No IP from DHCP using VLANs and promisc interface

[bradmin]

Hey guys!

Hope someone can see what’s wrong and point me to the right direction.
Well.

My setup looks like this:

1 physical interface, in promiscuous mode
- eth0

3 VLANs
- eth0.1 [vlan1]: 192.168.0.0/24
- eth0.10 [vlan10]: 192.168.10.0/24
- eth0.1000 [vlan1000]: 10.0.1.0/24

1 ISC DHCP server providing dhcp service on all VLANs

1 physical switch (TL-SG3210)
- port which connects the server is in TRUNC mode and member of all VLANs
- the other ports are in ACCESS mode and members of single VLANs

server OS: Ubuntu 14.04
firewall with iptables

SoftEther uses a local bridge to the physical interface in promise mode


When I connect a machine to the physical switch, I get an IP of the desired pool. Works like a charm.

A client, with Security Policy - VLAN set to one of 1, 10 or 1000, can connect to SoftEther server but does not get an IP from DHCP server.
tcpdump on the physical interface shows me that frames are received from the client and tagged correctly by the server.

If I use a local bridge on one of the VLAN interfaces (instead the physical one) and turn off security policy i get an IP of the corresponding pool and of course can access this subnet.
Unfortunately that’s not what I need. I need the tagged one … damn ;)

So … What do I not see? What do I not understand?

Please help me!
Cheers !

Edit:
* I already tried with ACCEPT policies and no rules in iptables
* also tried to add vlan interfaces with local bridges (all the same time) ... that was a bad idea ;)

Edit:
It seems the packets flow out of SoftEther Server, through the promisc interface to the hardware switch and there they die.
Is it possible that i need an additional switch inside my server where i plug all my vlan interfaces and the SoftEther server via a tap interface to make that work??
If so, can anyone suggest one?
I tend to try Open vSwitch.
Any opinions?
Re-Edit: I guess that's not the right way either because all VLAN interfaces and the promisc interface have the same HW-address, and that will not work with switching, or will it?

Edit:
BTW the VLAN tagging for the client in my schema is done by the SoftEther Server's Security Policy

Edit:
Oh... look at that... if SoftEther's Security Policy's VLAN Tagging is disabled the client's packets are assigned to the default VLAN of the switch's port.
Hm... can someone explain me the correct usage of this function? As far as I understood the manual my application should have worked, or shouldn't it ?

[bradmin]

Really ? No opinions to this topic ??

[thisjun]

Please show me your VPN server configuration.
Which NIC do you created the localbridge to?