DHCP "Leakage" Between VLANs

nfld.republic · April 12, 2020, 6:21pm

I seem to experiencing some DHCP “leakage” between VLANs.

I have my switches on the 10.100.200.x/24 network (VLAN 200).

There are three “user” VLANs:

VLAN 25 - Trusted wired devices using the 192.168.25.0/24 network
VLAN 30 - Trusted WiFi devies using the 192.168.30.0/24 network
VLAN 100 - Untrusted wired and WiFi devices on the 192.168.100.0/24 network

There is one server VLAN - VLAN 20 using the 192.168.20.0/24 network (not in the diagram below).

pfSense (2.4.5) is providing DHCP and DNS services.

The switches are a UniFi Switch 24 and 2 UniFi Switch 8s. The switches are using firmware 4.0.80.10875.

Trunks between the switches and the pfSense box are configured to “ALL” VLANs.

The user ports on the UniFi Switch 8 are tagged for VLAN 100 (Untrusted) for IoT devices or VLAN 25 for trusted wired devices (except for the uplink/downlink ports).

The problem is that when an IoT device (e.g. Roku, LG smart TV) on the switch in the TV room requests a DHCP address, it is receiving a VLAN 20 address from the 192.168.20.0/24 network (used by the servers) instead of a 192.168.100.0/24 network. It seems that a trusted device (e.g., a laptop) is plugged into a port tagged with VLAN 25 it receives an address on the 192.168.25.0/24 network as expected.

I have verified that switch port VLAN assignments are correct. The DHCP servers on the pfSense box has DHCP running for each of the subnets and there are available IPs for lease. Even statically assigning an IP (in the 192.168.100.0/24 subnet) to a device does not work - it still gets a 192.168.20.0/24 address.

I also rebooted the switches and pfSense firewall to “clear out” any lingering DHCP reservations without luck. (Yes, the IoT devices are using DHCP ).

Any ideas what is going on here?

Thanks

neogrid · April 12, 2020, 6:44pm

Vlans are straight forward to set up, so I would guess you have an error in the configuration.

You should be able to easily test you can get all the IPs assigned from each vLan on your main switch. If that is correct, test your other switches.

I have a similar set up with 4 switches connected via a LAGG trunk to a main switch, never had an issue with getting the correct IP for the vlan.

I don’t have that switch, but from memory my Netgear will assign a default vlan to a port unless it is changed, perhaps this is what you are experiencing.

brwainer · April 12, 2020, 7:02pm

Please share (via screenshot) the config of one of the misbehvaing ports, and if you made a custom switch port profile please share that as well.

To me it sounds like your IoT ports arre set up for untage VLAN20 and tag VLAN100, they should be untag VLAN100 only. In the Unifi controller, untagged is called “Native VLAN”.

nfld.republic · April 12, 2020, 11:53pm

I think I figured it out - it is more on the pfSense VLAN setup side of things than on the Unifi side.

Short-and-long-of-it: I made a WHOLE BUNCH of changes over the last few months as I rearranged things. Over the course of time, the configurations have gotten totally out of wack.

I have to re-architect things. I gotta lot of thinking and work to do. (Why didn’t I follow the processes we follow at work when I do things at home? )

neogrid · April 13, 2020, 8:27am

If you have the ability to instantly forget the change just made, Backup and Restore feature is your friend. Saved me on countless occasions.