Dnsmasq-dhcp on multiple networks DHCPOFFER IP in wrong range for interface

Hi,

I have a system with multiple networks, each with its own VLAN.
Beside the main br-lan interface I created a br-guest (with relative wireless SSID) and a br-iot (with relative wireless SSID).

The issue is that dnmasq-dhcp often offers an IP address in the guest or iot ranges to devices connecting to lan, with the consequence that these devices then don't work, having acquired an IP in wrong VLAN range.

I have taken care of assigning each vlan interface and bridge a different MAC address to avoid any mixup, but it does not help, devices randomly are offered the wrong IP.
The firewall does not allow input from guest and iot vlans to 'device' but there are firewall rules to allow UDP ports 53 (DNS) and 67-68 (DHCP) for each VLAN.
When a device connects to either guest or iot SSID all is good in that they acquire the correct configuration from dnsmasq-dhcp, although I have a limited number of test cases to see whether a device from either guest or iot is DHCPOFFERed an IP in the wrong range.

Here is an excerpt of my /etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
[...]

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option start '128'
	option limit '96'
	option force '1'
	option ra_offlink '1'
	option ra_preference 'low'
[...]

config dhcp 'guest'
	option interface 'guest'
	option leasetime '12h'
[...]
	option start '128'
	option limit '64'

config dhcp 'iot'
	option interface 'iot'
	option leasetime '12h'
[...]
	option start '128'
	option limit '64'

And here are log entries showing that dnsmasq-dhcp is offering the wrong IP range to br-lan connected devices:

zefiro.log:2023-02-02T12:25:46+01:00 zefiro dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.96.133 cc:50:e3:f4:e3:13
zefiro.log:2023-02-02T12:25:54+01:00 zefiro dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.96.133 cc:50:e3:f4:e3:13
zefiro.log:2023-02-02T12:26:12+01:00 zefiro dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.96.186 14:96:e5:6c:90:41
zefiro.log:2023-02-02T12:26:16+01:00 zefiro dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.96.133 cc:50:e3:f4:e3:13

Since I have about 40 devices connecting to lan SSID and network right now, statistically I can see a 5% of cases where the device is DHCPOFFERed an IP in one of the other networks.

Is this an openwrt/dnsmasq bug or is there an issue with my configuration?

Most likely you have bridged all the interfaces together.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thank you for you kind reply. Please see below.

removed for security

All these are sharing the same port, so it is expected to get mixed up.
Follow the example of vlan tagging from the DSA tutorial to tag the frames if you are going to pass them from the same lan port.

Thank you, the vlan tagging guide did not help as my router no longer has those luci options in openwrt 22, beside, vlans are configured correctly to the best of my knowledge. I know sharing one interface is problematic and therefore I assigned a different mac address to each vlan.x virtual interface, hoping that it could help. That is the most I can do short of quadruplicating wiring and routers around the whole house to segregate each VLAN into physically separate LANs.

I found the following more helpful: