DHCP on igb0 not working; DHCP on igb0_vlan2 etc working

[vidarlo]

I have the following configuration:

• IGB0 - LAN - 10.0.1.1/24
• IGB0_VLAN2 - 10.0.3.1/24
• IGB0_VLAN3 - 10.0.4.1/24
• IGB0_VLAN4 - 10.0.5.1/24

PF Rules are set to IPV4+IPV6 any type any source any destination allowed for now:


Firewall rules for IGB0.

DHCPv4 is set to hand out for 10.0.1.10-10.0.1.250:


However, clients are unable to get IP. They don't get a reply on DHCP queries. All other interfaces work just fine.

igb0 is attached to a Unifi switch, with tagged and untagged vlans. The setup was working after installation, and with pfsense previously - but at some point it stopped working. No modification was made to unifi side of network.

Any suggestions or pointers are welcome.

[Greelan]

Can’t see anything obvious that is wrong. Wouldn’t surprise me if the issue is on the switch

[vidarlo]

I've made *no* configuration changes on the switch - and it was working at some point with OPNsense - and it was working with same configuration on pfsense.

It should be noted that if I set static IP on a host that is connected to the native VLAN, I can ping opnsense just fine:

Code: [Select]

sudo ip addr add 10.0.1.190/24 dev enp2s0
[~]$ ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.157 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=0.133 ms
^C
--- 10.0.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.133/0.145/0.157/0.012 ms

In addition, IPv6 RA works; hosts get IPv6 SLAAC assigned. This points to the fact that L2 connectivity is correct and functioning.

[Greelan]

Well, I’ve got plenty of experience of UniFi gear working and then some aspect just randomly breaking lol

[vidarlo]

Well, I’ve got plenty of experience of UniFi gear working and then some aspect just randomly breaking lol

Please see my update above L2 connectivity is verified for IPv6 and IPv4 - but dhcp is not working.

[Greelan]

Tried a packet capture for DHCP traffic on igb0?

[vidarlo]

You're exactly right. It was Unifi that decided that the new DHCP server probably was a rogue one, and filtered offers from it.

Thanks for pointing me in the right direction

[Greelan]

UniFi ... sigh

[vidarlo]

Yep... Bought it for the wifi. Considering swapping the switch for a edgeswitch...

[franco]

I have the following configuration:

• IGB0 - LAN - 10.0.1.1/24
• IGB0_VLAN2 - 10.0.3.1/24
• IGB0_VLAN3 - 10.0.4.1/24
• IGB0_VLAN4 - 10.0.5.1/24

Just to be on the safe side here: rules from LAN will likely override VLANs by design of pf(4). You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.


Cheers,
Franco

[Maurice]

You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.

Ehh... what?? That's the first time I've heard about this. If this is indeed true (which I have no doubt about when you say it), shouldn't there be a big (BIG, HUGE, MASSIVE) warning in the UI and the docs? I just double-checked and can't find even the slightest hint about this.

Cheers

Maurice

[franco]

I can't remember a day when that wasn't the case -- maybe it was passed down as common knowledge until everybody using it forgot or never knew.

There are reports here about once a month about said "weirdness" so I would  say it's being reiterated regularly at least.


Cheers,
Franco

[Maurice]

Most OPNsense users are probably networking people, not die hard *BSD gurus. And I've never encountered a similar limitation on other devices. Consider the router-on-a-stick scenario with an untagged LAN and a tagged WAN. You're saying an "allow all" rule on the LAN might then also apply to the WAN? What a security nightmare.

"Passed down as common knowledge" and forum posts don't exactly qualify as documentation, do they?  I'll prepare a PR. interfaces_vlan.php might be a good place for a warning?

[rhubarb]

Just to be on the safe side here: rules from LAN will likely override VLANs by design of pf(4). You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.

  This is a first for me, but I'm new to OPNSense. 

So my Unifi Controller sits on Untagged VLAN1. If I give it gateway access to the internet with OPNSense, will this rule also pass traffic on my IoT VLAN to the internet as well?

[Greelan]

This really surprised me too. Guess I am moving my VLANs to igb2...