OpenWRT 23.05.0 (r23497-6637af95aa, stable) and RT-AX1800U (AX53U).
Everything works fine until you restart (or enable) the guest network/interface. If guest network enabled and necessary to restart "radio0" - that's it, Internet refuses to work. Rebooting WAN interface - and now it doesn't want to receive IPv4/IPv6 at all. Nothing can't be pinged (100% packet loss), and then after "Network is unreachable/No route to host", devices start to complain about the lack of internet.
And so all this chaos happens until the router is rebooted. Interesting thing - appeared after the "netifd 2023-10-20-5590a80e-1" update. Before that everything seemed to be fine.
we'll need to see your configuration to be able to help... chances are it's a simple issue, but let's review:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
Ubus call system board:
{
"kernel": "5.15.134",
"hostname": "RT-AX1800U",
"system": "MediaTek MT7621 ver:1 eco:4",
"model": "ASUS RT-AX53U",
"board_name": "asus,rt-ax53u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
[config] network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****:****:****::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'wan'
option macaddr '**:**:**:**:**:**'
config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.2.1/24'
option ip6assign '60'
config device
option type 'bridge'
option name 'br-guest'
[CONFIG] Wireless:
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '4'
option band '2g'
option htmode 'HT40'
option country 'UA'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '[REMOVED]'
option encryption 'psk2'
option key '[REMOVED]'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
option channel 'auto'
option band '5g'
option htmode 'HE80'
option country 'UA'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid '[REMOVED]_5G'
option encryption 'sae-mixed'
option key '[REMOVED]'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Guest[REMOVED]'
option encryption 'sae-mixed'
option key '[REMOVED]'
option network 'guest'
[CONFIG] dhcp:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '1h'
option ra 'server'
option dhcpv6 'server'
option force '1'
[CONFIG] Firewall:
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name '[REMOVED]'
option src 'wan'
option src_dport '[REMOVED]'
option dest_port '[REMOVED]'
option dest_ip '[LOCAL IP]'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-Guest-DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest-DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'qBittorrent ([REMOVED])'
option src 'wan'
option src_dport '[REMOVED]'
option dest_port '[REMOVED]'
option dest_ip '[LOCAL IP]'
config rule
option name 'Allow-DHCPv6-Guest'
option family 'ipv6'
list proto 'udp'
option src 'guest'
option target 'ACCEPT'
option dest_port '547'
config redirect
option target 'DNAT'
option name '[REMOVED] (guest)'
option src 'guest'
option src_dport '[REMOVED]'
option dest_ip '[LOCAL IP]'
option dest_port '[REMOVED]'
I think that underscores (_) are not supported in config files.
Interesting 
But in the other topics where showing their configs, there's a underscore (_) too
It is accepeted in some cases and not in some cases, I think it is better just not to use it.
I see.
Question for those who currently have the latest version of the "netifd" package, experiencing such problems with the Internet after reconnecting "guest" interface? (everything was fine before the update)
It seems to me that the update has broken something, maybe config?
netifd does not support restarting just one interface. Use wifi to restart all wifi or service network restart to restart all networks including wifi.
Adding option norelease 1 to your DHCP WAN configuration may help improve network continuity across restarts by having the ISP re-issue the same IP instead of a new one.
not working, after re-enabling guest Network - internet dead until reboot
Out of curiosity, what are the circumstances that have you restarting the guest interface in general and separately from a complete reboot or network service restart of your router?
Not exactly a restart, I disable the guest network if there are no guests, but after a few days have to turn it back on (because guests come back)
Separately.
I think this problem can also occur when analyzing channels with the guest network enabled, since the devices are disconnected from the network in this case
I know that this doesn't solve the root cause of your issue (and I'm not saying this sarcastically)
Why turn off the guest network? Properly secured with firewall rules and a strong passphrase, it's unlikely that leaving the guest network enabled would present any risk to your network. And broadcasting the additional SSID has an negligible impact on the wireless performance (small enough to be considered entirely irrelevant).
When analyzing the channels, this is a function of the radio at a hardware level, not the individual SSIDs. It would be expected that clients would be disconnected during the scan as the SSIDs would be disabled during that time. They should theoretically come back up and devices back online when the scan is complete. And this should not be any different when using a single SSID vs multiple.
1 Like
Also, how are you doing this? Are you disabling the SSID (in the wireless config) or the network interface (in the network config)? And what method(s) are you using to disable?
Doesn't disabling the SSID when not needed help with reducing AP overhead (For example: beacons?)
Yes, in theory, it does reduce the overhead. In practice, though, the overhead is so small as to be unnoticable.
Not in any way you're ever likely to measure/notice in a home environment.
And while we're talking about overhead... reducing the overhead on your time/effort/energy to turn the SSID on and off is much probably more significant than any bandwidth benefit that you might experience by disabling the SSID when it's not needed.
I disable Guest SSID in "Wireless" via LuCI
I don't disable Guest Interface, because disabling guest SSID do the same thing
Actually they are quite different. But nevertheless, I would recommend that you leave the guest ssid on all the time.
upd. If needed to change channels on the main network (2.4Ghz), the guest network also reconnects to the channel which on main network, but after the WAN also stops working.
Firewall Configuration:
root@RT-AX1800U:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name '[REMOVED]'
option src 'wan'
option src_dport '[REMOVED]'
option dest_port '[REMOVED]'
option dest_ip '[REMOVED]'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-Guest-DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest-DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'qBittorrent ([REMOVED])'
option src 'wan'
option src_dport '[REMOVED]'
option dest_port '[REMOVED]'
option dest_ip '[REMOVED]'
config rule
option name 'Allow-DHCPv6-Guest'
option family 'ipv6'
list proto 'udp'
option src 'guest'
option target 'ACCEPT'
option dest_port '547'
config redirect
option target 'DNAT'
option name '[REMOVED]'
option src 'guest'
option src_dport '[REMOVED]'
option dest_ip '[REMOVED]'
option dest_port '[REMOVED]'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '[REMOVED]'
option proto 'udp'
option target 'ACCEPT'
config nat 'nat6'
option family 'ipv6'
option src 'wan'
option src_ip 'fdc1:300c:e493::/48'
option target 'MASQUERADE'
option name 'Guest'
list proto 'all'
config rule
config rule
option name 'ICMP6'
list proto 'icmpv6'
option target 'ACCEPT'
option src '*'
config rule
option name 'ICMP'
list proto 'icmp'
option target 'ACCEPT'
option src '*'
Meanwhile, what's happening on the WAN interface:
09:22:59.536787 IP6 fe80::d63d:7eff:feef:[REMOVED]d > ip6-allrouters: ICMP6, router solicitation, length 8
09:22:59.618131 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ip6-allnodes: ICMP6, router advertisement, length 24
09:23:03.115804 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:03.124826 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:05.558658 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:09.295801 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:09.313477 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:09.400218 IP 10.99.0.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
09:23:12.373649 cc:37:ab:d4:66:b9 (oui Unknown) > 00:12:cf:00:00:01 (oui Unknown) SNAP, oui Unknown (0x0012cf), pid Unknown (0x0002), length 8:
0x0000: aaaa 0300 12cf 0002 0000 000b 0000 0204 ................
09:23:12.385823 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:12.550061 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:13.558945 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:15.475826 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:15.485353 IP IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:17.139026 IP [REMOVED].58954 > undef-salt-kh.[ISP].ua.21098: Flags [S], seq 3980901680, win 1024, options [mss 1460], length 0
09:23:17.446130 IP6 fe80::d63d:7eff:feef:662d.546 > ff02::1:2.547: dhcp6 solicit
09:23:17.549177 IP 10.99.0.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
09:23:18.555920 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:18.558157 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:18.566730 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:19.142455 ARP, Request who-has undefined.maxnet.ua tell undefined.maxnet.ua, length 46
09:23:19.557823 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:20.558683 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:21.050706 IP [REMOVED].59613 > [REMOVED]-kh.[ISP].ua.9042: Flags [S], seq 3152129080, win 1024, options [mss 1460], length 0
09:23:22.427318 cc:37:ab:d4:66:b9 (oui Unknown) > 00:12:cf:00:00:01 (oui Unknown) SNAP, oui Unknown (0x0012cf), pid Unknown (0x0002), length 8:
0x0000: aaaa 0300 12cf 0002 0000 000b 0000 0204 ................
09:23:24.815867 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:24.824646 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:26.558455 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:27.915825 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:27.925297 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:31.055869 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:31.064942 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
09:23:31.558311 IP6 fe80::4e6d:580d:[REMOVED]:3741 > ff02::1:ffef:[REMOVED]d: ICMP6, neighbor solicitation, who has fe80::d63d:7eff:feef:[REMOVED]d, length 32
09:23:32.373341 cc:37:ab:d4:66:b9 (oui Unknown) > 00:12:cf:00:00:01 (oui Unknown) SNAP, oui Unknown (0x0012cf), pid Unknown (0x0002), length 8:
0x0000: aaaa 0300 12cf 0002 0000 000b 0000 0204 ................
09:23:34.155818 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from [MAC ADDRESS OF ISP] (oui Unknown), length 300
09:23:34.166443 IP 10.99.0.2.67 > [ISP Address]-kh.[ISP].ua.68: BOOTP/DHCP, Reply, length 300
Here, regardless of whether you touched the guest network or not, you just change the channel on the main network and the WAN also crashes. But, with the guest network disabled, everything works fine, the main network reconnects to a certain channel that is set in the configuration and WAN works fine.
Strange, but after disabling and enabling the firewall rule "Allow-DHCP-Renew" and WAN working again + Internet comes back. So, every time when you changed some settings or reboot radio0 (where guest network also) and change the channel, you need to go to the firewall and click the checkbox here and there to make WAN work after these actions? It's a very-very strange and temporary fix for me.
4 days ago I thought "Alright, I won't disable the guest network so I don't get this" and checked "Solved" but today when changing the channel on the main network - changes also on the guest network, these networks reboot (and source of problems - guest network) and no Internet after that, interesting