Adding OpenWrt support for Xiaomi AX3600

Hi!

I installed the latest firmware (8cddba9) from robimarko (to whom many thanks for his efforts!), and encountered a strange problem, it seems, with ARP or smth like this. I haven't tried the previous versions btw.

I have 2 access points on the same LAN, in a common l2-domain. The second is the AX3600, which I testing.
When I switching wifi-clients (laptop or phone) from main AP to AX3600 with robimarko's owrt, there some time period, during which I can't access any resources in LAN behind AP. I can ping/access only AP itself, but no any other IP in my LAN. So the client even can't obtain DHCP settings, because my DHCP server is not on AX3600.
After few minutes connectivity returns by itself, and everything starts working.

If I reconnect client to the AX3600 again (just turn off and on Wi-Fi on laptop or phone), everything works immediately.
If I reconnect from AX3600 to another AP, everything works immediately.
But if I reconnect from another AP to AX3600, there is temporary problem with connectivity again.

I tried to replace AX3600 with another AP (the third device is at my disposal), everything works fine everytime, so somehow the problem is related with AX3600.

Any idea what the reason might be?

Hi,

Just a dumb question: is current OpenWRT port stable enough for AX3600 to be used as a dumb AP in 5GHz .ax only? So no routing/NAT/firewall or anything, just a bridge between LAN/WLAN?

Thank goodness someone else has this problem - I thought it was a very special one just for me.

My description of the problem can be found here.

The same with me: 5 GHz WLAN and 2.4 GHZ WLAN are present. With my PC (near of the AX 3600) the connection is stable und speed is good. With my IPhone I can connect with the wlan, but the internet connection is not stable.

I use the AX 3600 as stupid AP, LAN with static IP und deactivated DHCP, die Clients get their IP Configuration from the DHCP of the mainrouter (FritzBox)

These issues are all discussed before: link

The short version: use the dedicated WAN port as uplink even if you are using the AX3600 as a dumb AP.

I thought so too when I read this and of course tried it out immediately.
I have set the lan interface to eth0 (no bridge - directly the port).

Unfortunately, the result remains the same.

It sounds like the roaming issue described at Roaming Issues Xiaomi AX3600 which has a software workaround shown here Adding OpenWrt support for Xiaomi AX3600 - #3930 by avalentin

An alternative is to enable the nss-bridge-mgr module (kmod-qca-nss-drv-bridge-mgr) which fixes this, but at present you'd need to build your own image with that enabled.

3 Likes

Thank you for the advice.
But how do I make a build with this module?
In the menuconfig I can't find a correspondingly named module (robimarkos repo at branch AX3600-5.10-restart).

You need "IPQ807x-5.10-backports" branch.

1 Like

It's under Kernel modules -> Network Devices

kmod-qca-nss-drv-bridge-mgr

Both in AX3600-5.10-restart and what I believe is the more up-to-date IPQ807x-5.10-backports branch.

2 Likes

Awesome news! This issue was a showstopper for me many months ago, even more than the memory leak. Maybe now I can finally ditch the QSDK build :slight_smile:

Thanks @ psi & dchard.
I made a build with these options but still no luck - the clients still get no network connection.

Just to be sure i explain what i did (because i'm not very experienced with building my own images yet):

  • made a complete new clone of the repo
  • checkout to branch IPQ807x-5.10-backports
  • update and install the feeds
  • in menuconfig choose Qualcomm IPQ807x and Xiaomi AX3600
  • under kernel modules i enabled kmod-qca-nss-drv-bridge-mgr
  • exit the menuconfig
  • build the image with make -j 4

how can i check if the module is correctly built in? lsmod | grep nss gave me only these:

qca_nss_dp             45056  0
qca_ssdk             1667072  1 qca_nss_dp

Have you tried just connecting to the WAN port instead of one of the LAN ones?

I have the same issue with one Poco F3 phone, that just has internet when it connects to the IOT wifi, internet i through DHCP on the wan port

Setup like that aren't the devices connected to the ax3600 effectively going to be on another subnet?

I mean just for testing, nothing else

1 Like

Yes as soon as I first read about it here (am a frequent reader of the thread).
This is my current, fairly minimal /etc/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:4c20:7299::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0'
	option ipaddr '192.168.0.11'
	option gateway '192.168.0.2'
	option broadcast '192.168.0.255'
	list dns '192.168.0.2'
	option ip6ifaceid '::B'

But I mean, leave it under WAN interface in network config as well

wan interface for a dumb ap?
you mean i should do some kind of routing - the wifi clients in the lan interface and the network with main gateway on the wan side?
Sure - i could try

On stock firmware running it as a dumb AP (relay extender mode as Xiaomi calls it) you have to connect your wired Internet uplink to the WAN port.

Here are the config output for network and firewall, I have only changed the LAN IP, the rest is default setup by Xiaomi.

Stock network config dumb AP:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option multicast_querier '0'
        option igmp_snooping '0'
        option macaddr '9c:9d:7e:75:26:da'
        option ieee1905managed '1'
        option ipaddr '192.168.1.4'
        option gateway '192.168.1.1'
        option mtu '1500'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option ifname 'eth1 eth2 eth3 eth4'

config interface 'eth1'
        option ifname 'eth1'
        option keepup '1'

config interface 'eth2'
        option ifname 'eth2'

config interface 'eth3'
        option ifname 'eth3'

config interface 'eth4'
        option ifname 'eth4'

config interface 'miot'
        option ifname 'wl13'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.32.1'
        option netmask '255.255.255.0'

config interface 'ifb'
        option ifname 'ifb0'

Stock firewall dumb AP:

config defaults
        option syn_flood '0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest 'lan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'Forbidden_Wan_RA'
        option name 'Forbidden_Wan_RA'
        option dest 'wan'
        option proto 'icmp'
        option family 'ipv6'
        option target 'REJECT'
        list icmp_type 'router-advertisement'

config include 'webinitrdr'
        option path '/lib/firewall.sysapi.loader webinitrdr'
        option reload '1'
        option enabled '1'

config include 'dnsmiwifi'
        option path '/lib/firewall.sysapi.loader dnsmiwifi'
        option reload '1'
        option enabled '1'

config include 'macfilter'
        option path '/lib/firewall.sysapi.loader macfilter'
        option reload '1'
        option enabled '1'

config include 'ipv6_masq'
        option path '/lib/firewall.sysapi.loader ipv6_masq'
        option reload '1'

config include 'set_tcpmss'
        option path '/lib/firewall.sysapi.loader set_tcpmss'
        option reload '1'

config include 'miot'
        option path '/lib/firewall.sysapi.loader miot'
        option reload '1'

config rule 'guest_8999'
        option name 'Hello wifi 8999'
        option src 'guest'
        option proto 'tcp'
        option dest_port '8999'
        option target 'ACCEPT'

config rule 'guest_8300'
        option name 'Hello wifi 8300'
        option src 'guest'
        option proto 'tcp'
        option dest_port '8300'
        option target 'ACCEPT'

config rule 'guest_7080'
        option name 'Hello wifi 7080'
        option src 'guest'
        option proto 'tcp'
        option dest_port '7080'
        option target 'ACCEPT'

config zone 'ready_zone'
        option name 'ready'
        option input 'DROP'
        option forward 'DROP'
        option output 'DROP'
        list network 'ready'

config rule 'ready_dhcp'
        option name 'DHCP for ready'
        option src 'ready'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'ready_dhcp_out'
        option name 'DHCP for ready'
        option dest 'ready'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'ready_minet_in'
        option name 'minet ready'
        option src 'ready'
        option dest_port '786'
        option proto 'tcp'
        option target 'ACCEPT'

config rule 'ready_minet_out'
        option name 'minet ready'
        option src 'ready'
        option src_port '786'
        option proto 'tcp'
        option target 'ACCEPT'

config include 'parentalctl'
        option path '/lib/firewall.sysapi.loader parentalctl'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'IPv4'
        option reload '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'