Abnormally high latency of wifi with VLANs

Hey y'all, long time user, first time poster ...

I'm being quite verbose, but hey, I know you'd be asking to see the configs ... and I tried to quantify the issue as well.

The Problem

I recently set up segregated networks at home. I followed the MarcOneFifty videos, and a couple of different blog posts. It eventually worked, but I did struggle a fair bit if I'm being honest.

I noticed ping/latency is abnormally high in some circumstances.

Pinging a WiFi device from one of the routers (or from a wired device going through the router) ... latency is in the hundreds of milliseconds.

Pinging a router (or wired device going through the router) from a wifi device, response time is a normal handful of milliseconds.

The asymmetry between the two is the weirdest part, IMHO.

What makes a difference

Fix attempts

Future fix attempts

The Setup

I crunched some numbers. Unless noted, all numbers are for the same VLAN/Network

  • main aka gateway-main
    Main router, shares internet, serves DHCP. in the living room
    connects to gateway-office on port 1, VLANs all tagged.

  • office aka gateway-office
    "dumb AP" in the office, bridges wifi
    connects to gateway-main on the WAN port, VLANs all tagged.

  • lappy, laptop on WIFI 5g
    connected to gateway-office, on BASE-ac network/default VLAN

  • pixie, android phone on wifi
    pixieoffice was in the office for test, pixiemain was in the living room for test

  • mbp, macbook on WIFI
    connected to gateway-office AP, on BASE-wasteland network / non-default VLAN

5 GHz or 2.4 GHz apparently makes no difference.

The Data

Median and 90th percentiles of PING latency from source to destination. Numbers are in seconds.

                    median     90th %   stdev
source destination                    

# low ping from wifi device pinging the closest AP/router
lappy  main         0.001630  0.002340  0.019351
lappy  office       0.002840  0.003071  0.012343
mbp    main         0.006730  0.008353  0.005245

# high ping from router to wifi
main   lappy        0.195661  0.288046  0.090850
main   pixieoffice  0.269358  0.486387  0.139119 # mobile phone in office
main   pixiemain    0.320505  0.503115  0.143422 # mobile phone in living-room
main   mbp          0.499502  0.831642  0.241500 # The worst: cross-vlan (100 to 103)

office lappy        0.178548  0.283351  0.078241
office pixie        0.309794  0.498318  0.133470
office mbp          0.515910  0.852934  0.243132 # The worst: cross-vlan (100 to 103)

# low ping between wired devices
main   desky        0.000539  0.001804  0.000734
main   office       0.000369  0.000384  0.000013
office desky        0.000554  0.001850  0.000734

This network runs off of two WRT1900ACS, running 22.03.2.

Current configuration

gateway-main

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd83:d1c7:b026::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.99.0.1'
	option delegate '0'
	option device 'br-lan.100'

config device
	option name 'wan'
	option macaddr 'REMOVED'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'REMOVED'
	option password 'REMOVED'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config route
	option target '10.99.1.0/24'
	option gateway '10.99.0.3'
	option metric '0'
	option interface 'lan'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REMOVED!'
	option listen_port '55000'
	list addresses '10.99.2.1/32'
	list addresses '10.99.2.0/24'

config wireguard_wg0
	option description 'external-node'
	option public_key 'REMOVED!'
	list allowed_ips '10.99.2.5/32'
	list allowed_ips '10.99.1.0/24'
	list allowed_ips '10.99.2.0/24'

config wireguard_wg0
	option description 'pixie'
	option public_key 'REMOVED!'
	list allowed_ips '10.99.2.2/32'
	list allowed_ips '10.99.2.0/24'
	list allowed_ips '10.99.100.0/24'
	list allowed_ips '10.99.101.0/24'
	list allowed_ips '10.99.102.0/24'
	list allowed_ips '10.99.103.0/24'
	list allowed_ips '10.99.0.0/24'
	list allowed_ips '10.99.1.0/24'

config wireguard_wg0
	option description 'lappy'
	option public_key 'REMOVED!'
	list allowed_ips '10.99.2.6/32'
	list allowed_ips '10.99.0.0/24'
	list allowed_ips '10.99.1.0/24'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '100'
	option name 'br-lan.100'
        option mtu '1496'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '101'
	option name 'br-lan.101'
        option mtu '1496'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '102'
	option name 'br-lan.102'
        option mtu '1496'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan1:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.101'
	option netmask '255.255.255.0'
	option ipaddr '10.99.101.1'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.102'
	option ipaddr '10.99.102.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '103'
	option name 'br-lan.103'
        option mtu '1496'

config interface 'wasteland'
	option proto 'static'
	option device 'br-lan.103'
	option ipaddr '10.99.103.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '103'
	list ports 'lan1:t'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option channel '161'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'CN'
	option legacy_rates '1'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-ac'
	option network 'lan'
	option key 'REMOVED!'
	option encryption 'psk2'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'BASE'
	option encryption 'psk2'
	option key 'REMOVED!'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-Guest'
	option encryption 'psk2'
	option key 'REMOVED!'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-IOT'
	option encryption 'psk2'
	option key 'REMOVED!'
	option network 'iot'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-Wasteland'
	option encryption 'psk2'
	option network 'wasteland'
	option key 'REMOVED!'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/REMOVED/'
	option domain 'REMOVED'
	list server '/REMOVED/10.99.1.1'
	list address '/REMOVED/10.99.1.11'
	option nonegcache '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'REMOVED'
	option ip 'REMOVED'

config host
	option name 'REMOVED'
	option mac 'REMOVED'
	option ip '10.99.0.3'

config host
	option name 'desky'
	option dns '1'
	option mac 'REMOVED'
	option ip '10.99.0.101'

config host
	option name 'gateway-office'
	option dns '1'
	option mac 'REMOVED'
	option ip '10.99.0.2'


config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wasteland'
	option interface 'wasteland'
	option start '100'
	option limit '150'
	option leasetime '12h'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WG'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'WG'
	option dest 'lan'

config forwarding
	option src 'WG'
	option dest 'wan'

config rule
	option name 'Allow-Wireguard'
	option src 'wan'
	option dest_port '55000'
	option target 'ACCEPT'
	list proto 'udp'

config forwarding
	option src 'lan'
	option dest 'WG'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'guest'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allog-Guest-DNS'
	list proto 'udp'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config zone
	option name 'wasteland'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wasteland'

config forwarding
	option src 'wasteland'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'wasteland'

config forwarding
	option src 'WG'
	option dest 'guest'

config forwarding
	option src 'WG'
	option dest 'iot'

config forwarding
	option src 'WG'
	option dest 'wasteland'

gateway-office

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:1b21:c16a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option proto 'static'
	option ipaddr '10.99.0.2'
	option netmask '255.255.255.0'
	option device 'br-lan.100'

config device
	option name 'wan'
	option macaddr 'REMOVED'

config interface 'fallback'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'
	option device 'br-lan'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '100'
	option name 'br-lan.100'
        option mtu '1496'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '101'
	option name 'br-lan.101'
        option mtu '1496'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '102'
	option name 'br-lan.102'
        option mtu '1496'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '103'
	option name 'br-lan.103'
        option mtu '1496'

config interface 'guest'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '10.99.101.2'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.102'
	option proto 'static'
	option ipaddr '10.99.102.2'
	option netmask '255.255.255.0'

config interface 'wasteland'
	option device 'br-lan.103'
	option proto 'static'
	option ipaddr '10.99.103.2'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '103'
	list ports 'wan:t'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'
	option channel '161'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'
	option channel 'auto'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option key 'REMOVED'
	option network 'lan'
	option ssid 'BASE-ac'
	option encryption 'psk2'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk-mixed'
	option key 'REMOVED'
	option network 'lan'
	option ssid 'BASE'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-Guest'
	option encryption 'psk2'
	option key 'REMOVED'
	option network 'guest'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-IOT'
	option encryption 'psk2'
	option key 'REMOVED'
	option network 'iot'

config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BASE-Wasteland'
	option encryption 'psk2'
	option network 'wasteland'
	option key 'REMOVED'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

/etc/config/dhcp

The config exists, but it's disabled on all interfaces, and the service is disabled at boot.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list notinterface 'br-lan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'fallback'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'luci'
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'wasteland'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wasteland'

Could be that you hit bugs and limits

The following are likely issues that should be investigated:

1. You are mentioning Wifi issues and Linksys WRT 1900.
Linksys WRT Wifi driver unfortunately is super bad quality, and I am not sure if it is well behaved at all when creating multiple logical Wifis. Though Luci allows to create multiple logical Wifis, some wifi drivers only properly run 1 or 2 logical Wifis on the same radio.

2. Also note that Linksys WRT and v22.02 has a severe bug with VLANs. Maybe that has some effect here as well.

3. And wasn't the Linksys WRT platform changed to DSA on v22? (No more "switch" menu). I see lots of VLAN definitions in your config. On DSA-enabled devices, you would need to use VLAN IDs only when talking to another VLAN-enabled HW device, but no longer to create local switch partitions.

  • I would retry with v23.05
  • and retry with minimal zones and minimal Wifis and then gradually add more zone config and retest in each step.
  • do you need VLANs to talk to other devices?

Learning a few things here, none of which super encouraging.

The latency being asymmetric does give me a bit of hope, as if things were completely screwed, I'd expect high latency in all directions.

1. You are mentioning Wifi issues and Linksys WRT 1900.
Linksys WRT Wifi driver unfortunately is super bad quality, and I am not sure if it is well behaved at all when creating multiple logical Wifis. Though Luci allows to create multiple logical Wifis, some wifi drivers only properly run 1 or 2 logical Wifis on the same radio.

And I'm throwing more than 2 at it. I'll cut down and see what happens.

2. Also note that Linksys WRT and v22.02 has a severe bug with VLANs. Maybe that has some effect here as well.

I was unaware of the VLAN issues, and wish I had been. Where does one find out about these things? The device page is pretty optimistic, save for the mwlwifi chipset issues.

3. And wasn't the Linksys WRT platform changed to DSA on v22? (No more "switch" menu). I see lots of VLAN definitions in your config. On DSA-enabled devices, you would need to use VLAN IDs only when talking to another VLAN-enabled HW device, but no longer to create local switch partitions.

You're correct, it's DSA, and the switch menu does not exist. I've made all changes through LUCI, though.

Could this be because I manually created each of the VLAN devices on top of br-lan first, instead of letting the Bridge VLAN Filtering menu create them for me? E.g., using the menu below

Manually created, and then configured for VLAN filtering on br-lan.

I would retry with v23.05 and retry with minimal zones and minimal Wifis and then gradually add more zone config and retest in each step.

I didn't even think of trying one of the new 23.X builds, TBH. With that bug in mind, I might just try that later.

I guess I was a bit overzealous with the wifi networks and VLANs. I could get away with two networks, I've survived with just one for a few years already.

do you need VLANs to talk to other devices?

And by that you mean, having a device on the "lan" network talk to something on the "iot" or "wasteland" network? Ideally, yes, some of the IOT stuff does MQTT to a local broker, so one side will need to talk to the other regardless of where I put it.

That being said, the segregation could also be purely based on wifi networks (if this could be done effectively). I trust all wired devices, but not all on wifi.

Are you sure it isn't just normal wifi power saving? Can you try disabling it on the device and test again? Does the same happen with only one virtual AP configured?

I was going to comment about the power savings -- a phone/tablet/laptop or other low power IoT type device (i.e. typically battery powered) that is not actively using the network will tend to put the radios to sleep to conserve power. They wake them up for short bursts frequently enough as to appear to be 'always-on' at human time scales and to maintain the connection to the AP, but in reality, they're off most of the time.

Another thing -- your WG interface and peers are incorrectly configured. It is doubtful but possible that this is related to your initial problem... regardless, it should be fixed.

Back to wifi -- you have legacy rates enabled on your main router's 2.4G radio... this should only be enabled if you actually need to use 802.11b (that's b as in the first popular wifi standard at 11Mbps max)... anything faster than that, legacy rates should be off.

You have overlapping channels on the 5G radios, and the potential for that to happen on 2.4G because of the office device using auto channel assignment. Channels should be non-overlapping on neighboring APs.
Finally, 802.11r can actually cause problems in some situations.

This thread is a bit humbling, given how prepared I came.

You're onto something!

I had assumed this would have been like "the screen is on", "it's not suspended" type of "power savings". Quick google shows it's like a sub-second type of deal.

New numbers, "*quick" is with ping -i 0.005 ..., so the devices won't go to sleep.

  • mbp responds quick when plugged in, even at 1 second intervals
  • lappy which runs debian 11, is affected by power-savings while plugged in.

I hope it can be turned off when a device is plugged into power. I SSH into lappy regularly, and the latency is quite jarring.

                      median       p90       p95       p99     stdev  samples
source destination                                                           
desky  lappy        0.175500  0.285100  0.299050  0.310040  0.099573      300
       lappyquick   0.001650  0.016000  0.060700  0.117200  0.022060     2081
       mbp          0.142500  0.544500  0.762700  1.107830  0.256124       52
       mbpquick     0.002520  0.070200  0.104000  0.142000  0.033967     3221
       mpbpower     0.128500  0.196300  0.206000  0.266570  0.079893      268
       pixiequick   0.002990  0.004540  0.004868  0.006360  0.011347     2025

I won't call it solved just yet, but this may very well have been it.

WG is also new for me. This config works, and I didn't question it. I'm guessing it has to do w/ having to put the same allowed_ip ranges for every peer? Feel free to throw me a bone while I google some more :)

I'll disable that and see if any IOT stuff goes offline. Thanks for noticing!

Another assumption on my part, should be the same channel. Going to correct.

Let's see after I fix ALL THE THINGS!

Thanks for pointing out all of this stuff, really appreciated!

That would be my guess. The allowed_ips are essentially used by WG to determine what is allowed into or out of the tunnel. So, for traffic entering the tunnel the destination has to match one of the allowed_ips and for traffic leaving the tunnel the source has to match.

What this means is that the allowed_ips in a peer config should reflect the addresses of devices that are at the remote end of the tunnel, not addresses at the local end.

Right, ok. I thought it was devices at either end of the tunnel. I guess it makes sense that a peer should only have to protect itself from others, and let others peers reject the traffic they don't want.

WG also uses it as a 'pseudo' routing table to determine which peer to send traffic to. So if you have multiple peers with the same allowed_ips then either it'll refuse to bring up the peers or (if it does allow the peers to come up) won't route traffic properly.

I locked myself out of the router once because of this, I think. There was an extra route to a local IP range over WG0 ... I think it's when I had enabled "create local routes".
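
The allowed_ips rules discussed above, as an added example that is not part of the original thread: a small audit that reads wireguard peer sections in UCI syntax, flags prefixes that cover subnets local to the router or that several peers claim, and shows which peer a destination would be sent to. The function names (`parse_peers`, `audit`, `select_peer`), the `TIGHT` layout and the "last configured peer owns a duplicated prefix" tie-break are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# wg0 peers condensed from the thread's config (keys and some pixie entries omitted).
POSTED = """
config wireguard_wg0
    option description 'external-node'
    list allowed_ips '10.99.2.5/32'
    list allowed_ips '10.99.1.0/24'
    list allowed_ips '10.99.2.0/24'
config wireguard_wg0
    option description 'pixie'
    list allowed_ips '10.99.2.2/32'
    list allowed_ips '10.99.2.0/24'
    list allowed_ips '10.99.103.0/24'
    list allowed_ips '10.99.0.0/24'
    list allowed_ips '10.99.1.0/24'
config wireguard_wg0
    option description 'lappy'
    list allowed_ips '10.99.2.6/32'
    list allowed_ips '10.99.0.0/24'
    list allowed_ips '10.99.1.0/24'
"""

# Constructed alternative (assumption): each peer claims only its tunnel /32.
TIGHT = """
config wireguard_wg0
    option description 'external-node'
    list allowed_ips '10.99.2.5/32'
config wireguard_wg0
    option description 'pixie'
    list allowed_ips '10.99.2.2/32'
config wireguard_wg0
    option description 'lappy'
    list allowed_ips '10.99.2.6/32'
"""

# Subnets attached to gateway-main itself: lan, guest, iot, wasteland.
LOCAL = [ipaddress.ip_network(n) for n in
         ("10.99.0.0/24", "10.99.101.0/24", "10.99.102.0/24", "10.99.103.0/24")]

def parse_peers(uci_text):
    """Return {peer description: [allowed_ips networks]} in config order."""
    peers, current = {}, None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = None
            if line.split()[1].startswith("wireguard_"):
                current = f"peer{len(peers) + 1}"  # placeholder until description
                peers[current] = []
            continue
        m = re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if current is None or not m:
            continue
        key, value = m.groups()
        if key == "description":
            peers[value] = peers.pop(current)
            current = value
        elif key == "allowed_ips":
            peers[current].append(ipaddress.ip_network(value, strict=False))
    return peers

def audit(peers, local_nets=LOCAL):
    """Flag prefixes that cover a local subnet or are claimed by several peers."""
    findings, owners = [], defaultdict(list)
    for name, nets in peers.items():
        for net in nets:
            owners[net].append(name)
            if any(net.overlaps(loc) for loc in local_nets):
                findings.append(("local", name, str(net)))
    for net, names in owners.items():
        if len(names) > 1:
            findings.append(("duplicate", "+".join(names), str(net)))
    return findings

def select_peer(peers, dst):
    """Longest-prefix match; a prefix has one owner, modelled as last-configured."""
    addr, best = ipaddress.ip_address(dst), None
    for name, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen >= best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None

if __name__ == "__main__":
    for finding in audit(parse_peers(POSTED)):
        print(*finding)
```
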

You can temporarily turn off power saving by manually typing: iw wlpXsX set power_save off where wlpXsX is the name of the interface.

You can permanently turn off power saving by creating a file: /etc/NetworkManager/conf.d/wifi-powersave-off.conf with the following contents:

[connection]
# Values are 0 (use default), 1 (ignore/don't touch), 2 (disable) or 3 (enable).
wifi.powersave = 2

I haven't found a way to turn it on on battery and off on AC, but in my case, it doesn't make a perceivable difference to the battery drain, so I keep it off.

Confirmed. It's off, and ping is the usual 1-5ms. Lovely!
