interface level.

The terminology Unifi uses for VLAN tagging is seriously bonkers and it is very easy to misconfigure. Assuming you have no VLAN aware devices on VLAN 30, your switch configuration should be the same as mine (except my cameras are on VLAN 40). See my screenshot.

Ok, I got it working now...

Really odd behaviour, but I rebooted my Opnsense machine several times in the hope this would resolve the issue. So now I power cycled all switches and Opnsense (power down and back up), and now I'm successfully getting the DHCP allocations to the .30 subnet.

Thanks all for your help and replies!