5 GHz wifi is working but 2.4 GHz is not

It is not that 2.4 GHz does not work.
It only works sometimes.
What could be the problem?

# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '40'
	option band '5g'
	option htmode 'VHT80'
	option country 'IT'
	option cell_density '0'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXX3'
	option encryption 'psk2'
	option macaddr '60:38:e0:10:a7:01'
	option key '******'
	option macfilter 'allow'
	list maclist '00:00:00:00:00:00'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '9'
	option band '2g'
	option country 'IT'
	option cell_density '0'
	option legacy_rates '1'
	option disabled '0'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXX2'
	option encryption 'psk2'
	option macaddr '60:38:e0:10:a7:00'
	option key '*************'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	option disabled '0'
	list maclist '00:00:00:00:00:00'

Is there a reason that you have enabled legacy rates and MAC filtering?

As for MAC filtering, it is a security level I want to keep.
For legacy_rates there is no reason.

Is MAC filtering causing issues?

Sure... you can do that, but be advised that it's not really a very robust security mechanism.

Possibly. At least in the near term, remove the MAC filtering until things are proven to work properly. Then you can add it and hopefully things continue to work (if not, you'll know the cause).

Then remove that entirely.

And what is the best security mechanism to protect my home network?

A strong password that is only provided to trusted devices. Ideally the WPA3 encryption type if your devices all support it, but WPA2 is usually sufficient (unless you are a high-value target).

You can also create additional networks for IoT and/or guest users (and/or other untrusted devices) that have restrictions to prevent them from accessing your trusted/sensitive devices.

What about this?

WEP and WPA1 are trivially easy to crack. WPA2 can be cracked, but it requires a more determined and knowledgeable attacker. The attacker also needs to be within range of your wifi, so you won't have someone from halfway around the world specifically hacking at your wifi encryption.

MAC address based allow/deny lists do not add much security as it is easy to spoof a MAC address.

Your MAC restrictions will not prevent Mr Palma from deauthenticating your only client and hacking together a massive dump of handshakes to crack.

It is also trivial to obtain all the MAC addresses on your Wi-Fi to spoof.

Once you get an air dump with handshakes to crack - magic - it has the MAC addresses inside.

So what about keeping wifi devices on a different subnet and making a VPN connection to the one where the other devices are?

Sure, some people do this. But it does introduce some inconveniences with respect to sharing/streaming/casting and the like.

Why would you make a VPN connection when the devices are on the same router? They have direct routes available. Where would the VPN connection terminate on each side?

What is the meaning of having direct routes? Then it is like having all devices in the same network.

No, but the router can route between subnets. That's what the routing engine does, while the firewall sets up the rules for what is allowed/denied.

But I don't think the router has security mechanisms...

What do you mean by that? OpenWrt is quite secure.

I mean, if I set up two networks and route between the two, I do not keep the wifi devices separated from my sensitive devices...

That is the role of the firewall. You have to set up the firewall according to your goals.
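As an added example (not taken from this thread, and not OpenWrt's own documentation), here is one way to do what the replies above describe: a separate wifi network for IoT/untrusted devices, with a firewall zone that only lets it reach the internet and the router's DHCP/DNS, never the trusted LAN. It is written in OpenWrt UCI config syntax as fragments of the three files involved. The interface name `iot`, the bridge name `br-iot`, the 192.168.3.0/24 range, the SSID and the key placeholder are assumptions; `radio1` matches the poster's 2.4 GHz radio.

```uci
# /etc/config/network  (added fragment, assumed names)
# An empty bridge gives the wifi-iface something to attach to.
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (added fragment)
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/wireless  (added fragment, alongside the poster's default_radio1)
config wifi-iface 'iot_radio1'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'XXXXX2-iot'
	# sae-mixed = WPA3 with WPA2 fallback for clients that lack SAE;
	# use 'sae' alone when every client supports WPA3.
	option encryption 'sae-mixed'
	option key '********'
	# Stop IoT clients talking to each other over the AP.
	option isolate '1'

# /etc/config/firewall  (added fragment)
# forward 'REJECT' is what keeps iot away from lan: traffic between
# zones is only allowed by an explicit 'forwarding' section, and the
# only one here is iot -> wan.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# input is REJECT, so the router itself must be opened for the
# two services the IoT clients need from it.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After `wifi reload` and `/etc/init.d/firewall restart`, a client on the IoT SSID gets a 192.168.3.x lease and can reach the internet, but a ping from it to a device on the LAN is rejected, and it cannot reach LuCI or SSH on the router either. If a trusted device on the LAN must be able to initiate connections to IoT devices (a printer, a media player), add a `config forwarding` section with `option src 'lan'` and `option dest 'iot'`; the reverse direction stays closed, which is the point of the setup. The `sae-mixed` encryption type needs a hostapd/wpad build with SAE support; on builds with only the basic wpad, fall back to `psk2` as in the poster's config.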