[solved] DHCP OFFER is not sent to bridge interface with VLAN

I ran into the following problem. I have 2 OpenWrt routers - gateway and roaming.

Gateway has DHCP server and is configured in following way:

  • The LAN port is part of a LAN bridge. The bridge is not VLAN filtered
  • The LAN bridge is split into VLANs
  • The VLANs are part of bridges together with the WLAN
  • The bridges with WLAN have a DHCP server

The roaming device is getting DHCP via the VLAN without problems. However, a device connected to the roaming device is not getting an IP address. Using tcpdump I noticed that:

  • The DHCP OFFER is sent to the LAN bridge, properly tagged with the VLAN
  • The DHCP OFFER is not sent to the LAN port - only the DHCP REQUEST is

I'm stuck - why is the DHCP OFFER not sent to the port?

let's see the configs... please make it clear which router is which...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I took the liberty of also cutting this down to the relevant parts (yeah, I'm paranoid :wink: ) - but removing unrelated config parts (like DHCP static leases, wan etc.) really cut down on the already large text I need to sanitize.

# router /etc/config/network
# Sanitized excerpt posted by the author: wan, static leases and similar
# unrelated sections were cut; the XX/XY octets and the ULA prefix are redacted.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX:XXXX::/48'

# Plain bridge over the four lan ports. There is no 'config bridge-vlan'
# section for it, so br-lan itself does no VLAN filtering (as the author states).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Untagged LAN on br-lan. Note the lower-case name 'lan': the dhcp and firewall
# configs below also reference an interface 'LAN', which is not defined here
# (UCI section names are case-sensitive as far as I know).
# A later reply in the thread suggests dropping the ip6class line.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'wan6'
	option ip6weight '0'
	option ipaddr '192.168.XX.1'

# Second bridge whose only member is the VLAN sub-device defined at the end of
# the file; LAN_VLAN binds to this wrapper bridge rather than to the VLAN device.
config device
	option type 'bridge'
	option name 'br-lan-vlan'
	option bridge_empty '1'
	list ports 'br-lan.vlan'

# VLAN network served by dhcp section 'LAN_VLAN' and firewall zone 'lan_vlan'.
config interface 'LAN_VLAN'
	option proto 'static'
	option device 'br-lan-vlan'
	option ipaddr '192.168.XY.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6weight '1'

# NOTE(review): type '8021ad' selects the 802.1ad (QinQ / S-tag) VLAN
# protocol, not ordinary 802.1Q (type '8021q'). A peer expecting plain 802.1Q
# tags will not treat these frames as VLAN 1. The accepted fix later in this
# thread replaces this section with a 'config bridge-vlan' entry on br-lan
# and removes this device entirely.
config device
	option type '8021ad'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.vlan'
# router /etc/config/wireless
# 'path', 'key' and 'macaddr' values are redacted placeholders.

# 5 GHz radio (hwmode 11a, VHT80 on channel 36).
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path '...'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option channel '36'

# 2.4 GHz radio (hwmode 11g, HT20 on channel 1).
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path '...'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'
	option channel '1'

# AP on the 2.4 GHz radio, attached to network LAN_VLAN. Both APs use the
# SSID 'vlan' and the same key, presumably so clients can roam between bands.
# 802.11r fast transition is enabled (ieee80211r '1'), over the air only
# (ft_over_ds '0'), with the PMK derived locally from the PSK
# (ft_psk_generate_local '1'). wpa_disable_eapol_key_retries '1' is the
# option OpenWrt documents as the KRACK (key reinstallation) mitigation;
# psk2 is WPA2-PSK.
config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'vlan'
	option key '<VLAN_KEY>'
	option disassoc_low_ack '0'
	option macaddr 'XX:XX:XX:XX:XX:XX'
	option encryption 'psk2'
	option wpa_disable_eapol_key_retries '1'
	option network 'LAN_VLAN'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ifname 'wlan1-vlan'

# Same AP definition on the 5 GHz radio (no explicit macaddr here); see wifinet0.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'vlan'
	option disassoc_low_ack '0'
	option key '<VLAN_KEY>'
	option encryption 'psk2'
	option wpa_disable_eapol_key_retries '1'
	option network 'LAN_VLAN'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ifname 'wlan0-vlan'

# router /etc/config/dhcp
# dnsmasq global options. rebind_protection '1' discards upstream DNS answers
# that point at private addresses (DNS-rebinding defence); localservice '1'
# answers DNS queries only from local subnets; authoritative '1' lets the
# DHCP server NAK leases it does not know about.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

# DHCPv4 pool plus RA and stateful DHCPv6 for the VLAN interface defined in
# the network config.
config dhcp 'LAN_VLAN'
	option interface 'LAN_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

# NOTE(review): interface 'LAN' does not exist in the posted network config
# (the interface there is 'lan'); as far as I know UCI names are
# case-sensitive, so this section is inert and can be removed.
config dhcp 'LAN'
	option interface 'LAN'
	option start '100'
	option limit '150'
	option leasetime '12h'

# This is leftover from original interface I think? But including in case
# interfaces were case insensitive
# (reviewer: this is the section that actually matches network interface 'lan';
# it also serves RA and DHCPv6 with SLAAC disabled.)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option ra_slaac '0'
	option dhcpv6 'server'
# router /etc/config/firewall
# Sanitized excerpt: the 'wan' zone referenced by the forwarding sections
# below was cut by the author.
# Defaults: traffic to/from the router itself is accepted, inter-zone
# forwarding is rejected unless a forwarding section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zone for the VLAN network. input ACCEPT on a LAN-side zone is the OpenWrt
# default; forward ACCEPT allows traffic between interfaces within this zone.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan_vlan'
	list network 'LAN_VLAN'

config forwarding
	option dest 'wan'
	option src 'lan_vlan'

# The author confirms below that /etc/firewall.user does not exist, so this
# include is a no-op.
config include
	option path '/etc/firewall.user'

# NOTE(review): 'LAN' names an interface that is not defined in the posted
# network config (the interface there is 'lan'). If UCI names are
# case-sensitive, this zone covers no device and br-lan traffic falls through
# to the defaults above (input ACCEPT, forward REJECT) — worth checking which
# devices the zone actually binds after fixing the name.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'LAN'
	option name 'lan'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

There is no /etc/firewall.user file.

Unfortunately ssh doesn't work yet on the roaming system (not network related, as I see packets going back and forth; I still need to figure it out - I have access via serial and LuCI). However, since the packet is dropped before that point, I don't think it will be needed?

I dumped packets on br-lan (has DHCP REQUEST and DHCP OFFER) and lan1 (has DHCP REQUEST only).

It is not necessary to redact things like the RFC1918 addresses or VLAN IDs. They're not considered sensitive or identifying information.

In the below, is 'br-lan-vlan' and 'br-lan.vlan' actually the text that is there, or did you redact an actual VLAN ID?

It's actual text. The vlan id is here:

# Same section as in the network config above; 'vid' is the VLAN id asked about.
# Note the type is '8021ad' (802.1ad / QinQ), not '8021q'.
config device
	option type '8021ad'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.vlan'

Understood...

I think you really should be using bridge VLAN for your configuration. There is an explainer in the DSA mini tutorial... but here's the basic config that I'd recommend... using port lan1 tagged as the example, here:

# Bridge VLAN 1 on br-lan with lan1 as a tagged member; the interface below
# then binds to the resulting 'br-lan.1' sub-device.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

# Bind LAN_VLAN directly to br-lan.1; the extra 'br-lan-vlan' wrapper bridge
# and the 8021ad device from the original config are no longer needed.
config interface 'LAN_VLAN'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '192.168.XY.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6weight '1'

also, remove the 8021ad device config section.

You may need to adapt this to fit your specific needs, but this should theoretically work... give it a shot and report back.

Ok. That worked.

great! If you have any additional questions about how to get the specific config you're looking for (in terms of port membership for each of the VLANs, etc.), let me know.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Looks like I marked it as solved at the same time.

I wrote on roaming:

# Roaming device: VLAN 1 is tagged towards the router on 'wan' and untagged on
# lan1, so a client plugged into lan1 lands in VLAN 1.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:t'
	list ports 'lan1:u'

to direct the traffic from lan1 to VLAN 1. The non-VLAN network doesn't seem to work on wan anymore, but that's the least of my problems (it was set up only for debugging).

I assume I need to set forward to ACCEPT in the zone? I had a hard time understanding whether the nft forward chain applies to bridges or to traffic passing between networks.

Which device are we talking about now (I'm guessing AP, but want to verify).

On the AP, the firewall rules will not be used at all because the traffic will never be routed (only switched/bridged).

It is important to make sure that the bridge is configured properly, though... let's see the complete network config file from the AP (assuming this is the one in question).

Which device are we talking about now (I'm guessing AP, but want to verify).

Both

On the AP, the firewall rules will not be used at all because the traffic will never be routed (only switched/bridged).

Ok. So the roaming device should have it as REJECT and the gateway as ACCEPT? Calling either one "the AP" is confusing, as both are APs.

It is important to make sure that the bridge is configured properly, though... let's see the complete network config file from the AP (assuming this is the one in question).

# gateway
# Network config of the routing device after applying the bridge-vlan fix.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 tagged on all four lan ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

# This doesn't work. I assume it needs to be on vlan and marked as 'lan1:u', 'lan2:u' etc.
# (reviewer: a reply below says br-lan is already untagged on all ports and
# asks how "doesn't work" was tested — plug a client into a port and check
# whether it gets a lease. The same reply suggests removing ip6class.)
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'wan6'
	option ip6weight '0'
	option ipaddr '192.168.XX.1'

# Wrapper bridge around br-lan.1. A reply below says LAN_VLAN should use
# 'br-lan.1' directly, which makes this section unnecessary.
config device
	option type 'bridge'
	option name 'br-lan-vlan'
	option bridge_empty '1'
	list ports 'br-lan.1'

# NOTE(review): the redacted address here is the same placeholder as on 'lan'
# above (the first post used 192.168.XY.1 for this interface). If both
# interfaces really share one /24 that is an address conflict — confirm.
config interface 'LAN_VLAN'
	option proto 'static'
	option device 'br-lan-vlan'
	option ipaddr '192.168.XX.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6weight '1'

# roaming
# Network config of the second device (the "dumb AP"); it only bridges, so
# per a reply below its firewall zones are not used for this traffic.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

# NOTE(review): the option is spelled 'empty_bridge' here but 'bridge_empty'
# in the gateway config (and, as far as I know, 'bridge_empty' is the netifd
# name); only one spelling is honoured — confirm. 'wan' is a bridge member
# here because it is the uplink towards the router.
config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'XX:XX:XX:XX:XX:XX'
	option empty_bridge '1'
	list ports 'wan'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 tagged towards the router on 'wan', untagged on the four lan ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:t'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:u'
	list ports 'lan4:u'

# This doesn't work. I assume I need vlan with 'wan:u'?
# (reviewer: a reply below says wan should already be untagged and asks not
# to change this yet.)
config interface 'LAN'
	option device 'br-lan'
	option proto 'dhcp'

#config interface 'LAN6'
#	option device 'br-lan'
#	option proto 'dhcp6'

# Wrapper bridge around br-lan.1; note the unquoted and differently spelled
# 'empty_bridge 1' compared with the gateway's 'bridge_empty '1''.
# A reply below says LAN_VLAN should use 'br-lan.1' directly instead.
config device
	option name 'br-lan-vlan'
	option type 'bridge'
	option empty_bridge 1
	list ports 'br-lan.1'
	option macaddr 'XX:XX:XX:XX:XX:XX'

# Second DHCP client on the AP. A reply below recommends giving only one
# interface on the AP an address (the management one) and setting the other
# to proto 'none'.
config interface 'LAN_VLAN'
	option device 'br-lan-vlan'
	option proto 'dhcp'

Have what as reject and accept?

Let's call the device that does the routing the "router" (it is clear it is both routing and serving as an AP), and the other device the "dumb AP" or just "AP".

In the section below, you've redacted the lan address... it is not necessary to do that, and it actually is helpful if it is not redacted. RFC1918 addresses are not sensitive data.

Meanwhile, I'm pretty sure that ip6class should be removed.

Probably not -- you're using br-lan for this, which is already untagged on all ports.

When you say it is not working, can you elaborate, please? How are you testing it? The best way to test the standard lan here is to plug a regular computer into one of the ethernet ports and see if it gets a DHCP lease. If it does, this is working correctly.

The section below is incorrectly specified all around, and doesn't actually connect to any ports. For this VLAN, which physical ports do you want as members here?

it should already be untagged on the wan, so don't make any changes here yet.

Delete all of the stuff below:

The section below should use br-lan.1 (not br-lan-vlan). Also, it is recommended to only have an address on one interface on the AP -- this will be the one used to manage the device. The other one does not need an address; set it to proto 'none'.