After restarting "guest" interface, there is no Internet connection on all networks

Are there any assumptions about what could be preventing the WAN from working after restarting the guest network/interface (from a changed channel, not turning it on and off every minute)? Or can this behaviour not be fixed?
I don't know if this might be related somehow or not, but the firewall rule "Allow-DHCP-Renew" seems to be working correctly for the WAN interface until the guest network is restarted.

Restarting only the wireless by running the command wifi does not restart all networks. It should not disrupt any wired operations.

First you should narrow down the problem beyond "there is no Internet connection." You're hinting that the wan loses its IP configuration, but I haven't seen any test run to directly confirm this (such as ip addr show and ip route show).

Running tcpdump with the -vvv option will show more details of the DHCP transaction. It looks like every request gets a reply, which is normal, but the ISP may be refusing to serve something.

23.05.0 out of the box comes with 2023-09-19-7a58b995-1.

Did you manually upgrade the netifd package?

Why not go back to the netifd version that came with 23.05.0, if you feel that the ootb version did not have the issue?

Upgraded in LuCI.

root@RT-AX1800U:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc mq state UP qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::abf:b8ff:fe93:65c0/64 scope link 
       valid_lft forever preferred_lft forever
3: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP qlen 1000
    link/ether [MAC ISP] brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d63d:7eff:feef:662d/64 scope link 
       valid_lft forever preferred_lft forever
4: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2a00:1210:a:83fc::1/64 scope global deprecated dynamic 
       valid_lft 7194sec preferred_lft 0sec
    inet6 fdc1:300c:e493::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::abf:b8ff:fe93:65c0/64 scope link 
       valid_lft forever preferred_lft forever
11: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fd00:9::1/64 scope global 
       valid_lft forever preferred_lft forever
16: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 08:bf:b8:93:65:c4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::abf:b8ff:fe93:65c4/64 scope link 
       valid_lft forever preferred_lft forever
17: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 08:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::abf:b8ff:fe93:65c0/64 scope link 
       valid_lft forever preferred_lft forever
24: phy0-ap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether 0a:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8bf:b8ff:fe93:65c0/64 scope link 
       valid_lft forever preferred_lft forever
38: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc hfsc state UP qlen 1000
    link/ether 0a:bf:b8:93:65:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fdc1:300c:e493:10::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::8bf:b8ff:fe93:65c0/64 scope link 
       valid_lft forever preferred_lft forever
39: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc hfsc state UNKNOWN qlen 32
    link/ether aa:db:93:a0:06:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a8db:93ff:fea0:601/64 scope link 
       valid_lft forever preferred_lft forever
40: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether ce:d3:20:69:db:40 brd ff:ff:ff:ff:ff:ff
root@RT-AX1800U:~# ip route show
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1 
192.168.9.0/24 dev vpn scope link  src 192.168.9.1 
root@RT-AX1800U:~# 

root@RT-AX1800U:~# tcpdump -vvv -i wan
tcpdump: listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:29:25.251015 IP (tos 0x0, ttl 64, id 55017, offset 0, flags [none], proto UDP (17), length 328)
    10.99.0.2.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x79395c1c, Flags [Broadcast] (0x8000)
          Client-IP [ISP].165.116.231
          Your-IP [ISP].165.116.231
          Client-Ethernet-Address 14:cc:20:2a:44:9b (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Lease-Time (51), length 4: 10800
            Subnet-Mask (1), length 4: 255.255.240.0
            Server-ID (54), length 4: 10.99.0.2
            Default-Gateway (3), length 4: [ISP].165.112.1
            Domain-Name-Server (6), length 8: [ISP DNS]
            END (255), length 0
            PAD (0), length 0, occurs 22
10:29:25.269972 IP (tos 0x0, ttl 240, id 3244, offset 0, flags [none], proto TCP (6), length 40)
    172.233.187.75.51768 > 79.171.123.102.7589: Flags [S], cksum 0x04c7 (correct), seq 562588271, win 1024, length 0
10:29:25.437368 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from d4:3d:7e:ef:66:2d (oui Unknown), length 300, xid 0xdc5b3946, secs 10, Flags [none] (0x0000)
          Client-Ethernet-Address [ISP MAC ADDRESS] (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8: 
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 10: "RT-AX1800U"
            Vendor-Class (60), length 12: "udhcp 1.36.1"
            END (255), length 0
            PAD (0), length 0, occurs 16
10:29:25.446847 IP (tos 0x0, ttl 64, id 56368, offset 0, flags [none], proto UDP (17), length 328)
    10.99.0.2.67 > [ISP ADDRESS].68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xdc5b3946, Flags [none] (0x0000)
          Your-IP [ISP ADDRESS]
          Client-Ethernet-Address [ISP MAC ADDRESS] (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Lease-Time (51), length 4: 10800
            Subnet-Mask (1), length 4: 255.255.240.0
            Server-ID (54), length 4: 10.99.0.2
            Default-Gateway (3), length 4: [ISP].165.112.1
            Domain-Name-Server (6), length 8: [DNS ISP]
            END (255), length 0
            PAD (0), length 0, occurs 22
10:29:25.553276 cc:37:ab:d4:66:b9 (oui Unknown) > 00:12:cf:00:00:01 (oui Unknown) SNAP, oui Unknown (0x0012cf), pid Unknown (0x0002), length 8: 
        0x0000:  aaaa 0300 12cf 0002 0000 000b 0000 0204  ................
10:29:25.734701 IP (tos 0x0, ttl 240, id 35534, offset 0, flags [none], proto TCP (6), length 40)
    139.177.206.186.51697 > [ISP].165.59.24.1591: Flags [S], cksum 0x8e29 (correct), seq 1300608993, win 1024, length 0
10:29:27.970020 IP6 (flowlabel 0x13512, hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::d63d:7eff:feef:662d > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 8
10:29:28.288206 IP (tos 0x0, ttl 241, id 54321, offset 0, flags [none], proto UDP (17), length 88)
    107.170.226.21.55790 > 79.171.123.102.161: [no cksum]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="" { GetRequest(12) R=14320  } } } 
10:29:28.290262 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::4e6d:580d:df41:3741 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 24
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          source link-address option (1), length 8 (1): 4c:6d:58:41:37:41
            0x0000:  4c6d 5841 3741
10:29:28.537351 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from [ISP MAC] (oui Unknown), length 300, xid 0xdc5b3946, secs 13, Flags [none] (0x0000)
          Client-Ethernet-Address [ISP MAC] (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8: 
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 10: "RT-AX1800U"
            Vendor-Class (60), length 12: "udhcp 1.36.1"
            END (255), length 0
            PAD (0), length 0, occurs 16
10:29:28.546668 IP (tos 0x0, ttl 64, id 12420, offset 0, flags [none], proto UDP (17), length 328)
    10.99.0.2.67 > [ISP ADDRESS]: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xdc5b3946, Flags [none] (0x0000)
          Your-IP [ISP ADDRESS]
          Client-Ethernet-Address [ISP MAC] (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Lease-Time (51), length 4: 10800
            Subnet-Mask (1), length 4: 255.255.240.0
            Server-ID (54), length 4: 10.99.0.2
            Default-Gateway (3), length 4: [REDACTED].165.112.1
            Domain-Name-Server (6), length 8: [ISP DNS]
            END (255), length 0
            PAD (0), length 0, occurs 22
10:29:29.639671 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::4e6d:580d:df41:3741 > fe80::d63d:7eff:feef:662d: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::d63d:7eff:feef:662d
          source link-address option (1), length 8 (1): 4c:6d:58:41:37:41
            0x0000:  4c6d 5841 3741
10:30:00.639449 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::4e6d:580d:df41:3741 > ff02::1:ffef:662d: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::d63d:7eff:feef:662d
          source link-address option (1), length 8 (1): 4c:6d:58:41:37:41
            0x0000:  4c6d 5841 3741

wow :melting_face:
Now it’s clear: before upgrading "core" packages, you need to make sure whether you need to upgrade them, or "Working? Don’t touch it".
I'll do it today and write back.

1 Like

Update: still the same.
Only updated luci-base, luci-mod-network, luci-mod-status, luci-mod-system and luci-theme-bootstrap. firewall4 & netifd not updated to latest version.

base-files - 1545-r23497-6637af95aa
block-mount - 2023-02-28-bfe882d5-1
busybox - 1.36.1-1
ca-bundle - 20230311-1
cgi-io - 2022-08-10-901b0f04-21
collectd - 5.12.0-49
collectd-mod-conntrack - 5.12.0-49
collectd-mod-cpu - 5.12.0-49
collectd-mod-dns - 5.12.0-49
collectd-mod-interface - 5.12.0-49
collectd-mod-irq - 5.12.0-49
collectd-mod-iwinfo - 5.12.0-49
collectd-mod-load - 5.12.0-49
collectd-mod-memory - 5.12.0-49
collectd-mod-network - 5.12.0-49
collectd-mod-protocols - 5.12.0-49
collectd-mod-rrdtool - 5.12.0-49
collectd-mod-sensors - 5.12.0-49
curl - 8.4.0-2
dnsmasq - 2.89-4
dropbear - 2022.82-5
e2fsprogs - 1.47.0-2
firewall4 - 2023-03-23-04a06bd7-1
fstools - 2023-02-28-bfe882d5-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2022-08-13-4c7b720b-2
hostapd-common - 2023-09-08-e5ccbfc6-4
htop - 3.2.2-1
iperf3 - 3.15-1
iptables-mod-conntrack-extra - 1.8.8-1
iptables-mod-ipopt - 1.8.8-1
iptables-zz-legacy - 1.8.8-1
iw - 5.19-1
iwinfo - 2023-07-01-ca79f641-1
jansson4 - 2.14-3
jshn - 2023-05-23-75a3b870-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.15.134-1-9c242f353867f49a96054ff8c9f2c460
kmod-cfg80211 - 5.15.134+6.1.24-3
kmod-crypto-acompress - 5.15.134-1
kmod-crypto-aead - 5.15.134-1
kmod-crypto-ccm - 5.15.134-1
kmod-crypto-cmac - 5.15.134-1
kmod-crypto-crc32c - 5.15.134-1
kmod-crypto-ctr - 5.15.134-1
kmod-crypto-gcm - 5.15.134-1
kmod-crypto-gf128 - 5.15.134-1
kmod-crypto-ghash - 5.15.134-1
kmod-crypto-hash - 5.15.134-1
kmod-crypto-hmac - 5.15.134-1
kmod-crypto-kpp - 5.15.134-1
kmod-crypto-lib-chacha20 - 5.15.134-1
kmod-crypto-lib-chacha20poly1305 - 5.15.134-1
kmod-crypto-lib-curve25519 - 5.15.134-1
kmod-crypto-lib-poly1305 - 5.15.134-1
kmod-crypto-manager - 5.15.134-1
kmod-crypto-null - 5.15.134-1
kmod-crypto-rng - 5.15.134-1
kmod-crypto-seqiv - 5.15.134-1
kmod-crypto-sha512 - 5.15.134-1
kmod-fs-ext4 - 5.15.134-1
kmod-gpio-button-hotplug - 5.15.134-3
kmod-hwmon-core - 5.15.134-1
kmod-ifb - 5.15.134-1
kmod-ipt-conntrack - 5.15.134-1
kmod-ipt-conntrack-extra - 5.15.134-1
kmod-ipt-core - 5.15.134-1
kmod-ipt-ipopt - 5.15.134-1
kmod-leds-gpio - 5.15.134-1
kmod-lib-crc-ccitt - 5.15.134-1
kmod-lib-crc16 - 5.15.134-1
kmod-lib-crc32c - 5.15.134-1
kmod-lib-lzo - 5.15.134-1
kmod-mac80211 - 5.15.134+6.1.24-3
kmod-mt76-connac - 5.15.134+2023-08-14-b14c2351-1
kmod-mt76-core - 5.15.134+2023-08-14-b14c2351-1
kmod-mt7915-firmware - 5.15.134+2023-08-14-b14c2351-1
kmod-mt7915e - 5.15.134+2023-08-14-b14c2351-1
kmod-nf-conncount - 5.15.134-1
kmod-nf-conntrack - 5.15.134-1
kmod-nf-conntrack6 - 5.15.134-1
kmod-nf-flow - 5.15.134-1
kmod-nf-ipt - 5.15.134-1
kmod-nf-log - 5.15.134-1
kmod-nf-log6 - 5.15.134-1
kmod-nf-nat - 5.15.134-1
kmod-nf-reject - 5.15.134-1
kmod-nf-reject6 - 5.15.134-1
kmod-nfnetlink - 5.15.134-1
kmod-nft-bridge - 5.15.134-1
kmod-nft-core - 5.15.134-1
kmod-nft-fib - 5.15.134-1
kmod-nft-nat - 5.15.134-1
kmod-nft-netdev - 5.15.134-1
kmod-nft-offload - 5.15.134-1
kmod-nls-base - 5.15.134-1
kmod-ppp - 5.15.134-1
kmod-pppoe - 5.15.134-1
kmod-pppox - 5.15.134-1
kmod-sched-cake - 5.15.134-1
kmod-sched-connmark - 5.15.134-1
kmod-sched-core - 5.15.134-1
kmod-scsi-core - 5.15.134-1
kmod-slhc - 5.15.134-1
kmod-thermal - 5.15.134-1
kmod-udptunnel4 - 5.15.134-1
kmod-udptunnel6 - 5.15.134-1
kmod-usb-core - 5.15.134-1
kmod-usb-ehci - 5.15.134-1
kmod-usb-ledtrig-usbport - 5.15.134-1
kmod-usb-storage - 5.15.134-1
kmod-usb-xhci-hcd - 5.15.134-1
kmod-usb-xhci-mtk - 5.15.134-1
kmod-usb2 - 5.15.134-1
kmod-usb3 - 5.15.134-1
kmod-wireguard - 5.15.134-1
libblkid1 - 2.39-2
libblobmsg-json20230523 - 2023-05-23-75a3b870-1
libc - 1.2.4-4
libcomerr0 - 1.47.0-2
libcurl4 - 8.4.0-2
libext2fs2 - 1.47.0-2
libgcc1 - 12.3.0-4
libgd - 2.3.3-1
libip4tc2 - 1.8.8-1
libip6tc2 - 1.8.8-1
libiperf3 - 3.15-1
libiptext0 - 1.8.8-1
libiptext6-0 - 1.8.8-1
libiwinfo-data - 2023-07-01-ca79f641-1
libiwinfo20230701 - 2023-07-01-ca79f641-1
libjpeg-turbo - 2.1.4-2
libjson-c5 - 0.16-3
libjson-script20230523 - 2023-05-23-75a3b870-1
libltdl7 - 2.4.7-1
liblua5.1.5 - 5.1.5-10
liblucihttp-lua - 2023-03-15-9b5b683f-1
liblucihttp-ucode - 2023-03-15-9b5b683f-1
liblucihttp0 - 2023-03-15-9b5b683f-1
libmbedtls12 - 2.28.4-1
libmnl0 - 1.0.5-1
libncurses6 - 6.4-2
libnftnl11 - 1.2.6-1
libnghttp2-14 - 1.57.0-1
libnl-tiny1 - 2023-07-27-bc92a280-1
libpcap1 - 1.10.4-1
libpng - 1.6.39-1
libpthread - 1.2.4-4
libqrencode - 4.1.1-1
librrd1 - 1.0.50-5
librt - 1.2.4-4
libsensors5 - 3.6.0-1
libsqlite3-0 - 3410200-1
libss2 - 1.47.0-2
libsysfs2 - 2.1.0-4
libubox20230523 - 2023-05-23-75a3b870-1
libubus-lua - 2023-06-05-f787c97b-1
libubus20230605 - 2023-06-05-f787c97b-1
libuci20130104 - 2023-08-10-5781664d-1
libuclient20201210 - 2023-04-13-007d9454-1
libucode20220812 - 2023-06-06-c7d84aae-1
libucode20230711 - 2023-11-02-cfb24ea4-1
libustream-mbedtls20201210 - 2023-02-25-498f6e26-1
libuuid1 - 2.39-2
libwebp - 1.3.2-1
libxtables12 - 1.8.8-1
lm-sensors - 3.6.0-1
logd - 2022-08-13-4c7b720b-2
lua - 5.1.5-10
luci - git-23.051.66410-a505bb1
luci-app-firewall - git-23.306.38853-a0466cd
luci-app-nft-qos - git-23.208.55544-596088f
luci-app-opkg - git-23.009.82915-ec3aac4
luci-app-qos - git-20.108.38431-8f34e10
luci-app-sqm - git-22.360.73151-127c900
luci-app-statistics - git-23.306.39416-25a465f
luci-app-uhttpd - git-22.029.54222-e3fbfe9
luci-app-vnstat2 - git-22.034.46090-164e98c
luci-base - git-23.306.39416-c86c256
luci-compat - git-22.297.83017-673f382
luci-i18n-base-ru - git-23.306.39943-3d6a174
luci-i18n-base-uk - git-23.306.39943-3d6a174
luci-i18n-firewall-ru - git-23.306.39943-3d6a174
luci-i18n-firewall-uk - git-23.306.39943-3d6a174
luci-i18n-nft-qos-ru - git-23.301.56412-787ab17
luci-i18n-nft-qos-uk - git-23.301.56412-787ab17
luci-i18n-opkg-ru - git-23.301.56412-787ab17
luci-i18n-opkg-uk - git-23.301.56412-787ab17
luci-i18n-qos-ru - git-23.306.39943-3d6a174
luci-i18n-qos-uk - git-23.306.39943-3d6a174
luci-i18n-sqm-ru - git-23.306.39943-3d6a174
luci-i18n-sqm-uk - git-23.306.39943-3d6a174
luci-i18n-statistics-ru - git-23.306.39943-3d6a174
luci-i18n-statistics-uk - git-23.306.39943-3d6a174
luci-i18n-uhttpd-ru - git-23.306.39943-3d6a174
luci-i18n-uhttpd-uk - git-23.306.39943-3d6a174
luci-i18n-vnstat2-ru - git-23.301.56412-787ab17
luci-i18n-vnstat2-uk - git-23.301.56412-787ab17
luci-lib-base - git-22.308.54612-9118452
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-ipkg - git-18.318.71164-4bbe325
luci-lib-jsonc - git-23.298.74571-62eb535
luci-lib-nixio - git-22.222.71555-88b9088
luci-light - git-23.024.33244-34dee82
luci-lua-runtime - git-23.233.52805-dae2684
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-23.306.39537-9de37ca
luci-mod-status - git-23.306.52197-bdcd3e0
luci-mod-system - git-23.306.39416-7d3abf8
luci-proto-ipv6 - git-21.148.48881-79947af
luci-proto-ppp - git-21.158.38888-88b9d84
luci-proto-wireguard - git-23.306.39498-cbf7bbd
luci-ssl - git-23.035.26083-7550ad6
luci-theme-bootstrap - git-23.306.39416-c86c256
luci-theme-material - git-23.088.30860-f464199
mtd - 26
netifd - 2023-09-19-7a58b995-1
nft-qos - 1.0.6-4
nftables-json - 1.0.8-1
odhcp6c - 2023-05-12-bcd28363-20
odhcpd-ipv6only - 2023-06-24-52112643-1
openssh-sftp-server - 9.5p1-1
openwrt-keyring - 2022-03-25-62471e69-2
opkg - 2022-02-24-d038e5b6-2
ppp - 2.4.9.git-2021-01-04-4
ppp-mod-pppoe - 2.4.9.git-2021-01-04-4
procd - 2023-06-25-2db83655-2
procd-seccomp - 2023-06-25-2db83655-2
procd-ujail - 2023-06-25-2db83655-2
px5g-mbedtls - 9
qos-scripts - 1.3.1-33
qrencode - 4.1.1-1
rpcd - 2023-07-01-c07ab2f9-1
rpcd-mod-file - 2023-07-01-c07ab2f9-1
rpcd-mod-iwinfo - 2023-07-01-c07ab2f9-1
rpcd-mod-luci - 20230123-1
rpcd-mod-rrdns - 20170710
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
rrdtool1 - 1.0.50-5
sqm-scripts - 1.6.0-1
sysfsutils - 2.1.0-4
tc-tiny - 6.3.0-1
tcpdump - 4.99.4-1
terminfo - 6.4-2
ubi-utils - 2.1.5-1
uboot-envtools - 2023.04-1
ubox - 2022-08-13-4c7b720b-2
ubus - 2023-06-05-f787c97b-1
ubusd - 2023-06-05-f787c97b-1
uci - 2023-08-10-5781664d-1
uclient-fetch - 2023-04-13-007d9454-1
ucode - 2023-06-06-c7d84aae-1
ucode-mod-fs - 2023-06-06-c7d84aae-1
ucode-mod-html - 1
ucode-mod-lua - 1
ucode-mod-math - 2023-06-06-c7d84aae-1
ucode-mod-nl80211 - 2023-06-06-c7d84aae-1
ucode-mod-rtnl - 2023-06-06-c7d84aae-1
ucode-mod-ubus - 2023-06-06-c7d84aae-1
ucode-mod-uci - 2023-06-06-c7d84aae-1
ucode-mod-uloop - 2023-06-06-c7d84aae-1
uhttpd - 2023-06-25-34a8a74d-1
uhttpd-mod-ubus - 2023-06-25-34a8a74d-1
urandom-seed - 3
urngd - 2023-07-25-7aefb47b-1
usign - 2020-05-23-f1f65026-1
vnstat2 - 2.11-1
vnstati2 - 2.11-1
wireguard-tools - 1.0.20210914-2
wireless-regdb - 2023.09.01-1
wpad-basic-mbedtls - 2023-09-08-e5ccbfc6-4
xtables-legacy - 1.8.8-1
zlib - 1.2.13-1

This is the ISP replying with your renewed IP. Note that it is an input to port 68. It appears that the firewall dropped it, since there is no follow-on DHCP activity for 3 seconds until the router tries to start the whole process over with a Discover. (tcpdump shows packets outside the firewall.)

So port 68 must be open to UDP input for DHCP client to work, that is not negotiable and you should never disable that rule.

Unlike a desktop Linux, OpenWrt is not designed to update packages individually. This is because for space reasons it doesn't want to allow multiple versions of shared libraries to be resident on the system.

When new versions of packages that require new library versions are ported into the build for an existing release, all the other packages that use those libraries are rebuilt against the new library, and the old library is removed from the build. Opkg is unaware of this, and using opkg upgrade in such a situation will break your installation. The proper way to get the revised versions of packages between releases is to flash a complete new ROM from attendedsysupgrade or Firmware Selector.

Given that you have upgraded packages, your system may be in an unknown state at this point. The easiest fix is to reset to defaults. You can take a backup before doing this, and that backup should restore without issue. Then test again. If the problem still manifests, reset and don’t restore the backup - reconfigure from scratch.

What you are describing is not normal behavior with OpenWrt. But I also stand by my earlier suggestion - don’t shut down the guest wifi in the first place.

2 Likes
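
To make the reading of the capture discussed above repeatable, the following added example (not code from the thread or from OpenWrt) scans `tcpdump -vvv` text for DHCP Offers or ACKs that the client answered with another Discover on the same transaction id. Pairing on xid keeps replies broadcast to other clients on the ISP segment out of the result. The function names are hypothetical and the sample capture is constructed, with documentation addresses and made-up MACs.

```shell
#!/bin/sh
# Added example: find DHCP server replies the client never acted on.
# Assumed live use on the router:
#   tcpdump -l -n -vvv -i wan 'udp port 67 or udp port 68' | dhcp_unanswered_replies

dhcp_unanswered_replies() {
    awk '
    # Convert an HH:MM:SS.frac timestamp to seconds since midnight.
    function secs(ts,    p) { split(ts, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    # Packet header line: remember its timestamp, forget the previous xid.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / { ts = $1; xid = "" }

    # BOOTP line: the xid ties a server reply to the client transaction.
    /BOOTP\/DHCP,/ {
        if (match($0, /xid 0x[0-9a-fA-F]+/))
            xid = substr($0, RSTART + 4, RLENGTH - 4)
        next
    }

    # Option 53 line: the last field is the DHCP message type.
    /DHCP-Message/ && xid != "" {
        msg = $NF
        if (msg == "Offer" || msg == "ACK") {
            seen[xid] = ts; kind[xid] = msg      # reply waiting for a client reaction
        } else if (msg == "Request") {
            delete seen[xid]                     # client processed the Offer
        } else if (msg == "Discover" && (xid in seen)) {
            gap = secs(ts) - secs(seen[xid])
            if (gap < 0) gap += 86400            # capture crossed midnight
            printf "xid=%s reply=%s at=%s rediscover=%s gap=%.2fs\n", \
                   xid, kind[xid], seen[xid], ts, gap
            delete seen[xid]
        }
    }'
}

# Constructed sample, shaped like the tcpdump output posted in the thread.
sample_capture() {
cat <<'EOF'
10:29:25.251015 IP (tos 0x0, ttl 64, id 55017, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.2.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x79395c1c, Flags [Broadcast] (0x8000)
          Client-Ethernet-Address 02:00:00:00:00:99 (oui Unknown)
            DHCP-Message (53), length 1: ACK
10:29:25.269972 IP (tos 0x0, ttl 240, id 3244, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.75.51768 > 192.0.2.102.7589: Flags [S], cksum 0x04c7 (correct), seq 562588271, win 1024, length 0
10:29:25.437368 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 02:00:00:00:00:01 (oui Unknown), length 300, xid 0xdc5b3946, secs 10, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Discover
10:29:25.446847 IP (tos 0x0, ttl 64, id 56368, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.2.67 > 192.0.2.231.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xdc5b3946, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Offer
10:29:28.537351 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 02:00:00:00:00:01 (oui Unknown), length 300, xid 0xdc5b3946, secs 13, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Discover
10:29:28.546668 IP (tos 0x0, ttl 64, id 12420, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.2.67 > 192.0.2.231.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xdc5b3946, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Offer
10:31:00.100000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 02:00:00:00:00:01 (oui Unknown), length 300, xid 0x0badcafe, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Discover
10:31:00.110000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.2.67 > 192.0.2.231.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x0badcafe, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Offer
10:31:00.120000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 02:00:00:00:00:01 (oui Unknown), length 300, xid 0x0badcafe, Flags [none] (0x0000)
            DHCP-Message (53), length 1: Request
10:31:00.130000 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 328)
    198.51.100.2.67 > 192.0.2.231.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x0badcafe, Flags [none] (0x0000)
            DHCP-Message (53), length 1: ACK
EOF
}

# Stand-alone run over the constructed sample.
sample_capture | dhcp_unanswered_replies
```

A line of output means the reply reached the wire on the WAN side but the DHCP client behaved as if it never arrived, which points at input filtering on UDP port 68 rather than at the ISP.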

Only LuCI packages, but only for normal translation into my language (Logout can't be translated).

Reset, restored backup - problem still exists.
Reset, reconfigured from scratch what was in the backup/last time (did not restore the ".tar.gz" backup) - the same, not fixed.

So it is normal that, after any change related to the guest network (even the slightest) and the subsequent automatic reboot of the network itself, we need to reboot the router to fix this problem?
I was previously using OEM firmware (until ASUS RT-AX1800U) and I didn’t have to reboot the router afterwards. It seems everything is different here :thinking:

No, this is most certainly not normal.

Let's take another look at the latest config.

Did the OEM firmware have the ability to configure a guest network?

And it is worth stating again... the problem is unusual and shouldn't exist. But, given that it only happens when you stop the guest network, it seems that it isn't really worth much additional effort once you consider that leaving the guest network on all the time is indeed not going to materially affect the speeds of your main network or present any security risks or other concerns.

The thing is, I don't touch the firewall most of the time. I don't disable important rules for WAN or what you say, DHCP client. After re-enabling these rules all works fine. Why then does the firewall accept normally when OpenWRT is booting, but after rebooting the guest network everything breaks?

root@RT-AX1800U:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd83:b829:d288::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option sourcefilter '0'

config device
        option name 'wan'
        option macaddr '[REMOVED]'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ip6assign '64'
        list ipaddr '192.168.3.1/24'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '[REMOVED]'
        option listen_port '[REMOVED]'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option description 'wgclient'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'

config wireguard_vpn 'wglaptop'
        option description 'wglaptop'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '192.168.9.3/32'
        list allowed_ips 'fd00:9::3/128'

config wireguard_vpn 'wgmobile'
        option description 'wgmobile'
        option private_key '[REMOVED]'
        option public_key '[REMOVED]'
        option preshared_key '[REMOVED]'
        list allowed_ips '192.168.9.4/32'
        list allowed_ips 'fd00:9::4/128'

root@RT-AX1800U:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '6'
        option band '2g'
        option htmode 'HT20'
        option country 'UA'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '[REMOVED]'
        option encryption 'sae-mixed'
        option key '[REMOVED]'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option country 'UA'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '[REMOVED]'
        option encryption 'sae-mixed'
        option key '[REMOVED]'

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid '[REMOVED]'
        option encryption 'psk2'
        option key '[REMOVED]'

root@RT-AX1800U:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        option ra_default '1'

config domain
        option name 'INE-[REMOVED]'
        option ip '[REMOVED]'

config domain
        option name 'Lenovo330_[REMOVED]'
        option ip '[REMOVED]'

root@RT-AX1800U:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule 'icmp'
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'icmp6'
        option name 'Allow-ICMPv6-Input'
        option src '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'guest_dhcp6'
        option name 'Allow-DHCPv6-Guest'
        option src 'guest'
        option dest_port '547'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '[REMOVED]'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_ip '[REMOVED]'
        option dest_port '[REMOVED]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qBittorrent ([REMOVED])'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_ip '[REMOVED]'
        option dest_port '[REMOVED]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'guest'
        option src_dport '[REMOVED]'
        option dest_ip '1[REMOVED]'
        option dest_port '[REMOVED]'

config zone
        option name 'main'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config forwarding
        option src 'main'
        option dest 'guest'

config nat 'nat6'
        option family 'ipv6'
        option proto 'all'
        option src 'wan'
        option src_ip 'fd83:b829:d288::/48'
        option target 'MASQUERADE'

root@RT-AX1800U:~# 

Remove the following:

Here, you've put the lan network into a second firewall zone called main. This is not good because you can only assign a network to a single firewall zone. In this case, your lan network is already in the lan zone (near the top of the firewall file). The firewall is probably being reloaded when you stop the guest zone.... and in this case (to make matters worse), if the lan network ends up in the main zone, it will not have internet access because you don't have a forward associated with it.

See if deleting these errant entries fixes the problem.
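
The double zone assignment described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not OpenWrt's own tooling: a shell function (hypothetical name `find_dup_zone_networks`) that reads a firewall config on stdin and lists every network claimed by more than one zone. The sample input is constructed from the zone stanzas quoted on this page.

```shell
# Added example (not from the thread). Reads a UCI firewall config on stdin, prints
# "<network>: <zone> <zone> ..." for each network claimed by several zones; returns 1 if any.
find_dup_zone_networks() {   # hypothetical helper name
    awk -v q="'" '
    function end_section(   i, net) {
        if (in_zone && zname != "")
            for (i = 1; i <= n; i++) {
                net = nets[i]
                if (net in zones) zones[net] = zones[net] " " zname
                else { zones[net] = zname; order[++seen] = net }
                count[net]++
            }
        in_zone = 0; zname = ""; n = 0
    }
    $1 == "config" { end_section(); in_zone = ($2 == "zone"); next }
    in_zone && ($1 == "option" || $1 == "list") {
        val = $0
        sub(/^[ \t]*[a-z]+[ \t]+[a-z_]+[ \t]+/, "", val)  # strip keyword and key
        gsub("[" q "\"]", "", val)                         # strip UCI quoting
        m = split(val, parts, " ")         # value may be a space-separated list
        if ($2 == "name") zname = parts[1]
        else if ($2 == "network") for (i = 1; i <= m; i++) nets[++n] = parts[i]
    }
    END {
        end_section()
        for (i = 1; i <= seen; i++)
            if (count[order[i]] > 1) { print order[i] ": " zones[order[i]]; bad = 1 }
        exit bad + 0
    }'
}
# Constructed sample: zone stanzas reduced from the config quoted in the thread.
sample_before() {
cat <<'EOF'
config zone 'lan'
        option name 'lan'
        list network 'lan'
config zone 'guest'
        option name 'guest'
        option network 'guest'
config zone
        option name 'main'
        list network 'lan'
config forwarding
        option src 'main'
        option dest 'guest'
EOF
}
sample_after() { sample_before | sed '/^config zone$/,$d'; }  # "main" stanzas removed
sample_before | find_dup_zone_networks || true   # prints: lan: lan main
```

On the router the same check would be run as `find_dup_zone_networks < /etc/config/firewall`; empty output and exit status 0 mean every network belongs to at most one zone.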

What you suggested deleting was mainly used to connect from the main network to a guest IP (game functions for connecting), but still the same.

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule 'icmp'
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'icmp6'
        option name 'Allow-ICMPv6-Input'
        option src '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'guest_dhcp6'
        option name 'Allow-DHCPv6-Guest'
        option src 'guest'
        option dest_port '547'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '[REMOVED]'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_ip '[REMOVED]'
        option dest_port '[REMOVED]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qBittorrent ([REMOVED])'
        option src 'wan'
        option src_dport '[REMOVED]'
        option dest_ip '[REMOVED]'
        option dest_port '[REMOVED]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '[REMOVED]'
        option src 'guest'
        option src_dport '[REMOVED]'
        option dest_ip '1[REMOVED]'
        option dest_port '[REMOVED]'

config nat 'nat6'
        option family 'ipv6'
        option proto 'all'
        option src 'wan'
        option src_ip 'fd83:b829:d288::/48'
        option target 'MASQUERADE'

Meanwhile:

root@RT-AX1800U:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=62 time=11.212 ms
64 bytes from 1.1.1.1: seq=1 ttl=62 time=10.005 ms # Guest Interface rebooted/reconnect
64 bytes from 1.1.1.1: seq=2 ttl=62 time=9.900 ms
64 bytes from 1.1.1.1: seq=3 ttl=62 time=9.907 ms
64 bytes from 1.1.1.1: seq=4 ttl=62 time=9.894 ms
64 bytes from 1.1.1.1: seq=5 ttl=62 time=10.367 ms # Guest Interface starting
^C
--- 1.1.1.1 ping statistics ---
14 packets transmitted, 6 packets received, 57% packet loss
round-trip min/avg/max = 9.894/10.214/11.212 ms
root@RT-AX1800U:~#

It was not valid, so it should not be in the file anyway.

I can't explain what is happening, but we could try one more thing... starting with a total default config and then adding only the guest wifi and directly related firewall rules (no other changes/additions).