Should I also disable the inter vlan routing? I went ahead and disabled the inter local routing. There is also the other option under 'Configuration -> system -> Show advanced options -> Deny inter user bridging'
I want my router/firewall to handle all VLAN traffic. There is an option to deny intra VLAN traffic. This is under 'Configuration -> Networks -> (network SSID) -> advanced options -> Deny intra vlan traffic'. Will this cause all destination intra vlan traffic to be sent to the default gateway?
Original Message:
Sent: Jan 25, 2025 11:17 AM
From: chulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
Your best bet for starting out is to ignore the wired port profiles. Under normal operation there is zero reason to mess with them, and in fact the default wired port profile will (when using default configuration) be mostly ignored when the port is acting as an uplink.
As mentioned, what you are looking for is "a separate configuration item under System called Uplink switch native VLAN".
Default behavior under IAP running some versions of AOS will bridge traffic between clients connected to the same IAP. See https://arubanetworking.hpe.com/techdocs/CLI-Bank/Content/instant/deny-local-rout.htm
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 25, 2025 11:04 AM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
So, I solved the problem. It wasn't anything related to the APs or my misconfigured Native VLANs. I plan on fixing that this weekend, and thank you for pointing that out. It was duplicate DHCP processes running in the Netgate firewall. I raised a support ticket and they dialed into the modem and found some bad Kea DHCP processes running. Support terminated these and the leases started populating. 🤦🏻♂️. The LAGG is configured with LACP with Layer 2/3/4.
I didn't quite understand the purpose of the Native VLAN, but after some reading I feel I understand more. My uplink switch is currently using Native VLAN 888. I'm still a bit confused on the correct way to set my "Uplink switch native VLAN". I see that I can set a "native-vlan" within my default_wired_port_profile. Additionally, when I execute show uplink config I can see Uplink wired-xx : DHCP. There is a setting in Config -> Access points -> Uplink -> Uplink management VLAN. Is this related to that Uplink wired-xx or the "Uplink switch native vlan"?
Is the "Uplink switch native VLAN" just the "native-vlan" that is set in the default_wired_port_profile?
Also, how exactly do these default_wired_port_profiles work? My main conductor AP only has the single Eth port so what are these other ports referring to with this profile?
I have another question about the AP rules. I currently have all of my APs SSIDs set up as "Client IP & VLAN Assignment" set to network assigned and client vlan assignment as static. I see my Wired Port Table is showing my ETH0 as WAN. Do the devices that are connected on the AP have to travel back to the firewall to be re-routed or is there any routing enabled at the AP level? I want to control all my intervlan routing from my firewall.
Wired Port Table
------------------
Port State Type Bonding(Admin/Oper/Active)
---- ----- ---- --------------------------
eth0 UP WAN Yes/Yes/Yes
eth1 DOWN WAN Yes/Yes/No
eth2 DOWN WAN Yes/Yes/No
eth3 DOWN WAN Yes/Yes/No
eth4 DOWN WAN Yes/Yes/No
Original Message:
Sent: Jan 24, 2025 09:49 AM
From: chulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
The untagged VLAN on your AP uplink should be the VLAN used to manage the AP. If you are going to modify the wired port profile for the uplink, then make sure that the native VLAN matches what is on the switch. There is a separate configuration item under System called "Uplink switch native VLAN" that should also match the native VLAN on the switch port.
The duplicated DHCP packets, you captured that on an AP uplink or at the uplink to the firewall? Your LAG to the firewall, is that using LACP or did you configure statically?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 23, 2025 11:49 PM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
I set up the packet capture on my 24-port switch from the 3 trunks that run from my APs to the LAGG going to my firewall. It looks like all the IPs that are connected through the APs are generating duplicate DHCP requests traveling to my firewall. I did a packet capture on my firewall and it looks like it's dropping that additional request and everything is correct.
Regarding my configuration.... I really cobbled it together.
I have the wired-SetMeUp access rules that can't seem to be changed and then a default_wired_port_profile that I set to allow all on each port. All three access points are fed individually by single trunk ports off my Cisco switch and I'm not sure if I have something misconfigured there. Should the uplink be using my untagged VLAN?
With show ip route I can only see two routes configured. One to my vlan 27 and the management interface I configured. Then the other goes to that magic vlan. All of my wired connections to the APs are configured as trunks that carry all 4 vlans that I have individual SSIDs for and then the 1 that is for management vlan 27. Is the issue that they are all being carried through the uplink under that single vlan? There should be 1 route per vlan?
I've included the output of the following commands below: show ip route, show uplink status, show wired-port-settings, show uplink config, show ip interface brief.
aruba-ap# show ip route
default via 192.168.27.1 dev br0
192.168.27.0/24 dev br0 src 192.168.27.20
172.31.98.0/23 dev br0.3333 src 172.31.98.1
aruba-ap#
Is my Management VLAN acting like my WAN on my AP?
aruba-ap# show uplink status
Uplink preemption :disable
Uplink preemption interval :600
Uplink enforce :eth0
Uplink wired-27 :DHCP
Internet failover :disable
Internet failover IP :x.x.x.x
Max allowed test packet loss:10
Secs between test packets :30
VPN failover timeout (secs):0
Internet check timeout (secs):10
APIX type :NONE
Certification type :NONE
Validate server :NONE
Uplink Table
------------
Type VLAN State Reach State Prio In Use Interface IP Mask GW Sent Lost Cont lost
Ethernet 27 UP UP 0 Yes br0 192.168.27.20 255.255.255.0 192.168.27.1 0 0 0
Cellular - INIT INIT 7 No ppp0 0.0.0.0 0.0.0.0 0.0.0.0 0 0 0
Wifi-sta - INIT INIT 6 No wuplink0 0.0.0.0 0.0.0.0 0.0.0.0 0 0 0
Wired Port Table
----------------
Port State Type Bonding(Admin/Oper/Active)
bond0 UP WAN No/No/Yes
aruba-ap#
aruba-ap# show wired-port-settings
Wired Port Profiles
-------------------
Name VLAN Mode Allowed VLANs Native VLAN Admin Status Role Speed Duplex POE In Use Authentication Method STP Trusted
---- --------- ------------- ----------- ------------ ---- ----- ------ --- ------ --------------------- --- -------
wired-SetMeUp Access all guest Up wired-SetMeUp auto auto No Yes None No No
default_wired_port_profile Trunk all 888 Up default_wired_port_profile auto full No Yes None No Yes
Port Profile Assignments
------------------------
Port Profile Name
---- ------------
0 default_wired_port_profile
1 default_wired_port_profile
2 default_wired_port_profile
3 default_wired_port_profile
4 default_wired_port_profile
USB wired-SetMeUp
aruba-ap#
aruba-ap# show uplink config
Uplink preemption :disable
Uplink preemption interval :600
Uplink enforce :eth0
Uplink wired-27 :DHCP
Internet failover :disable
Internet failover IP :172.64.x.1
Max allowed test packet loss :10
Secs between test packets :30
VPN failover timeout (secs) :0
Internet check timeout (secs) :10
aruba-ap#
aruba-ap-505-tvcabinet# show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
br0 192.168.27.20 / 255.255.255.0 up up
br0.3333 172.31.98.1 / 255.255.254.0 up up
aruba-ap-505-tvcabinet#
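The post above describes duplicate DHCP requests arriving at the firewall, and the reply further down mentions checking for a rogue DHCP server. The following is an added example, not code from the thread or from Aruba or Netgate: it runs over a constructed summary of a DHCP capture (one record per message, as you would export from a capture at the firewall uplink; it does not read pcap files) and flags near-simultaneous copies of the same client message, which distinguish a frame forwarded on two paths from a genuine client retry, plus any Offer/Ack from a server other than the expected one per VLAN. All MACs, transaction ids, timestamps and the EXPECTED_SERVERS map are assumed values.

```python
"""Flag duplicated DHCP client messages and unexpected DHCP servers in a capture summary."""
# Added example with constructed data; not the thread's or any vendor's code.
from collections import Counter

def rec(t, vlan, mac, xid, op, sid=None):
    """One DHCP message: capture time (s), VLAN, client MAC, xid, type, server id (opt 54)."""
    return {"t": t, "vlan": vlan, "mac": mac, "xid": xid, "op": op, "sid": sid}

# Constructed sample capture (assumed values, not taken from the thread).
C1, C2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE = [
    rec(0.000, 2, C1, "0x1a2b", "Discover"),
    rec(0.002, 2, C1, "0x1a2b", "Discover"),             # same frame seen twice
    rec(0.010, 2, C1, "0x1a2b", "Offer", "192.168.2.1"),
    rec(0.020, 2, C1, "0x1a2b", "Request"),
    rec(0.021, 2, C1, "0x1a2b", "Request"),              # same frame seen twice
    rec(0.030, 2, C1, "0x1a2b", "Ack", "192.168.2.1"),
    rec(1.000, 3, C2, "0x9f01", "Discover"),
    rec(4.000, 3, C2, "0x9f01", "Discover"),             # genuine retry, seconds later
    rec(4.010, 3, C2, "0x9f01", "Offer", "172.31.98.1"),  # answer not from the firewall
    rec(4.012, 3, C2, "0x9f01", "Offer", "192.168.3.1"),
]
# Assumed firewall interface per VLAN: the only DHCP server that should answer there.
EXPECTED_SERVERS = {2: "192.168.2.1", 3: "192.168.3.1"}

CLIENT_MSGS = {"Discover", "Request"}
SERVER_MSGS = {"Offer", "Ack", "Nak"}

def duplicate_client_messages(records, window=0.5):
    """Return {(vlan, mac, xid, op): copies} for Discover/Request messages that recur
    within `window` seconds of an identical one. Client retransmissions are spaced
    seconds apart, so near-simultaneous copies mean the frame took more than one path."""
    last_seen, dups = {}, Counter()
    for r in sorted(records, key=lambda r: r["t"]):
        if r["op"] not in CLIENT_MSGS:
            continue
        key = (r["vlan"], r["mac"], r["xid"], r["op"])
        if key in last_seen and r["t"] - last_seen[key] <= window:
            dups[key] += 1
        last_seen[key] = r["t"]
    return dict(dups)

def unexpected_servers(records, expected):
    """Return {(vlan, server_id): count} for Offer/Ack/Nak messages whose server
    identifier is not the expected DHCP server for that VLAN (rogue or stray server)."""
    hits = Counter((r["vlan"], r["sid"]) for r in records
                   if r["op"] in SERVER_MSGS and r["sid"] != expected.get(r["vlan"]))
    return dict(hits)
```

A real capture (e.g. a filtered export of UDP ports 67/68 with the VLAN tag, client MAC and DHCP option fields) maps straight onto `rec()` records.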
Original Message:
Sent: Jan 21, 2025 05:56 PM
From: Carson Hulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
OK, so from your questions:
- If you've not configured something else on the network to provide DHCP, then nothing else should be managing DHCP unless you've got a rogue DHCP server active.
- No, Instant or Controller based should have no impact on the DHCP behavior when managing from the network.
- No, and remote AP isn't an option unless you have a controller for the AP to be managed by and build the VPN back to.
- Easiest is to not configure IP interfaces on the client facing VLANs.
Run a packet capture between the firewall and switch, see if the entire DHCP exchange is being received/sent at that side.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 21, 2025 05:27 PM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
I can see all the missing IP addresses in the Dashboard -> Clients on the AP. I can also see the IPs in the ARP table on my firewall, but I cannot see the DHCP leases within the DHCP server on my firewall. I'm still getting that error on my firewall that there is another DHCP server active and it cannot bind. I mentioned that in my original post.
Original Message:
Sent: Jan 21, 2025 05:00 PM
From: chulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
"assuming they're managed there because they're showing up in the list of clients"
Can you please be a little more specific about what you mean here? On the firewall? On the AP?
Devices connected to the IAPs should always show up in the client list on the IAP once they have an IP address assigned.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 21, 2025 04:54 PM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
Everything is set as network managed. The DHCP server IP on the client is the gateway that is on the interface on the firewall. I'm sorry I am new to networking so trying my best here. I'm assuming they're managed there because they're showing up in the list of clients.
Original Message:
Sent: Jan 21, 2025 04:44 PM
From: chulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
The magic VLAN is what gets used when using "Virtual Controller managed" for client IP assignment, thus my comment about all WLANs being set to "Network assigned".
How do you know the devices are being managed by an AP? What server IP is being reported for the DHCP information on the client?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 21, 2025 04:35 PM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
Thank you for your response! I want to clarify a few points:
- I am not using VLAN 1 as the native VLAN in my network. That was just an example to simplify my explanation.
- The DHCP server on my Netgate firewall is assigning IP addresses correctly to devices on VLANs 2–5. However, the leases are not consistently registering with the firewall. For example, a new device showed up in the lease table yesterday; however, most have not. Initially, the firewall was registering leases properly, allowing me to set static mappings. These static mappings still persist after lease expiration, even though the devices are now being managed by the AP instead of the firewall.
- I ran show dhcp-allocation, and here is the output for dnsmasq.conf:
show dhcp-allocation
-------------------- /etc/dnsmasq.conf --------------------
listen-address=127.0.0.1
addn-hosts=/etc/ld_eth_hosts
addn-hosts=/etc/ld_ppp_hosts
dhcp-src=172.31.98.1
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-authoritative
aruba-raw-socket-mode
#magic-vlan
{
vlan-id=3333
dhcp-range=172.31.98.3,172.31.99.254,255.255.254.0,12h
dhcp-option=1,255.255.254.0
dhcp-option=3,172.31.98.1
dhcp-option=6,10.0.17.1
dhcp-option=15,edge.exampledomain.com
}
-------------------- /tmp/dnsmasq.leases --------------------
role:1 ipaddr#127.0.0.1
-------------------- dhcp relay conf --------------------
Could any of these configurations be contributing to the issue? I don't see any options in the GUI to adjust these parameters.
Thanks again for your help!
Original Message:
Sent: Jan 21, 2025 11:32 AM
From: chulcher
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
First and foremost, don't use VLAN 1 for production.
As long as the WLANs are all configured for network assigned addressing and no DHCP is configured on the APs, all DHCP should be coming from the network which should mean the firewall, maybe a switch, or a server on the network. If you don't have helper addresses configured, then the only option is those devices that have an IP address in the network.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 18, 2025 10:51 PM
From: user0000
Subject: Help Managing DHCP Leases on Netgate Firewall with VLANs and APs
Hello,
Below is an overall diagram of my network setup. I'm having trouble managing all devices through the DHCP server on my Netgate firewall. The firewall gives an error stating that "a server is already listening on the expected port," but I have disabled all DHCP servers/relays in the GUI settings on my switches and access points (APs).
My network has VLANs 1–8:
- VLAN 1 is the native VLAN configured on my switches and also on the APs.
- VLANs 2, 3, 4, and 5 each have separate SSIDs mapped to them.
The DHCP server on the Netgate firewall is partially working because devices connecting to the SSIDs on VLANs 2–5 receive the correct IP addresses from the pools configured on the firewall. However, the firewall doesn't seem to "own" or recognize the DHCP leases, which prevents me from setting up static mappings.
My questions are:
- What could be causing the firewall to not manage all DHCP leases?
- Does this issue stem from operating the network without a controller?
- Would converting the APs into Remote APs solve this, or is there a better approach?
- What is the best way to configure my switches so they act as Layer 2 devices, and ensure that my Netgate firewall handles all DHCP leases?
Thanks in advance for your help!
