Troubleshooting DHCP Issues with UniFi and SonicWall
This document provides a comprehensive guide to diagnosing and resolving DHCP failures on a private wireless VLAN when using a UniFi controller, Ubiquiti access points, and a SonicWall firewall as the DHCP server.
1. Problem Overview
Users have reported that some devices on a private wireless network are unable to obtain an IP address from the SonicWall DHCP server and are instead assigned an Automatic Private IP Addressing (APIPA) address in the 169.254.x.x range. This issue does not occur on the guest wireless VLAN, where devices receive the correct IP addresses.
2. Potential Root Causes
Based on the symptoms and common network configurations, several potential root causes can be identified:
• VLAN Tagging and Configuration: Incorrect VLAN tagging between the UniFi access points, the switch, and the SonicWall firewall can prevent DHCP traffic from reaching the DHCP server on the correct VLAN.
• DHCP Relay (IP Helper): If the DHCP server (SonicWall) is on a different subnet than the wireless clients, a DHCP relay or IP helper is required to forward DHCP requests. Misconfiguration of the IP helper is a common cause of DHCP failures.
• Firewall Rules: Firewall rules on the SonicWall may be blocking DHCP traffic (UDP ports 67 and 68) between the private wireless VLAN and the DHCP server.
• DHCP Scope Exhaustion: The DHCP scope for the private VLAN may be exhausted, preventing new devices from obtaining an IP address.
• Spanning Tree Protocol (STP) Issues: In some cases, STP can cause delays in network connectivity, leading to DHCP timeouts. Disabling STP on the ports connected to the APs can sometimes resolve the issue.
3. Troubleshooting Steps
Follow these steps to systematically diagnose and resolve the DHCP issue:
3.1. Verify VLAN Configuration
1. UniFi Controller:
• Ensure that the private wireless network is configured with the correct VLAN ID.
• Verify that the switch ports connected to the Ubiquiti APs are configured as trunk ports and are tagged with the correct VLANs (both private and guest).
2. SonicWall Firewall:
• Confirm that the VLANs are correctly configured on the SonicWall, with the appropriate zones and interfaces.
• Ensure that the physical port on the SonicWall connected to the switch is configured to handle the tagged VLAN traffic.
3.2. Check DHCP Relay (IP Helper) Configuration
If the SonicWall is acting as the DHCP server and is on a different subnet than the private wireless clients, you must configure DHCP relay:
1. SonicWall Configuration:
• Navigate to Network > IP Helper.
• Enable IP Helper and ensure that DHCP is selected in the protocol list.
• Create a new IP Helper policy to forward DHCP requests from the private VLAN to the SonicWall's LAN interface IP address.
3.3. Review Firewall Rules
1. SonicWall Firewall Rules:
• Create or verify firewall rules that allow DHCP traffic (UDP ports 67 and 68) from the private wireless VLAN to the LAN zone where the DHCP server resides.
• Ensure that there are no conflicting rules that might be blocking DHCP traffic.
3.4. Examine DHCP Scope
1. SonicWall DHCP Scope:
• Navigate to Network > DHCP Server.
• Check the DHCP scope for the private VLAN to ensure that there are available IP addresses.
• If the scope is exhausted, consider expanding the address range or reducing the lease time.
3.5. Investigate Spanning Tree Protocol (STP)
If the above steps do not resolve the issue, consider investigating STP settings:
1. Switch Configuration:
• On the switch ports connected to the Ubiquiti APs, try disabling STP or enabling a feature like "PortFast" or "RSTP" to speed up port forwarding and prevent DHCP timeouts.
4. Additional Considerations
• Firmware Updates: Ensure that the firmware on your UniFi APs, switches, and SonicWall firewall is up to date.
• Packet Capture: If the issue persists, perform a packet capture on the SonicWall to analyze DHCP traffic and identify where the communication is failing.
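As an added example (not part of the original document and not SonicWall or UniFi tooling), the following Python script decodes raw DHCP UDP payloads exported from such a capture, groups them by transaction id, and reports at which step of the DISCOVER/OFFER/REQUEST/ACK exchange each client stalled, mapping each stall back to the root causes listed above. The packets it runs on are constructed inline, and the relay check assumes the IP Helper fills in the BOOTP giaddr field as a standard DHCP relay does.

```python
import socket
import struct
from collections import defaultdict
MAGIC = b"\x63\x82\x53\x63"  # cookie that precedes the DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}  # option 53

def parse_dhcp(pkt: bytes) -> dict:
    """Decode xid, relay address (giaddr) and option 53 from one DHCP UDP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", pkt[4:8])[0]
    giaddr = socket.inet_ntoa(pkt[24:28])  # non-zero only if a relay (IP Helper) forwarded it
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # option 255 ends the list
        if pkt[i] == 0:                     # option 0 is a single pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "OTHER")
    return {"xid": xid, "type": mtype, "giaddr": giaddr}

def diagnose(packets: list) -> dict:
    """Group messages by transaction id and report where each DORA exchange stalled."""
    seen = defaultdict(list)
    for p in map(parse_dhcp, packets):
        seen[p["xid"]].append(p)
    report = {}
    for xid, msgs in seen.items():
        types = {m["type"] for m in msgs}
        relayed = any(m["giaddr"] != "0.0.0.0" for m in msgs)
        if "ACK" in types:
            verdict = "completed"
        elif "NAK" in types:
            verdict = "server refused the lease: check the DHCP scope for this VLAN"
        elif "OFFER" not in types:
            verdict = "no OFFER: check VLAN tagging, IP Helper, UDP 67/68 rules and scope availability"
        else:
            verdict = "OFFER seen but no ACK: REQUEST or ACK lost on the return path"
        report[xid] = {"verdict": verdict, "relayed": relayed}
    return report

def build_dhcp(xid: int, mtype: int, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample packet: minimal BOOTP header, cookie, option 53, end marker."""
    op = 1 if mtype in (1, 3) else 2  # BOOTREQUEST from the client, BOOTREPLY from the server
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000) + bytes(12)  # ciaddr/yiaddr/siaddr
    return hdr + socket.inet_aton(giaddr) + bytes(208) + MAGIC + bytes([53, 1, mtype, 255])

# Constructed capture: a relayed exchange that completes, one that gets no OFFER, one NAKed.
SAMPLE_CAPTURE = [build_dhcp(0x11, t, "10.20.0.1") for t in (1, 2, 3, 5)] + [build_dhcp(0x22, 1)]
SAMPLE_CAPTURE += [build_dhcp(0x33, t) for t in (1, 2, 3, 6)]
```

Feed `diagnose()` the UDP payloads of every port 67/68 frame from the SonicWall capture; a transaction that never gets an OFFER while `relayed` is False on a subnet the SonicWall does not sit on points straight at the IP Helper configuration.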
By following these troubleshooting steps, you should be able to identify and resolve the root cause of the DHCP failure on your private wireless network.
