VLANs, DHCP, pfSense - Clients cannot get internet access

Pablo

Occasional Visitor
Hi, I've been fighting with this for a couple of days.
I have a pfSense router with a VLAN4 defined on the LAN interface tagged with id "4". That port is connected to port 1 on the router. My goal is to have a wlan on vlan4.

This is how I have configured it:

Code:
robocfg vlan 4 ports "1t 8t"
vconfig add eth0 4
ifconfig vlan4 up

brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 vlan4
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan4 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

Port 1 is tagged because it is also used on VLAN3 (another VLAN defined in pfSense and on the physical LAN interface).


This is the output of "robocfg show"

Code:
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
Port 1:  100FD enabled stp: none vlan: 1 jumbo: off mac: 52:54:00:0a:74:e6
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: a0:f3:c1:f8:6f:b0
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 78:0c:b8:37:58:61
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 8t
   2: vlan2: 0 8t
   3: vlan3: 1t 4t 8t
   4: vlan4: 1t 8t
1045: vlan1045: 0t 3 4t 8u
1046: vlan1046: 0 1 2 3 4 5 7t
1047: vlan1047: 0t 2t 4 5t 7
1099: vlan1099: 0t 4 5t 7t
1100: vlan1100: 2 3 7 8t
1101: vlan1101: 0t 1 3t 7
1102: vlan1102: 0 1 2t 3t 5 7t
1103: vlan1103: 0 1 8t

And this is the output from "brctl show"

Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.c40415238d25       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.022215a50305       no              vlan4
                                                        wl0.1
                                                        wl1.1

With this setup, when I try to connect from a wifi device to the guest SSID (defined on the XWRT gui), I get stuck at the point when it's trying to get the IP address. So, I can pass the authentication point successfully (tried both open and wpa2 with the same results) and it just keeps saying that the AP has no internet access.

pfSense shows that it has assigned the IP to the device, in this case a mobile phone, but the phone does not show the assigned IP, it just shows "some IP" totally different from the one it must be assigned by the DHCP pool on the pfSense box.

On the pfSense box I have VLAN3 working with a DHCP for VLAN3 and also VLAN4 defined the same as VLAN3 (just with different ID tag) and also a DHCP defined for VLAN4 with different ip address ranges (VLAN3 192.168.3.0 and VLAN4 192.168.4.0)

I have also flushed both iptables and ebtables rules so nothing can block the traffic, but it still doesn't work.

Code:
admin@Nighthawk:/jffs/scripts# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination

Chain logdrop (0 references)
target     prot opt source               destination

admin@Nighthawk:/jffs/scripts#
admin@Nighthawk:/jffs/scripts# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
admin@Nighthawk:/jffs/scripts#

Anyone willing to troubleshoot this to help me?

Thanks,
Pablo
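
Added example (not part of the post above and not from the firmware's own tooling): a small shell check that reads "robocfg show" output and confirms the trunk ports are tagged members of the guest VLAN, and that no port is untagged in more than one VLAN, which would let guest and LAN traffic share a port. The function names are hypothetical, the sample input is VLANs 1-4 copied from the output above, and treating "Nu" as untagged is an assumption.

```shell
#!/bin/sh
# Added example: audit the VLAN table printed by "robocfg show" (read on stdin).

# Constructed sample: VLANs 1-4 as they appear in the output posted above.
sample_robocfg() {
    cat <<'EOF'
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 8t
   2: vlan2: 0 8t
   3: vlan3: 1t 4t 8t
   4: vlan4: 1t 8t
EOF
}

# vlan_members VID: print the member list of one VLAN, e.g. "1t 8t".
vlan_members() {
    awk -v vid="$1" '$1 == (vid ":") { sub(/^ *[0-9]+: *vlan[0-9]+: */, ""); print }'
}

# check_tagged VID "PORTS": fail unless every listed port is a tagged member.
check_tagged() {
    members=" $(vlan_members "$1") "
    for p in $2; do
        case "$members" in
            *" ${p}t "*) ;;
            *) echo "VLAN $1: port $p is not a tagged member"; return 1 ;;
        esac
    done
}

# untagged_conflicts: list ports that are untagged in more than one VLAN.
# Assumption: a bare number or an "Nu" entry both mean untagged.
untagged_conflicts() {
    awk '$2 ~ /^vlan[0-9]+:$/ {
             vid = $1; sub(/:$/, "", vid)
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^[0-9]+u?$/) {
                     port = $i; sub(/u$/, "", port)
                     n[port]++; vlans[port] = vlans[port] " " vid
                 }
         }
         END { for (p in n) if (n[p] > 1) print "port " p " untagged in:" vlans[p] }'
}

sample_robocfg | check_tagged 4 "1 8" && echo "VLAN 4: ports 1 and 8 are tagged"
sample_robocfg | untagged_conflicts
```

On the router itself the same functions can be fed with "robocfg show | check_tagged 4 "1 8"" instead of the embedded sample.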
 
With this setup, when I try to connect from a wifi device to the guest SSID (defined on the XWRT gui), I get stuck at the point when it's trying to get the IP address.

XWRT - are you running Vortex on non-ASUS Hardware?

If so - contact Vortex directly...

As a little tip - with VLANs - might consider using VLAN IDs higher than 100, as some of the lower IDs are used internally.
 
I'll reply to myself so anyone with this problem can avoid losing days trying to solve this...

The configuration is right, the only problem was that I forgot to specify in pfSense that the DNS resolver must serve addresses on all the VLANs and not just on the LAN..... :-(
 
