DHCPOFFER not sent in some zones with TOS 6.0

Hi,
I’m a bit lost.
I have a Mox with several Mox E.
I have 4 different zones configured office, lan, guest and mgt.
All of them are in different subnets.
With TOS 5 everything was working fine.
But with TOS 6.0.4 (same with 6.0.1) on some zones I don’t get an IPv4 address via DHCP.

If I connect a PC to the office zone, I see this in the Mox log:

Dec 19 20:02:36 turris dnsmasq-dhcp[18323]: DHCPDISCOVER(br-office) 00:be:43:...
Dec 19 20:02:36 turris dnsmasq-dhcp[18323]: DHCPOFFER(br-office) 192.168.100.43 00:be:43:...
Dec 19 20:02:38 turris dnsmasq-dhcp[18323]: DHCPDISCOVER(br-office) 00:be:43:...
Dec 19 20:02:38 turris dnsmasq-dhcp[18323]: DHCPOFFER(br-office) 192.168.100.43 00:be:43:...
Dec 19 20:02:41 turris dnsmasq-dhcp[18323]: DHCPDISCOVER(br-office) 00:be:43:...
Dec 19 20:02:41 turris dnsmasq-dhcp[18323]: DHCPOFFER(br-office) 192.168.100.43 00:be:43:...

but running Wireshark on the PC itself I see only the DHCPDISCOVER and no DHCPOFFER.
If I reconfigure the devices so that the corresponding LAN port (LAN11) is in the lan or the guest zone, everything works as expected.
I also created another zone called printer, in which it didn’t work either.

Any idea where to look?

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd88:698e:1cb8::/48'

config interface 'wan'
	option proto 'dhcp'
	option hostname 'Mox'
	option ipv6 '0'
	option device 'eth0'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option _turris_mode 'managed'
	option ipv6 '0'
	option bridge_empty '1'
	option device 'br-lan'

config interface 'mgt'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option _turris_mode 'managed'
	option ipv6 '0'
	option bridge_empty '1'
	option device 'br-mgt'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.70.1'
	option netmask '255.255.255.0'
	option _turris_mode 'managed'
	option ipv6 '0'
	option bridge_empty '1'
	option device 'br-guest'

config interface 'office'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option _turris_mode 'managed'
	option ipv6 '0'
	option bridge_empty '1'
	option device 'br-office'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan1.10'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan2.10'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan9'

config device
	list ports 'lan2.1'
	option type 'bridge'
	option name 'br-mgt'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan1.70'
	list ports 'lan2.70'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'

config device
	option type 'bridge'
	option name 'br-office'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option port '0'
	option serversfile '/tmp/adb_list.overall'
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'
	option leasetime '3h'
	option start '32'
	option limit '100'
	list dhcp_option '6,192.168.10.1'

config dhcp 'mgt'
	option interface 'mgt'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'
	option leasetime '3h'
	option start '32'
	option limit '100'
	list dhcp_option '6,192.168.20.1'

config dhcp 'guest'
	option interface 'guest'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'
	option leasetime '3h'
	option start '32'
	option limit '100'
	list dhcp_option '6,192.168.70.1'

config dhcp 'office'
	option interface 'office'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'
	option leasetime '3h'
	option start '32'
	option limit '100'
	list dhcp_option '6,192.168.100.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest_turris'
	option interface 'guest_turris'
	option ignore '0'
	option start '100'
	option limit '150'
	option leasetime '3600'
	list dhcp_option '6,10.111.222.1'



config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config defaults
	option forward 'REJECT'
	option input 'REJECT'
	option output 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'mgt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgt'

config zone
	option name 'office'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'office'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'office'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'mgt'

config forwarding
	option src 'mgt'
	option dest 'lan'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'


Since I seem to be the only one with this problem, I wonder whether I already misconfigured something on TOS 5 that has only now broken.

I think I played with DHCP servers at the very beginning of my Turris adventures.
I see the following DHCP-related processes. Could someone with a working TOS 6.0 system please confirm that they have the same entries?

root@turris:~# ps faux | grep -E "dhcp|dns"
root     31919  0.0  0.0   1344   572 ?        S    Dec19   0:00  \_ udhcpc -p /var/run/udhcpc-eth0.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth0 -x hostname:Mox -C -R -O 212 -O 121
root      2244  0.0  0.0   1496   752 ?        S    Dec18   0:18 /usr/sbin/odhcpd
root     20190  0.0  0.0   1344   572 pts/0    S+   18:01   0:00          \_ grep -E dhcp|dns
root      4560  0.0  0.0   1556   744 ?        S    Dec18   0:33 /usr/sbin/umdns
dnsmasq  18323  0.0  0.1   3020  1628 ?        S    Dec18   0:02 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
root     18339  0.0  0.0   2988   772 ?        S    Dec18   0:00  \_ /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
root@turris:~# 

I think the problem is with your firewall. I’ve set up a few extra firewall zones, and for each one I had to allow DHCP and DNS for it to work. For example, I have this rule for the ‘servers’ zone:

config rule
        option dest_port '67-68'
        option src 'servers'
        option target 'ACCEPT'
        option src_port '67-68'
        option name 'Allow DHCP for SERVERS'

And

config rule
        option dest_port '53'
        option src 'servers'
        option target 'ACCEPT'
        option name 'Allow DNS for SERVERS'

Try adding those rules for your firewall zone (with `src` set to your zone’s name). Reload the firewall, then try again to get an IP address and, if forwarding is allowed for that zone, to reach the internet from it.

@AreYouLoco , thanks for the tip, but these entries didn’t change anything.

Well, to be honest, your network configuration is a mess. You should have updated your configuration before the VLAN tagging change; see How to make VLAN work again after update from TOS 5 to 6? - #3 by hagrid for inspiration.

@hagrid , better like this?

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fddd:2668:6c5a::/48'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '1'
	option device 'eth0'
	option hostname 'mox2'

config interface 'lan'
	option proto 'static'
	option _turris_mode 'managed'
	option ip6assign '60'
	list ipaddr '192.168.10.1/24'
	option device 'br-lan.10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'

config device 'br_lan'
	option name 'br-lan'
	option bridge_empty '1'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option ipv6 '0'

config device 'dev_wan'
	option name 'eth0'

config interface 'Printer'
	option device 'lan4'
	option proto 'static'
	option ipaddr '192.168.90.1'
	option netmask '255.255.255.0'

config device
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	option type 'bridge'
	option name 'br-office'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'office'
	option device 'br-office'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:t*'

config bridge-vlan
	option device 'br-lan'
	list ports 'lan3:t'
	option vlan '70'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan3:t'

config interface 'guest'
	option device 'br-lan.70'
	option proto 'static'
	option ipaddr '192.168.70.1'
	option netmask '255.255.255.0'

BTW: I bought another Mox so that I have a second system, which gave me time to go to TOS 6.1 and reconfigure the system from the ground up. This now seems to work.