DHCP not working on whole network when enabled on VLAN with Unifi

I’ve run into an interesting issue I can’t seem to figure out:

Background info:
I have recently moved into a house I have been renovating for about a year. During that year I picked up 1 Switch Pro 24 and 2 U6 Lite APs, I attached everything to an older router I had, and the ISP connected to that. Once I moved in, I moved my pfsense machine from my old house, and reconfigured a few things to match the gear I had already set up, and a new IP scheme I was going to be using. Not too many changes overall.

I previously had 3 VLANs (main network, office network, and a “no internet” VLAN for cameras) setup and working well over a LAGG on the pfsense machine into an older Netgear switch (one of their prosumer/low grade enterprise ones), this worked flawlessly for over 2 years. I now no longer require a LAGG and just want to use VLANs over 1 physical interface (later there will be 2, but they will be connected to different switches).

The issue:
I am unable to enable the DHCP service on the VLAN interface (VLAN10 for GuestNetwork) without making new connections on both the main network (default VLAN) AND the GuestNetwork via wired and wireless impossible.

The hardware setup:
pfsense 2.6.0 running on baremetal 1U supermicro server (1Xeon)

  • 4 total interfaces, 2 copper, 2 SFP+
  • Raspberry Pi running Unifi network application (port 1 on switch)
  • 1x USW Pro 24 Switch
  • 2x UAP 6 Lite

Physical Connections:
ISP → WAN_BC (em0) interface (static IP)
em1 - currently down (will be another WAN connection, dhcp)
ix0 - currently down (waiting for new switch)
ix1 - connects directly to USW Pro 24 switch (port 25)

I have the GuestNetwork on VLAN 10 on pfsense and the parent interface set to ix1
I have set up the firewall rules to allow all traffic (IPv4, IPv6 and IPv4+IPv6 all any/any)
I have set up the VLAN with a different subnet (10.10.10.1/24) than my main network (10.10.100.1/24)
I have all ports on the USW Pro 24 set to ALL
I have set the network on Unifi to VLAN Only and the ID is 10 (same as pfsense)
I have set both wifi SSIDs to use their own respective networks (main network and guest network)

I’m sorry there’s probably FAR too much in this post, but I’m really scratching my head here. Any help would be greatly appreciated. Please let me know what other info you may need and I’ll be happy to oblige. I’ve done some fairly exhaustive googling and not a whole lot has come up that I haven’t tried. I did also reboot the pfsense box… no change. Same with the rest of the gear.

Can you post screenshots of your config as shown in:

  • Interfaces / VLANs - [Vlan 10 interface]
  • Interfaces / Interface Assignments - [The interface created that is using your VLAN]
  • Services / DHCP Server - [Tab named after your interface assignment]

It’s unclear what you mean when you say that you’re “unable to enable the DHCP service”. I’m guessing that you may mean that the interface doesn’t show up in the DHCP server. If so, my first guess is that when you defined the interface assignment and set the static IP address, you set it as a /32. If so, it would not show up as an interface you can run the DHCP server on.

For what it’s worth, I have pfSense connected to multiple Netgear switches over LAGG connections. What I have found is that, changing ports to different vlans post initial configuration is very temperamental. Many times I’ve needed to reset the secondary switch and reconfigure the switch. The LAGG is probably preventing the configuration, and / or I am not following the precise steps required.

It sounds like the LAGG config hasn’t been completely wiped. Flip a coin, try and troubleshoot, or rebuild pfSense then each switch.

@DroppedConnection, I’ll be posting all of the images right after this post. For a little more clarification, and as you see in the last picture, the DHCP service is indeed available, however if I turn it on, any new connections to the network (both the VLAN and the main network) will not work, and after a little while (say about 5 to 10 minutes or so) the unifi equipment no longer is reachable, and starts reverting to its default ip range (192.168.1.20). The quickest way I can fix the issue, is to remove the IP address from the VLAN interface using the console on the pfsense router.

@neogrid I appreciate the reply, I will not be using the netgear switches I had at the previous house in the same way and they are not currently in the configuration (I’m not sure I will use more than one of them). I would agree though it’s easier to reset when moving the LAGG ports or VLAN ports around on them.

Also for the Unifi side of things, below is the Guest network config.

And here is the Wireless network config for that Guest network:

I haven’t played with any of the advanced settings, I figured once it was working I would do that part.

I’m no pro but if I was you, at this point, I’d pull out Wireshark and start scanning for DHCP packets to see what’s actually being sent over both your main and guest VLANs.

I see the DHCP range for the guest network is only 30 addresses but I wouldn’t normally expect a home user’s guest network to burn through 30 addresses so quickly. Although having new devices fail to obtain an IP address often is the first symptom of the DHCP running out of available leases to give out.

Is that 192.168.1.20 subnet that the access points move to the subnet of your main network? Is there a third DHCP server running in your house somewhere on an ISP combo unit or another old router?

I found this video on YouTube that at first glance appears to give you a good rundown on what to look for using Wireshark. Give that a try and see if you can find a rogue DHCP server on your network.

The DHCP range for the Guest network is only 30 addresses, and according to pfsense, none of them are being obtained. The main network is able to give out a lot more (101) and is configured as below:

The 192.168.1.20 address is the default for Unifi gear from what I understand, and there are no DHCP ranges that would hand out a 192.x.x.x in the house (there are no other devices capable of DHCP connected other than the router). The ISP modem/router/gateway mess is a static IP, and is bridged, so that device is all set as well.

I need to run a series of cables to a room and I’ll be doing some more experimenting once I have a consistent cabled connection versus only plugging in if needed.

Good to know about the 192.168.1.20. I’ve set up a fair number of these access points but didn’t realize they’d set their own IP to that if they didn’t find a DHCP server.

Checking my AP I see that the default lease time that my unit is getting is 2 hours as expected per the default pfsense DHCP settings.

Are your device disconnects happening at that 2 hour mark as well?

Since the behaviour is strange as it is affecting your main DHCP when you change settings on your guest DHCP, I wonder if there’s a hardware issue. What’s the model of the NIC in your server? Might be worth looking into if there’s any known issues with that NIC and FreeBSD. If I wanted to dig in more I’d port mirror the port on the switch that the firewall is connected to and run wireguard to see what packets are actually being sent to the firewall.

Does anything useful show up in your DHCP logs on pfsense?

Another interesting test would be to take out the switch in question and directly connect an AP to the LAN port of your firewall and see if it still runs into your issues.

@DroppedConnection Thanks again for getting back!
I’ll have to do some digging tomorrow morning to see what I can find in the logs when I enable DHCP.

As for the logs on the AP, yep, mine get the same 7200 second lease as yours.

Regarding the model of the NIC for the LAN connection, it’s an AOC-STGN-I2S (Intel 82599 based) and I have a Finstar (FS?) 10G LCLC fiber SFP+ module installed. 1 port is for the connection to the switch in the house, and the other port is currently down, as I am waiting to order an AGG switch for my rack. I did do some checks regarding compatibility as I know FreeBSD is a bit picky… though to be fair, I will have to do some digging on this one specifically for the VLANs.

I’m not sure if I will be able to mirror the port… just based on the speed… but I will try… I can see if I can force the negotiation down to 1G as well, just for this test, or I can mirror an AP port as well.

Sadly I can’t do a direct connection to an AP as I don’t have an RJ45 SFP to plug into the card, though I may grab one if I have to wait much longer to order the other switch.

So I will reply back with the following:

  1. if anything is going on in the dhcp logs when I turn on the server on the VLAN.
  2. if I can get the port mirroring to work when forcing the connection to 1G, or possibly just mirroring a port that one of the APs is connected to.

I haven’t yet had the time to mirror the port. But this is the extract from the logs…

Oct 21 12:51:52 	dhcpd 	38631 	Internet Systems Consortium DHCP Server 4.4.2-P1
Oct 21 12:51:52 	dhcpd 	38631 	Copyright 2004-2021 Internet Systems Consortium.
Oct 21 12:51:52 	dhcpd 	38631 	All rights reserved.
Oct 21 12:51:52 	dhcpd 	38631 	For info, please visit https://www.isc.org/software/dhcp/
Oct 21 12:51:52 	dhcpd 	38631 	Config file: /etc/dhcpd.conf
Oct 21 12:51:52 	dhcpd 	38631 	Database file: /var/db/dhcpd.leases
Oct 21 12:51:52 	dhcpd 	38631 	Internet Systems Consortium DHCP Server 4.4.2-P1
Oct 21 12:51:52 	dhcpd 	38631 	PID file: /var/run/dhcpd.pid
Oct 21 12:51:52 	dhcpd 	38631 	Copyright 2004-2021 Internet Systems Consortium.
Oct 21 12:51:52 	dhcpd 	38631 	All rights reserved.
Oct 21 12:51:52 	dhcpd 	38631 	For info, please visit https://www.isc.org/software/dhcp/
Oct 21 12:51:52 	dhcpd 	38631 	Wrote 0 class decls to leases file.
Oct 21 12:51:52 	dhcpd 	38631 	Wrote 0 deleted host decls to leases file.
Oct 21 12:51:52 	dhcpd 	38631 	Wrote 0 new dynamic host decls to leases file.
Oct 21 12:51:52 	dhcpd 	38631 	Wrote 16 leases to leases file.
Oct 21 12:51:52 	dhcpd 	38631 	Interface ix1 matches multiple shared networks
Oct 21 12:51:52 	dhcpd 	38631 	If you think you have received this message due to a bug rather
Oct 21 12:51:52 	dhcpd 	38631 	than a configuration issue please read the section on submitting
Oct 21 12:51:52 	dhcpd 	38631 	bugs on either our web page at www.isc.org or in the README file
Oct 21 12:51:52 	dhcpd 	38631 	before submitting a bug. These pages explain the proper
Oct 21 12:51:52 	dhcpd 	38631 	process and the information we find helpful for debugging.
Oct 21 12:51:52 	dhcpd 	38631 	exiting.
Oct 21 12:51:52 	dhcpleases 	98218 	Sending HUP signal to dns daemon(31790)
Oct 21 12:51:52 	dhcpleases 	98218 	Sending HUP signal to dns daemon(31790)
Oct 21 12:52:17 	dhcp6c 	75464 	Sending Solicit
Oct 21 12:52:17 	dhcp6c 	75464 	advertise contains NoAddrsAvail status
Oct 21 12:53:25 	dhcpleases 	31514 	Sending HUP signal to dns daemon(31790)
Oct 21 12:53:25 	dhcpleases 	31514 	Could not deliver signal HUP to process 31790: No such process.
Oct 21 12:53:26 	dhcpd 	69862 	Internet Systems Consortium DHCP Server 4.4.2-P1
Oct 21 12:53:26 	dhcpd 	69862 	Copyright 2004-2021 Internet Systems Consortium.
Oct 21 12:53:26 	dhcpd 	69862 	All rights reserved.
Oct 21 12:53:26 	dhcpd 	69862 	For info, please visit https://www.isc.org/software/dhcp/
Oct 21 12:53:26 	dhcpd 	69862 	Config file: /etc/dhcpd.conf
Oct 21 12:53:26 	dhcpd 	69862 	Database file: /var/db/dhcpd.leases
Oct 21 12:53:26 	dhcpd 	69862 	Internet Systems Consortium DHCP Server 4.4.2-P1
Oct 21 12:53:26 	dhcpd 	69862 	PID file: /var/run/dhcpd.pid
Oct 21 12:53:26 	dhcpd 	69862 	Copyright 2004-2021 Internet Systems Consortium.
Oct 21 12:53:26 	dhcpd 	69862 	All rights reserved.
Oct 21 12:53:26 	dhcpd 	69862 	For info, please visit https://www.isc.org/software/dhcp/
Oct 21 12:53:26 	dhcpd 	69862 	Wrote 0 class decls to leases file.
Oct 21 12:53:26 	dhcpd 	69862 	Wrote 0 deleted host decls to leases file.
Oct 21 12:53:26 	dhcpd 	69862 	Wrote 0 new dynamic host decls to leases file.
Oct 21 12:53:26 	dhcpd 	69862 	Wrote 16 leases to leases file.
Oct 21 12:53:26 	dhcpd 	69862 	Listening on BPF/ix1/0c:c4:7a:1e:41:57/10.10.100.0/24
Oct 21 12:53:26 	dhcpd 	69862 	Sending on BPF/ix1/0c:c4:7a:1e:41:57/10.10.100.0/24
Oct 21 12:53:26 	dhcpd 	69862 	Sending on Socket/fallback/fallback-net
Oct 21 12:53:26 	dhcpd 	69862 	Server starting service.
Oct 21 12:53:27 	dhcpleases 	31514 	Sending HUP signal to dns daemon(62891)
Oct 21 12:53:27 	dhcpleases 	31514 	Sending HUP signal to dns daemon(62891) 

I’m looking at this preliminarily… and it looks like something may be up with DNS? Am I reading that right?
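One way to read an extract like the one above mechanically, as an added example and not code from the thread: it parses the pfSense DHCP log layout shown (timestamp, process, pid, message), groups the dhcpd messages per process id, and reports whether each dhcpd start attempt bound to an interface/subnet or exited on the "matches multiple shared networks" error. The sample lines are constructed after the post's extract.

```python
import re

# Constructed sample in the layout of the pfSense DHCP log extract above
# (timestamp, process, pid, message; tab separated). Not a real capture.
SAMPLE_LOG = """\
Oct 21 12:51:52 \tdhcpd \t38631 \tConfig file: /etc/dhcpd.conf
Oct 21 12:51:52 \tdhcpd \t38631 \tInterface ix1 matches multiple shared networks
Oct 21 12:51:52 \tdhcpd \t38631 \texiting.
Oct 21 12:53:26 \tdhcpd \t69862 \tListening on BPF/ix1/0c:c4:7a:1e:41:57/10.10.100.0/24
Oct 21 12:53:26 \tdhcpd \t69862 \tServer starting service.
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+)\s+(\S+)\s+(\d+)\s+(.*)$")
MULTI_RE = re.compile(r"^Interface (\S+) matches multiple shared networks")
LISTEN_RE = re.compile(r"^Listening on BPF/([^/]+)/[^/]+/(\S+)")

def parse_dhcpd_log(text):
    """Return {pid: state} for every dhcpd process seen in the log; state holds
    'failed' (ifaces hit by the multiple-shared-networks error), 'listening'
    ({iface: subnet}), 'exited' and 'started'."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m or m.group(2) != "dhcpd":
            continue  # dhcpleases / dhcp6c lines are not dhcpd's own state
        pid, msg = int(m.group(3)), m.group(4).strip()
        run = runs.setdefault(pid, {"failed": [], "listening": {},
                                    "exited": False, "started": False})
        if mm := MULTI_RE.match(msg):
            run["failed"].append(mm.group(1))  # more than one subnet declared on this iface
        elif lm := LISTEN_RE.match(msg):
            run["listening"][lm.group(1)] = lm.group(2)  # subnet dhcpd actually serves
        elif msg == "exiting.":
            run["exited"] = True
        elif msg == "Server starting service.":
            run["started"] = True
    return runs

def summarize(runs):
    """One human-readable verdict per dhcpd start attempt, lowest pid first."""
    out = []
    for pid, r in sorted(runs.items()):
        if r["exited"] and r["failed"]:
            out.append(f"pid {pid}: dhcpd exited, interface(s) {', '.join(r['failed'])} "
                       f"matched more than one subnet declaration")
        elif r["started"]:
            bound = ", ".join(f"{i}={n}" for i, n in r["listening"].items())
            out.append(f"pid {pid}: dhcpd started, serving {bound}")
    return out
```

Run `summarize(parse_dhcpd_log(SAMPLE_LOG))` against a pasted extract to see at a glance which start attempt died and which one came up, and on which subnet.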

… I think I figured it out… I will report back here shortly, I have a little configuration changing to do, but I believe it to be a conflict with pfblockerng.

Confirmed!
The issue has been resolved!

What got me on the line of thinking was that I don’t think what I was seeing in the DHCP log was correctly being identified as a DNS issue (per se)… but something else… and that train of thought led me down what turned out to be the correct path.

pfBlockerNG’s default address is 10.10.10.1… which just so happens to be the start of the range I picked out of a hat for my guest network, which clearly conflicted… and I’m not sure why it took out the entirety of the main network as well… but that’s less of a concern. The fix I performed was simple: use a different range for the guest network.

Saved, and checked, no further issues. The GuestNet interface now has a 192.168.10.1 range.


Hah! That’s useful information. My main network runs on 10.10.10.1/24. I’ve yet to enable pfblockerNG at home but I’m likely to at some point. I would have run into this myself in the future. Thanks for troubleshooting for my future self.

Quite Welcome! Yeah I now have a bit of ip work to do, but that’s quite alright as I’m still in a flexible state of my plan :slight_smile:
Glad to help the future you!