VLAN traffic returning on untagged network

Hi,

I am trying to set up VLANs on 1.2 and am having issues: I cannot seem to get traffic to connect on the VLANs. From my logs, when it tries to get a DHCP lease it seems to be routed to the untagged LAN and returned on that interface.
It does not appear to be an issue with firewall rules, as I have tried opening up all ports.

I am using a Unifi switch and AP, and there is a snippet of my config below.

Any ideas on what could be causing this?

Thanks.

My interfaces:

 ethernet eth0 {
     duplex auto
     hw-id ac:1f:6b:26:ab:98
     smp-affinity auto
     speed auto
     vif 10 {
         address dhcp
         description WAN
     }
 }
 ethernet eth1 {
     address 192.168.10.1/24
     description LAN
     duplex auto
     hw-id ac:1f:6b:26:ab:99
     smp-affinity auto
     speed auto
     vif 20 {
         address 192.168.20.1/24
         description CAMERA
     }
     vif 30 {
         address 192.168.30.1/24
         description IOT
     }
     vif 40 {
         address 192.168.40.1/24
         description GUEST
     }
 }
 loopback lo {
 }

The DHCP log:

Aug 26 05:50:59 router kernel: [160011.573268] [GUEST-LOCAL-700-A] IN=eth1.40 OUT= MAC=ff:ff:ff:ff:ff:ff:36:b6:f4:86:f8:12:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=326 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=306
Aug 26 05:50:59 router dhcpd: DHCPDISCOVER from 36:b6:f4:86:f8:12 (Pixel-4a) via eth1
Aug 26 05:50:59 router dhcpd: DHCPOFFER on 192.168.10.40 to 36:b6:f4:86:f8:12 (Pixel-4a) via eth1

hi @blair5032 , could you please send dhcp configuration part as well? Thanks.

Hi @e.khudiyev,

My DHCP config:

 shared-network-name CAMERA {
     authoritative
     subnet 192.168.20.0/24 {
         default-router 192.168.20.1
         dns-server 192.168.20.1
         domain-name camera.home
         ntp-server 192.168.20.1
         range 0 {
             start 192.168.20.50
             stop 192.168.20.250
         }
     }
 }
 shared-network-name GUEST {
     authoritative
     subnet 192.168.40.0/24 {
         default-router 192.168.40.1
         dns-server 192.168.40.1
         domain-name guest.home
         ntp-server 192.168.40.1
         range 0 {
             start 192.168.40.50
             stop 192.168.40.200
         }
     }
 }
 shared-network-name IOT {
     authoritative
     subnet 192.168.30.0/24 {
         default-router 192.168.30.1
         dns-server 192.168.30.1
         domain-name iot.home
         ntp-server 192.168.30.1
         range 0 {
             start 192.168.30.20
             stop 192.168.30.250
         }
     }
 }
 shared-network-name LAN {
     authoritative
     subnet 192.168.10.0/24 {
         default-router 192.168.10.1
         dns-server 192.168.10.1
         domain-name home
         ntp-server 192.168.10.1
         range 0 {
             start 192.168.10.30
             stop 192.168.10.250
         }
     }
 }

From your DHCP logs it actually seems that both discover and offer packets were processed without a tag, which looks correct. I’ve tried a similar configuration on VyOS 1.3.0-rc6:

interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 50:06:00:08:00:00
    }
    ethernet eth1 {
        address 192.168.10.1/24
        hw-id 50:06:00:08:00:01
        vif 20 {
            address 192.168.20.1/24
        }
        vif 30 {
            address 192.168.30.1/24
        }
        vif 40 {
            address 192.168.40.1/24
        }
    }
    ethernet eth2 {
        hw-id 50:06:00:08:00:02
    }
    ethernet eth3 {
        hw-id 50:06:00:08:00:03
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        shared-network-name IOT {
            authoritative
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                domain-name camera.home
                ntp-server 192.168.30.1
                range 0 {
                    start 192.168.30.50
                    stop 192.168.30.250
                }
            }
        }
        shared-network-name camera {
            authoritative
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                domain-name camera.home
                ntp-server 192.168.20.1
                range 0 {
                    start 192.168.20.50
                    stop 192.168.20.250
                }
            }
        }
        shared-network-name guest {
            authoritative
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                domain-name camera.home
                lease 300
                ntp-server 192.168.40.1
                range 0 {
                    start 192.168.40.50
                    stop 192.168.40.250
                }
            }
        }
        shared-network-name lan {
            authoritative
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name camera.home
                ntp-server 192.168.10.1
                range 0 {
                    start 192.168.10.50
                    stop 192.168.10.250
                }
            }
        }
    }
}

Everything works as expected: untagged packets are processed on the 192.168.10.0/24 subnet and VLAN tag 40 packets are processed on the 192.168.40.0/24 subnet:

Aug 26 11:09:22 vyos dhcpd[1639]: DHCPDISCOVER from 50:06:00:0a:00:00 via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPOFFER on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 (192.168.40.1) from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:11:53 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:11:53 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:41 vyos dhcpd[1639]: DHCPDISCOVER from 00:50:06:00:0b:00 via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPOFFER on 192.168.10.50 to 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPREQUEST for 192.168.10.50 (192.168.10.1) from 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPACK on 192.168.10.50 to 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:16:53 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:16:53 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:19:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:19:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40

Is the underlying switch configured properly? On the switch, the port connected to VyOS interface eth1 should have tagged VLANs 20, 30 and 40.
Also check the switch port where your device 36:b6:f4:86:f8:12 is connected: that port should be untagged on VLAN 20, 30 or 40 (or, if the device is VLAN capable, you may configure the VLAN on the device and configure the switch port with a tagged VLAN).

Hi, thanks for the responses and for taking the time to help me.

I have checked the network configuration, and it seems all good.
The controller has network profiles for VLANs 20, 30 and 40.
The port to the router is configured for all networks, so it should be tagged for all my profiles.
My example was from a Wi-Fi client where the WLAN was set to VLAN 40, but I also set a port on the switch to VLAN 40 and connected a computer to it. Both examples had the same issue.

Any further ideas?

@blair5032 is there a native-vlan configuration on the port towards the router on the switch side? Maybe you can check whether the DHCP client’s MAC address is being learned on the correct VLAN, and capture traffic on the router side using “monitor traffic interface eth1” to check how packets from that host are being processed (tagged or untagged)?

@e.khudiyev I ran the commands and no packets are being received from the host on the eth1 interface. I see DHCP and other requests coming in on the eth1.40 interface from the host.
So it looks like the traffic is being received on the eth1.40 interface?

@blair5032 from your first post it looks like packets were received on eth1, not eth1.40:

Have you tried to check static IP config on host side? Does it work correctly in that case?

Please share the full dhcp log as a file and “show configuration commands | strip-private” and the port configuration on switch side towards router and AP if possible.

@e.khudiyev Setting a static IP does not allow me to ping the router.

DHCP log:

cat /var/log/messages | grep DHCP
Aug 27 10:03:13 router dhcpd: DHCPREQUEST for 192.168.10.39 from 3c:06:30:24:ee:64 via eth1
Aug 27 10:03:13 router dhcpd: DHCPACK on 192.168.10.39 to 3c:06:30:24:ee:64 via eth1
Aug 27 10:03:19 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:20 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:24 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:24 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:32 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:32 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:48 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:48 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:17 router dhcpd: DHCPREQUEST for 192.168.10.39 from 3c:06:30:24:ee:64 via eth1
Aug 27 10:04:17 router dhcpd: DHCPACK on 192.168.10.39 to 3c:06:30:24:ee:64 via eth1
Aug 27 10:04:20 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:20 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:24 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:24 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:25 router dhcpd: DHCPREQUEST for 192.168.10.45 from ae:35:f1:f2:bb:8d via eth1
Aug 27 10:04:25 router dhcpd: DHCPACK on 192.168.10.45 to ae:35:f1:f2:bb:8d (Pixel-4a) via eth1
Aug 27 10:04:32 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:32 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1

Interface log:

vyos@router:~$ monitor traffic interface eth1.40
listening on eth1.40, link-type EN10MB (Ethernet), capture size 262144 bytes
10:03:16.722763 IP6 fe80::9ca3:4b21:4ceb:b48a.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
10:03:17.113165 ARP, Request who-has 169.254.180.138 tell 169.254.180.138, length 46
10:03:17.115137 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
10:03:17.115163 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.115183 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
10:03:17.115188 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.117216 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
10:03:17.117242 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.193260 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.613390 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 2 group record(s)
10:03:17.613432 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
10:03:17.941485 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.941545 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.941554 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.113244 IP6 fe80::9ca3:4b21:4ceb:b48a > ip6-allrouters: ICMP6, router solicitation, length 16
10:03:18.691628 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.691667 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.691676 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.394751 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:19.441588 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.441630 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.441639 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.559643 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 1c:1b:0d:9a:dd:be (oui Unknown), length 300
10:03:20.722827 IP6 fe80::9ca3:4b21:4ceb:b48a.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
10:03:21.457493 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:21.457532 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:21.488717 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.488756 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.519995 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:21.520032 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:21.551082 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.551119 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.582526 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.582565 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.613786 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:22.113663 IP6 fe80::9ca3:4b21:4ceb:b48a > ip6-allrouters: ICMP6, router solicitation, length 16
10:03:22.396510 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:24.239937 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 1c:1b:0d:9a:dd:be (oui Unknown), length 300
10:03:24.613924 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:24.613959 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:24.645280 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119

My config:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group HOME-ASSISTANT-IP address 'xxx.xxx.10.4'
set firewall group address-group HOME-ASSISTANT-IP description 'IP address for Home Assistant Server'
set firewall group port-group PORT-DHCP port '67'
set firewall group port-group PORT-DHCP port '68'
set firewall group port-group PORT-DNS port '53'
set firewall group port-group PORT-MQTT port '1883'
set firewall group port-group PORT-MQTT port '1884'
set firewall group port-group PORT-MQTT port '8883'
set firewall group port-group PORT-MQTT port '8884'
set firewall group port-group PORT-NTP port '123'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name GUEST-LOCAL default-action 'drop'
set firewall name GUEST-LOCAL enable-default-log
set firewall name GUEST-LOCAL rule 10 action 'accept'
set firewall name GUEST-LOCAL rule 10 state established 'enable'
set firewall name GUEST-LOCAL rule 10 state related 'enable'
set firewall name GUEST-LOCAL rule 11 action 'drop'
set firewall name GUEST-LOCAL rule 11 log 'enable'
set firewall name GUEST-LOCAL rule 11 state invalid 'enable'
set firewall name GUEST-LOCAL rule 100 action 'accept'
set firewall name GUEST-LOCAL rule 100 log 'enable'
set firewall name GUEST-LOCAL rule 100 protocol 'icmp'
set firewall name GUEST-LOCAL rule 400 action 'accept'
set firewall name GUEST-LOCAL rule 400 destination group port-group 'PORT-NTP'
set firewall name GUEST-LOCAL rule 400 log 'enable'
set firewall name GUEST-LOCAL rule 600 action 'accept'
set firewall name GUEST-LOCAL rule 600 destination group port-group 'PORT-DNS'
set firewall name GUEST-LOCAL rule 600 log 'enable'
set firewall name GUEST-LOCAL rule 700 action 'accept'
set firewall name GUEST-LOCAL rule 700 destination group port-group 'PORT-DHCP'
set firewall name GUEST-LOCAL rule 700 log 'enable'
set firewall name GUEST-WAN default-action 'accept'
set firewall name IOT-LAN default-action 'drop'
set firewall name IOT-LAN enable-default-log
set firewall name IOT-LAN rule 10 action 'accept'
set firewall name IOT-LAN rule 10 state established 'enable'
set firewall name IOT-LAN rule 10 state related 'enable'
set firewall name IOT-LAN rule 11 action 'drop'
set firewall name IOT-LAN rule 11 log 'enable'
set firewall name IOT-LAN rule 11 state invalid 'enable'
set firewall name IOT-LAN rule 100 action 'accept'
set firewall name IOT-LAN rule 100 description 'Allow IoT access to Home Assistant'
set firewall name IOT-LAN rule 100 destination group address-group 'HOME-ASSISTANT-IP'
set firewall name IOT-LAN rule 100 destination group port-group 'PORT-MQTT-TCP'
set firewall name IOT-LAN rule 100 protocol 'tcp'
set firewall name LAN--ALLOW default-action 'accept'
set firewall name LOCAL-WAN default-action 'accept'
set firewall name LOCAL--DHCP default-action 'drop'
set firewall name LOCAL--DHCP enable-default-log
set firewall name LOCAL--DHCP rule 10 action 'accept'
set firewall name LOCAL--DHCP rule 10 state established 'enable'
set firewall name LOCAL--DHCP rule 10 state related 'enable'
set firewall name LOCAL--DHCP rule 11 action 'drop'
set firewall name LOCAL--DHCP rule 11 log 'enable'
set firewall name LOCAL--DHCP rule 11 state invalid 'enable'
set firewall name LOCAL--DHCP rule 100 action 'accept'
set firewall name LOCAL--DHCP rule 100 log 'enable'
set firewall name LOCAL--DHCP rule 100 protocol 'icmp'
set firewall name LOCAL--DHCP rule 700 action 'accept'
set firewall name LOCAL--DHCP rule 700 destination group port-group 'PORT-DHCP'
set firewall name TO-LOCAL--INTERNAL default-action 'drop'
set firewall name TO-LOCAL--INTERNAL enable-default-log
set firewall name TO-LOCAL--INTERNAL rule 10 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 10 state established 'enable'
set firewall name TO-LOCAL--INTERNAL rule 10 state related 'enable'
set firewall name TO-LOCAL--INTERNAL rule 11 action 'drop'
set firewall name TO-LOCAL--INTERNAL rule 11 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 11 state invalid 'enable'
set firewall name TO-LOCAL--INTERNAL rule 100 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 100 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 100 protocol 'icmp'
set firewall name TO-LOCAL--INTERNAL rule 400 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 400 destination group port-group 'PORT-NTP'
set firewall name TO-LOCAL--INTERNAL rule 400 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 700 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 700 destination group port-group 'PORT-DHCP'
set firewall name TO-LOCAL--INTERNAL rule 700 log 'enable'
set firewall name WAN-GUEST default-action 'drop'
set firewall name WAN-GUEST enable-default-log
set firewall name WAN-GUEST rule 10 action 'accept'
set firewall name WAN-GUEST rule 10 state established 'enable'
set firewall name WAN-GUEST rule 10 state related 'enable'
set firewall name WAN-GUEST rule 11 action 'drop'
set firewall name WAN-GUEST rule 11 log 'enable'
set firewall name WAN-GUEST rule 11 state invalid 'enable'
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN enable-default-log
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 state established 'enable'
set firewall name WAN-LAN rule 10 state related 'enable'
set firewall name WAN-LAN rule 11 action 'drop'
set firewall name WAN-LAN rule 11 log 'enable'
set firewall name WAN-LAN rule 11 state invalid 'enable'
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 11 action 'drop'
set firewall name WAN-LOCAL rule 11 log 'enable'
set firewall name WAN-LOCAL rule 11 state invalid 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:98'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 10 address 'dhcp'
set interfaces ethernet eth0 vif 10 description 'WAN'
set interfaces ethernet eth1 address 'xxx.xxx.10.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:99'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vif 20 address 'xxx.xxx.20.1/24'
set interfaces ethernet eth1 vif 20 description 'CAMERA'
set interfaces ethernet eth1 vif 30 address 'xxx.xxx.30.1/24'
set interfaces ethernet eth1 vif 30 description 'IOT'
set interfaces ethernet eth1 vif 40 address 'xxx.xxx.40.1/24'
set interfaces ethernet eth1 vif 40 description 'GUEST'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0.10'
set nat source rule 100 source address 'xxx.xxx.10.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 400 outbound-interface 'eth0.10'
set nat source rule 400 source address 'xxx.xxx.40.0/24'
set nat source rule 400 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 dns-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 ntp-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 start 'xxx.xxx.20.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 stop 'xxx.xxx.20.250'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 default-router 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 dns-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 ntp-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range 0 start 'xxx.xxx.40.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range 0 stop 'xxx.xxx.40.200'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 default-router 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 dns-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 ntp-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range 0 start 'xxx.xxx.30.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range 0 stop 'xxx.xxx.30.250'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 default-router 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 dns-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 ntp-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 start 'xxx.xxx.10.30'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 stop 'xxx.xxx.10.250'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:9f'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:15'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.15'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:f0'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:40'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.11'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:43'
set service dns forwarding allow-from 'xxx.xxx.0.0/0'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.10.1'
set service dns forwarding listen-address 'xxx.xxx.40.1'
set service dns forwarding system
set service ssh listen-address 'xxx.xxx.10.1'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack expect-table-size '2048'
set system conntrack hash-size '32768'
set system conntrack table-size '262144'
set system console device ttyS0 speed '9600'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.0.1'
set system ntp listen-address 'xxx.xxx.10.1'
set system ntp listen-address 'xxx.xxx.20.1'
set system ntp listen-address 'xxx.xxx.30.1'
set system ntp listen-address 'xxx.xxx.40.1'
set system ntp server xxxxx.tld prefer
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set zone-policy zone CAMERA default-action 'drop'
set zone-policy zone CAMERA from LAN firewall name 'LAN--ALLOW'
set zone-policy zone CAMERA from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone CAMERA interface 'eth1.20'
set zone-policy zone GUEST default-action 'drop'
set zone-policy zone GUEST from LAN firewall name 'LAN--ALLOW'
set zone-policy zone GUEST from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone GUEST from WAN firewall name 'WAN-GUEST'
set zone-policy zone GUEST interface 'eth1.40'
set zone-policy zone IOT default-action 'drop'
set zone-policy zone IOT from LAN firewall name 'LAN--ALLOW'
set zone-policy zone IOT from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone IOT interface 'eth1.30'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN from IOT firewall name 'IOT-LAN'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL from CAMERA firewall name 'TO-LOCAL--INTERNAL'
set zone-policy zone LOCAL from GUEST firewall name 'GUEST-LOCAL'
set zone-policy zone LOCAL from IOT firewall name 'TO-LOCAL--INTERNAL'
set zone-policy zone LOCAL from LAN firewall name 'LAN--ALLOW'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN from GUEST firewall name 'GUEST-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN--ALLOW'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone-policy zone WAN interface 'eth0.10'

My switch profiles, ‘Jeevington’ is on a port set to network ‘Guest’:

Name    Purpose    Network Port  Subnet           IPv6 subnet  VLAN
Camera  Corporate  LAN           192.168.20.0/24  None         20
Guest   Corporate  LAN           192.168.40.0/24  None         40
IoT     Corporate  LAN           192.168.30.0/24  None         30
LAN     Corporate  LAN           192.168.1.0/24   None

@blair5032 from the configuration on the router side everything seems to be fine.

Based on your results with the static IP config on the host side and the DHCP logs, packets that should be forwarded with a VLAN 40 tag from the switch towards the router are not processed correctly and are being forwarded as untagged. In my opinion it’s not a DHCP server issue but some misconfiguration with VLANs. Try to re-check on the switch side and find out the VLAN on which those hosts’ MAC addresses are learned; I think that might help to solve the issue.
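As an added illustration (not code from the thread or from VyOS), a small Python checker that turns the diagnosis above into a repeatable test: it parses dhcpd syslog lines of the form seen in this thread, compares the interface on which each client's DHCP exchange arrived against the VLAN the switch or AP profile says that client should be on, and flags leases that landed untagged on eth1 or that were offered an address outside the interface's subnet. The MAC-to-VLAN mapping and the sample log lines are constructed for the example; the interface-to-subnet mapping follows the eth1 vif configuration posted earlier.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample lines modelled on the dhcpd entries in the thread.
SAMPLE_LOG = """\
Aug 27 10:03:19 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:20 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:25 router dhcpd: DHCPACK on 192.168.10.45 to ae:35:f1:f2:bb:8d via eth1
Aug 27 11:09:23 router dhcpd[1639]: DHCPOFFER on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP) via eth1.40
Aug 27 11:09:23 router dhcpd[1639]: DHCPREQUEST for 192.168.40.52 (192.168.40.1) from 50:06:00:0a:00:00 (DESKTOP) via eth1.40
"""

# Router interface -> subnet, from the eth1 / eth1.20 / eth1.30 / eth1.40 config in the thread.
IFACE_SUBNETS = {
    "eth1": ip_network("192.168.10.0/24"),
    "eth1.20": ip_network("192.168.20.0/24"),
    "eth1.30": ip_network("192.168.30.0/24"),
    "eth1.40": ip_network("192.168.40.0/24"),
}

# Client MAC -> VLAN the switch/AP profile places it on (assumed mapping for the example).
EXPECTED_VLAN = {
    "1c:1b:0d:9a:dd:be": 40,
    "ae:35:f1:f2:bb:8d": 40,
    "50:06:00:0a:00:00": 40,
}

# Matches the four dhcpd message shapes: DISCOVER (no IP), OFFER/ACK ("on IP to MAC"),
# REQUEST ("for IP (server) from MAC"); host name and server address are optional.
DHCPD_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: (?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)"
    r"(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r"(?: \([\d.]+\))?"
    r" (?:from|to) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
    r" via (?P<iface>\S+)"
)


def iface_vlan(iface: str) -> Optional[int]:
    """'eth1.40' -> 40; an untagged parent such as 'eth1' -> None."""
    _, _, vid = iface.partition(".")
    return int(vid) if vid else None


def parse_dhcpd_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the message type, ip, mac, host and interface of one dhcpd line, or None."""
    m = DHCPD_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["mac"] = ev["mac"].lower()
    return ev


def check_event(ev: Dict[str, Optional[str]],
                expected_vlan: Dict[str, int] = EXPECTED_VLAN,
                iface_subnets=IFACE_SUBNETS) -> List[str]:
    """Findings for one event: wrong VLAN for a known client, or IP outside the interface subnet."""
    findings: List[str] = []
    seen = iface_vlan(ev["iface"])
    want = expected_vlan.get(ev["mac"])
    if want is not None and seen != want:
        where = "untagged" if seen is None else f"on VLAN {seen}"
        findings.append(
            f"{ev['mac']} ({ev['host'] or '?'}) expected on VLAN {want} "
            f"but {ev['msg']} arrived {where} via {ev['iface']}"
        )
    if ev["ip"] is not None:
        subnet = iface_subnets.get(ev["iface"])
        if subnet is not None and ip_address(ev["ip"]) not in subnet:
            findings.append(f"{ev['ip']} offered via {ev['iface']} is outside {subnet}")
    return findings


def audit_log(text: str,
              expected_vlan: Dict[str, int] = EXPECTED_VLAN,
              iface_subnets=IFACE_SUBNETS) -> List[str]:
    """Run check_event over every dhcpd line in a syslog extract and collect the findings."""
    findings: List[str] = []
    for line in text.splitlines():
        ev = parse_dhcpd_line(line)
        if ev is not None:
            findings.extend(check_event(ev, expected_vlan, iface_subnets))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Feed it the output of `grep dhcpd /var/log/messages`; a client that is expected on VLAN 40 but keeps appearing "via eth1" is the untagged-forwarding symptom discussed here, and a segmentation failure worth alerting on in general.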

@e.khudiyev Ok I will have a look into that. Thanks very much for looking at this.

@blair5032
It definitely looks like a VLAN configuration issue.
Let’s say that port 10 of the switch is connected to the eth1 port of the VyOS router, and port 11 is connected to the Unifi controller.

  • Port 10 of the switch: untagged VLAN 1, tagged all other VLANs (20, 30, 40)

  • Port 11 of the switch: untagged VLAN 1 (assuming the controller is on the same native VLAN as the router), and tagged all other VLANs (20, 30, 40)

  • Wireless networks in Unifi should be configured using VLANs

If port 10 (in this example connected to eth1 of the VyOS router) is properly configured as explained, you could also configure another port of the switch, let’s say port 15, to be untagged on one of the VLANs. Then connect a device to each port, and it should get an IP from the corresponding VLAN. I would try this first, in order to make sure that the connection between router and switch is OK. Then I would proceed to identify the communication issue with the Unifi controller.

FWIW, on eve-ng with VyOS 1.2.8 this works right away. Do you have a physical box with NICs capable of doing VLANs? I also wasted some time on that.

Aug 27 15:21:17 vyos dhcpd: DHCPDISCOVER from 50:00:00:02:00:00 via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPOFFER on 192.168.178.100 to 50:00:00:02:00:00 (vyos) via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPREQUEST for 192.168.178.100 (192.168.178.1) from 50:00:00:02:00:00 (vyos) via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPACK on 192.168.178.100 to 50:00:00:02:00:00 (vyos) via eth0.100

interfaces {
    ethernet eth0 {
        hw-id 50:00:00:01:00:00
        vif 100 {
            address 192.168.178.1/24
        }
    }
}

service {
    dhcp-server {
        shared-network-name INTERN {
            authoritative
            subnet 192.168.178.0/24 {
                default-router 192.168.178.1
                dns-server 8.8.8.8
                lease 86400
                range 0 {
                    start 192.168.178.100
                    stop 192.168.178.199
                }
            }
        }
    }
}

@16again @n.fort I will track down a device that I can plug in directly and see how it goes. Thanks

I hooked a computer directly into the router configured for vlan 40, it had the same issue.
I had had enough, so I wiped the device and did a fresh install, 1.3 this time. Loaded in my old config and it all works fine.

So no clue what was going wrong, but thanks to everyone for their help.