Issue with VLANs and DHCP

  • Issue with VLANs and DHCP

    Okay so I have been doing some testing as a way to revamp our current network with a trial version of Untangle and once I have it figured out I will just copy the config to my licensed unit.

    I have an Untangle box spun up that connects to a UniFi switch. This switch has my AD/DHCP server on it, which is on the same subnet as the internal interface of Untangle, which they are both a part of. My Windows DHCP server has multiple scopes configured to point to different VLAN IPs that are set up on the Untangle box with the parent interface being the internal interface. I set up all my tags and untags as you normally would do on the switch, but I can't get DHCP to cross, and I just wanted to ask if there was anything I was missing on the Untangle side that would prevent my Windows Server from handing out IPs for each VLAN router IP I configured.

    I know that if I tag a port on the switch with the correct VLAN and manually give myself an IP, I can ping the interface IP but no DHCP. This could totally just be an issue with my Windows server doing DHCP incorrectly.

    Subnet Internal Interface is on, switch, and server are with being the gateway of course.

    VLAN 6 set up with with being the gateway.

    The Windows Server hands out DHCP to the 10.50 range perfectly fine but not the others.

    I did test having Untangle hand out DHCP on each VLAN and this functioned correctly.

    Can Untangle prevent DHCP from going across VLANs without something set?

  • #2
    I'm not a networking guru by any means however I'd like to say this. You are not alone in your quest for the perfect balance of hardware.

    I've been a faithful user of Untangle since 2008 EXCEPT for the last year. One of my close friends talked me into going UniFi and I went all the way. USG 4 PRO, 16 port 150 watt switch, 24 port switch, AC PRO, AC LR and two AC-M for exterior use.

    It looked awesome and management was easy. However, after being hacked and data stolen, I decided to pop my Untangle box back in place while keeping the Cloudkey Gen 2, switches and APs. It was then that I realized that some things go well together, like milk and cookies. Other things don't! ALL of my UniFi equipment is now boxed up and ready for resale.

    For me it's Untangle, Netgear POE managed switches and Grandstream APs. With this setup I'm having zero issues with DHCP, VLANs or my servers. One other note, I was never hacked during all the years I ran Untangle.

    I hope you find your balance in life and I'm sure one of the moderators will assist you shortly.


    • #3
      Untangle + Unifi Switches and WAPs are my go to combination, they very much "go together like milk and cookies".

      What the OP is missing is a DHCP relay, which Untangle has a service that can do (dnsmasq), but use of it is "advanced" and it's "not supported." I'm not about to get into the middle of that either... Not for free anyway.

      Let Untangle do the DHCP for the VLANs that the MS DHCP server isn't directly attached to... OR configure a VLAN interface on the DHCP server itself for each and every VLAN on the network so I can directly connect. Those are the "easy and supported" ways out.

      But, if you want to try the DHCP-Relay, which is what the OP is actually going for... You need this:

      Specifically this:

      --dhcp-relay=<local address>,<server address>[,<interface>]
      Configure dnsmasq to do DHCP relay. The local address is an address allocated to an interface on the host running dnsmasq. All DHCP requests arriving on that interface will be relayed to a remote DHCP server at the server address. It is possible to relay from a single local address to multiple remote servers by using multiple --dhcp-relay configs with the same local address and different server addresses. A server address must be an IP literal address, not a domain name. In the case of DHCPv6, the server address may be the ALL_SERVERS multicast address, ff05::1:3. In this case the interface must be given, not be wildcard, and is used to direct the multicast to the correct interface to reach the DHCP server.

      Access control for DHCP clients has the same rules as for the DHCP server, see --interface, --except-interface, etc. The optional interface name in the --dhcp-relay config has a different function: it controls on which interface DHCP replies from the server will be accepted. This is intended for configurations which have three interfaces: one being relayed from, a second connecting the DHCP server, and a third untrusted network, typically the wider internet. It avoids the possibility of spoof replies arriving via this third interface.

      It is allowed to have dnsmasq act as a DHCP server on one set of interfaces and relay from a disjoint set of interfaces. Note that whilst it is quite possible to write configurations which appear to act as a server and a relay on the same interface, this is not supported: the relay function will take precedence.

      Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay DHCPv4 to a DHCPv6 server or vice-versa.
      And the advanced section DHCP & DNS tab. Beware... screw that up and DHCP and DNS on Untangle will simply stop. And again, this isn't "supported". I will say it does work! Good luck.
      Last edited by sky-knight; 09-18-2021, 08:27 PM.
      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
      Phone: 866-794-8879 x201
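      The relay lines that the man page excerpt above describes, written out for the OP's layout as an added example (not from the thread or from Untangle's own configuration). Interface names and addresses are constructed placeholders, since the thread gives none: the internal interface is assumed to be eth1 with VLAN 6 as eth1.6, and the addresses come from the RFC 5737 documentation ranges.

```conf
# Constructed layout (RFC 5737 documentation addresses, not real ones):
#   192.0.2.1      Untangle internal interface (eth1)
#   192.0.2.10     Windows AD/DHCP server, on the same subnet as eth1
#   198.51.100.1   Untangle gateway IP on the VLAN 6 sub-interface (eth1.6)
#   203.0.113.1    Untangle gateway IP on a second VLAN sub-interface

# Relay DHCP requests arriving on eth1.6 to the Windows server.
# The local address becomes the relay agent address (giaddr) in the
# forwarded request, which is what makes the Windows server pick the
# scope for 198.51.100.0/24 rather than the internal subnet's scope.
# The third field restricts which interface server replies are accepted
# on: only eth1, where the Windows server actually lives, never the WAN.
dhcp-relay=198.51.100.1,192.0.2.10,eth1

# One line per additional VLAN, each with its own local address.
dhcp-relay=203.0.113.1,192.0.2.10,eth1

# Do not also define a dnsmasq dhcp-range for eth1.6 or the other VLAN
# sub-interfaces: per the man page, acting as server and relay on the
# same interface is not supported and the relay takes precedence.
# The internal interface (eth1) is left alone so the Windows server keeps
# serving it directly, as it already does for the OP.
```

      The Windows scopes the OP already has, pointed at the VLAN gateway IPs, are exactly what the giaddr matching needs, so only the relay side is missing.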


      • #4
        I also use Untangle + UniFi switches + UniFi APs as our default setup and have been for quite some time. Runs great if you know how to configure everything.

        Nothing but issues, lost configs (have lots of backups), disconnected devices, all when using Cloud Keys... No thanks.

        We have hundreds of devices on our Vultr hosted UniFi controller, super easy to manage and problem free.

        UniFi routers on the other hand are a JOKE compared to Untangle! The "Enterprise Hardware" label they give their routers is simply a marketing ploy. No OpenVPN or WireGuard, the IPsec PSK VPN they do have is problematic at best, constantly with issues... and let's not talk about reporting on UniFi routers, there is none.

        Dream Machine Pro is a GREAT home power user router over your shitty ISP provided rental router but that's about it.

        Rant over. Haha