VLANs with DHCP + DNS...almost

I recently found this comment by @slowlearner showing how to add VLANs.

I followed it to the letter. I didn't change any existing .conf files and I only created one: 10-vlans.conf. It looks like this:

#2020-08-29 2:01 PM
#Adding VLANs for Pi-Hole to run DHCP + DNS
# 96, 98, 99, 104, 151

#Source @slowlearner on discourse.pi-hole.net/t/extra-dhcp-server-options/6416/5

#Step 4
log-dhcp

#Step 5 - Configure VLANS
# Start IP Range at .3 to avoid Gateway on .2
# Stop IP Range at .250 because I like round numbers

#Example Line 1: dhcp-range=set:VLANID,IPRangeStart,IPRangeEnd,SubnetMask,LeaseDuration
#Example Line 2: dhcp-option=tag:VLANID,option:router,GatewayIP

dhcp-range=set:151,192.168.151.3,192.168.151.250,255.255.255.0,24h
dhcp-option=tag:151,option:router,192.168.151.2

dhcp-range=set:96,192.168.96.3,192.168.96.250,255.255.255.0,24h
dhcp-option=tag:96,option:router,192.168.96.2

dhcp-range=set:97,192.168.97.3,192.168.97.250,255.255.255.0,24h
dhcp-option=tag:97,option:router,192.168.97.2

dhcp-range=set:98,192.168.98.3,192.168.98.250,255.255.255.0,24h
dhcp-option=tag:98,option:router,192.168.98.2

dhcp-range=set:99,192.168.99.3,192.168.99.250,255.255.255.0,24h
dhcp-option=tag:99,option:router,192.168.99.2

dhcp-range=set:104,192.168.104.3,192.168.104.250,255.255.255.0,24h
dhcp-option=tag:104,option:router,192.168.104.2

When I ran dnsmasq --test, it returned syntax check OK.

The trouble that I run into is that some machines on some VLANs are not working. Some show up in the DHCP leases but cannot be reached. Some don't show up anywhere.

Can you confirm that this .conf matches my objective? Any idea what is wrong?

NB: This was a VLAN setup on a Meraki MX84 that was migrated to Pi-Hole when I found out (the hard way) that the Meraki will not handle internal DNS, so I had a severe deficiency in the area of internal hostname resolution. None of the wiring has changed. Patch panels and managed switches are the same as they were before. Any input is appreciated.

Cannot be reached from the devices in their own VLAN, from devices in the other VLANs or not at all? Do these devices have Internet access or can they reach the Pi-hole?

Hi @Coro, "cannot be reached" means no contact from any direction: no ping from the same VLAN, no ping from the Pi-Hole server, and no connection with our remote access program (Veyon).

These machines cannot connect out to the internet.

Are you sure the respective gateways (like 192.168.99.2, 192.168.98.2, etc.) all exist and know the routes from everywhere to everywhere else? And why are they at .2? That is unusual, to say the least.

Yes, the gateways are all set up. They were working fine when DHCP was on another server.

I didn't set up the Router, so I don't know why they are on .2 but I don't want to change too many things at once, so I left them that way until I got the DHCP working properly.

The weird part is that some of the workstations are fine, but some of them don't work at all. Does that mean that the issue is somewhere else? (I wonder if the managed switch is the problem.)

Maybe. Do you have some Linux machines seeing the issue? If so, use the other DHCP server and run

sudo nmap -e eth0 --script broadcast-dhcp-discover

then run the same with the Pi-hole DHCP server and watch out for any differences. (I borrowed the command from @deHakkelaar)


Thank you for your input. I got some help from a friend who knows DNSmasq. He created a dnsmasq.conf file for me and I was able to use it with Pi-Hole. I renamed it 03-custom.conf and it worked like a charm.

For anyone joining this topic later, yes, you can run DHCP on multiple VLANs with Pi-Hole.
(As a token of my appreciation, I have added my monthly support on Patreon.) This will save us a LOT of time, money, and hardware in the long run. Feel free to message me with any specific questions. I took notes on my experience.

Here's a copy of our DNSmasq.conf file:

# Never forward plain names (without a dot or domain part)
domain-needed
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then uncomment this.
no-resolv
# Put DNS server IP addresses in here
server=1.1.1.1
server=1.0.0.1
# Put IP address of DHCP server here
listen-address=192.168.211.187
# Make sure this is the domain name you want the clients to have
domain=example.com
# This is an example of a DHCP range where the netmask is given. This is needed for networks that
# reach the dnsmasq DHCP server via a relay agent. If you don't know what a DHCP relay agent is,
# you probably don't need to worry about this.
dhcp-range=set:subnet96,192.168.96.10,192.168.96.250,255.255.255.0,12h
dhcp-range=set:subnet97,192.168.97.10,192.168.97.250,255.255.255.0,12h
dhcp-range=set:subnet98,192.168.98.10,192.168.98.250,255.255.255.0,12h
dhcp-range=set:subnet99,192.168.99.10,192.168.99.250,255.255.255.0,12h

# Default gateway for each scope, matched by the tag set on its dhcp-range above
dhcp-option=tag:subnet96,option:router,192.168.96.1
dhcp-option=tag:subnet97,option:router,192.168.97.1
dhcp-option=tag:subnet98,option:router,192.168.98.1
dhcp-option=tag:subnet99,option:router,192.168.99.1
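An added example, not code from this thread, from Pi-hole or from dnsmasq: `dnsmasq --test` reported "syntax check OK" on the first config above while clients on some VLANs still got nothing, so the checks worth automating are the semantic ones. The script below parses `dhcp-range` and `dhcp-option` lines and reports a scope with no netmask (needed when the server reaches the VLAN through a relay), a scope with no `option:router`, a gateway outside its subnet or inside the lease pool, a `tag:` that no `set:` defines, and comment text that wrapped onto a line without its `#` (as in the posted dnsmasq.conf). The three sample configs are constructed for the example, two trimmed from the configs posted in this thread and one deliberately broken; the finding codes and the spaces-without-`=` heuristic are this script's own, not dnsmasq's.

```python
"""Added example (not Pi-hole's or dnsmasq's code): lint dnsmasq DHCP scopes
for a multi-VLAN / relay setup.  dnsmasq --test only checks syntax; this
catches mistakes that pass it yet leave clients on a VLAN unreachable."""
import ipaddress

def _parse_range(body, line_no):
    # dhcp-range=[set:<tag>,]<start>,<end>[,<netmask>[,<broadcast>]][,<lease>]
    # (assumes start,end ranges; 'static'/'proxy' modes are not handled here)
    fields = body.split(",")
    tag = None
    while fields and fields[0].startswith(("set:", "tag:")):
        if fields[0].startswith("set:"):
            tag = fields[0][4:]
        fields.pop(0)
    scope = {"tag": tag, "line": line_no, "netmask": None, "routers": [],
             "start": ipaddress.IPv4Address(fields[0]),
             "end": ipaddress.IPv4Address(fields[1])}
    for extra in fields[2:]:  # first dotted field is the netmask, a second would be broadcast
        if extra.count(".") == 3 and scope["netmask"] is None:
            scope["netmask"] = ipaddress.IPv4Address(extra)
    return scope

def lint(conf_text):
    """Return sorted (line_no, code, message) findings for one dnsmasq config."""
    findings, scopes, routers = [], [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Heuristic: an option line has no spaces unless it carries a '=value',
        # so spaces without '=' almost always mean a comment that lost its '#'.
        if "=" not in line and " " in line:
            findings.append((line_no, "STRAY_TEXT", f"not an option, unprefixed comment? {line[:40]!r}"))
            continue
        key, _, body = line.partition("=")
        if key == "dhcp-range":
            scopes.append(_parse_range(body, line_no))
        elif key == "dhcp-option":  # dhcp-option=[tag:<tag>,]option:router|3,<gateway>
            fields = body.split(",")
            tag = fields.pop(0)[4:] if fields[0].startswith("tag:") else None
            if len(fields) >= 2 and fields[0] in ("option:router", "3"):
                routers.append((line_no, tag, fields[1]))
    for r_line, tag, gw in routers:  # an untagged router option applies to every scope
        targets = [s for s in scopes if tag is None or s["tag"] == tag]
        if not targets:
            findings.append((r_line, "ORPHAN_TAG", f"router for tag {tag!r} but no dhcp-range sets it"))
        for s in targets:
            s["routers"].append((r_line, ipaddress.IPv4Address(gw)))
    for s in scopes:
        name, ln, net = s["tag"] or f"range@{s['line']}", s["line"], None
        if s["netmask"] is None:
            findings.append((ln, "NO_NETMASK", f"{name}: relayed clients on another VLAN need a netmask"))
        else:
            net = ipaddress.IPv4Network((s["start"], str(s["netmask"])), strict=False)
            if s["start"] > s["end"] or s["end"] not in net:
                findings.append((ln, "BAD_POOL", f"{name}: pool {s['start']}-{s['end']} not inside {net}"))
        if not s["routers"]:
            findings.append((ln, "NO_ROUTER", f"{name}: no option:router, clients get no default gateway"))
        for r_line, gw in s["routers"]:
            if net is not None and gw not in net:
                findings.append((r_line, "ROUTER_OUTSIDE_SUBNET", f"{name}: gateway {gw} is not in {net}"))
            elif s["start"] <= gw <= s["end"]:
                findings.append((r_line, "ROUTER_IN_POOL", f"{name}: gateway {gw} lies inside the lease pool"))
    return sorted(findings)

# Constructed samples: the first two are trimmed from the configs posted in this thread.
OP_CONF = """\
log-dhcp
dhcp-range=set:96,192.168.96.3,192.168.96.250,255.255.255.0,24h
dhcp-option=tag:96,option:router,192.168.96.2
"""
POSTED_CONF = """\
listen-address=192.168.211.187
# This is an example of a DHCP range where the netmask is given. This is needed for networks we
reach the dnsmasq DHCP server via a relay agent. If you don't know what a DHCP relay agent is,
you probably don't need to worry about this.
dhcp-range=set:subnet96,192.168.96.10,192.168.96.250,255.255.255.0,12h
dhcp-option=tag:subnet96,option:router,192.168.96.1
"""
BAD_CONF = """\
dhcp-range=set:v96,192.168.96.10,192.168.96.250,255.255.255.0,12h
dhcp-option=tag:v96,option:router,192.168.97.1
dhcp-range=set:v97,192.168.97.10,192.168.97.250,12h
dhcp-range=set:v98,192.168.98.10,192.168.98.250,255.255.255.0,12h
dhcp-option=tag:v98,option:router,192.168.98.100
dhcp-option=tag:v99,option:router,192.168.99.1
"""  # deliberately wrong on every line but the first, to exercise each check

if __name__ == "__main__":
    for label, conf in (("10-vlans.conf", OP_CONF), ("dnsmasq.conf", POSTED_CONF), ("broken", BAD_CONF)):
        for line_no, code, msg in lint(conf) or [(0, "OK", "no findings")]:
            print(f"{label} line {line_no}: {code}: {msg}")
```

Run it next to `dnsmasq --test` before restarting pihole-FTL: dnsmasq remains the authority on syntax, this only flags scope definitions that are syntactically fine but will strand clients.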

Plus you learned something and shared your insight. Thank you.

For those joining in later, only the following lines are relevant:

The others are already contained in other Pi-hole files; duplicating them may result in errors.