DHCP / VLAN Issues

Started by CruseOPNsense, November 09, 2022, 12:56:01 PM

November 09, 2022, 12:56:01 PM Last Edit: November 09, 2022, 12:59:57 PM by CruseOPNsense
Hello, I'm trying to get my first OPNsense box up and running with one Virtual Local Area Network (VLAN). This is a fresh install with the default LAN subnet 192.168.1.0/24 and WirelessVLAN (VLAN tag: 15) at subnet 192.168.15.0/24, using the latest OPNsense version.

I followed this guide: https://homenetworkguy.com/how-to/configure-vlans-opnsense/ for creating a VLAN; in short, here's what I did:

  • Created a new VLAN interface [VLAN: 15]
  • Assigned the VLAN to the LAN interface [Ix0]
  • Enabled the interface and set a static Internet Protocol (IP) address and subnet to 192.168.15.1/24
  • After that, I enabled the DHCP server on the VLAN 15 interface and created a scope
  • Other than the default DHCP firewall rules, I copied the Any-to-Any default LAN firewall rule to the VLAN 15 interface and changed the source to 'VLAN net'

While connected directly to the OPNsense box, I'm able to ping both the LAN and VLAN 15 gateways. I've added a ZyXel GS1900-48 managed switch into my network and I'm able to grab a Dynamic Host Configuration Protocol (DHCP) address while all the ports are untagged. Once I establish a VLAN on the switch and tag and untag the ports, I'm unable to pull a DHCP address from the untagged (VLAN 15) port on the switch.

I worked with ZyXel to ensure my VLAN settings are correct and they can be confirmed here: https://mysupport.zyxel.com/hc/en-us/articles/360008607580--Switch-How-to-configure-VLAN-on-GS1900-xx-switches-firmware-2-40-and-newer-.

When I review the DHCP service logs, I don't even see an attempt for an address to be assigned on the 192.168.15.0/24 subnet; the normal LAN subnet works fine when the ports are untagged on the switch.

Any direction would be much appreciated; I tried different guides online and on YouTube to no avail.

You can say "I did everything right" but if you did, it would work. So post pictures of all relevant setup from router and switch if you really want anyone to be able to help.

Quote from: Demusman on November 09, 2022, 01:03:27 PM
You can say "I did everything right" but if you did, it would work.

Not really the vibe I was trying to give off; I just didn't have time to post the pictures first thing. This is my first setup, and I was simply trying to get the situation established and give background information.

I will include all relevant screenshots below of my setup:

Establishing VLAN Interface:


Enabling the Interface:


Setting a Static IP:


Firewall Rules Assigned to VLAN:


Network diagram:


This is on a ZyXel GS1900-48. Port 48 is the uplink from the OPNsense box (set to Trunk) and Port 4 is my access port (i.e. the port the computer is connected to).

VLAN Ports 1:


VLAN Ports 15:


Ports:


I did not grab a screenshot of the DHCP services enabled on VLAN 15 so you will have to believe me on this one.

Pictures are too large to see the whole thing, but VLAN 1 should be excluded on port 4, not tagged.
Shouldn't cause any problems, but not needed.

You say you have DHCP enabled, but your picture says you have the PC set statically; which is it?
If static, make sure the gateway is set correctly.

Do a packet capture on the VLAN interface; do you see anything from the PC's IP?
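As an added example for the capture step suggested above (not code from the original posts or from OPNsense), here is a small Python script that reads `tcpdump -e` output taken on the firewall's trunk NIC and counts DHCP requests and replies per 802.1Q VLAN ID. Capturing on the parent NIC rather than on the VLAN sub-interface is what makes the tag visible, so a request that arrives untagged (landing on VLAN 1 / LAN) can be told apart from one tagged 15. The capture lines, the interface name ix0 and the MAC addresses are constructed; the tcpdump invocation it assumes is along the lines of `tcpdump -eni ix0 'port 67 or port 68 or (vlan and (port 67 or port 68))'`, and the exact text tcpdump prints may differ slightly between versions.

```python
"""Count DHCP requests/replies per VLAN in `tcpdump -e` output.

Added example for the capture step suggested in the thread; not code from the
original posts or from OPNsense. SAMPLE_CAPTURE is constructed to resemble
`tcpdump -eni ix0 'port 67 or port 68 or (vlan and (port 67 or port 68))'`
run on the firewall's trunk NIC; interface name and MACs are assumptions.
"""
import re
from collections import Counter

# Constructed sample: one untagged DISCOVER (lands on LAN), one DISCOVER tagged
# VID 15 with the server's OFFER back on VID 15, and an unrelated ARP frame.
SAMPLE_CAPTURE = """\
12:00:01.000001 3c:ec:ef:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:ec:ef:aa:bb:01, length 300
12:00:01.000500 3c:ec:ef:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 15, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:ec:ef:aa:bb:02, length 300
12:00:01.001000 00:1b:21:cc:dd:ee > 3c:ec:ef:aa:bb:02, ethertype 802.1Q (0x8100), length 346: vlan 15, p 0, ethertype IPv4 (0x0800), 192.168.15.1.67 > 192.168.15.100.68: BOOTP/DHCP, Reply, length 300
12:00:02.000000 3c:ec:ef:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.50, length 46
"""

# Frame header as printed by tcpdump -e: timestamp, MACs, outer EtherType, an
# optional "vlan N, p P, ethertype X (0x....)," chunk for 802.1Q frames, payload.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>[^,]+?) \(0x[0-9a-f]{4}\), length \d+: "
    r"(?:vlan (?P<vid>\d+), p \d+, ethertype [^,]+ \(0x[0-9a-f]{4}\), )?"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return dict(ts, src, dst, etype, vid, rest, dhcp) or None for non-frame lines.
    vid is None for untagged frames; dhcp is 'request', 'reply' or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["vid"] = int(rec["vid"]) if rec["vid"] else None
    if "BOOTP/DHCP, Request" in rec["rest"]:
        rec["dhcp"] = "request"
    elif "BOOTP/DHCP, Reply" in rec["rest"]:
        rec["dhcp"] = "reply"
    else:
        rec["dhcp"] = None
    return rec


def dhcp_by_vlan(capture_text):
    """{vid or None: Counter({'request': n, 'reply': m})} over all DHCP frames."""
    result = {}
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dhcp"] is None:
            continue
        result.setdefault(rec["vid"], Counter())[rec["dhcp"]] += 1
    return result


def diagnose(capture_text, vid):
    """One-line verdict for the VLAN the client is supposed to be on."""
    label = "untagged" if vid is None else "tagged VLAN %d" % vid
    counts = dhcp_by_vlan(capture_text).get(vid, Counter())
    if counts["request"] == 0:
        return ("no DHCP requests seen %s on the firewall NIC: the switch is not "
                "delivering them (check tagging on the trunk port and PVID/untagged "
                "membership on the access port)" % label)
    if counts["reply"] == 0:
        return ("DHCP requests arrive %s but no replies: check the DHCP server on "
                "that OPNsense interface" % label)
    return "DHCP exchange %s looks healthy (%d request(s), %d reply(ies))" % (
        label, counts["request"], counts["reply"])


if __name__ == "__main__":
    for vid, counts in sorted(dhcp_by_vlan(SAMPLE_CAPTURE).items(), key=str):
        print("vlan", vid, dict(counts))
    print(diagnose(SAMPLE_CAPTURE, 15))
    print(diagnose(SAMPLE_CAPTURE, None))
```

In the sample, VLAN 15 shows both a request and a reply, so the OPNsense side is doing its job; the untagged request shows a request with no reply, which is what a client on a port whose PVID is still 1 looks like. In the thread's situation (no VLAN 15 traffic at all in a ten-minute capture) the first branch of `diagnose` applies, pointing at the switch rather than at the DHCP server.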

Quote from: Demusman on November 09, 2022, 03:32:38 PM
Pictures are too large to see the whole thing, but VLAN 1 should be excluded on port 4, not tagged.
Shouldn't cause any problems, but not needed.

You should be able to scroll to the side to see the entire picture; I did end up changing VLAN 1 to be Excluded on Port 4.


Quote from: Demusman on November 09, 2022, 03:32:38 PM
You say you have DHCP enabled, but your picture says you have the PC set statically; which is it?
If static, make sure the gateway is set correctly.

That was the wrong diagram, the endpoint's Network Interface Card (NIC) is set for DHCP.

Quote from: Demusman on November 09, 2022, 03:32:38 PM
Do a packet capture on the VLAN interface; do you see anything from the PC's IP?

So I ran ipconfig /release && ipconfig /renew on two different machines at the same time, one connected to Port 4 (Untagged VLAN 15) and the other to Port 6 (Untagged VLAN 1).



I did also take a screenshot of the DHCP server enabled on VLAN 15:

You need to apply the tag on port 48 (trunk) for all VLANs:

Port 48 tagged for VLAN 1
Port 48 tagged for VLAN 15

Port 4 on VLAN 15 untagged & excluded.

Should fix it.
My YouTube Networking & Lab Videos:
----------------------------------------
https://www.youtube.com/jasonslabvideos

Quote from: jlab on November 10, 2022, 03:43:12 AM
You need to apply the tag on port 48 (trunk) for all VLANs:

Port 48 tagged for VLAN 1
Port 48 tagged for VLAN 15

Port 4 on VLAN 15 untagged & excluded.

Should fix it.

I appreciate the response, jlab, but your solution did not work unfortunately. When I tag VLAN 1 on Port 48, I'm unable to navigate to the OPNsense box anymore.

You don't want VLAN 1 tagged, as you found out already.
The configs look good; are you sure there's nothing else configured on port 4 that may be interfering?

Maybe add another port to VLAN 15 and try that.

The packet capture doesn't show anything from VLAN 15, but it's just a small picture of it; did you see any VLAN 15 traffic?

Quote from: Demusman on November 10, 2022, 11:31:58 PM
You don't want VLAN 1 tagged, as you found out already.
The configs look good; are you sure there's nothing else configured on port 4 that may be interfering?

Maybe add another port to VLAN 15 and try that.

The packet capture doesn't show anything from VLAN 15, but it's just a small picture of it; did you see any VLAN 15 traffic?

Do you have anything in mind that would interfere with VLANs on switches? I confirmed that the uplink port is untagged with VLAN 15 tagged, and Port 4 has VLAN 1 Excluded and VLAN 15 Untagged.

I also changed the PVID to 15, Excluded VLAN 1 and Untagged for VLAN 15 on Ports 48-45 but none of those ports worked either.

I did try a longer packet capture (maybe 10 minutes long) and that also displayed no network traffic. Could this be a hardware issue on the OPNsense box? I thought OPNsense would not let you create a VLAN if the hardware does not support it.

Thanks so much for your input thus-far!

Doubting it's a problem with OPNsense; more likely something on the switch.
That said, are you sure you applied all settings in OPNsense?
You can't just click save; after that a button appears at the top of the page to "apply settings".
You didn't post pictures of the whole page, so there's no way of knowing if they were applied, but that was an issue with someone else not too long ago on here. If you see the "apply" button on any page, you didn't apply.

Other thing you can do: if you have a PC that can be tagged with a VLAN, tag it with 15, plug directly into OPNsense and you should get connectivity on VLAN 15. All Intel NICs support VLANs if you install their PROSet drivers.
If you try that and it fails, it's a problem with the OPNsense config for sure.

Quote from: Demusman on November 11, 2022, 02:40:25 PM
Doubting it's a problem with OPNsense; more likely something on the switch.
That said, are you sure you applied all settings in OPNsense?
You can't just click save; after that a button appears at the top of the page to "apply settings".
You didn't post pictures of the whole page, so there's no way of knowing if they were applied, but that was an issue with someone else not too long ago on here. If you see the "apply" button on any page, you didn't apply.

I did select the 'apply settings' button on each page initially; nonetheless, I went through each page and re-saved and re-applied the settings.

Quote from: Demusman on November 11, 2022, 02:40:25 PM
Other thing you can do: if you have a PC that can be tagged with a VLAN, tag it with 15, plug directly into OPNsense and you should get connectivity on VLAN 15. All Intel NICs support VLANs if you install their PROSet drivers.
If you try that and it fails, it's a problem with the OPNsense config for sure.

I plugged in a Windows 10 host and set the NIC to pull an address from the default LAN, that worked without issue; I was able to ping the 192.168.1.1 default gateway. When I manually set the host's IP to the 192.168.15.x subnet (192.168.15.11 in this case), I'm unable to ping the 192.168.15.1 gateway. I did run a packet capture while doing all of this and there is activity on the VLAN 1 NIC but there was no activity captured on VLAN 15.

November 11, 2022, 05:48:31 PM #11 Last Edit: November 11, 2022, 07:09:48 PM by CruseOPNsense
As for my OPNsense motherboard, it's an ASRock Rack D1541D4U-2T8R (https://www.asrockrack.com/general/productdetail.asp?Model=D1541D4U-2T8R#Specifications) with 2x Intel(R) 10GbE Network Adapters.

Quote from: CruseOPNsense on November 11, 2022, 05:48:31 PM
As for my motherboard, it's an ASRock Rack D1541D4U-2T8R (https://www.asrockrack.com/general/productdetail.asp?Model=D1541D4U-2T8R#Specifications) with 2x Intel(R) 10GbE Network Adapters.

Wait a second, your PC should be receiving untagged traffic. You can't just statically set the IP and expect it to work with the traffic; the PC is not looking at tagged traffic unless you tell it to look at that.

If you plug your PC into port #4 and you get the VLAN 1 network, then it's not configured properly.

If you want your PC to see the tagged traffic for the other VLAN, you have to tell it to look at it.

Follow this: http://woshub.com/configure-multiple-vlan-on-windows/

Quote from: jlab on November 11, 2022, 06:58:44 PM
Wait a second, your PC should be receiving untagged traffic. You can't just statically set the IP and expect it to work with the traffic; the PC is not looking at tagged traffic unless you tell it to look at that.

jlab, I'm not sure you're following the post correctly; when I'm testing with the switch, I'm trying to grab a 192.168.15.x address from VLAN 15's DHCP server.

I'm currently trying to test pinging the 192.168.15.1 gateway while plugged directly into the OPNsense box's LAN NIC with the client's IP address assigned as 192.168.15.11.

Quote from: jlab on November 11, 2022, 06:58:44 PM
If you plug your PC into port #4 and you get the VLAN 1 network, then it's not configured properly.

If you want your PC to see the tagged traffic for the other VLAN, you have to tell it to look at it.

Follow this: http://woshub.com/configure-multiple-vlan-on-windows/

Above I indicate that when I connect to Port 4 (Untagged VLAN 15 and Excluded VLAN 1), I'm pulling an APIPA address.

Quote from: CruseOPNsense on November 11, 2022, 07:13:49 PM
Quote from: jlab on November 11, 2022, 06:58:44 PM
Wait a second, your PC should be receiving untagged traffic. You can't just statically set the IP and expect it to work with the traffic; the PC is not looking at tagged traffic unless you tell it to look at that.

jlab, I'm not sure you're following the post correctly; when I'm testing with the switch, I'm trying to grab a 192.168.15.x address from VLAN 15's DHCP server.

I'm currently trying to test pinging the 192.168.15.1 gateway while plugged directly into the OPNsense box's LAN NIC with the client's IP address assigned as 192.168.15.11.

Quote from: jlab on November 11, 2022, 06:58:44 PM
If you plug your PC into port #4 and you get the VLAN 1 network, then it's not configured properly.

If you want your PC to see the tagged traffic for the other VLAN, you have to tell it to look at it.

Follow this: http://woshub.com/configure-multiple-vlan-on-windows/

Above I indicate that when I connect to Port 4 (Untagged VLAN 15 and Excluded VLAN 1), I'm pulling an APIPA address.

That's not going to work. If you have your LAN port set up with VLANs and you plug your computer into it, it won't see VLAN 15 unless you tell your PC to look at tagged traffic; if you just plug your PC in, you will get the untagged traffic from the default VLAN 1.

Sent you a PM.
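The tagged-versus-untagged point made in the last few posts, as an added example that is not part of the original thread and not code from OPNsense or ZyXel: the script below builds a DHCPDISCOVER (RFC 2131) inside UDP/IP/Ethernet twice, once untagged and once carrying an 802.1Q tag for VID 15, and then shows what each of the three parties in this thread does with it. A plain NIC (the Windows host plugged straight into the OPNsense LAN port) only accepts the untagged frame; a host with a VLAN 15 sub-interface (the PROSet/woshub setup) also accepts the tagged one; and a switch port that is "untagged" for VLAN 15 strips the tag on egress, so the PC on port 4 is supposed to see a plain frame while the trunk to the firewall must carry the tag. Only the standard library is used; the MAC addresses are made up, and the DHCP and IP headers are built by hand rather than with a packet library.

```python
"""Tagged vs. untagged DHCPDISCOVER frames, as seen on the wire.

Added example for the thread above; not code from the original posts or from
OPNsense/ZyXel. Builds a DHCPDISCOVER inside UDP/IP/Ethernet, untagged and with
an 802.1Q tag for VID 15, then models a plain host, a VLAN-aware host and an
"untagged" access port. MAC addresses are assumptions.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
CLIENT_MAC = bytes.fromhex("3cecefaabb02")      # assumed client NIC
DHCP_MAGIC = bytes.fromhex("63825363")


def dhcp_discover(client_mac, xid=0x3903F326):
    """236-byte BOOTP header + magic cookie + options for a DHCPDISCOVER."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                      xid, 0, 0x8000,          # xid, secs, flags: broadcast bit set
                      bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr yiaddr siaddr giaddr
                      client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = (bytes([53, 1, 1])          # option 53: message type = DISCOVER
            + bytes([55, 3, 1, 3, 6])  # option 55: ask for mask, router, DNS
            + bytes([255]))            # end
    return hdr + DHCP_MAGIC + opts


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def udp_ip(payload, sport=68, dport=67):
    """IPv4 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67 (UDP checksum 0 = omitted)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp


def ethernet(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, the 4-byte 802.1Q tag (TPID 0x8100 + TCI)
    sits between the source MAC and the real EtherType."""
    if vid is None:
        return dst + src + struct.pack("!H", ETH_P_IP) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + payload


def classify(frame):
    """Receiver view: (vid or None if untagged, inner EtherType, is DHCPDISCOVER)."""
    etype, off, vid = struct.unpack("!H", frame[12:14])[0], 14, None
    if etype == ETH_P_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    discover = False
    if etype == ETH_P_IP:
        ip = frame[off:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == 17:                                   # UDP
            udp = ip[ihl:]
            sport, dport = struct.unpack("!HH", udp[:4])
            bootp = udp[8:]                               # options follow 236 + 4 bytes
            discover = (sport, dport) == (68, 67) and bootp[240:243] == bytes([53, 1, 1])
    return vid, etype, discover


def host_accepts(frame, host_vids=(None,)):
    """A plain NIC accepts only untagged frames (host_vids == (None,)); a host
    with a VLAN 15 sub-interface also accepts frames tagged 15."""
    return classify(frame)[0] in host_vids


def access_port_egress(frame, untagged_vid):
    """Switch port 'untagged' for untagged_vid strips the tag on egress so the PC
    gets a plain frame; frames on any other VID never leave that port."""
    if classify(frame)[0] != untagged_vid:
        return None
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    plain = ethernet(BROADCAST_MAC, CLIENT_MAC, udp_ip(dhcp_discover(CLIENT_MAC)))
    tagged = ethernet(BROADCAST_MAC, CLIENT_MAC, udp_ip(dhcp_discover(CLIENT_MAC)), vid=15)
    print("untagged:", classify(plain), "| tagged:", classify(tagged))
    print("plain NIC accepts tagged frame?", host_accepts(tagged))
    print("VLAN-aware host accepts tagged frame?", host_accepts(tagged, (None, 15)))
    print("access port (untagged 15) delivers:", classify(access_port_egress(tagged, 15)))
```

The two frames differ only in the four tag bytes `81 00 00 0f` at offset 12; everything the DHCP server cares about is identical. That is why the statically addressed 192.168.15.11 test on the bare LAN port cannot work: the firewall's VLAN 15 interface only answers frames tagged 15, and a plain NIC never sends them. It is also why a capture on the parent NIC that shows no `vlan 15` frames at all points at the switch: the access port should be turning the PC's untagged DISCOVER into a VID 15 frame on the trunk (PVID 15 on the access port, VLAN 15 tagged on port 48).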