VLAN priority for DHCP not working

[Ilford]

Hello,

I'm running Opnsense 24.7.3_1.

I have a VLAN interface with VLAN priority set to 0. Then my WAN is on that VLAN device.

I need to set VLAN priority to 6 on DHCP packets, but the setting on wan's interface has no effect on DHCP packets, as if the VLAN settings overwrites it.

In the config file "dhclient_wan.conf" there is vlan-pcp 6, but all DHCP packets are still in priority 0.

Is there a known issue about that ? How can I fix this ? 

[bartjsmit]

What provides your WAN connection? Is it a modem that requires VLAN 6?

How can I fix this ? 

If it is, I would configure the OPNsense WAN port on your switch as an access port to VLAN 6 and make the device (modem or otherwise) that requires the traffic to be tagged to be a trunk port on VLAN 6

Bart...

[doktornotor]

I have a VLAN interface with VLAN priority set to 0.

But why when you need prio 6?

@bartjsmit - tag and priority are two different things.

[Ilford]

Yep I'm talking about PCP at the VLAN level (tag is 832). Not even DSCP.

WAN is directly connected to ISP (FTTH), so WAN has a public IP. They require PCP 6 on DHCP (Orange France). Doc I followed is here : https://docs.opnsense.org/manual/how-tos/orange_fr_fttp.html

[doktornotor]

They require PCP 6 on DHCP (Orange France).

Yes, what I meant is - does it work when set directly on the VLAN?

[dseven]

This thread might be an interesting read. There was an issue with this in the 23.1 era, but a fix was introduced, so the configuration you have described should work, IIUC.

I also came across this, which suggests that virtuali[sz]ation was interfering in that case.

How are you observing the PCP on DHCP packets?

[Ilford]

@doktornotor Yeah if I set pcp 6 on the VLAN interface, DHCP works, but ISP limits the bandwidth if I tag everything with pcp 6


@dseven Yep I came across these threads, I don't use virtualization, I run Opnsense on a Sophos SG230 rev2 appliance, optic fiber is plugged to a SFP ONU on the firewall.

I'm observing the PCP by capturing packets on the GUI on the physical interface (not VLAN) and then I open the capture with Wireshark.

[doktornotor]

@doktornotor Yeah if I set pcp 6 on the VLAN interface, DHCP works, but ISP limits the bandwidth if I tag everything with pcp 6

Sheeesh... Well, I'd tag the outgoing DHCP via firewall rules and move on. Good luck.

[Ilford]

I tried but do you know how can I do that ? It needs to be done before VLAN encapsulation so it won't be a rule on the WAN interface I guess. Do I need to assign the physical interface underneath the VLAN to create such a rule ?

[doktornotor]

Just create the rule on the 832 VLAN.

[Ilford]

It never matches :( Maybe the automatic rule "Allow DHCP client on WAN" matches before ?

[doktornotor]

Perhaps post what you have created...

[Ilford]

Perhaps post what you have created...

[meyergru]

It never matches :( Maybe the automatic rule "Allow DHCP client on WAN" matches before ?

I think so. The automatic rule that is activated once you enable DHCP on your WAN will fire first, IFF you create your rule for WAN. You should create it as a floating rule to have your rule applied first.

[doktornotor]

In the first place, I don't understand what's that dhclient vlan-pcp 6 stuff about. The priority is already set in the pf rules, why would you be messing with some cryptic option in dhclient on top of that...

https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L407-L409
https://github.com/opnsense/core/blob/d3a12a6d62e765f0a9f520f67933f0d584eae505/src/etc/inc/filter.lib.inc#L371-L373