ROAS, and DHCP addresses in different VLANs

Ahoy friends.
I'm going to simplify my setup a little bit.
Currently I got a network consisting of 3 VLANs.
VLAN 1 is my "WAN", VLAN 3 my VLAN for trusted devices, and VLAN 3 is my management VLAN.
In this case I didn't set up the management VLAN, to make the config easier to read.
I use a Raspberry Pi 4 as router, and I got a VLAN 1 which should be the WAN zone, and VLAN 3 which should be the "LAN", or the VLAN for trusted devices.
This interface, in this case eth0.3, should assign IP addresses to connected clients.
Unfortunately it doesn't work, so I have to use static addresses on the clients in order to be able to access and ping the router. Clients do not receive any IP from the OpenWRT router.

What's wrong here?

I got eth0, which should represent VLAN 1, which is the native VLAN on the given trunk port.
eth0.3 is the interface representing VLAN 3, which should assign IP addresses to connected clients.

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option allservers '1'
	list server '62.210.136.158'
	list server '8.8.8.8'
	list server '192.168.2.1'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'Trusted'
	option interface 'Trusted'
	option limit '150'
	option leasetime '12h'
	option start '20'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd58:04fd:0088::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'OpenWRT'

config device 'eth0_110'
	option name 'eth0.110'

config device 'eth0_2'
	option name 'eth0.2'

config device 'eth0_3'
	option name 'eth0.3'

config device 'eth0_4'
	option name 'eth0.4'

config device 'eth0_200'
	option name 'eth0.200'

config device 'eth0_220'
	option name 'eth0.220'

config device 'eth0_240'
	option name 'eth0.240'

config device 'eth0_260'
	option name 'eth0.260'

config device 'eth0_300'
	option name 'eth0.300'

config device 'eth0_320'
	option name 'eth0.320'

config device 'eth0_340'
	option name 'eth0.340'


config interface 'Trusted'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
	list dns '192.168.2.1'
	list dns '8.8.8.8'

I hope someone could help. Thanks in advance!
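As an added example (not code from the original post or from OpenWrt), here is a small Python lint for the two UCI files quoted above. It parses `/etc/config/network` and `/etc/config/dhcp` text and reports the conditions this thread turns on: a bare parent port (eth0) used untagged next to tagged sub-interfaces (eth0.N) on the same cable, a `config dhcp` section that points at an interface the network file never defines, a static interface with no active DHCP server, and `config device` entries nothing references. The embedded sample configs are constructed to mirror the first post; the finding strings and the `lint` function are my own names.

```python
import shlex
from collections import defaultdict

# Constructed sample, modelled on the /etc/config/network from the first post:
# a bare eth0 bridge next to eth0.3, plus an eth0.110 device nobody references.
SAMPLE_NETWORK = """
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'

config device 'eth0_110'
	option name 'eth0.110'

config device 'eth0_3'
	option name 'eth0.3'

config interface 'Trusted'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
"""

# Constructed sample, modelled on the /etc/config/dhcp from the first post.
SAMPLE_DHCP = """
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'Trusted'
	option interface 'Trusted'
	option start '20'
"""


def parse_uci(text):
    """Parse UCI text into a list of (type, name, {key: [values]}) sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = shlex.split(line)  # strips the single quotes around values
        if words[0] == 'config':
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], name, defaultdict(list)))
        elif words[0] in ('option', 'list') and sections:
            sections[-1][2][words[1]].append(words[2] if len(words) > 2 else '')
    return sections


def lint(network_text, dhcp_text):
    """Return a list of human-readable findings for the two config files."""
    net = parse_uci(network_text)
    dhcp = parse_uci(dhcp_text)
    findings = []
    ifaces = {name: opts for typ, name, opts in net if typ == 'interface'}
    devices = {opts['name'][0] for typ, _, opts in net
               if typ == 'device' and opts.get('name')}

    # Ports actually carried by some interface (ifname may list several).
    used_ports = set()
    for opts in ifaces.values():
        for entry in opts.get('ifname', []):
            used_ports.update(entry.split())

    # 1. Untagged parent port mixed with tagged sub-interfaces of the same port:
    #    the trunk's native VLAN then arrives untagged on the same cable.
    for port in sorted(used_ports):
        if '.' in port:
            continue
        tagged = sorted(p for p in used_ports if p.startswith(port + '.'))
        if tagged:
            findings.append(f"mixed: {port} untagged alongside tagged {', '.join(tagged)}")

    # 2. DHCP sections that point at interfaces the network file never defines.
    served = {}
    for typ, name, opts in dhcp:
        if typ != 'dhcp':
            continue
        target = opts.get('interface', [''])[0]
        if target not in ifaces:
            findings.append(f"dhcp '{name}' points at unknown interface '{target}'")
            continue
        served[target] = opts.get('ignore', ['0'])[0] != '1'

    # 3. Static (router-side) interfaces with no DHCP server actually enabled.
    for name, opts in ifaces.items():
        if name == 'loopback' or opts.get('proto', [''])[0] != 'static':
            continue
        if not served.get(name, False):
            findings.append(f"no DHCP server on static interface '{name}'")

    # 4. Device sections nothing references (harmless, but noise when debugging).
    for dev in sorted(devices - used_ports):
        findings.append(f"unused device '{dev}'")
    return findings


if __name__ == '__main__':
    for line in lint(SAMPLE_NETWORK, SAMPLE_DHCP):
        print(line)
```

On the sample this reports the untagged eth0 next to eth0.3, the orphaned `wan` DHCP section, and the unused eth0.110 device; the Trusted interface itself passes, which matches the thread: the UCI side was not where the lease failure came from.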

No, that should be the CPU. eth0.1 is VLAN 1. See any Linux manual.

Also, why do you only have one Interface setup?

You need one for each VLAN.


I only got one physical interface because it's a Raspberry Pi 4.
So I want to use a Router on a Stick setup, where only one physical interface is being used, using a trunk port. So I'd like to route between the different interfaces, like eth0.110 and eth0.200.
The only problem I got is with the eth0. (dot) interfaces, because they don't assign IP addresses to their connected clients. I currently have to use external DHCP servers to solve that.
Also eth0 (br-lan) is working fine as expected, as DHCP client.

But what's the reason why only static addresses work in each VLAN but not DHCP?

Have you tried changing eth0 to eth0.1?

And why do you have all of these in your network config?


The other ones I'd like to use later, when I got this minimal setup working.
The eth0 to eth0.1 I'll try out, let's see what happens.

Btw. are there any logs that might be useful in my case?

My query was more around why you have them at all. They're not necessary.


Can you start with a quick diagram of your physical network? Is the config you have listed for the RPi? Are there any other routers connected to the network? If so, please include them in the diagram and note the networks/VLANs that they control and if they are also running OpenWrt. What brand/model switches are you using?

All of these things provide context upon which the rest of the configuration will be built. There are likely some errors in your current config, but it is critical that the topology is understood in order to provide the right guidance.


Thanks for your help.
Here I got a quick diagram of my network setup.

And my VLANs

VLAN 1 Untrusted OK
VLAN 2 Lab
VLAN 3 Trusted Devices
VLAN 110 Management, Zabbix
VLAN 300 VoIP
VLAN 200 Virtual Machines, Server
VLAN 220 Storage Server
VLAN 320 Guest
VLAN 340 CCTV

Currently I'd like to talk only about the minimal setup I got, in order to understand it all.
I got my router, Fritz 7490, which should do the dialing-in process, and provide the network and DHCP for untrusted devices, VLAN 1.
The OpenWRT router should connect to VLAN 1 and use it as WAN zone. It will be an exposed host on the Fritz! 7490.
The OpenWRT device should deal with everything, except VLAN 1.
The WAN thing seems to work fine, eth0.1 is configured as DHCP client. Alright. I'll also create the necessary routes to the Fritz! 7490 device, for other purposes later.

So I currently got my VLAN 3 in addition to the VLAN 1 which is WAN.
VLAN 3 should be my LAB network, and it should assign IP addresses to connected devices on VLAN 3.
Unfortunately clients connected to VLAN 3 do not receive any IP lease. Instead I can give them a static IP, and then they are able to access the OpenWRT device and to ping the gateway (which is the OpenWRT device). But they do not get a lease from the router.
Since we are talking about VLAN 3 here, there is no other DHCP server interacting.

I also got my VLAN 110, which is not included here, to deal with static IP addresses for my management VLAN 110. This works fine, because there is no DHCP necessary.

I hope it's possible to understand my setup a little bit.
The inter-VLAN routing can be done by the switches, because I got SG300 switches which are layer 3 aware.
So the router should do almost nothing but assigning IP addresses to the clients in their given VLAN.


Post your firewall file, maybe the issue is there.

Another thing you should consider is resetting back to defaults and just working on a single VLAN at a time. It often makes it easier to start with a clean slate.


This should be set up so the Fritzbox is only Internet access, not a router. So it would be on its own VLAN which feeds only to the OpenWrt Pi and is the Pi's wan network. Then the Pi sends back on the trunk cable the other VLANs for the various lan type networks, and the switches are configured so each endpoint (computer printer etc.) is mode access on one of them.

Thanks, so you are talking about PPPoE, in order to only use it as modem?

Yes if the ISP and modem supports that you would run a pppoe bridge so that the OpenWrt router holds your public IP address directly. Then incoming connections would be firewalled or accepted by OpenWrt.


Ahoy friends.
So what did I try? I have set the OpenWRT router's LAN port to access mode, using VLAN 2.
Then I set my PC's LAN port also to VLAN 2, but no IP is being assigned by the DHCP. Talking about OpenWRT default settings. When using OpenWRT attached to the computer without the network, it works.
So it must be something with the network, but any clue what?

Unfortunately the PPPoE way is not that easy, because I also have to use the device as DECT base, because of my phones.

My Coreswitch's config:

config-file-header
CRSW-K-01
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
spanning-tree loopback-guard
spanning-tree priority 4096
vlan database
vlan 2-4,110,200,220,240,260,300,320,340,360 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable 
errdisable recovery interval 6000 
errdisable recovery cause loopback-detection 
errdisable recovery cause stp-bpdu-guard 
errdisable recovery cause stp-loopback-guard 
hostname CRSW-K-01
no passwords complexity enable 
passwords aging 0 
username admin password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
username cisco password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
ip ssh server
snmp-server server
snmp-server location KELLER
snmp-server contact HOLZ
snmp-server community holz ro view Default 
clock timezone DFL +1
clock summer-time web recurring eu 
sntp server 134.130.4.17 
sntp source-interface vlan 110 
!
interface vlan 110
 name MGMNT 
 ip address 172.20.32.100 255.255.224.0 
 no ip address dhcp 
!
interface gigabitethernet1
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet2
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet3
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet4
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet5
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet6
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet14
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet15
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet16
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet17
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet18
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet23
 channel-group 2 mode auto 
!
interface gigabitethernet24
 channel-group 2 mode auto 
!
interface gigabitethernet25
 channel-group 2 mode auto 
!
interface gigabitethernet26
 channel-group 2 mode auto 
!
interface gigabitethernet27
 channel-group 1 mode auto 
!
interface gigabitethernet28
 channel-group 1 mode auto 
!
interface Port-channel1
 flowcontrol auto 
 loopback-detection enable 
 switchport trunk allowed vlan add 2-4,110,200,220,240,260,300,320 
 switchport trunk allowed vlan add 340,360 
!
interface Port-channel2
 loopback-detection enable 
 description Core-PoE
 switchport trunk allowed vlan add 2-4,110,200,220,240,260,300,320 
 switchport trunk allowed vlan add 340,360 
!
exit
ip default-gateway 172.20.32.1 
encrypted ip ssh-client key rsa key-pair

The switch below the core switch, which is connected to the AP in the middle of the diagram.
According to Wireshark listening on the VLAN 2 interface, there is no DHCPOFFER from the router. Only DHCPDISCOVER from the client.

Now I got some news. Quite annoying.
According to Wireshark there is an ICMPv6 router advertisement.
So I've activated IPv6 on my client for now. It seems to receive something, because according to Gnome NetworkManager my device is "connected" successfully.
But I want to let it work with IPv4, how to do so?

EDIT: Some news. Now receiving an IPv4 lease, after disabling all the IPv6 stuff on the OpenWRT interface, and after disabling bridge multicast filtering on the Cisco switch. Now I'll try with VLANs.

Things work fine when using DHCP on the eth0 interface, not the dotted ones, like eth0.2.
Do I have to create the VLANs with bridged interfaces, or directly assign the dotted one?

config-file-header
PSW-K-01
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch queues-mode 4 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
spanning-tree loopback-guard
spanning-tree priority 12288
bridge multicast filtering 
vlan database
vlan 2-4,110,200,220,240,260,300,320,340,360 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable 
errdisable recovery interval 6000 
errdisable recovery cause loopback-detection 
errdisable recovery cause stp-bpdu-guard 
errdisable recovery cause stp-loopback-guard 
no boot host auto-config 
no boot host auto-update 
no bonjour enable
hostname PSW-K-01
no passwords complexity enable 
passwords aging 0 
username admin password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
username cisco password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
ip ssh server
snmp-server server
snmp-server location KELLER
snmp-server contact HOLZ
snmp-server community holz ro view Default 
clock timezone DFL +1
clock summer-time web recurring eu 
sntp server 134.130.4.17 
sntp source-interface vlan 110 
!
interface vlan 110
 name MGMNT 
 ip address 172.20.32.231 255.255.224.0 
 no ip address dhcp 
!
interface gigabitethernet1/1/1
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet1/1/12
 channel-group 2 mode auto 
!
interface gigabitethernet1/1/24
 channel-group 2 mode auto 
!
interface gigabitethernet1/1/25
 channel-group 2 mode auto 
!
interface gigabitethernet1/1/26
 channel-group 2 mode auto 
!
interface Port-channel2
 loopback-detection enable 
 switchport trunk allowed vlan add 2-4,110,200,220,240,260,300,320 
 switchport trunk allowed vlan add 340,360 
!
exit

ip default-gateway 172.20.32.1 
encrypted ip ssh-client key rsa key-pair

And the last switch on the bottom

config-file-header
PSW-D-01
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
spanning-tree loopback-guard
spanning-tree priority 12288
bridge multicast filtering 
vlan database
vlan 2-4,110,200,220,240,260,300,320,340,360 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable 
errdisable recovery interval 6000 
errdisable recovery cause loopback-detection 
errdisable recovery cause stp-bpdu-guard 
errdisable recovery cause stp-loopback-guard 
no boot host auto-config 
no boot host auto-update 
no bonjour enable
hostname PSW-D-01
no passwords complexity enable 
passwords aging 0 
username admin password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
username cisco password encrypted 2bdd1322fd78e4df8d37249a406cd6e8b5359741 privilege 15 
ip ssh server
snmp-server server
snmp-server location KELLER
snmp-server contact HOLZ
snmp-server community holz ro view Default 
clock timezone DFL +1
clock summer-time web recurring eu 
sntp server 134.130.4.17 
sntp source-interface vlan 110 
!
interface vlan 110
 name MGMNT 
 ip address 172.20.32.232 255.255.224.0 
 no ip address dhcp 
!
interface gigabitethernet1
 loopback-detection enable 
 spanning-tree portfast 
 switchport mode access 
 switchport access vlan 110 
!
interface gigabitethernet10
 loopback-detection enable 
 spanning-tree portfast 
!
interface gigabitethernet21
 switchport trunk allowed vlan add 110 
!
interface gigabitethernet27
 channel-group 1 mode auto 
!
interface gigabitethernet28
 channel-group 1 mode auto 
!
interface Port-channel1
 loopback-detection enable 
 switchport trunk allowed vlan add 2-4,110,200,220,240,260,300,320 
 switchport trunk allowed vlan add 340,360 
!
exit

encrypted ip ssh-client key rsa key-pair

Did you set eth0 to eth0.1 like you were advised? When you're testing the VLAN are you connecting devices directly to the OpenWRT device or is it through one of your switches?

The switch port connected to the Pi must be mode trunk, and transmit all the relevant VLANs with tags. This is also how all the VLANs move from one switch to another-- trunk ports on each end of the inter-switch cable. I don't remember exactly how to set that in Cisco. One thing I do remember is that the default setting "auto" does strange things especially when trying to trunk to non-Cisco equipment, so it should not be used. On the trunk ports explicitly configure mode trunk.

Then on the Pi, pick up VLANs to attach to each OpenWrt interface with the notation eth0.x. Do not have plain eth0 anywhere. It would be best to log into the Pi via its wifi or serial so you don't lose access if the Ethernet is not working.

Start with a default configuration with wan and lan and place the VLAN that goes to the Fritzbox in wan, and all the other ones in LAN, so you can confirm that DHCP and Internet access works for each VLAN through all the switches. Then you can refine the OpenWrt configuration by building new networks and firewall rules to separate the VLANs out.


I tried both. Using the "eth0" default br-lan through all the VLANs, DHCP works fine.
But the dotted ones are not able to assign IP addresses.
Even though the native VLAN on all trunk ports is 1.
So now I tried to remove the eth0 without the dot, and tried to replace it by eth0.1, but in this case it doesn't receive any IP address from the VLAN 1 router, even if this interface is in the wan zone.
For some reason only eth0 is able to receive an IP address from the other router. Also I'm not able to solve this problem with static IP addresses. So for some reason I have to use the normal eth0 in order to get the DHCP lease for the wan zone.

So in conclusion it seems like the eth0 interface always works with everything (no matter if DHCP server or DHCP client), and the dotted ones do not (not receiving leases, and not able to assign IP addresses to clients).

According to Wireshark, .1Q tagging works fine even on OpenWRT, but not the DHCP issue.

Going back to my earlier post... maybe it would be best if you reset everything to defaults (take backups first). This includes the switches.

Start with just a single switch and make sure it is in the default state.

The default configuration of OpenWrt is such that the ethernet port should be LAN (untagged) with the DHCP server enabled. Make sure that you can get an IP address from the ethernet port when connected directly to a computer and then when connected through the switch.

Next, add a single VLAN to the switch (let's call it 10, but you can select a different VLAN ID) -- this will serve as the WAN. Make a switch port a member of VLAN 10 as untagged and then ensure that the PVID/default/native/untagged (all the same idea, different terminology for different brands) is set to VLAN 10. Connect your modem to this port.

Next, on the port that has the RPi, add VLAN 10 as a tagged network.

Now, in OpenWrt on the Pi, edit the WAN (or create the wan interface if not there) such that it is defined as eth0.10, protocol as DHCP client, and firewall zone wan.

Check to see if the interface gets an IP address from the modem. If that does work, congratulations, you now have a ROAS. You can add VLANs, adjust the tagging, etc., but you should do it one VLAN at a time and make sure that the switch is also updated for any new VLAN IDs along the way.

If the WAN didn't get an IP, stop here and we'll troubleshoot.


If you're still having trouble here's what I did to set up a Cisco port for OpenWrt router on a stick. This is tested on a 3750-P (very old) with IOS 12.2(55) (also very old)

interface FastEthernet1/0/22
 description ROAS Trunk
 switchport mode trunk
 switchport trunk encapsulation dot1q

I think that newer versions dropped the Cisco proprietary encapsulation, so dot1q is the only choice.

 switchport trunk native vlan 4093

This is critical. Packets sent on the port's "native VLAN", which defaults to 1, will be untagged. Mixing tagged and untagged packets on the same cable does not work well with Linux / OpenWrt. So set the native VLAN to a dummy one which is not actually used for data. Then all VLANs including 1 will be tagged.

 switchport nonegotiate

This is probably not essential but it prevents the port from emitting proprietary packets that negotiate auto changing from access to trunk.

 spanning-tree bpdufilter enable

Without this setting, the STP BPDU packets sent by Linux are seen as improper by the Cisco spanning-tree system, and it will block the port. The filter means don't process any BPDU packets, basically no spanning-tree on this port.

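As an added example (not code from the post above or from Cisco), the following Python audit turns that port recipe into a check that can be run over a saved IOS-style `show running-config`. For each named port it parses the `interface` block and reports what the post calls out: trunk mode left to DTP auto negotiation instead of an explicit `switchport mode trunk`, a native VLAN that is also one of the VLANs carrying data (so that VLAN would reach the Linux router untagged), missing `switchport nonegotiate`, and no `spanning-tree bpdufilter enable`. The sample config is constructed (the correctly configured port copies the post; the second port is a made-up uplink left at defaults), and `DATA_VLANS` is an assumed set of in-use VLAN IDs that you would replace with your own.

```python
import re

# Constructed sample: the port from the post above, plus an uplink left at the
# defaults the post warns about (mode auto, native VLAN 1, no BPDU filter),
# plus an ordinary access port for contrast.
SAMPLE_IOS = """
interface FastEthernet1/0/22
 description ROAS Trunk
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4093
 switchport nonegotiate
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/1
 description uplink to ROAS router, left at defaults
 switchport trunk allowed vlan 1-4,110,200
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 110
!
"""

# Assumed: the VLAN IDs that actually carry traffic on this network.
DATA_VLANS = {1, 2, 3, 4, 110, 200}


def parse_interfaces(text):
    """Map each 'interface X' block to the list of its indented config lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith('interface '):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(' '):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the block
    return blocks


def audit_roas_port(lines, data_vlans=DATA_VLANS):
    """Return the problems found on a port meant to trunk tagged VLANs to a Linux router."""
    if 'switchport mode access' in lines:
        return ['access port, not a trunk']
    problems = []
    if 'switchport mode trunk' not in lines:
        problems.append('trunk mode not explicit (left to DTP auto negotiation)')
    native = 1  # IOS default when no native VLAN is configured
    for line in lines:
        m = re.match(r'switchport trunk native vlan (\d+)$', line)
        if m:
            native = int(m.group(1))
    if native in data_vlans:
        problems.append(f'native VLAN {native} carries data untagged; use an unused dummy VLAN')
    if 'switchport nonegotiate' not in lines:
        problems.append('DTP frames still sent (add switchport nonegotiate)')
    if 'spanning-tree bpdufilter enable' not in lines:
        problems.append('BPDUs from the router may get the port blocked (no bpdufilter)')
    return problems


def audit(text, ports, data_vlans=DATA_VLANS):
    """Audit the named ports of a running-config dump; unknown ports are reported as such."""
    blocks = parse_interfaces(text)
    return {p: audit_roas_port(blocks[p], data_vlans) if p in blocks else ['interface not found']
            for p in ports}


if __name__ == '__main__':
    for port, problems in audit(SAMPLE_IOS, ['FastEthernet1/0/22', 'GigabitEthernet1/0/1']).items():
        print(port, '->', problems or 'OK')
```

The native-VLAN check is the one that resolved this thread: with the default native VLAN 1 also being the WAN VLAN, that traffic left the switch untagged and the Pi's eth0.1 never saw it. Note that `bpdufilter` trades away loop protection on that one port, so it belongs only on the router-facing trunk, exactly as the post scopes it.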

I have never had any issues using an untagged network on a trunk, but I do know that there is a school of thought that trunk lines should never have an untagged network as part of the mix. This opinion has a number of angles including avoiding ambiguity, security, reduction of potential human error, etc. -- all of which are valid considerations.

The 802.1q standard does allow for an untagged network on trunk lines, and I have used them regularly with no problems. However, I am in a home environment with little-to-no likelihood of encountering issues such as those I mentioned above. In fact, on devices like the Unifi Security Gateway and other UI kit, it is common to have an untagged network on the trunk.

To use untagged or not to use untagged, that is the question -- I think the answer is part personal preference (possibly based on how/where you learned about VLAN trunking) as well as considerations I mentioned above and equipment compatibility.

In the case of this particular thread, if the OP decides to use only tagged networks, I would personally recommend that they start untagged with LAN only (i.e. default state), then configure the switch and the OpenWrt LAN to operate with a tag to ensure that both devices are configured properly for normal LAN connectivity (i.e. access to the OpenWrt system, DHCP functional, etc.). At that point, the additional VLANs for WAN and any additional networks can be added, one at a time.


Hey friends, it's working quite fine now with the suggestion from mk24.
I've set the native VLAN to an unused one, and now eth0.1 is already obtaining an address as DHCP client.
It's working very well now!!! I've done some testing using a minimal setup, and later I've used my old config again, and it worked.
All different VLANs and interfaces are receiving their addressing now.
So it seems like it has something to do with the native VLAN stuff!!! Thanks a lot friends.