Hoping someone with much more experience than I have could point out where I'm going wrong here...
Flint2 MT6000 is the main router; BerylAX MT3000 in the far end of the house as an AP (connected via Cat6a).
3 VLANs... 1=untagged (main lan), 9=tagged (guest), 30=tagged (iot)
On main router, all three subnets are working perfectly, and any device that connects (wired or wifi) are assigned an IP from the appropriate pool.
On the AP, devices that connect to the untagged subnet (wired or wifi) work perfectly and are assigned an IP from the main router. Devices that connect to the tagged VLANs via the AP have DHCP requests ignored (though they are received on the main router):
root@EXT-2:~# tcpdump -i vlan-sw-2.9
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vlan-sw-2.9, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:29:45.175177 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ee:02 (oui Unknown), length 300
14:29:45.208679 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 94:83:c4:46:08:ad (oui Unknown), length 300
14:29:46.259740 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ef:04 (oui Unknown), length 300
14:29:48.298568 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 94:83:c4:46:08:ad (oui Unknown), length 300
14:29:48.315263 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ee:02 (oui Unknown), length 300
14:29:49.359862 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ef:04 (oui Unknown), length 300
root@SKYNET-1:~# tcpdump -i vlan-switch.9
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vlan-switch.9, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:08:23.240391 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ee:02 (oui Unknown), length 300
14:08:23.275013 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ef:04 (oui Unknown), length 300
14:08:23.283014 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 94:83:c4:46:08:ad (oui Unknown), length 300
14:08:26.320359 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ee:02 (oui Unknown), length 300
14:08:26.362939 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 94:83:c4:46:08:ad (oui Unknown), length 300
14:08:26.364979 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ef:04 (oui Unknown), length 300
14:08:29.410378 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ee:02 (oui Unknown), length 300
14:08:29.442957 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 94:83:c4:46:08:ad (oui Unknown), length 300
14:08:29.464958 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:7e:12:ef:04 (oui Unknown), length 300
On Main Router, interfaces are:
"lan" - Static IP + DHCP Server, vlan1 [u] (local and vlan connected devices get IP)
"guest" - Static IP + DHCP Server, vlan9 [t] (all locally connected devices get IP)
"iot" - Static IP + DHCP Server, vlan30 [t] (all locally connected devices get IP)
On AP, interfaces are:
"lan" - DHCP Client, vlan1 [u] (this interface gets an IP from the main router no problem)
"guest" - DHCP Client, vlan9 [t] (this interface is not assigned an IP)
"iot" - DHCP Client, vlan30 [t] (this interface is not assigned an IP)
I've double checked the trunk configurations -- everything is fine there, and the physical "link" is up on all devices.
I've checked and tweaked firewall rules, and that doesn't seem to be the issue, but I could be missing something. Is this a situation where it's simplest to setup a DHCP relay? (I'd need some help there, as I'm unfamiliar what the correct configuration would look like).