Direction for pfSense with ICX6610 and Unifi - how to DHCP and DNS


NYCone

Member
Jun 23, 2017
A few weeks ago I got an ICX6610 and, with fodeesha's guide, set up my network as follows:

ISP - All in One ESXi server - ICX6610 (via two 40GBe connections) - Unifi APs

The ESXi server runs a firewall (now ClearOS, but I tried pfSense), Ubuntu, and Solaris as a file server.

My issue is this: when I tried pfSense, I couldn't get DHCP and DNS to work consistently with the four VLANs I was running via a single NIC. Since then, I came across the thread about needing DHCP to run from the switch, and perhaps DNS doing so as well.

Can folks point me to a thread that outlines an AIO multi-VLAN Unifi setup using pfSense? I'm passable as a computer guy, but I'm definitely not a pro at networking. When I've found things, a lot of it passes over my head.
 

mathiastro

New Member
Oct 12, 2016
pfSense can't do what you want. I'm in the same situation and I am considering just hosting my DHCP in a VM.
 

epicurean

Active Member
Sep 29, 2014
What are the advantages to having a DHCP server in a VM? Does it simplify VLAN management as opposed to having it all on the pfSense machine?
 

mathiastro

New Member
Oct 12, 2016
If you want to do the inter-VLAN routing on the ICX you will only have a transit VLAN between your pfSense and ICX, thus pfSense will not have direct contact with the VLANs to serve DHCP. Therefore you will have to find another way to serve DHCP that is VLAN aware. I don't remember what the feature is called.
 

itronin

Well-Known Member
Nov 24, 2018
Denver, Colorado
I dont remember what the feature is called.
Some folks call it different things: DHCP RELAY, DHCP FORWARDING. On the ICX you are using an ip helper-address to make this work.

I think the most common use case is likely a DHCP helper per VLAN, so the VLAN needs to have an interface (ve) configured. In essence the IP address of the ve is going to dictate the DHCP scope that the DHCP server utilizes for the request; the helper address should be associated with the ve, i.e. your ve IP address and the DHCP server's scope are in the same subnet.

IIRC, if you have multiple IP addresses defined for the interface, the lowest numbered IP address is used by the ICX in the updated DHCP request forwarded to the helper address.

You can have multiple DHCP servers "helping", i.e. having scopes in the same subnet (for higher availability), but please don't overlap the scopes for the same subnet across multiple DHCP servers. Again, IIRC, you can specify 16 or so ip helper-address entries per ve (or interface).
 
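As an added illustration of the relay setup itronin describes (this is not configuration from the thread or from fodeesha's guide): a FastIron configuration fragment for an ICX6610 that does the inter-VLAN routing itself, has a transit VLAN to pfSense, one ve per user VLAN, and an ip helper-address on each ve pointing at a VLAN-aware DHCP server. Every VLAN ID, port number and address below is a constructed placeholder; 192.168.99.10 stands for a DHCP server VM on the transit VLAN, and 192.168.99.1 for pfSense's transit-side address.

```text
! --- Transit VLAN between pfSense (in the ESXi AIO) and the ICX6610 ---
! Placeholder: 1/2/1 and 1/2/2 are assumed to be the two 40GbE uplinks to the ESXi host
vlan 99 name transit by port
 tagged ethe 1/2/1 to 1/2/2
 router-interface ve 99
!
! --- User VLANs; the Unifi AP uplinks (assumed 1/1/1 to 1/1/4) carry both tagged ---
vlan 10 name home by port
 tagged ethe 1/1/1 to 1/1/4
 router-interface ve 10
!
vlan 20 name iot by port
 tagged ethe 1/1/1 to 1/1/4
 router-interface ve 20
!
! Assumption: the APs are managed on VLAN 10 untagged, so the AP ports are dual-mode
interface ethernet 1/1/1 to 1/1/4
 dual-mode 10
!
interface ve 99
 ip address 192.168.99.2 255.255.255.0
!
interface ve 10
 ip address 192.168.10.1 255.255.255.0
 ! Relayed requests carry giaddr 192.168.10.1, so the server answers from its 192.168.10.0/24 scope
 ip helper-address 1 192.168.99.10
!
interface ve 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 1 192.168.99.10
!
! Anything not directly connected goes to pfSense across the transit VLAN
ip route 0.0.0.0/0 192.168.99.1
```

The DHCP server that 192.168.99.10 stands for must hold one scope per user subnet (192.168.10.0/24 and 192.168.20.0/24 here) whose router option is the ve address, not the pfSense address, and the DNS option can point wherever DNS is actually served. On the pfSense side this layout needs an interface in VLAN 99 at 192.168.99.1, static routes for the user subnets via 192.168.99.2, and firewall rules on that transit interface; as mathiastro notes above, pfSense itself cannot serve these scopes because it has no interface in them.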

NYCone

Member
Jun 23, 2017
To be concrete, I have 4 VLANs primarily accessed from Unifi APs.

My issue is how to best do DHCP and DNS on my network.

I have an all-in-one running ESXi using ClearOS now (I'd like to use pfSense), connected to the ICX6610, which connects to the Unifi APs.

ClearOS will serve DHCP and DNS to the VLANs without issue. What's the best way to do DHCP and DNS under these circumstances?
 

PigLover

Moderator
Jan 26, 2011
If my memory serves me right, it's an old issue and AFAIK pfSense doesn't do DHCP for logical VLANs, only "physical" interfaces. You may want to try to disable the default DNS Resolver (unbound) and use the DNS Forwarder (dnsmasq), which supports more advanced DHCP configs.
DNSMASQ DHCP configuration for multiple subnets | Networking and Data Center
I don't think that is correct (or if it is then my setup couldn't work).

pfSense does assign DHCP to each "interface". You assign interfaces to VLANs under the Interfaces > Assign menu item. You can (and should) assign each VLAN as an Interface in pfSense. You will then see an entry for each interface under the Services > DHCP Server menu and you can configure anything you need there.

You don't need to resort to disabling the built-in DHCP and running dnsmasq separately.

The OP's problem is not (or should not be) setting DHCP separately per VLAN. It's related to embedding pfSense inside his AIO server and getting consistent treatment of the VLANs.
 

NYCone

Member
Jun 23, 2017
How did folks handle DNS? That was the bigger issue when I tried the setup. I don't know if I'm correct, I'm a relative neophyte, but I think I got DHCP working (ish), but I could never get DNS to work consistently on all the VLANs.

I got the impression DHCP is not stable either, but I don't know as much as others on this forum.
 

PigLover

Moderator
Jan 26, 2011
Each interface gets its own DHCP server with independent parameters. You can set the advertised DNS server separately, per VLAN.

Let's assume you have three VLANs, 1, 2 & 3, with address ranges 192.168.1.0/24, 192.168.2.0/24 & 192.168.3.0/24, respectively. Also assume that their pfSense "interface" address is 192.168.{1,2,3}.1.

Just make sure your DNS resolver is advertising on all interfaces (the default) and on each VLAN's DHCP page set the DNS address to 192.168.1.1, 192.168.2.1 or 192.168.3.1.

All good... it's very stable.
 

NYCone

Member
Jun 23, 2017
I thought that's what I tried. It was quite stable on the main network (VLAN ID 1), but hit or miss on the other VLANs. It's easy enough to try again. This time I'll ask for help with the troubleshooting.

It was my first try with pfSense, and I kept thinking I had a configuration wrong somewhere, so I shouldn't ask for help until I figured it out. In the end, my wife and kids got tired of waiting for the network to be stable, so I reverted to ClearOS. I liked the power of pfSense, but I didn't fully understand all of its features.
 

arglebargle

H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈
Jul 15, 2018
pfSense does unexpected things with VLANs sometimes. I remember adding a VLAN interface to a running machine at one point and having things look fine but being totally unable to contact or route through the router on the new VLAN from the outside until I rebooted the pfSense instance.
 

PigLover

Moderator
Jan 26, 2011
That's actually not unexpected; in fact, it is exactly what is expected (and is the correct behavior for a box that is primarily a firewall). Just adding the VLAN does not install any firewall rules. Even if your default rule would be to allow traffic to/from the new VLAN, you still have to reload the firewall rules to activate traffic to the new endpoint. You don't have to reboot the box. Just go to the firewall rules page and reload the rules.
 

arglebargle

H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈
Jul 15, 2018
That... actually makes perfect sense. I swear I did that, but it's entirely possible (probable even) that I didn't. Thanks!
 

Callan05

New Member
Nov 8, 2018
I made a new VLAN on pfSense last week, as part of an exercise to give my daughter her own wifi network using 1.1.1.3 DNS. (Actually an IoT network for any in-home devices I don't trust.)

No reboot needed (for me), but when adding the VLAN, the firewall ruleset is empty. I couldn't even connect to the pfSense DNS service.

DHCP worked fine as long as I tagged the port correctly in my switch/pfSense.

Keep an eye on the firewall logs; this is where I found that DNS was being blocked.
 

NYCone

Member
Jun 23, 2017
I've seen references to having one's switch do DHCP relay. Is this what's best for my proposed setup? If so, is there a post showing something similar for a VLAN (or VLAN + Unifi) setup? I've never tried to set up such a relay. I'm new to the ICX6610 as well.
 

Callan05

New Member
Nov 8, 2018
Maybe I missed it, but what are you using the VLANs for, and are all clients wireless?

Do you need to firewall traffic between the VLANs?
What about between the VLANs and the internet; what restrictions or reporting do you need?

There are pros and cons to having routing in the switch and in pfSense.

I use pfSense personally, but that's not ideal if you need 40Gb inter-VLAN routing.