Help me make my first VLAN with DHCP (it's not working)

Started by jesterace, September 24, 2024, 12:58:24 PM

Hello,
I decided to venture into trying this great piece of software and so far I am enjoying learning how it works. I only have basic network knowledge but I am doing research and learning however I can.

I have Opnsense set up on a mini PC with one eth port (called WAN) going to a modem using PPPoE and the other port (called LAN) going to the rest of my network. DHCP on and everything works fine as a basic replacement for my Netgear broadband router.

Next I wanted to learn to make a VLAN to start putting my CCTV onto a separate subnet.

My Opnsense router LAN port currently goes into a managed switch on port 8 and I set up a computer to be connected on port 2 to see if I can get DHCP to work and place this computer on a new VLAN/subnet.

A VLAN number 9 was made on the switch and set as tagged for port 8 and untagged for port 2. I believe this means that traffic going to and from the computer on port 2 will be tagged by the switch automatically (labelling it as VLAN 9) but port 8 will allow traffic to be tagged as-is and pass through. If I'm wrong please correct me I'm learning.

Next I setup a VLAN in Opnsense, gave it the parent interface of the LAN port which goes to the switch port 8 and assigned it as VLAN 9.

A new interface was created, enabled and set with a static IP of 192.168.9.1. I then enabled the DHCP server in Services for the new VLAN interface allowing it to give out IPs in the range of 192.168.9.2 to 192.168.9.254.

After saving and trying to get a DHCP address on the connected computer, it just kept trying and then gives up with an auto generated address. Even if I set a static IP of 192.168.9.2 on the computer, I can't ping it from Opnsense.

I read that the firewall needs to be altered. So I created a rule to allow traffic on the VLAN 9 interface anywhere (just left the default options it selected). This didn't help.


It's 99% possible I'm doing something wrong. I would really appreciate some advice where I may have slipped up or not understanding. Thanks.

James.

You should not mix tagged and untagged on the same port. It might work, but then, it might not.

Did you also set the PVID (if necessary) on port 2? Many switches can configure the vlans that are output as untagged on a port, and the vlan id that is set on incoming untagged packets (the pvid) independently.

Then, of course, you need to do the L3 stuff on that port, like IP addresses and firewall rules.

I didn't set a PVID on port 2. Won't this lock the port to only accepting packets from a specific VLAN? Port 2 is going to the Opnsense LAN port which would be carrying mixed packets, I guess this is what you might call a trunk from what I've read (the ability to carry multiple VLANs over one cable?). I've only set a PVID on port 8 since this is absolutely going to be going to a device that should be on VLAN 9.

PVID for a port is the VLAN ID that untagged inbound frames will be associated with. You probably need to set it to VLAN 9 on switch port 2, unless your switch does it transparently or something.

Failing that, my next step would be to get a shell on the firewall and run something like `tcpdump -nnei igc0 'vlan and (port 67 or port 68)'` then try a DHCP client on port 2 - if VLANs are set up properly, you should see DHCP traffic on VLAN 9.
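As an added illustration of the capture step suggested above (this is not code from the thread or from OPNsense), the script below classifies DHCP lines from `tcpdump -e` style output by VLAN and turns the counts into a triage verdict. The sample lines are constructed and the output format is approximated from tcpdump's link-level (`-e`) printing; the interface name, MAC addresses and VLAN 9 are assumptions matching the thread. It also assumes the capture filter admits untagged frames (the `vlan` keyword in the quoted filter only matches tagged ones), so that a request arriving without a tag is visible and can point at the switch rather than the firewall.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed sample lines, approximating tcpdump -nne output for DHCP on a VLAN-aware interface.
# Not captured from the thread's firewall.
SAMPLE_LINES = [
    "13:02:11.104512 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: "
    "vlan 9, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: "
    "BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300",
    "13:02:11.105877 00:e0:4c:00:00:08 > 52:54:00:aa:bb:01, ethertype 802.1Q (0x8100), length 342: "
    "vlan 9, p 0, ethertype IPv4 (0x0800), 192.168.9.1.67 > 192.168.9.2.68: "
    "BOOTP/DHCP, Reply, length 300",
    # an untagged request: would show up only if the capture filter does not require 'vlan'
    "13:02:15.221034 52:54:00:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: "
    "0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:02, length 300",
]

VLAN_RE = re.compile(r"\bvlan (\d+),")                 # 802.1Q tag printed by tcpdump -e
DHCP_RE = re.compile(r"BOOTP/DHCP, (Request|Reply)")   # client -> server or server -> client


def classify(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count DHCP requests and replies per VLAN; 'untagged' when no 802.1Q header is printed."""
    counts = {"Request": Counter(), "Reply": Counter()}
    for line in lines:
        kind = DHCP_RE.search(line)
        if not kind:
            continue                                    # not a DHCP line, ignore
        tag = VLAN_RE.search(line)
        key = tag.group(1) if tag else "untagged"
        counts[kind.group(1)][key] += 1
    return counts


def verdict(counts: Dict[str, Counter], expected_vlan: str = "9") -> str:
    """Map the counts onto the three failure modes discussed in the thread."""
    req, rep = counts["Request"], counts["Reply"]
    if req[expected_vlan] == 0 and req["untagged"] > 0:
        return "UNTAGGED_REQUESTS"      # client frames reach the firewall without the tag: switch side (PVID / untagged membership)
    if req[expected_vlan] == 0:
        return "NO_TAGGED_REQUESTS"     # nothing arrives on that VLAN at all: trunk port or cabling
    if rep[expected_vlan] == 0:
        return "NO_REPLIES"             # requests seen, no offers: DHCP server / firewall rules on the VLAN interface
    return "OK"                         # both directions present on the expected VLAN


if __name__ == "__main__":
    counts = classify(SAMPLE_LINES)
    for kind, per_vlan in counts.items():
        print(kind, dict(per_vlan))
    print("verdict:", verdict(counts))
```

Pipe a real capture in with `tcpdump -nnel ... | python3 dhcp_vlan_triage.py` after replacing `SAMPLE_LINES` with `sys.stdin`; the verdict names are deliberately short codes so the script can be reused in a loop while the switch configuration is being changed.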

Quote from: jesterace on September 24, 2024, 01:35:28 PM
I didn't set a PVID on port 2. Won't this lock the port to only accepting packets from a specific VLAN? Port 2 is going to the Opnsense LAN port which would be carrying mixed packets, I guess this is what you might call a trunk from what I've read (the ability to carry multiple VLANs over one cable?). I've only set a PVID on port 8 since this is absolutely going to be going to a device that should be on VLAN 9.

You did write above that the client is untagged on port 2 and the opnsense as a trunk on port 8. So, PVID on port 2, no pvid on port 8.
Also, try not to mix tagged and untagged on port 8, it will probably not work.
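To make the PVID advice in this and the earlier replies concrete, here is an added model (not code from the thread or from any switch vendor) of how a simple 802.1Q switch classifies frames: untagged frames arriving on a port are placed in that port's PVID regardless of which VLANs the port is untagged *out* of, and tagged frames are accepted only for VLANs the port is a member of. The port layout copies the thread (port 8 trunk to the OPNsense LAN interface, port 2 to the client); the default PVID of 1, the use of VLAN 1 as the untagged LAN, and the "drop non-member tags" ingress rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_PVID = 1  # assumption: the switch's factory default VLAN


@dataclass
class Port:
    name: str
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs sent out of this port with the tag removed
    pvid: int = DEFAULT_PVID                    # VLAN assigned to untagged frames arriving here

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """Which VLAN does an arriving frame belong to? None means the switch drops it."""
        if tag is None:
            return self.pvid                    # untagged frame: only the PVID decides
        if tag in self.tagged or tag in self.untagged:
            return tag                          # tagged frame: accepted if the port is a member
        return None                             # assumption: ingress filtering drops non-member tags

    def egress_mode(self, vlan: int) -> Optional[str]:
        """How (if at all) a frame in this VLAN leaves the port."""
        if vlan in self.tagged:
            return "tagged"
        if vlan in self.untagged:
            return "untagged"
        return None


def forward(ports: Dict[str, Port], in_port: str,
            tag: Optional[int]) -> Tuple[Optional[int], Dict[str, str]]:
    """Flood one frame through the switch. Returns (VLAN it landed in, {out_port: mode})."""
    vlan = ports[in_port].ingress_vlan(tag)
    if vlan is None:
        return None, {}
    out: Dict[str, str] = {}
    for name, port in ports.items():
        if name == in_port:
            continue
        mode = port.egress_mode(vlan)
        if mode is not None:
            out[name] = mode
    return vlan, out


def build_switch(port2_pvid: int) -> Dict[str, Port]:
    """The thread's layout (constructed): port 8 is the trunk towards the OPNsense LAN interface
    (VLAN 1 untagged, VLAN 9 tagged, PVID left at default), port 2 is the client, untagged in VLAN 9."""
    return {
        "port8": Port("port8", tagged={9}, untagged={1}),
        "port2": Port("port2", untagged={9}, pvid=port2_pvid),
    }


if __name__ == "__main__":
    # Client sends an untagged DHCP Discover into port 2.
    print("PVID left at default:", forward(build_switch(DEFAULT_PVID), "port2", None))
    print("PVID set to 9:       ", forward(build_switch(9), "port2", None))
    # The firewall answers with a frame tagged 9 into port 8; it should leave port 2 untagged.
    print("reply from trunk:    ", forward(build_switch(9), "port8", 9))
```

With the PVID left at its default the client's frame is placed in VLAN 1 and exits port 8 untagged, so it reaches the firewall's plain LAN interface and never the VLAN 9 interface whose DHCP server was configured; with PVID 9 on port 2 it exits port 8 tagged 9 and the reply comes back untagged on port 2, which is the behaviour the thread is after.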

Quote from: bimbar on September 24, 2024, 04:41:08 PM
You did write above that the client is untagged on port 2 and the opnsense as a trunk on port 8. So, PVID on port 2, no pvid on port 8.

Some switches require specifying the PVID for the port *in addition to* specifying that the VLAN be untagged on the port. It's not necessarily obvious, and easy to overlook.

Quote
Also, try not to mix tagged and untagged on port 8, it will probably not work.

I keep hearing this, but there's really no reason for it to not work unless there's something else in the mix (like bridges). There are some caveats, like Windows NIC drivers that blindly strip tags from VLANs that the NIC is not configured to access, but that still doesn't preclude mixing untagged and tagged on the firewall interface, and you'd still have to deal with VLANs for the Windows hosts if you tag everything...

Half of the art of network engineering is to avoid certain things that you know are prone to be problematic. That doesn't mean it can't be made to work, but is it a good idea?