Clients don't receive an IP address from DHCP on newly created VLAN

Hi! I just created a new VLAN and DHCP server with firewall rule and clients are not able to get an IP address. My goal is to have my guest WIFI network (and if I can get this working, my IoT network) on a separate VLAN. I've restarted my switch, firewall, and DHCP server, removed and re-created everything a few times but no joy.

My newly created VLAN interface:

My new network IP host:

My newly created DHCP server on the firewall for the new VLAN:

The new firewall rule to allow traffic from the 192.168.200.0 network to the WAN (placed in top position):

I have a Unifi AP connected but have also tried a wired laptop on another dedicated VLAN port on the switch with the same result: it can't get an IP address.

Thanks for any help!

  • Please share a screenshot of your network topology (router/firewall, switches, clients / servers).
    Is the uplink from switch to firewall correctly tagged / untagged with the said VLAN?

    Also share information about your interface settings - VLANs, IPs, ports on the firewall and switch.

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 MR 2

    If a post solves your question please use the 'Verify Answer' button.

  • Looks like IP helpers are missing on the switches, so the request does not reach the firewall, at least not on the VLAN interface.

    Restart the tcpdump for PortA without VLAN 200.

    tcpdump interface PortA 'port 67 or 68' -n

  • So I did get some results when excluding the VLAN from the filtering: 

  • The weird thing is that I have it set up pretty much exactly the same as another one of my sites and it still doesn't work. The same Sophos firewall system, same Datto switch manufacturer. All trunk ports on the switch are tagged. I've tested this with a physically attached laptop and right now I'm testing it with a virtual machine (PC) on a Hyper-V server (which I did at my other site to confirm it worked). The VM network port is untagged as it should be.

    Pretty much the Sophos firewall connects to the Datto switch; for that uplink port the VLAN is tagged, then I've tagged the port that goes to my Hyper-V server. I also tagged the port that goes to the Unifi AP as well.

  • I've also now removed the Datto switch from the equation, and put a different switch, a Dell switch at the front. I tagged the trunk/uplink port to the firewall and untagged port 2 as a VLAN access port for VLAN 200, and plugged my laptop in again, and still no IP address from DHCP.

  • Can you share a screenshot of your interface configuration on the XG?

    Did you configure Zones as well or just default LAN?

  • The port needs VLAN 200 to be tagged on the switch and the XG needs the VLAN adapter for PortA with VLAN 200. So far so good. If that is true, it should work.

    If the DHCP requests arrive at the Physical interface of the XG, not the VLAN, something with the VLANs in virtual infrastructure or switch is wrong. Is that a virtual firewall?

    Adding to my first answer: you don't need DHCP relay / helper if the XG has the DHCP Server enabled on the VLAN interface which should be true here.

  • The VLAN 200 is tagged on the uplink port on the switch to the XG. I've also hooked up another switch, a Dell switch, and I'm getting the same issue. I've also plugged in a laptop and untagged a port and the laptop doesn't get an IP either.

    Yes the XG is a virtual firewall. This is connected to the uplink port on the switch which is tagged VLAN 200.

    So just to test, and to remove switches from the equation, I also created another LAN interface on the firewall, "LAN 2", set up another VLAN 100 and plugged the laptop directly into the firewall, bypassing the switch, but no IP address. I figure for that to work, I have to somehow untag VLAN 100 on the NIC of the laptop. But when I go into the advanced properties of the NIC I'm not sure what to select, and there's no place to put in a VLAN ID (default is the one highlighted):

  • Nothing there. You need the Intel PROSet adapter configuration tool.

    And then something like this (if VLAN 1 is the default untagged and 200 is tagged).

  • So I installed the Intel tool and set it up for the laptop NIC. It's at VLAN 100 as I've plugged it directly into the "LAN2" interface on the firewall, which has a test VLAN 100 interface tied to it. But still it didn't give me an IP. (The LAN2 interface has been confirmed working with its own DHCP server, and the laptop can get an IP from it, just not when configured with the VLAN.)

  • I think the problem is, and sorry if I didn't mention this, but my XG resides on a VM on a Hyper-V machine. I've been doing some research and have found that there's possibly a PowerShell command with settings I need to apply on the Hyper-V host to allow VLAN traffic for the XG VM.
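The Hyper-V setting the last post is hinting at: by default a Hyper-V virtual switch port hands a VM only untagged frames, so 802.1Q-tagged VLAN 200 traffic never reaches the XG's VLAN sub-interface, which matches the earlier capture showing DHCP only on the physical PortA. The following is an added example, not code from the thread; the VM name and adapter name are assumptions.

```powershell
# Added example (not from the thread). Assumed names: VM "SophosXG" and the
# adapter that maps to PortA inside the XG, here the default "Network Adapter".
$vm  = 'SophosXG'
$nic = 'Network Adapter'

# 1. Inspect the adapter's current VLAN mode. OperationMode "Untagged" means the
#    virtual switch does not pass VLAN tags to the VM, so the PortA.200 interface
#    and its DHCP server never see the client's Discover.
Get-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName $nic |
    Format-List VMName, VMNetworkAdapterName, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList

# 2. Put the adapter in trunk mode so VLAN 200 arrives tagged while the plain
#    LAN keeps flowing untagged on native VLAN 0. Add further IDs (e.g. an IoT
#    VLAN) to the list as comma-separated values or a range such as 100-200.
Set-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName $nic `
    -Trunk -AllowedVlanIdList '200' -NativeVlanId 0

# 3. Re-check: OperationMode should now read "Trunk" with 200 in AllowedVlanIdList.
Get-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName $nic
```

The physical host NIC's switch port must also carry VLAN 200 tagged, and the tcpdump filter from earlier in the thread (with VLAN 200 included) is the quickest way to confirm the Discover now lands on the VLAN interface.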