VLAN traffic returning on untagged network

Hi,

I am trying to set up VLANs on 1.2 and am having issues; I cannot seem to get traffic to connect on the VLANs. From my logs, when a client tries to get a DHCP lease it seems to be routed to the untagged LAN, and the reply returns on that interface.
It does not appear to be an issue with firewall rules as I have tried opening up all ports.

I am using a Unifi switch and AP, and there is a snippet of my config below.

Any ideas on what could be causing this?

Thanks.

My interfaces:

 ethernet eth0 {
     duplex auto
     hw-id ac:1f:6b:26:ab:98
     smp-affinity auto
     speed auto
     vif 10 {
         address dhcp
         description WAN
     }
 }
 ethernet eth1 {
     address 192.168.10.1/24
     description LAN
     duplex auto
     hw-id ac:1f:6b:26:ab:99
     smp-affinity auto
     speed auto
     vif 20 {
         address 192.168.20.1/24
         description CAMERA
     }
     vif 30 {
         address 192.168.30.1/24
         description IOT
     }
     vif 40 {
         address 192.168.40.1/24
         description GUEST
     }
 }
 loopback lo {
 }

The DHCP log:

Aug 26 05:50:59 router kernel: [160011.573268] [GUEST-LOCAL-700-A] IN=eth1.40 OUT= MAC=ff:ff:ff:ff:ff:ff:36:b6:f4:86:f8:12:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=326 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=306
Aug 26 05:50:59 router dhcpd: DHCPDISCOVER from 36:b6:f4:86:f8:12 (Pixel-4a) via eth1
Aug 26 05:50:59 router dhcpd: DHCPOFFER on 192.168.10.40 to 36:b6:f4:86:f8:12 (Pixel-4a) via eth1

Hi @blair5032, could you please send the DHCP configuration part as well? Thanks.

Hi @e.khudiyev,

My DHCP config:

 shared-network-name CAMERA {
     authoritative
     subnet 192.168.20.0/24 {
         default-router 192.168.20.1
         dns-server 192.168.20.1
         domain-name camera.home
         ntp-server 192.168.20.1
         range 0 {
             start 192.168.20.50
             stop 192.168.20.250
         }
     }
 }
 shared-network-name GUEST {
     authoritative
     subnet 192.168.40.0/24 {
         default-router 192.168.40.1
         dns-server 192.168.40.1
         domain-name guest.home
         ntp-server 192.168.40.1
         range 0 {
             start 192.168.40.50
             stop 192.168.40.200
         }
     }
 }
 shared-network-name IOT {
     authoritative
     subnet 192.168.30.0/24 {
         default-router 192.168.30.1
         dns-server 192.168.30.1
         domain-name iot.home
         ntp-server 192.168.30.1
         range 0 {
             start 192.168.30.20
             stop 192.168.30.250
         }
     }
 }
 shared-network-name LAN {
     authoritative
     subnet 192.168.10.0/24 {
         default-router 192.168.10.1
         dns-server 192.168.10.1
         domain-name home
         ntp-server 192.168.10.1
         range 0 {
             start 192.168.10.30
             stop 192.168.10.250
         }
     }
 }

From your DHCP logs it actually seems that both the discover and offer packets were processed without a tag, which looks consistent. I’ve tried a similar configuration on VyOS 1.3.0-rc6:

interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 50:06:00:08:00:00
    }
    ethernet eth1 {
        address 192.168.10.1/24
        hw-id 50:06:00:08:00:01
        vif 20 {
            address 192.168.20.1/24
        }
        vif 30 {
            address 192.168.30.1/24
        }
        vif 40 {
            address 192.168.40.1/24
        }
    }
    ethernet eth2 {
        hw-id 50:06:00:08:00:02
    }
    ethernet eth3 {
        hw-id 50:06:00:08:00:03
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        shared-network-name IOT {
            authoritative
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                domain-name camera.home
                ntp-server 192.168.30.1
                range 0 {
                    start 192.168.30.50
                    stop 192.168.30.250
                }
            }
        }
        shared-network-name camera {
            authoritative
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                domain-name camera.home
                ntp-server 192.168.20.1
                range 0 {
                    start 192.168.20.50
                    stop 192.168.20.250
                }
            }
        }
        shared-network-name guest {
            authoritative
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                domain-name camera.home
                lease 300
                ntp-server 192.168.40.1
                range 0 {
                    start 192.168.40.50
                    stop 192.168.40.250
                }
            }
        }
        shared-network-name lan {
            authoritative
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name camera.home
                ntp-server 192.168.10.1
                range 0 {
                    start 192.168.10.50
                    stop 192.168.10.250
                }
            }
        }
    }
}

Everything works as expected: untagged packets are processed on the 192.168.10.0/24 subnet and packets with VLAN tag 40 are processed on the 192.168.40.0/24 subnet:

Aug 26 11:09:22 vyos dhcpd[1639]: DHCPDISCOVER from 50:06:00:0a:00:00 via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPOFFER on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 (192.168.40.1) from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:09:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:11:53 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:11:53 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:14:41 vyos dhcpd[1639]: DHCPDISCOVER from 00:50:06:00:0b:00 via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPOFFER on 192.168.10.50 to 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPREQUEST for 192.168.10.50 (192.168.10.1) from 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:14:42 vyos dhcpd[1639]: DHCPACK on 192.168.10.50 to 00:50:06:00:0b:00 (user-virtual-machine) via eth1
Aug 26 11:16:53 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:16:53 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:19:23 vyos dhcpd[1639]: DHCPREQUEST for 192.168.40.52 from 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40
Aug 26 11:19:23 vyos dhcpd[1639]: DHCPACK on 192.168.40.52 to 50:06:00:0a:00:00 (DESKTOP-F0VGSTR) via eth1.40

Is the underlying switch configured properly? On the switch, the port connected to VyOS interface eth1 should have VLANs 20, 30 and 40 tagged.
Also check the switch port where your device 36:b6:f4:86:f8:12 is connected: that port should be untagged on VLAN 20, 30 or 40 (or, if the device is VLAN capable, you may configure the VLAN on the device and configure the switch port with the VLAN tagged).

Hi, thanks for the responses and for taking the time to help me.

I have checked the network configuration, and it seems all good.
The controller has network profiles for vlans 20, 30 and 40.
The port to the router is configured for all networks, so should be tagged for all my profiles.
My example was from a Wi-Fi client, where the WLAN was set to VLAN 40, but I also set a port on the switch to VLAN 40 and connected a computer to it. Both examples had the same issue.

Any further ideas?

@blair5032 is there a native-vlan configuration on the port towards the router on the switch side? Maybe you can check whether the DHCP client MAC address is being learned on the correct VLAN, and capture traffic on the router side using “monitor traffic interface eth1” to check how packets from that host are being processed (tagged or untagged)?

@e.khudiyev I ran the commands and no packets are being received from the host on the eth1 interface. I see DHCP and other requests coming in on the eth1.40 interface from the host.
So it looks like the traffic is being received on the eth1.40 interface?

@blair5032 from your first post it looks like the packets were received on eth1, not eth1.40:

Have you tried to check static IP config on host side? Does it work correctly in that case?

Please share the full dhcp log as a file and “show configuration commands | strip-private” and the port configuration on switch side towards router and AP if possible.

@e.khudiyev Setting a static IP does not allow me to ping the router.

DHCP log:

cat /var/log/messages | grep DHCP
Aug 27 10:03:13 router dhcpd: DHCPREQUEST for 192.168.10.39 from 3c:06:30:24:ee:64 via eth1
Aug 27 10:03:13 router dhcpd: DHCPACK on 192.168.10.39 to 3c:06:30:24:ee:64 via eth1
Aug 27 10:03:19 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:20 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:24 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:24 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:32 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:32 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:48 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:03:48 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:17 router dhcpd: DHCPREQUEST for 192.168.10.39 from 3c:06:30:24:ee:64 via eth1
Aug 27 10:04:17 router dhcpd: DHCPACK on 192.168.10.39 to 3c:06:30:24:ee:64 via eth1
Aug 27 10:04:20 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:20 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:24 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:24 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:25 router dhcpd: DHCPREQUEST for 192.168.10.45 from ae:35:f1:f2:bb:8d via eth1
Aug 27 10:04:25 router dhcpd: DHCPACK on 192.168.10.45 to ae:35:f1:f2:bb:8d (Pixel-4a) via eth1
Aug 27 10:04:32 router dhcpd: DHCPDISCOVER from 1c:1b:0d:9a:dd:be (Jeevington) via eth1
Aug 27 10:04:32 router dhcpd: DHCPOFFER on 192.168.10.51 to 1c:1b:0d:9a:dd:be (Jeevington) via eth1

Interface log:

vyos@router:~$ monitor traffic interface eth1.40
listening on eth1.40, link-type EN10MB (Ethernet), capture size 262144 bytes
10:03:16.722763 IP6 fe80::9ca3:4b21:4ceb:b48a.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
10:03:17.113165 ARP, Request who-has 169.254.180.138 tell 169.254.180.138, length 46
10:03:17.115137 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
10:03:17.115163 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.115183 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
10:03:17.115188 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.117216 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
10:03:17.117242 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:03:17.193260 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.613390 IP 169.254.180.138 > igmp.mcast.net: igmp v3 report, 2 group record(s)
10:03:17.613432 IP6 fe80::9ca3:4b21:4ceb:b48a > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
10:03:17.941485 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.941545 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:17.941554 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.113244 IP6 fe80::9ca3:4b21:4ceb:b48a > ip6-allrouters: ICMP6, router solicitation, length 16
10:03:18.691628 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.691667 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:18.691676 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.394751 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:19.441588 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.441630 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.441639 IP 169.254.180.138.netbios-ns > 169.254.255.255.netbios-ns: UDP, length 68
10:03:19.559643 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 1c:1b:0d:9a:dd:be (oui Unknown), length 300
10:03:20.722827 IP6 fe80::9ca3:4b21:4ceb:b48a.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
10:03:21.457493 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:21.457532 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:21.488717 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.488756 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.519995 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:21.520032 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:21.551082 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.551119 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.582526 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119
10:03:21.582565 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 125
10:03:21.613786 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:22.113663 IP6 fe80::9ca3:4b21:4ceb:b48a > ip6-allrouters: ICMP6, router solicitation, length 16
10:03:22.396510 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 137
10:03:24.239937 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 1c:1b:0d:9a:dd:be (oui Unknown), length 300
10:03:24.613924 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 121
10:03:24.613959 IP 169.254.180.138.58537 > 239.255.255.250.1900: UDP, length 127
10:03:24.645280 IP6 fe80::9ca3:4b21:4ceb:b48a.58535 > ff02::c.1900: UDP, length 119

My config:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group HOME-ASSISTANT-IP address 'xxx.xxx.10.4'
set firewall group address-group HOME-ASSISTANT-IP description 'IP address for Home Assistant Server'
set firewall group port-group PORT-DHCP port '67'
set firewall group port-group PORT-DHCP port '68'
set firewall group port-group PORT-DNS port '53'
set firewall group port-group PORT-MQTT port '1883'
set firewall group port-group PORT-MQTT port '1884'
set firewall group port-group PORT-MQTT port '8883'
set firewall group port-group PORT-MQTT port '8884'
set firewall group port-group PORT-NTP port '123'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name GUEST-LOCAL default-action 'drop'
set firewall name GUEST-LOCAL enable-default-log
set firewall name GUEST-LOCAL rule 10 action 'accept'
set firewall name GUEST-LOCAL rule 10 state established 'enable'
set firewall name GUEST-LOCAL rule 10 state related 'enable'
set firewall name GUEST-LOCAL rule 11 action 'drop'
set firewall name GUEST-LOCAL rule 11 log 'enable'
set firewall name GUEST-LOCAL rule 11 state invalid 'enable'
set firewall name GUEST-LOCAL rule 100 action 'accept'
set firewall name GUEST-LOCAL rule 100 log 'enable'
set firewall name GUEST-LOCAL rule 100 protocol 'icmp'
set firewall name GUEST-LOCAL rule 400 action 'accept'
set firewall name GUEST-LOCAL rule 400 destination group port-group 'PORT-NTP'
set firewall name GUEST-LOCAL rule 400 log 'enable'
set firewall name GUEST-LOCAL rule 600 action 'accept'
set firewall name GUEST-LOCAL rule 600 destination group port-group 'PORT-DNS'
set firewall name GUEST-LOCAL rule 600 log 'enable'
set firewall name GUEST-LOCAL rule 700 action 'accept'
set firewall name GUEST-LOCAL rule 700 destination group port-group 'PORT-DHCP'
set firewall name GUEST-LOCAL rule 700 log 'enable'
set firewall name GUEST-WAN default-action 'accept'
set firewall name IOT-LAN default-action 'drop'
set firewall name IOT-LAN enable-default-log
set firewall name IOT-LAN rule 10 action 'accept'
set firewall name IOT-LAN rule 10 state established 'enable'
set firewall name IOT-LAN rule 10 state related 'enable'
set firewall name IOT-LAN rule 11 action 'drop'
set firewall name IOT-LAN rule 11 log 'enable'
set firewall name IOT-LAN rule 11 state invalid 'enable'
set firewall name IOT-LAN rule 100 action 'accept'
set firewall name IOT-LAN rule 100 description 'Allow IoT access to Home Assistant'
set firewall name IOT-LAN rule 100 destination group address-group 'HOME-ASSISTANT-IP'
set firewall name IOT-LAN rule 100 destination group port-group 'PORT-MQTT-TCP'
set firewall name IOT-LAN rule 100 protocol 'tcp'
set firewall name LAN--ALLOW default-action 'accept'
set firewall name LOCAL-WAN default-action 'accept'
set firewall name LOCAL--DHCP default-action 'drop'
set firewall name LOCAL--DHCP enable-default-log
set firewall name LOCAL--DHCP rule 10 action 'accept'
set firewall name LOCAL--DHCP rule 10 state established 'enable'
set firewall name LOCAL--DHCP rule 10 state related 'enable'
set firewall name LOCAL--DHCP rule 11 action 'drop'
set firewall name LOCAL--DHCP rule 11 log 'enable'
set firewall name LOCAL--DHCP rule 11 state invalid 'enable'
set firewall name LOCAL--DHCP rule 100 action 'accept'
set firewall name LOCAL--DHCP rule 100 log 'enable'
set firewall name LOCAL--DHCP rule 100 protocol 'icmp'
set firewall name LOCAL--DHCP rule 700 action 'accept'
set firewall name LOCAL--DHCP rule 700 destination group port-group 'PORT-DHCP'
set firewall name TO-LOCAL--INTERNAL default-action 'drop'
set firewall name TO-LOCAL--INTERNAL enable-default-log
set firewall name TO-LOCAL--INTERNAL rule 10 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 10 state established 'enable'
set firewall name TO-LOCAL--INTERNAL rule 10 state related 'enable'
set firewall name TO-LOCAL--INTERNAL rule 11 action 'drop'
set firewall name TO-LOCAL--INTERNAL rule 11 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 11 state invalid 'enable'
set firewall name TO-LOCAL--INTERNAL rule 100 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 100 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 100 protocol 'icmp'
set firewall name TO-LOCAL--INTERNAL rule 400 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 400 destination group port-group 'PORT-NTP'
set firewall name TO-LOCAL--INTERNAL rule 400 log 'enable'
set firewall name TO-LOCAL--INTERNAL rule 700 action 'accept'
set firewall name TO-LOCAL--INTERNAL rule 700 destination group port-group 'PORT-DHCP'
set firewall name TO-LOCAL--INTERNAL rule 700 log 'enable'
set firewall name WAN-GUEST default-action 'drop'
set firewall name WAN-GUEST enable-default-log
set firewall name WAN-GUEST rule 10 action 'accept'
set firewall name WAN-GUEST rule 10 state established 'enable'
set firewall name WAN-GUEST rule 10 state related 'enable'
set firewall name WAN-GUEST rule 11 action 'drop'
set firewall name WAN-GUEST rule 11 log 'enable'
set firewall name WAN-GUEST rule 11 state invalid 'enable'
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN enable-default-log
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 state established 'enable'
set firewall name WAN-LAN rule 10 state related 'enable'
set firewall name WAN-LAN rule 11 action 'drop'
set firewall name WAN-LAN rule 11 log 'enable'
set firewall name WAN-LAN rule 11 state invalid 'enable'
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL enable-default-log
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'
set firewall name WAN-LOCAL rule 11 action 'drop'
set firewall name WAN-LOCAL rule 11 log 'enable'
set firewall name WAN-LOCAL rule 11 state invalid 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:98'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 10 address 'dhcp'
set interfaces ethernet eth0 vif 10 description 'WAN'
set interfaces ethernet eth1 address 'xxx.xxx.10.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:99'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vif 20 address 'xxx.xxx.20.1/24'
set interfaces ethernet eth1 vif 20 description 'CAMERA'
set interfaces ethernet eth1 vif 30 address 'xxx.xxx.30.1/24'
set interfaces ethernet eth1 vif 30 description 'IOT'
set interfaces ethernet eth1 vif 40 address 'xxx.xxx.40.1/24'
set interfaces ethernet eth1 vif 40 description 'GUEST'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0.10'
set nat source rule 100 source address 'xxx.xxx.10.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 400 outbound-interface 'eth0.10'
set nat source rule 400 source address 'xxx.xxx.40.0/24'
set nat source rule 400 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 dns-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 ntp-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 start 'xxx.xxx.20.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 stop 'xxx.xxx.20.250'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 default-router 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 dns-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 ntp-server 'xxx.xxx.40.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range 0 start 'xxx.xxx.40.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.40.0/24 range 0 stop 'xxx.xxx.40.200'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 default-router 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 dns-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 ntp-server 'xxx.xxx.30.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range 0 start 'xxx.xxx.30.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.30.0/24 range 0 stop 'xxx.xxx.30.250'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 default-router 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 dns-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 ntp-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 start 'xxx.xxx.10.30'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 stop 'xxx.xxx.10.250'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.20'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:9f'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:15'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.15'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:f0'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:40'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.10.11'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:43'
set service dns forwarding allow-from 'xxx.xxx.0.0/0'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.10.1'
set service dns forwarding listen-address 'xxx.xxx.40.1'
set service dns forwarding system
set service ssh listen-address 'xxx.xxx.10.1'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack expect-table-size '2048'
set system conntrack hash-size '32768'
set system conntrack table-size '262144'
set system console device ttyS0 speed '9600'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.0.1'
set system ntp listen-address 'xxx.xxx.10.1'
set system ntp listen-address 'xxx.xxx.20.1'
set system ntp listen-address 'xxx.xxx.30.1'
set system ntp listen-address 'xxx.xxx.40.1'
set system ntp server xxxxx.tld prefer
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set zone-policy zone CAMERA default-action 'drop'
set zone-policy zone CAMERA from LAN firewall name 'LAN--ALLOW'
set zone-policy zone CAMERA from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone CAMERA interface 'eth1.20'
set zone-policy zone GUEST default-action 'drop'
set zone-policy zone GUEST from LAN firewall name 'LAN--ALLOW'
set zone-policy zone GUEST from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone GUEST from WAN firewall name 'WAN-GUEST'
set zone-policy zone GUEST interface 'eth1.40'
set zone-policy zone IOT default-action 'drop'
set zone-policy zone IOT from LAN firewall name 'LAN--ALLOW'
set zone-policy zone IOT from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone IOT interface 'eth1.30'
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN from IOT firewall name 'IOT-LAN'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL--DHCP'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL from CAMERA firewall name 'TO-LOCAL--INTERNAL'
set zone-policy zone LOCAL from GUEST firewall name 'GUEST-LOCAL'
set zone-policy zone LOCAL from IOT firewall name 'TO-LOCAL--INTERNAL'
set zone-policy zone LOCAL from LAN firewall name 'LAN--ALLOW'
set zone-policy zone LOCAL from WAN firewall name 'WAN-LOCAL'
set zone-policy zone LOCAL local-zone
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN from GUEST firewall name 'GUEST-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN--ALLOW'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-WAN'
set zone-policy zone WAN interface 'eth0.10'

My switch profiles, ‘Jeevington’ is on a port set to network ‘Guest’:

Name    Purpose    Network Port  Subnet           IPV6 subnet  VLAN
Camera  Corporate  LAN           192.168.20.0/24  None         20
Guest   Corporate  LAN           192.168.40.0/24  None         40
IoT     Corporate  LAN           192.168.30.0/24  None         30
LAN     Corporate  LAN           192.168.1.0/24   None

@blair5032 from the configuration part on the router everything seems to be fine.

Based on your results with a static IP config on the host side and the DHCP logs, packets that should be forwarded with a VLAN 40 tag from the switch towards the router are not being processed correctly and are being forwarded untagged. In my opinion it’s not a DHCP server issue but some misconfiguration with VLANs. Try to re-check on the switch side and find out the VLAN on which those hosts' MAC addresses are learned; I think that might help to solve the issue.

@e.khudiyev Ok I will have a look into that. Thanks very much for looking at this.

@blair5032
It definitely looks like a VLAN configuration issue.
Let's say that port 10 of the switch is connected to the eth1 port of the VyOS router, and port 11 is connected to the Unifi controller.

  • Port 10 of the switch: untagged VLAN 1, tagged all other VLANs (20, 30, 40)

  • Port 11 of the switch: untagged VLAN 1 (assuming the controller is on the same native VLAN as the router), and tagged all other VLANs (20, 30, 40)

  • Wireless networks configuration in Unifi should be configured using VLANs

If port 10 (in this example connected to eth1 of the VyOS router) is properly configured as explained, you could also configure another port of the switch, let's say port 15, to be untagged on one of the VLANs. Then connect a device to each port, and it should get an IP from the corresponding VLAN. I would try this first, in order to make sure that the connection between router and switch is OK. Then I would proceed to identify the communication issue with the Unifi controller.
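To make the port roles above concrete, here is an added model (not code from the thread, VyOS or Unifi) of how a switch's per-port 802.1Q membership decides whether a client's DHCP broadcast reaches the router tagged (landing on eth1.40) or untagged (landing on eth1 and being answered from the wrong pool). Port numbers follow the example above; the "native VLAN 40" trunk is an assumed misconfiguration used to reproduce the symptom.

```python
"""Model of 802.1Q tagging between an access port, a trunk port and a VyOS vif.
Added illustration only; port names and VLAN sets are assumed for the example."""
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    """Per-port membership: one untagged (native / PVID) VLAN plus a set of tagged VLANs."""
    name: str
    untagged: int
    tagged: set = field(default_factory=set)

    def ingress_vlan(self, frame_vlan):
        """VLAN the switch assigns to an incoming frame.

        Untagged frames are classified into the PVID; a tagged frame is accepted only
        if this port carries that VLAN tagged; anything else is dropped (None)."""
        if frame_vlan is None:
            return self.untagged
        if frame_vlan in self.tagged:
            return frame_vlan
        return None

    def egress_tag(self, vlan):
        """Tag the frame carries when it leaves this port.

        Returns None for an untagged (native) egress, the VLAN id for a tagged egress,
        or the string 'drop' if the port is not a member of that VLAN at all."""
        if vlan == self.untagged:
            return None
        if vlan in self.tagged:
            return vlan
        return "drop"


def router_interface(parent, tag):
    """Linux delivers 802.1Q-tagged frames to the vif sub-interface (eth1.40)
    and untagged frames to the parent interface (eth1)."""
    return parent if tag is None else f"{parent}.{tag}"


def trace(client_port, trunk_port, frame_vlan=None, parent="eth1"):
    """Follow one client frame: access port ingress -> trunk egress -> router interface.
    Returns the VyOS interface name, or None if the switch drops the frame."""
    vlan = client_port.ingress_vlan(frame_vlan)
    if vlan is None:
        return None
    tag = trunk_port.egress_tag(vlan)
    if tag == "drop":
        return None
    return router_interface(parent, tag)


def expected_pool(iface):
    """DHCP subnet dhcpd answers from, keyed by the interface the DISCOVER arrived on
    (subnets as configured on eth1 and its vifs earlier in the thread)."""
    pools = {"eth1": "192.168.10.0/24", "eth1.20": "192.168.20.0/24",
             "eth1.30": "192.168.30.0/24", "eth1.40": "192.168.40.0/24"}
    return pools.get(iface)


# Correct layout from the post above: trunk to eth1 is untagged 1, tagged 20/30/40;
# the guest access port is untagged on VLAN 40.
TRUNK_OK = SwitchPort("port10", untagged=1, tagged={20, 30, 40})
GUEST_ACCESS = SwitchPort("port15", untagged=40)
# Assumed misconfiguration: VLAN 40 set as the trunk's native VLAN instead of tagged.
TRUNK_NATIVE40 = SwitchPort("port10", untagged=40, tagged={20, 30})


if __name__ == "__main__":
    for label, trunk in (("trunk correct", TRUNK_OK), ("VLAN 40 native on trunk", TRUNK_NATIVE40)):
        iface = trace(GUEST_ACCESS, trunk)
        print(f"{label}: DISCOVER arrives on {iface}, served from {expected_pool(iface)}")
```

With the correct trunk the DISCOVER reaches eth1.40 and is served from 192.168.40.0/24; with VLAN 40 as the trunk's native VLAN the tag is stripped, the frame arrives on eth1 and dhcpd offers a 192.168.10.x lease, which is the "via eth1" pattern in the logs above.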

FWIW, on EVE-NG with VyOS 1.2.8 this works right away. Do you have a physical box, with NICs capable of doing VLANs? I also wasted some time on that.

Aug 27 15:21:17 vyos dhcpd: DHCPDISCOVER from 50:00:00:02:00:00 via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPOFFER on 192.168.178.100 to 50:00:00:02:00:00 (vyos) via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPREQUEST for 192.168.178.100 (192.168.178.1) from 50:00:00:02:00:00 (vyos) via eth0.100
Aug 27 15:21:18 vyos dhcpd: DHCPACK on 192.168.178.100 to 50:00:00:02:00:00 (vyos) via eth0.100

interfaces {
    ethernet eth0 {
        hw-id 50:00:00:01:00:00
        vif 100 {
            address 192.168.178.1/24
        }
    }
}

service {
    dhcp-server {
        shared-network-name INTERN {
            authoritative
            subnet 192.168.178.0/24 {
                default-router 192.168.178.1
                dns-server 8.8.8.8
                lease 86400
                range 0 {
                    start 192.168.178.100
                    stop 192.168.178.199
                }
            }
        }
    }
}

@16again @n.fort I will track down a device that I can plug in directly and see how it goes. Thanks

I hooked a computer directly into the router configured for vlan 40, it had the same issue.
I had had enough, so I wiped the device and did a fresh install, 1.3 this time. Loaded in my old config and it all works fine.

So no clue what was going wrong, but thanks to everyone for their help.

Hello all!
If I may, I would like to revive this thread because I am experiencing something similar…

The DHCPDISCOVER and DHCPREQUEST from hosts in any of my VLANs (20, 60 or 80) reach the “parent interface”, i.e., for VLAN 20 hosts, in addition to getting transmitted to eth2.20, it gets to eth2 also.

I have checked my switch configuration and it seems OK. Even though the link between the switch and the router (trunk) carries VLAN 1 (my default VLAN) untagged, VLAN 20, VLAN 60 and VLAN 80 tagged, and a PVID set to 1, I do not understand HOW the hosts on, say, VLAN 80 can reach eth2 in addition to eth2.80 …

By the way, the port where this particular host is connected is configured to Untagged: 80, Tagged: none, PVID 80.

I am using Vyos 1.2.7.

I understand that DHCP uses broadcast traffic, and that broadcast traffic is untagged, but how could this happen ?

Thanks in advance

Guy

Additional info

This morning, my roommate (on VLAN 20) turned his PC on and I see this

Feb 3 09:24:46 vyos dhcpd: DHCPREQUEST for 192.168.20.51 from 00:d8:61:f9:28:ba via eth2.20
Feb 3 09:24:46 vyos dhcpd: DHCPACK on 192.168.20.51 to 00:d8:61:f9:28:ba via eth2.20
Feb 3 09:24:46 vyos dhcpd: DHCPREQUEST for 192.168.20.51 from 00:d8:61:f9:28:ba via eth2: wrong network.
Feb 3 09:24:46 vyos dhcpd: DHCPNAK on 192.168.20.51 to 00:d8:61:f9:28:ba via eth2

Of course the authoritative config makes the DHCP server send a DHCPNAK following the use of the wrong interface, but …

Here is the config of this eth2 (LAN) interface

ethernet eth2 {
    address 192.168.0.1/24
    description TO-LAN
    duplex auto
    firewall {
        local {
            name LAN_LOCAL
        }
    }
    hw-id 38:f7:cd:c0:c9:53
    policy {
        route vpn-route
    }
    smp-affinity auto
    speed auto
    vif 20 {
        address 192.168.20.1/24
        description Jocelyn
        firewall {
            in {
                name VLAN20_IN
            }
            local {
                name VLAN20_LOCAL
            }
        }
        policy {
            route vpn-route
        }
    }
    vif 60 {
        address 192.168.60.1/24
        description Salon
        firewall {
            in {
                name VLAN60_IN
            }
            local {
                name VLAN60_LOCAL
            }
        }
        policy {
            route vpn-route
        }
    }
    vif 80 {
        address 192.168.80.1/24
        description VoIP
        firewall {
            in {
                name VLAN80_IN
            }
            local {
                name VLAN80_LOCAL
            }
        }
    }
}

and the DHCP config

service {
    dhcp-server {
        hostfile-update
        shared-network-name LAN {
            authoritative
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                range 1 {
                    start 192.168.0.100
                    stop 192.168.0.157
                }
                range 2 {
                    start 192.168.0.169
                    stop 192.168.0.199
                }
            }
        }
        shared-network-name LAN20 {
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                lease 86400
                range 0 {
                    start 192.168.20.128
                    stop 192.168.20.254
                }
            }
        }
        shared-network-name LAN60 {
            subnet 192.168.60.0/24 {
                default-router 192.168.60.1
                dns-server 192.168.60.1
                lease 86400
                range 0 {
                    start 192.168.60.100
                    stop 192.168.60.254
                }
            }
        }
        shared-network-name LAN80 {
            subnet 192.168.80.0/24 {
                default-router 192.168.80.1
                dns-server 192.168.80.1
                lease 86400
                range 0 {
                    start 192.168.80.100
                    stop 192.168.80.254
                }
            }
        }
    }
}

Hello @guyl6308,
It looks like one request is coming to 2 different subinterfaces at once (time and MAC addresses are the same). If this is the case then the problem is not in VyOS but in the switched network.
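The tell-tale in the log is a DISCOVER or REQUEST with the same timestamp and client MAC showing up on two interfaces. Whether those two interfaces are a vif and its own parent (eth2.20 and eth2), or two unrelated ports, points at different causes, so it is worth checking the log for both patterns before touching the switch. The script below is an added example (not part of the original thread or of VyOS) that parses dhcpd syslog lines of the shape seen in this thread and groups them by (timestamp, MAC, message type). The log lines it runs on are constructed here: the four from the post above, the clean eve-ng lines from earlier in the thread, and one invented pair on eth1 and eth3 (both the interface names and the MAC 00:11:22:33:44:55 are made up) to show the second pattern. The “vlan-leak” and “multi-interface” labels are this example’s own names, not dhcpd terminology.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Matches the dhcpd syslog lines seen in this thread, e.g.
#   Feb 3 09:24:46 vyos dhcpd: DHCPREQUEST for 192.168.20.51 from 00:d8:61:f9:28:ba via eth2.20
#   Aug 26 05:50:59 router dhcpd: DHCPDISCOVER from 36:b6:f4:86:f8:12 (Pixel-4a) via eth1
# The optional "(server-ip)" after the requested IP and the optional "(hostname)"
# after the MAC are both skipped; "via eth2: wrong network." still yields eth2.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd:\s+"
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST)"
    r"(?:\s+for\s+(?P<ip>[\d.]+)(?:\s+\([\d.]+\))?)?"
    r"\s+from\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\([^)]*\))?"
    r"\s+via\s+(?P<iface>[\w.-]+)"
)


class Finding(NamedTuple):
    ts: str
    mac: str
    msg: str
    ifaces: Tuple[str, ...]
    kind: str   # "vlan-leak": a vif and its parent; "multi-interface": unrelated ports


def parse_line(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    return (" ".join(m["ts"].split()), m["mac"], m["msg"], m["iface"])


def find_duplicate_requests(lines: List[str]) -> List[Finding]:
    """Flag client messages that dhcpd logged on more than one interface
    in the same second, and say whether the extra copy landed on a vif's parent."""
    seen: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg, iface = parsed
        seen[(ts, mac, msg)].add(iface)

    findings: List[Finding] = []
    for (ts, mac, msg), ifaces in sorted(seen.items()):
        if len(ifaces) < 2:
            continue
        parents_of_vifs = {i.split(".", 1)[0] for i in ifaces if "." in i}
        leaked_to_parent = any("." not in i and i in parents_of_vifs for i in ifaces)
        kind = "vlan-leak" if leaked_to_parent else "multi-interface"
        findings.append(Finding(ts, mac, msg, tuple(sorted(ifaces)), kind))
    return findings


# Constructed sample log (see the lead-in for which lines are real and which are invented).
SAMPLE_LOG = [
    "Feb 3 09:24:46 vyos dhcpd: DHCPREQUEST for 192.168.20.51 from 00:d8:61:f9:28:ba via eth2.20",
    "Feb 3 09:24:46 vyos dhcpd: DHCPACK on 192.168.20.51 to 00:d8:61:f9:28:ba via eth2.20",
    "Feb 3 09:24:46 vyos dhcpd: DHCPREQUEST for 192.168.20.51 from 00:d8:61:f9:28:ba via eth2: wrong network.",
    "Feb 3 09:24:46 vyos dhcpd: DHCPNAK on 192.168.20.51 to 00:d8:61:f9:28:ba via eth2",
    "Aug 27 15:21:17 vyos dhcpd: DHCPDISCOVER from 50:00:00:02:00:00 via eth0.100",
    "Aug 27 15:21:18 vyos dhcpd: DHCPREQUEST for 192.168.178.100 (192.168.178.1) from 50:00:00:02:00:00 (vyos) via eth0.100",
    "Feb 3 10:00:01 vyos dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "Feb 3 10:00:01 vyos dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth3",
]

if __name__ == "__main__":
    for f in find_duplicate_requests(SAMPLE_LOG):
        print(f"{f.ts} {f.mac} {f.msg:12s} on {', '.join(f.ifaces)} -> {f.kind}")
```

Run it against `/var/log/messages` (or `journalctl -u isc-dhcp-server`) on the router. A “vlan-leak” hit means the tagged frame was delivered both to the vif and to the underlying interface, so the copy on the parent did not come from the switch sending it untagged; a “multi-interface” hit with two unrelated ports is the case where the switch fabric or a loop deserves the first look.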

Thank you so much Nikolai for your prompt response!! Yes, I triple-checked my configuration on the switch and could not find anything wrong with it… I was baffled… Then I discovered that it is a bug in the DHCP server that VyOS 1.2.7 is using. Please look at this:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643564

Summary: this bug is present and documented in the dhcp version that 1.2.7 is using, which is 4.3.1:
vyos@vyos:~$ dhcpd --version
isc-dhcpd-4.3.1
vyos@vyos:~$

But it has been fixed in 4.3.2 according to this:

4.3.2-1
Superseded in stretch-release on 2015-09-13
Superseded in sid-release on 2015-09-06
isc-dhcp (4.3.2-1) unstable; urgency=medium

  • New upstream stable release.
    • Many fixes to incorrect checksumming (closes: #353161, #652739).
    • VLAN packets now only seen on VLAN interfaces (closes: #643564).
  • Remove references to old dhcp3 packages (closes: #773476).
  • Replace signing key with new upstream version.
  • Fix typo in debug script (closes: #781768).
  • Drop bind from the upstream tarball.
  • Drop transitional debug packages.
  • Drop dhcp3 conffile handling.
  • Update debian/copyright.

– Michael Gilbert Sun, 10 May 2015 22:44:17 +0000

from the changelog at Change log : isc-dhcp package : Debian

My question to you Nikolay: how can I backport/apply the changes and recompile a fixed version of dhcp on my 1.2.7 installation? I cannot update now, this is a production system, and I admit with a bit of shame that I have installed a lot of packages to make my life easier and created a lot of vbash scripts and other things, being careful of course not to get anywhere near the workings of VyOS…

OR: could I safely ignore the issue and consider it a simple annoyance?

Thanks a lot to you and all the maintainers at VyOS !

Guy L.
Laval, Canada.

Details:
Here is the interesting part:

From: Simon Richter sjr@debian.org
To: Debian Bug Tracking System submit@bugs.debian.org
Subject: isc-dhcp-server: responds to vlan tagged packets on untagged interface
Date: Tue, 27 Sep 2011 17:07:34 +0200
Package: isc-dhcp-server
Version: 4.1.1-P1-15+squeeze3
Severity: normal

Hi,

I have a setup where the server is connected to a switch via a trunking port;
however the switch management is untagged, so I have to run the DHCP server on
both the regular interface and the vlan interfaces.

When a request comes in with a tagged packet, it is seen twice, and responded to
with two different configurations, i.e. I see

← DISCOVER via eth1.2
→ OFFER via eth1.2
← DISCOVER via eth1
→ OFFER via eth1
← REQUEST via eth1.2
→ ACK via eth1.2
← REQUEST via eth1
→ NAK via eth1

I’m not sure if this is more than an annoyance, but I doubt it should happen.

Simon

Interestingly, in 2014, somebody from Brocade wrote:

From: Judy Hao Judy.Hao@brocade.com
To: 643564@bugs.debian.org
Subject: Any plan to resolve this bug
Date: Fri, 28 Mar 2014 10:54:19 -0700
[Message part 1 (text/plain, inline)]
Hi,

We are also experiencing the same issue. Any plan to get this bug resolved?

Thanks,

Judy Hao
Brocade/Vyatta
jhao@brocade.com

And finally:

From: Lorin Weilenmann lorin.weilenmann@gmail.com
To: 643564@bugs.debian.org
Subject: Fixed in upstream
Date: Thu, 7 May 2015 09:49:47 +0200
[Message part 1 (text/plain, inline)]
Hi,

Just wanted to mention that according to the changelog, this has been fixed
in upstream (since isc-dhcp 4.3.2b1, 4.3.2 has been released some days ago).
See ftp://ftp.isc.org/isc/dhcp/4.3.2/dhcp-4.3.2-RELNOTES

So all we’d need is a new package with the source from upstream.

Cheers,

Lorin