Perplexing DHCP Problem With Android

I have been beating my head on a problem that I encountered while moving things from one subnet / VLAN to another.

I have six VLANs set up on my network:

VLAN 1 192.168.1.0/24 Not generally used

VLAN 5 192.168.5.0/24 Guest

VLAN 10 192.168.10.0/24 TV stuff

VLAN 15 192.168.15.0/24 Experimental

VLAN 100 192.168.100.0/24 General

VLAN 1101 192.168.200.0/24 Admin

The 5, 10, 15, and 100 VLANs are set up with separate SSIDs on my wireless access point as well as several wired connections to computers and things around the house.

The network is

pfSense router ← Trunk 1,5,10,15,100,1101 → Zyxel GS1900-24 switch ← Trunk 1,5,10,15,100,1101 → TP-Link EAP245 access point.

The problem I am having is trying to connect my Pixel 5a and Fire tablet to VLAN 10. They are failing to get an IP address. I can connect to that wireless network with my laptop and it works fine. I can connect the phone and tablet to the network by using a static IP. The phone and tablet both connect to VLAN 5 or VLAN 15 flawlessly.

I have compared the setup on the DHCP servers for each of the VLANs, looked at the setup of the trunked links to both the router and access point with no success.

I also set up a second access point and added the offending VLAN and one of the usable ones with the same result.

Does anyone here have any ideas on what other steps I can take short of rebuilding the pfSense configuration or switch config from scratch?

This is what shows up in the DHCP log when a failed connection occurs.

Jan 17 15:07:36 dhcpd 65713 DHCPOFFER on 192.168.100.154 to a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.100
Jan 17 15:07:36 dhcpd 65713 DHCPDISCOVER from a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.100
Jan 17 15:07:36 dhcpd 65713 DHCPOFFER on 192.168.10.113 to a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.10
Jan 17 15:07:36 dhcpd 65713 DHCPDISCOVER from a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.10

Sorry if this post is too long but I wanted to include the pertinent info and let everyone know what steps have been taken.
Thanks for your help
Ken
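
Added example, not part of the original thread or written by any of its participants: a small Python check that reads dhcpd log lines like the ones posted above and flags any client whose DISCOVER arrived on more than one VLAN interface, or whose OFFER never drew a REQUEST or ACK. The first four sample lines are the ones from the post, listed oldest first; the laptop lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines come from the post; the laptop lines are constructed.
SAMPLE_LOG = """\
Jan 17 15:07:36 dhcpd 65713 DHCPDISCOVER from a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.10
Jan 17 15:07:36 dhcpd 65713 DHCPOFFER on 192.168.10.113 to a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.10
Jan 17 15:07:36 dhcpd 65713 DHCPDISCOVER from a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.100
Jan 17 15:07:36 dhcpd 65713 DHCPOFFER on 192.168.100.154 to a2:7e:0c:cb:6e:4c (Pixel-5a) via lagg0.100
Jan 17 15:09:02 dhcpd 65713 DHCPDISCOVER from 3c:22:fb:00:00:01 (laptop) via lagg0.10
Jan 17 15:09:02 dhcpd 65713 DHCPOFFER on 192.168.10.50 to 3c:22:fb:00:00:01 (laptop) via lagg0.10
Jan 17 15:09:02 dhcpd 65713 DHCPREQUEST for 192.168.10.50 from 3c:22:fb:00:00:01 (laptop) via lagg0.10
Jan 17 15:09:02 dhcpd 65713 DHCPACK on 192.168.10.50 to 3c:22:fb:00:00:01 (laptop) via lagg0.10
"""

# Message type is matched case-sensitively so the "dhcpd" process name is skipped.
LINE_RE = re.compile(
    r"(DHCP[A-Z]+) .*?((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}).*? via (\S+)"
)

def summarize(log_text):
    """Return {mac: {interface: set of DHCP message types}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            msg, mac, iface = m.groups()
            seen[mac.lower()][iface].add(msg)
    return seen

def findings(log_text):
    """Flag clients seen on several interfaces or with an unanswered OFFER."""
    out = {}
    for mac, by_iface in summarize(log_text).items():
        flags = []
        if len(by_iface) > 1:
            flags.append("multi-interface:" + ",".join(sorted(by_iface)))
        for iface, msgs in sorted(by_iface.items()):
            if "DHCPOFFER" in msgs and not msgs & {"DHCPREQUEST", "DHCPACK"}:
                flags.append("offer-unanswered:" + iface)
        if flags:
            out[mac] = flags
    return out

if __name__ == "__main__":
    for mac, flags in findings(SAMPLE_LOG).items():
        print(mac, flags)
```

A client that completes the handshake on a single interface, like the constructed laptop entry, produces no findings.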

Make sure you have the proper allow rules in pfSense so that the device can get a DHCP address.

I tried that already. I think it may be a quirk in the DHCP implementation on the phone / tablet. I have also had problems changing networks or IP addresses on pfSense due to some kind of address to MAC address cache. So perhaps that is it.
Probably one of those problems that you can’t figure out until you do, then you slap your forehead because it is so simple.

Here is an update. So far I’ve tried moving from a LAG connection to a single port from pfSense to the switch, and placing a different switch from a different mfg between pfSense and the main switch and feeding the WAP from that.
I mirrored the port to the WAP and sniffed it with Wireshark, which showed that the router was sending a DHCP offer to the phone and it was not being acknowledged. One curious thing is that the router sends responses on both the expected VLAN and the PVID VLAN when replying to the DHCP request… Full disclosure: this is the first time I tried Wireshark.
Things work fine on a different SSID with a different VLAN and when I assign a static IP.
I have decided to assign static IPs to any device that fails to accept a DHCP offer until I get around to tearing the whole network down and starting over.

Final update.

Everything seems back to normal. My best guess at the cause was changing IP ranges and the phone asking for an old address that was no longer in the range. I also got dinged by pfSense logging new entries at the bottom of the list. I will know better next time.