VLAN and DHCP Problems

Hi,
I'm trying to clean up my network at home, but ran into a problem I don't understand.

My setup should look like the following :slight_smile:

Archer C7 with OpenWRT as router
Proxmox with some VM's and containers
all connected to a managed switch : Zyxel GS1900-24E

Default setup works fine, WAN is set up via DHCP over my existing network, LAN/WLAN is set up with
a DHCP server. Now I want to add a new VLAN on the router, and there I'm stuck.

I added a VLAN 3 on OpenWRT, setting switch port LAN 3 to be used exclusively by VLAN 3 and setting it to 'untagged' (as I understand, this will add the VLAN tag to all outgoing packets?)
I added a new network interface with static IP and corresponding DHCP server settings, and created a new firewall zone named DMZ.

I also created a new VLAN 3 on the zyxel switch and set it to use port '20', which is connected to LAN3 on the Archer C7.

Now I set the VLAN ID on one of my VMs and can watch the following (with help of wireshark on the VM and logread -f on the Archer) :slight_smile:

The VM sends a DHCPDISCOVER which reaches the router (seen in wireshark and log), the router sends a DHCPOFFER, but this will not show up on the VM (only in the log on the router, but not in wireshark).
I played with tagged/untagged settings on the router and switch, but it does not work. What am I doing wrong here?

It looks like the DHCPOFFER never leaves the router?
Thanks for any tips!

additional info : I disabled the VLAN ID in Proxmox and set it directly at the network adapter in the windows guest, which led to the following output :

Sat Nov 14 15:39:52 2020 daemon.info dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.237 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPDISCOVER(eth0.3) ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.237 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPREQUEST(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPNAK(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa wrong network
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPREQUEST(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPNAK(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa wrong network

While switching, the VM got an IP from my main network while not having a VLAN ID set, so my VLAN seems to work as expected, but why is the DHCPOFFER never reaching my VM?

running tcpdump -i eth0.3 shows the following :

15:47:14.416773 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ca:3f:15:6a:8f:fa (oui Unknown), length 300
15:47:14.417842 ARP, Request who-has 192.168.43.237 tell ArcherC7.lan, length 28
15:47:15.462157 ARP, Request who-has 192.168.43.237 tell ArcherC7.lan, length 28
15:47:16.502154 ARP, Request who-has 192.168.43.237 tell ArcherC7.lan, length 28
15:47:18.067699 IP ArcherC7.lan.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:47:19.290176 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ca:3f:15:6a:8f:fa (oui Unknown), length 300
15:47:19.291619 IP ArcherC7.lan.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:47:24.227479 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ca:3f:15:6a:8f:fa (oui Unknown), length 300
15:47:24.228924 IP ArcherC7.lan.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:47:32.696316 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ca:3f:15:6a:8f:fa (oui Unknown), length 300
15:47:32.697792 IP ArcherC7.lan.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:47:34.475300 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from da:d7:77:9e:7b:c1 (oui Unknown), length 300
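The dnsmasq log above already contains the whole diagnosis if it is read as a state machine: a healthy exchange is DISCOVER, OFFER, REQUEST for the offered address, ACK; here every OFFER is followed by another DISCOVER, and the only REQUESTs are for a 192.168.42.x address that the server answers with "wrong network". The following checker is an added example, not code from the thread or from dnsmasq. It parses lines in the format posted above (the sample log is copied from the post; the second, healthy log and its locally administered MAC 02:00:00:00:00:01 are constructed) and flags, per client, OFFERs that are never REQUESTed (the reply is not reaching the client, so the fault is on the layer-2 path rather than in the DHCP server) and NAKs for addresses from another subnet (a stale lease from a different VLAN).

```python
"""Check a dnsmasq DHCP log for clients that never see their OFFER.

Added example, not part of the thread. The parsing targets the dnsmasq-dhcp
log format; the heuristics (OFFER not followed by a REQUEST for the offered
address => reply lost on the way to the client; NAK 'wrong network' => client
holds a lease from another subnet) are the author's, not dnsmasq's.
"""
import re
from collections import defaultdict

# Matches "dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.237 ca:3f:15:6a:8f:fa"
LINE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\) (?P<rest>.*)$"
)

# Copied from the log posted in the thread.
SAMPLE_LOG = """\
Sat Nov 14 15:39:52 2020 daemon.info dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.237 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPDISCOVER(eth0.3) ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.237 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPREQUEST(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPNAK(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa wrong network
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPREQUEST(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa
Sat Nov 14 15:40:55 2020 daemon.info dnsmasq-dhcp[2215]: DHCPNAK(eth0.3) 192.168.42.163 ca:3f:15:6a:8f:fa wrong network
"""

# Constructed healthy exchange for comparison (MAC is a locally administered placeholder).
HEALTHY_LOG = """\
Sat Nov 14 16:00:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPDISCOVER(eth0.3) 02:00:00:00:00:01
Sat Nov 14 16:00:00 2020 daemon.info dnsmasq-dhcp[2215]: DHCPOFFER(eth0.3) 192.168.43.101 02:00:00:00:00:01
Sat Nov 14 16:00:01 2020 daemon.info dnsmasq-dhcp[2215]: DHCPREQUEST(eth0.3) 192.168.43.101 02:00:00:00:00:01
Sat Nov 14 16:00:01 2020 daemon.info dnsmasq-dhcp[2215]: DHCPACK(eth0.3) 192.168.43.101 02:00:00:00:00:01 testhost
"""


def parse_line(line):
    """Return {msg, iface, ip, mac, note} for one dnsmasq-dhcp line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    if ":" in tokens[0]:            # DISCOVER lines carry only the client MAC
        ip, mac, note = None, tokens[0], ""
    else:                           # OFFER/REQUEST/NAK/ACK: address, MAC, optional note
        ip, mac, note = tokens[0], tokens[1], " ".join(tokens[2:])
    return {"msg": m.group("msg"), "iface": m.group("iface"), "ip": ip, "mac": mac, "note": note}


def analyze(lines):
    """Per-client counters plus findings; the interesting case is OFFER without REQUEST."""
    per_client = defaultdict(lambda: {"offers": 0, "offer_followed_by_request": 0,
                                      "discover_after_offer": 0, "nak_wrong_network": 0,
                                      "findings": []})
    pending_offer = {}              # mac -> offered address, cleared once REQUESTed
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c, msg, mac = per_client[ev["mac"]], ev["msg"], ev["mac"]
        if msg == "DHCPOFFER":
            c["offers"] += 1
            pending_offer[mac] = ev["ip"]
        elif msg == "DHCPDISCOVER" and mac in pending_offer:
            c["discover_after_offer"] += 1      # client retries instead of accepting
        elif msg == "DHCPREQUEST" and pending_offer.get(mac) == ev["ip"]:
            c["offer_followed_by_request"] += 1
            pending_offer.pop(mac)
        elif msg == "DHCPNAK" and "wrong network" in ev["note"]:
            c["nak_wrong_network"] += 1
    for c in per_client.values():
        if c["offers"] and not c["offer_followed_by_request"]:
            c["findings"].append("OFFER never REQUESTed: reply is not reaching the client, "
                                 "check the VLAN/bridge path from the server interface")
        if c["nak_wrong_network"]:
            c["findings"].append("client asked for an address from another subnet "
                                 "(stale lease from a different VLAN)")
    return dict(per_client)


if __name__ == "__main__":
    for mac, c in analyze(SAMPLE_LOG.splitlines()).items():
        print(mac, c["findings"])
```

Run it against `logread -e dnsmasq-dhcp` output on the router; a client that shows the first finding will also show up in `tcpdump -i eth0.3` exactly as in the capture above, with Replies leaving the interface and no REQUEST ever coming back.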

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

On the contrary, it will send untagged, but incoming will be tagged for vlan3.

If you set the port on the router belonging to vlan3 as untagged, make sure you have the same on the switch. Otherwise they must be both tagged.
Also the CPU on the router must be tagged on vlan3 in both cases.


Hi! The current config is :

openwrt switch : vlan ID 3: CPU 'tagged' LAN3 'tagged'
LAN3 connected to ZyXel port 20, VLAN ID 3 'tagged'
VM connected to Zyxel port 1, VLAN 1 'untagged', Virtual NIC configured with VLAN ID 3

with this config I see the DHCPDISCOVER from the VM at eth0.3 of the router

cat /etc/config/network


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:9733:04fd::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.6'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ifname 'eth0.6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 4t'

config interface 'DMZ'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '192.168.43.1'
        option netmask '255.255.255.0'
        option delegate '0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '6'
        option ports '0t 1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option ft_over_ds '1'
        option key '0829511F7'
        option encryption 'psk2'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option ft_over_ds '1'
        option key '0829511F7'
        option encryption 'psk2'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

cat /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'DMZ'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'DMZ'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option network 'DMZ'
        option name 'DMZ'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

Looks right to me. I suspect some issue on the switch or the VM.
Make a switch port access to vlan3 and connect any device as dhcp client. Verify it works.
Then I would not combine tagged and untagged frames on the same port. That means on port 1 of the switch make vlan 1 tagged or remove it.

While googling I found some problems with KVM virtualization (which proxmox uses) and DHCP from DNSMASQ, so my next try is to hook up a physical machine to the switch with VLAN ID 3 set.
The tagged and untagged frames on the same port is one thing I think I need, I want to do the following :
I have the edge router, the switch and the proxmox host in my basement, and one CAT6 cable running to the upper floor. On the upper floor I also want access to the untagged and the tagged VLAN using a second openwrt router (an old TD-8980W), so I can have additional systems in my VLAN3 from the upper floor. So all packets, tagged and untagged, have to go over the same wires.

I don't see why this is a problem tagging vlan1 where needed and leaving it untagged someplace else. Unless you think that a vlan can only be tagged or untagged, which is not correct. You can have trunk ports carrying vlan 1,3, whatever and on a switch to configure some ports access/untagged to vlans 1,3,whatever.

Oh, well, right, didn't think about that :slight_smile: So I can just have all VLANs between the two routers tagged, going over the same port, and distribute them over different ports from my basement router, maybe even leave my zyxel switch out there :slight_smile: Thanks a lot for the metaphoric knock on my head :slight_smile:


Hmm, one question left : my proxmox host has only one physical NIC, but I want some VMs bridged to that NIC in VLAN 3 and some others accessible over the untagged LAN. Have to think about that a bit more....

I don't see why they cannot be all tagged. I suppose proxmox can distribute the tagged frames accordingly and make them untagged in case there are windows hosts.

Well, that's my problem, it seems like tagged frames from openwrt won't get to my VMs. BUT it looks like I'm just too stupid to configure my Zyxel GS1900-24E right :slight_smile: But it's too late today, just generated a loop two times, annoying my house mates with internet loss for two minutes :wink: So good night, thanks for the help, and tomorrow I'll pull some cables off the switch.


GRMPF, below is the way to do it, as long as you use the right port...... my brain seems to have problems with the way the ports are numbered, port 1 is outer left DOWN, port 2 is outer left UP. Oh my.

Hello, it's me again :slight_smile:
I tried my configuration with a dumb netgear switch, and there it works as expected. So it has to be my Zyxel config.
As far as I understand, it should work like the following :

default VLAN is 1, 'untagged' to all ports, PVID set to 1 for all ports, resembles a 'dumb' switch, dhcp is running with 192.168.1.0/24 untagged (another openwrt connected to any of the untagged VLAN 1 ports)

now I add a VLAN ID 3, set it to 'tagged' on Port 20 and 21, and exclude port 20 from VLAN ID 1

now I connect my openwrt to port 20, setting the router port also to 'tagged', interface on eth0.3, running another DHCP server 192.168.3.0/24

then I connect my PC to port 21, without setting VLAN ID I get an IP in the 192.168.1.x range, setting VLAN ID 3 should give me an IP from the .3.x range

My understanding is that if an untagged frame enters port 21, it will be forwarded to VLAN 1 ports, leaving them untagged, and a tagged frame will be sent to ports 20 and 21, leaving them tagged?

At least that's what my dumb miniswitch does, but the managed Zyxel not. It looks like the tagged frames from the Client reach the router on port 20, but the packets from the router will not leave the zyxel switch. Can anyone help here?

I also tried setting the switch on the router to 'untagged', also port 20 on the zyxel, and set the PVID to '3', which, as far as I understood, adds VLAN tag 3 to untagged packets, but this doesn't work either.
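The tagged/untagged rules given earlier in the thread ("untagged" strips the tag on the way out and assigns the port's VLAN on the way in; tagged members keep the tag; router CPU and switch port must agree) and the forwarding expectation in the post above can be checked against a small model instead of by pulling cables. The following is an added example, not code from the thread or from Zyxel or OpenWrt: a toy 802.1Q switch with a per-port PVID, tagged and untagged membership, and a broadcast-forwarding function, fed with the three port tables from the thread (port names p1, p20 and p21 are constructed). It assumes the switch does not do ingress filtering, which is the usual factory default and is what lets the VM's tagged DISCOVER through a VLAN-1-only port while the tagged OFFER cannot leave that same port, which is exactly the symptom in the first post.

```python
"""Toy model of 802.1Q forwarding on a managed switch.

Added example, not from the thread or any vendor. Rules modelled:
- an untagged frame entering a port is classified into the port's PVID;
- a tagged frame keeps its VLAN (no ingress filtering by default: assumption);
- the frame is flooded only to ports that are members of that VLAN;
- tagged members send it with the tag, untagged members strip the tag.
Port names and VLAN tables are constructed from the scenarios in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int = 1                                # VLAN assigned to untagged ingress frames
    tagged: set = field(default_factory=set)     # VLANs sent out with an 802.1Q tag
    untagged: set = field(default_factory=set)   # VLANs sent out with the tag stripped

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged


class Switch:
    def __init__(self, ports, ingress_filtering=False):
        self.ports = ports                       # name -> Port
        self.ingress_filtering = ingress_filtering

    def forward(self, ingress, vid=None):
        """Flood one broadcast frame (DHCP DISCOVER/OFFER) entering `ingress`.

        vid=None means it arrived untagged. Returns {egress_port: vid_on_wire},
        where a value of None means the frame leaves untagged."""
        port = self.ports[ingress]
        if vid is None:
            vid = port.pvid
        elif self.ingress_filtering and not port.member_of(vid):
            return {}                            # dropped on ingress
        out = {}
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if vid in p.tagged:
                out[name] = vid
            elif vid in p.untagged:
                out[name] = None
        return out


def thread_switch():
    """Table from the thread: VLAN 1 untagged on the access ports, VLAN 3 tagged
    on p20 (router, removed from VLAN 1) and p21."""
    return Switch({
        "p1": Port(pvid=1, untagged={1}),
        "p20": Port(pvid=1, tagged={3}),
        "p21": Port(pvid=1, untagged={1}, tagged={3}),
    })


def trace(switch, client_port, router_port="p20", vid=3):
    """DISCOVER from the client, OFFER back from the router; does each leg arrive?"""
    discover = switch.forward(client_port, vid)
    offer = switch.forward(router_port, vid)
    return {
        "discover_reaches_router": router_port in discover,
        "offer_reaches_client": client_port in offer,
        "offer_egress": offer,
    }


def untagged_router_mismatch():
    """Router port set to 'untagged' for VLAN 3 sends the OFFER without a tag, while
    the switch port still has PVID 1: the OFFER is classified into VLAN 1."""
    return thread_switch().forward("p20", None)


if __name__ == "__main__":
    print("VM on p1 (VLAN 1 only), tagged 3:", trace(thread_switch(), "p1"))
    print("VM on p21 (tagged member of 3):", trace(thread_switch(), "p21"))
    print("untagged frame on p21:", thread_switch().forward("p21", None))
    print("untagged router port, PVID 1 on switch:", untagged_router_mismatch())
```

The first trace reproduces the original symptom (DISCOVER arrives at the router, OFFER never reaches p1); the second is the layout from the post above and completes both legs; the last call shows why an "untagged" router port combined with a switch port that still has PVID 1 lands the OFFER in the wrong network. Turning `ingress_filtering` on makes the first case fail already at the DISCOVER, which is the behaviour to expect on a switch that has that option enabled.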

I told you already not to mix tagged and untagged frames. If you tag, tag them all on a trunk port. Otherwise send untagged to an access port.


Thanks, yes, but now it works as expected. Keeping all ports untagged for VLAN 1 leaves me the possibility to just plug something into any port and it will end up in my 'normal' network, but some of my servers and my IoT stuff is nicely separated. My 'uplink' to the other floor is now a direct cable between the two openwrt devices, carrying all VLANs tagged, with a bridge between one VLAN and one WLAN upstairs. Thanks for your help!


You don't need to do that on all ports. You can leave one port on the OpenWrt untagged on vlan1 and bridge it to an SSID.