This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Clients don't receive an IP address from DHCP on newly created VLAN

Hi! I just created a new VLAN and DHCP server with firewall rule and clients are not able to get an IP address. My goal is to have my guest WIFI network (and if I can get this working, my IoT network) on a separate VLAN. I've restarted my switch, firewall, and DHCP server, removed and re-created everything a few times but no joy.

My newly created VLAN interface:

My new network IP host:

My newly created DHCP server on the firewall for the new VLAN:

The new firewall rule to allow traffic from the 192.168.200.0 network to the WAN (placed in top position):

I have a Unifi AP connected but have also tried a wired laptop to another dedicated VLAN port on the switch with the same results: can't get an IP address

Thanks for any help!

This thread was automatically locked due to age.

Top Replies

dsurfer over 1 year ago in reply to dsurfer +2 suggested

After I put the LAN2 virtual Hyper-V NIC in trunk mode, the laptop got an IP from the VLAN 100 network and it can get out to the internet!

0 emmosophos over 1 year ago

Hello there,

Thank you for contacting the Sophos Community.

I see in your other post you have the same VLAN configured for a different purpose https://community.sophos.com/sophos-xg-firewall/f/discussions/136551/vlan-clients-receives-ip-from-dhcp-but-can-t-access-internet, make sure you are not overlapping the subnets!

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 dsurfer over 1 year ago in reply to emmosophos

No this is for a different site. I'm just using the same VLAN 200 for all my sites for guest wifi networks.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to dsurfer

Hi dsurfer ,

Tcpdump will help us to find whether the request reaches Firewall or not from the switch

console> tcpdump interface PortA.200 'port 67 or 68

09:12:51.593198 PortA.200, IN: IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 50:22:00:06:00:00, length 300

If no IN packet is received with the above tcpdumps, we need to confirm from the switch VLAN configuration and VLAN interface are properly set on the switch.

tcpdump command :

tcpdump interface <interface> 'port <port-number>'

Thanks and Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 dsurfer over 1 year ago in reply to Bharat J

There doesn't seem to be anything when checking:
Cancel
Vote Up 0 Vote Down

Cancel
0 Thomas_XG over 1 year ago

Please share a screenshot of your network topology (router/firewall, switches, clients / servers).
Is the uplink from switch to firewall correctly tagged / untagged with the said VLAN?

Also share informations with your interface settings - vlans, ips, ports on the firewall and switch.

_______________________________________________________

Sophos SG 210 with Sophos XG Home - 20.0 MR 1

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 1 year ago in reply to Thomas_XG

looks like IP helpers are missing on the switches so the Request does not reach the Firewall. at least not on the VLAN interface.

Restart the tcpdump for PortA without VLAN 200.

tcpdump interface PortA 'port 67 or 68 -n
Cancel
Vote Up +1 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to dsurfer

Please check with other managed switch, as you have issues with the switch end.

below is the configuration of the working switch.

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 dsurfer over 1 year ago in reply to LHerzog

So I did get some results when excluding the VLAN from the filtering:
Cancel
Vote Up 0 Vote Down

Cancel
0 dsurfer over 1 year ago in reply to Thomas_XG

The weird thing is that I have it set up pretty much exactly the same as another one of my sites and it still doesn't work. The same Sophos firewall system, same Datto switch manufacturer. All trunk ports on switch are tagged. I've tested this with a physically attached laptop and right now I'm testing it with a virtual machine (PC) on a Hyper-v server (which I did at my other site to confirm it worked). The VM network port is untagged as it should be.

Pretty much the Sophos firewall connects the Datto switch, for that uplink port the VLAN is tagged, then I've tagged the port that goes to my Hyper-v server. Also I tagged the port that goes to the Unifi AP as well.
Cancel
Vote Up 0 Vote Down

Cancel
0 dsurfer over 1 year ago in reply to Thomas_XG

I've also now removed the Datto switch from the equation, and put a different switch, a Dell switch at the front. I tagged the trunk/uplink port to the firewall and untagged port 2 as a VLAN access port for VLAN 200, and plugged my laptop in again, and still no IP address from DHCP.
Cancel
Vote Up 0 Vote Down

Cancel