DHCP between OPNsense and Ubiquiti (VLANs) not working

Started by Jessfu, July 25, 2018, 08:47:27 AM

Hi.

Some guys in the German forum are looking for help because they do not get a DHCP lease on an untagged port of their UniFi switch (https://forum.opnsense.org/index.php?topic=9227.0).

This is the setup:
                                                                                             <-> UniFi Controller (Port 7)
ISP / WAN <-> Modem / Router <-> OPNSense (18.1.6) <-> UniFi Switch (UniFi Switch 8 POE-60W) <-> UniFi UAP-AC-Lite (Port 6)
                                                                                             <-> Laptop (Port 2 or 3)


Those interfaces are configured at OPNsense:
Interface     Port
------------------------------------------
DEFAULT       re0 (physical port)
DMZ           VLAN 20 on re0 (DMZ)
GUEST         VLAN 40 on re0 (GUEST)
LAN           VLAN 10 on re0 (LAN)
MANAGEMENT    VLAN 50 on re0 (MANAGEMENT)
VOICE         VLAN 30 on re0 (VOICE)
WAN           re1


The VLAN interfaces have static IPs (192.168.X.100). For each VLAN a DHCP range from 192.168.X.1 to 192.168.X.99 is configured.

The uplink port (port 1) of the UniFi switch has profile "All", i.e. it is configured as a trunk or tagged port. Port 2 is configured as VLAN 10 (LAN). If a laptop is plugged into this port 2 it gets no IP. No DHCP lease is provided. This only works for the ports that are configured for the DEFAULT net (VLAN 0). On those ports a lease is provided immediately.

Anyone who has an idea what's wrong here? Many thanks!

Greetings
Joe

G'day,

There is no chance your OPNsense is in a virtual environment is there? e.g. ESXi

I had something similar occur but it was because I had forgotten to set the virtual switch ports appropriately... so no VLAN tags got through. ::)

I'm not too familiar with Unifi. But I noticed you didn't specify a PVID. Have you set a PVID on port 2?

Did you enable the DHCPv4 service for the network interface? Under Services -> DHCPv4 -> NetworkName, and have it enabled with the specified range?

My OPNsense is not running in a virtual environment.

As far as I know it is not necessary/possible to set a PVID via the UniFi web interface. But I enabled the DHCP service and set a specified range. But no IP is provided.

I'll start by saying I have slightly different gear here to use as examples: Unifi Switch 24 and a UAP-AC-Pro. I am currently running firmware 3.9.42.9152 on both. The Unifi Controller is version 5.8.24 and runs in a VM alongside my OPNsense 18.1.12 ... but let's try to nut it out anyway!

My interfaces appear to be set up similar to how you showed yours. IPv4 only, upstream gateway as none. All the vlans are on the same base LAN interface which is untagged.

Quote from: Jessfu on July 25, 2018, 08:47:27 AM
The VLAN interfaces have static IPs (192.168.X.100). For each VLAN a DHCP range from 192.168.X.1 to 192.168.X.99 is configured.
The static IPs, in my case are 172.17.X.1/24 and the DHCP server range is set 172.17.X.100-199 with all other settings on that page blank. I'm guessing your differing X locations may just have been typos?

In the Unifi Controller, I have added Networks as 'VLAN Only' for each vlan, IGMP snooping enabled but the DHCP guarding disabled. In Profiles -> Switch Ports, I have a profile set up for each vlan where the native network for each vlan is simply selected as the associated vlan network (I have not selected any of the other vlans as tagged networks - I did intend playing with this eg. VOIP but never found the need).

On the switch ports, I have simply selected the appropriate port profile created above.

I *think* I may have used this how-to when configuring things - but it was a long time ago and I may have changed a few things! https://nguvu.org/ubiquiti%20unifi/ubiquiti-unifi-setup/

My DHCP log shows the following during a connection:
Jul 27 20:59:24 dhcpd: DHCPACK on 172.17.20.103 to 00:1b:24:9f:xx:05 (nc2400) via em2_vlan20
Jul 27 20:59:24 dhcpd: DHCPREQUEST for 172.17.20.103 (172.17.20.1) from 00:1b:24:9f:xx:05 (nc2400) via em2_vlan20
Jul 27 20:59:24 dhcpd: DHCPOFFER on 172.17.20.103 to 00:1b:24:9f:xx:05 (nc2400) via em2_vlan20
Jul 27 20:59:23 dhcpd: DHCPDISCOVER from 00:1b:24:9f:xx:05 via em2_vlan20

What does your log show?


Hi youngman,

first of all, thank you very much for your help!

I configured everything the same way you did (VLANs (only), profiles), but it won't work.

My log shows the following:


Jul 29 22:27:52 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:52 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:44 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:44 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:40 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:39 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b via re0


The "LiLaLaptop" doesn't get an IP on switch port 2 (VLAN 10), although the firewall has a virtual interface (VLAN 10 on re0) with a DHCP server enabled (range as written above, 192.168.10.1 - 192.168.10.99) configured, and it offers an IP --> but from the wrong range?!

The IP address of the virtual interface (VLAN 10) is 192.168.10.100.

So there is no Request coming from the Laptop and no final ACK?!

For an Access Point, which gets an IP on a Port with "all" VLANs configured (trunk port), the DHCP-Log looks like this:


Jul 29 22:35:47 dhcpd: DHCPACK on 192.168.0.5 to 78:xx:20:50:xx:1c (UniFiAP-AC-LiteGalerie) via re0
Jul 29 22:35:47 dhcpd: DHCPREQUEST for 192.168.0.5 (192.168.0.100) from 78:xx:20:50:xx:1c (UniFiAP-AC-LiteGalerie) via re0
Jul 29 22:35:47 dhcpd: DHCPOFFER on 192.168.0.5 to 78:xx:20:50:xx:1c (UniFiAP-AC-LiteGalerie) via re0
Jul 29 22:35:46 dhcpd: DHCPDISCOVER from 78:xx:20:50:xx:1c (UniFiAP-AC-LiteGalerie) via re0


I double checked the configured DHCPv4 config and the range is correct (192.168.10.X)?! So why does the firewall offer an IP from the DEFAULT VLAN?

Any Idea?

Thanks in advance for your help!

Regards Ric

An additional question.

Did you delete the physical interface (on my APU board it's called "re0") in the "Interface" -> "Assignment" menu? So you only have the VLANs (for example VLAN 10 on re0), or did you leave it?

Regards,
Ric

No probs!

Quote from: RicAtiC on July 29, 2018, 10:44:06 PM
My log shows the following:


Jul 29 22:27:52 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:52 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:44 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:44 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:40 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:39 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b via re0


I double checked the configured DHCPv4 config and the range is correct (192.168.10.X)?! So why does the firewall offer an IP from the DEFAULT VLAN?

Any Idea?
It certainly looks like your VLAN tag is being dropped - hence OPNsense offering an IP from your untagged 192.168.0.X network. (This was the same symptom as I previously experienced when I neglected to add the relevant ports to the vswitches within my ESXi install). Is there any way to check whether your tags are getting through at all? Perhaps a manual setup on one of the laptops to confirm it can access only via that set vlan?

Quote from: RicAtiC on July 29, 2018, 10:58:31 PM
Did you delete the physical interface (on my APU board it's called "re0") in the "Interface" -> "Assignment" menu? So you only have the VLANs (for example VLAN 10 on re0), or did you leave it?
I have left the untagged interface and in fact have a number of machines connected to it - one of which is my AP similar to how yours seems to act.

Are you running all the latest unifi firmware & controller software? I'm assuming you've checked that first?
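The diagnosis above rests on reading the dhcpd log: a VLAN 10 client that is answered "via re0" with a 192.168.0.X address instead of via the VLAN 10 interface, and whose OFFERs are never followed by a REQUEST/ACK, is a client whose 802.1Q tag was lost somewhere. The following script (an added example, not code from the thread or from OPNsense) automates that check over constructed lines modelled on the ones posted; the MAC-to-interface expectations and the interface name `re0_vlan10` are assumptions from the setup described above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the dhcpd lines posted in this thread (MACs anonymised as there).
SAMPLE_LOG = """\
Jul 29 22:27:52 dhcpd: DHCPOFFER on 192.168.0.6 to 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:27:52 dhcpd: DHCPDISCOVER from 34:xx:a9:7f:xx:8b (LiLaLaptop) via re0
Jul 29 22:35:47 dhcpd: DHCPACK on 192.168.0.5 to 78:xx:20:50:xx:1c (UniFiAP) via re0
Jul 29 22:35:47 dhcpd: DHCPREQUEST for 192.168.0.5 (192.168.0.100) from 78:xx:20:50:xx:1c (UniFiAP) via re0
Jul 29 22:35:47 dhcpd: DHCPOFFER on 192.168.0.5 to 78:xx:20:50:xx:1c (UniFiAP) via re0
Jul 29 22:35:46 dhcpd: DHCPDISCOVER from 78:xx:20:50:xx:1c (UniFiAP) via re0
"""

# Assumed from the thread's setup: the laptop on switch port 2 (VLAN 10) should be served via the
# VLAN 10 interface and subnet; the AP on the trunk port lives on the untagged DEFAULT net.
EXPECTED = {
    "34:xx:a9:7f:xx:8b": ("re0_vlan10", "192.168.10.0/24"),
    "78:xx:20:50:xx:1c": ("re0", "192.168.0.0/24"),
}

# Matches DISCOVER/OFFER/REQUEST/ACK lines as ISC dhcpd writes them; the hostname is optional.
LINE_RE = re.compile(
    r"dhcpd: (?P<type>DHCP\w+)(?: (?:on|for) (?P<ip>[\d.]+)(?: \([\d.]+\))?)?"
    r" (?:from|to) (?P<mac>[0-9a-fx:]+)(?: \([^)]*\))? via (?P<iface>\S+)"
)

def parse(log):
    # One dict per recognised line: type, ip (None for DISCOVER), mac, iface.
    return [m.groupdict() for m in map(LINE_RE.search, log.splitlines()) if m]

def analyse(log, expected=EXPECTED):
    """Map each client MAC to a de-duplicated list of findings about its lease exchange."""
    findings, seen = defaultdict(list), defaultdict(set)
    def note(mac, msg):
        if msg not in findings[mac]:
            findings[mac].append(msg)
    for ev in parse(log):
        mac, iface = ev["mac"], ev["iface"]
        seen[mac].add(ev["type"])
        if mac not in expected:
            continue
        want_iface, want_net = expected[mac]
        if iface != want_iface:  # the thread's symptom: VLAN 10 client answered on the parent interface
            note(mac, f"seen via {iface}, expected {want_iface}: 802.1Q tag lost before OPNsense?")
        if ev["ip"] and ipaddress.ip_address(ev["ip"]) not in ipaddress.ip_network(want_net):
            note(mac, f"{ev['type']} {ev['ip']} is outside the expected {want_net}")
    for mac, types in seen.items():
        if "DHCPOFFER" in types and "DHCPREQUEST" not in types:
            note(mac, "OFFER never followed by REQUEST/ACK: the client is not accepting the offer")
    return dict(findings)
```

Run against a real dhcpd log, only the laptop's MAC should produce findings; the AP, which completes DISCOVER/OFFER/REQUEST/ACK on the interface it is expected on, produces none.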

Hey youngman,

firmware and controller software is up to date, yes. Was one of my first "fixes" :)

A question, have you done something additional with the VLANs on the Firewall?! I created them, assigned them to Port "re0" and created the DHCPv4 servers/ranges. No further config needed, right? Like an additional explicit "tagging" on Port "re0" (in my case)...

Regards
Ric

I do have a full set of firewall rules set up for each of the vlans, but I don't think this would enable the dhcp serving appropriately.

I honestly do not remember requiring any other settings. My untagged emulated ESXi lan network is exactly that; untagged... but yours is bare metal. It may act differently due to brand/drivers/configuration.

Check this howto out: https://nguvu.org/pfsense/pfsense-baseline-setup/ it includes an interesting tidbit under the "Setup VLAN Interfaces" heading (pfsense but I'd assume OPNsense may act the same with these 'inconsistent' NICs):
Quote: We need to identify a parent interface before we start configuring VLANs, the parent interface refers to the physical interface where the VLANs will reside, e.g igb3 or ix0. Due to inconsistent behaviour with some NICs, you should not assign your parent interface to any interface in pfSense. Its sole function is to act as the parent interface to the VLANs we create.

Might be worth a shot... but means you won't have an untagged interface at all.

The issue for me was apparently caused by the Intrusion Detection system.
Disabling Intrusion Detection meant that DHCP on the VLAN interface would work. Enabling it and it wouldn't work.

Not wanting to the leave the Intrusion Detection system disabled, I then discovered that disabling VLAN hardware filtering on the Interface settings also meant that DHCP on the VLAN interface would work even with the Intrusion Detection Enabled.

So the solution is: Interfaces -> Settings -> disable hardware checksum offload, disable hardware TCP segmentation offload (TSO), disable hardware large receive offload (LRO) and, lastly but most importantly, disable VLAN hardware filtering.