Amazon Echo devices keep losing network connection

Hi All,

I have three Amazon Echo devices (Echo Dot 2nd Gen, Echo Dot 3rd Gen and Echo Show 5 1st Gen). Since I configured OpenWrt on my router, these devices keep losing their wifi connection at random and then pick it back up after a few hours. I have tried changing the DTIM interval on the IOT wifi interface (to 1, 2 and 3), but that doesn't seem to affect the connection dropouts.

I have three VLANs configured on my Belkin RT3200:

LAN - Phones/Tablets/Laptops
IOT - For smart devices
Guest - Wireguard VPN

Here is the network config:

# OpenWrt UCI network configuration as posted: one bridge (br-lan) carrying
# VLANs 3, 4 and 99, a DHCP WAN, and a WireGuard client interface (wg0).
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:d78d:0440::/48'

# Bridge over the four LAN ports. lan3 and lan4 are bridge members but are
# not listed in any bridge-vlan section below.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Main LAN: attached to VLAN 99 of the bridge.
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.99'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	# peerdns '0': do not use the DNS servers announced by the upstream DHCP
	# server; use the resolvers listed here instead.
	option peerdns '0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	list dns '2620:119:35::35'
	list dns '2620:119:53::53'
	option peerdns '0'

# VLAN membership: ':t' marks a port as tagged, ':u*' as untagged and the
# port's primary VLAN. VLANs 3 and 4 exist only as tagged VLANs on lan2.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:u*'
	list ports 'lan2:t'

# IOT network on VLAN 3.
config interface 'IOT'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'

# Guest network on VLAN 4.
config interface 'Guest'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

# Policy routing: traffic arriving on lan and IOT is looked up in table 100,
# whose only route shown here is a default route via wan. Guest has no such
# rule. NOTE(review): presumably this keeps lan/IOT off the wg0 default route
# while Guest follows it; which zones may actually reach each other depends
# on the firewall config, which is not shown here.
config rule
	option in 'lan'
	option lookup '100'

config rule
	option in 'IOT'
	option lookup '100'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '100'

config interface 'wg0'
	option proto 'wireguard'
	# NOTE(review): the WireGuard private key is a long-term secret. The value
	# below appears to be masked only in a short run of characters, which
	# leaves most of the key material public. A key posted this way should be
	# treated as exposed: generate a new key pair and register the new public
	# key with the provider. When sharing a config, replace the whole value.
	option private_key 'IEvLBV8S5tuHJGVCXXXXXXwyh7GAuwdctDFiNdPW5Fc='
	# NOTE(review): a /8 prefix makes all of 10.0.0.0/8 on-link for wg0;
	# confirm the provider did not intend a narrower prefix.
	list addresses '10.14.0.2/8'
	option mtu '1350'
	option dns '1.0.0.1 1.1.1.1'

# Peer WG_1: only 172.16.0.36/32 is accepted from and routed to this peer.
config wireguard_wg0
	option public_key 'o07k/2dsaQkLLSR0dCI/FXXXXLik/F/HBBcOGUkNQGo='
	option route_allowed_ips '1'
	list allowed_ips '172.16.0.36/32'
	option persistent_keepalive '25'
	option description 'WG_1'
	option endpoint_host 'wgs.prod.surfshark.com'
	option endpoint_port '51820'

# Peer WG_2: allowed_ips 0.0.0.0/0 together with route_allowed_ips '1'
# installs a route for all IPv4 destinations via wg0.
config wireguard_wg0
	option public_key '+dmGrWPM9NI3vQkZ9E7hXXXXJKYzd3YMXGq10sjbN0A='
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option description 'WG_2'
	option route_allowed_ips '1'
	option endpoint_host 'in-del.prod.surfshark.com'
	option endpoint_port '51820'

From the logs it seems to be a DHCP issue. I have assigned static IP addresses from the OpenWrt interface, but that didn't help. Here are the recent system logs:

Mon Feb 20 09:26:29 2023 daemon.info hostapd: wlan1-2: STA 88:57:1d:11:f8:0f WPA: group key handshake completed (RSN)
Mon Feb 20 09:26:55 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:27:24 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:29:10 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:29:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:30:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:30:24 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:30:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:31:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:31:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:32:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:33:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:33:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:34:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 74:d6:37:a8:0b:2c WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 08:84:9d:0b:37:cc WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 00:03:7f:33:3b:5a WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:96:65:39 WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:96:4e:70 WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 34:3e:a4:02:aa:8c WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA b0:4a:39:2e:26:1b WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 28:6d:97:a4:8b:2d WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 54:e0:19:88:7e:c8 WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:c7:27:b4 WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:74:f6:cc WPA: group key handshake completed (RSN)
Mon Feb 20 09:34:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:35:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:36:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:36:24 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:36:29 2023 daemon.info hostapd: wlan1-2: STA 44:65:0d:51:40:af WPA: group key handshake completed (RSN)
Mon Feb 20 09:36:29 2023 daemon.info hostapd: wlan1-2: STA 88:57:1d:11:f8:0f WPA: group key handshake completed (RSN)
Mon Feb 20 09:37:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:37:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:38:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:38:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:39:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:39:49 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.234 18:b4:30:c7:27:b4
Mon Feb 20 09:39:49 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.234 18:b4:30:c7:27:b4 09AA01AC24170QKQ
Mon Feb 20 09:40:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:40:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:43:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 08:84:9d:0b:37:cc WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 00:03:7f:33:3b:5a WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 74:d6:37:a8:0b:2c WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:96:65:39 WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:96:4e:70 WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA b0:4a:39:2e:26:1b WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 28:6d:97:a4:8b:2d WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 34:3e:a4:02:aa:8c WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 54:e0:19:88:7e:c8 WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:74:f6:cc WPA: group key handshake completed (RSN)
Mon Feb 20 09:44:50 2023 daemon.info hostapd: wlan0-1: STA 18:b4:30:c7:27:b4 WPA: group key handshake completed (RSN)
Mon Feb 20 09:45:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:46:29 2023 daemon.info hostapd: wlan1-2: STA 88:57:1d:11:f8:0f WPA: group key handshake completed (RSN)
Mon Feb 20 09:46:30 2023 daemon.info hostapd: wlan1-2: STA 44:65:0d:51:40:af WPA: group key handshake completed (RSN)
Mon Feb 20 09:47:24 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:48:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:48:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:49:09 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:49:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:50:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:51:24 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:51:54 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:52:24 2023 user.info : luci: accepted login on / for root from 192.168.1.171
Mon Feb 20 09:52:39 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Mon Feb 20 09:52:45 2023 authpriv.info dropbear[29853]: Child connection from 192.168.1.171:64896

Is anyone facing a similar issue or can assist me to solve this issue ?

Thanks

I had an Echo which just moved to the wrong SSID by itself; it seems Echos can store multiple wifi passwords even though the Alexa app makes it look like only one SSID can be actively used. It moved to the SSID/PSK it had before I moved it to the IOT wifi, and I double-checked that it really ended up there. It happened after the IOT SSID was unavailable for a short time.

Maybe fully reset the echo?

Hi @Catfriend1,

That was the case earlier: all three were going to the old SSID. So I did a factory reset on all of them and added them back one by one on the IOT SSID (this was done a week ago). But they still keep losing their network connection.


What is your wireless config?

I think it is good to test whether that happens even if you have only one ESSID.
Is the problem on mt7622 or mt7915?

Amazon stores wifi passwords so if you’ve previously had them on a different SSID at one point, call Amazon Alexa support and have them wipe the wifi record clean (I had to do this before and you have to call them, it’s the only way).

Amazon devices are also very fickle with fast transition and boot from low ack, so if you are using FT, turn it off and also disable the disassociate from low ack option in the wireless settings.

@Catfriend1 Here is my router wireless config:

# OpenWrt UCI wireless configuration as posted: a 2.4 GHz radio (radio0), a
# 5 GHz radio (radio1) and six AP interfaces spread over the Guest, lan and
# IOT networks.
# NOTE(review): every wifi-iface below shows the same masked key string. If
# the real passphrase is also shared, any device on the IOT or Guest SSID
# holds the passphrase of the lan SSIDs, which defeats the separation between
# the networks; use a distinct passphrase per network. The masking also
# leaves the beginning of the passphrase visible; replace the whole value
# when sharing a config.
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option cell_density '0'
	option country 'GB'
	option htmode 'HT20'
	option channel '1'
	# legacy_rates '1' allows the old 802.11b data rates on this radio.
	option legacy_rates '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option country 'GB'
	option htmode 'HE80'
	# Channel 112 lies in the 5 GHz DFS range.
	option channel '112'

# Guest SSID on 2.4 GHz; 'sae-mixed' is WPA2-PSK/WPA3-SAE mixed mode.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option ssid 'Guest'
	option network 'Guest'
	option key 'CreationXXXXX'

# Guest SSID on 5 GHz.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option network 'Guest'
	option key 'CreationXXXXX'
	option ssid 'Guest'
	# NOTE(review): WMM is disabled here; it is normally required for
	# HT/VHT/HE rates, so confirm this is intentional.
	option wmm '0'

# lan SSID on 5 GHz, WPA2-PSK.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Seamless-5G'
	option encryption 'psk2'
	option network 'lan'
	option key 'CreationXXXXX'

# IOT SSID on 2.4 GHz.
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option key 'CreationXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	# presumably seconds (10 hours) before an idle station is dropped; confirm
	option max_inactivity '36000'
	# WPA2-PSK with both TKIP and CCMP allowed. TKIP is a deprecated cipher;
	# 'psk2' (CCMP only) is the stricter setting.
	option encryption 'psk2+tkip+ccmp'
	option wmm '0'
	option dtim_period '3'

# IOT SSID on 5 GHz, same settings as wifinet4 except that wmm is not set.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option key 'CreationXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	option max_inactivity '36000'
	option encryption 'psk2+tkip+ccmp'
	option dtim_period '3'

# lan SSID on 2.4 GHz, WPA2-PSK.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Seamless-2G'
	option encryption 'psk2'
	option key 'CreationXXXXX'
	option network 'lan'

@mmstano All the stored passwords were wiped when I did factory reset on the echo devices.

I will try to disable the Disassociate On Low Acknowledgement setting.

Thanks

Amazon doesn’t store them per device, they store them per account, so resetting the device doesn’t help. You have to call Amazon and have them remove the old wifi info from the entire account.


You might want to use a smaller bandwidth (say VHT40) and select a channel that is not in the DFS range.

other things... max_inactivity could be causing a problem, as could the encryption. Best to use WPA2 PSK, since that is the best supported for these types of devices.


FYI - this can be easily done from one's account.

See "How do I delete my Wi-Fi passwords from Amazon?" at this site: https://www.amazon.com/gp/help/customer/display.html?nodeId=201730860


Thanks @Catfriend1 @psherman , I have updated the Wireless config today, will monitor it for next 24 hours.
Disabling Disassociate On Low Acknowledgement and updating the encryption to psk2 didn't resolve the issue. So I have updated the bandwidth and channel. Here is the updated Wireless config:

# Updated OpenWrt UCI wireless configuration as posted: radio0 on 2.4 GHz
# channel 6, radio1 on 5 GHz channel 48 at HE40, and six AP interfaces for
# the Guest, lan and IOT networks. All keys are fully masked in this dump.
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option cell_density '0'
	option country 'GB'
	option htmode 'HT20'
	option channel '6'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option country 'GB'
	option channel '48'
	option htmode 'HE40'

# Guest SSID on 2.4 GHz; 'sae-mixed' is WPA2-PSK/WPA3-SAE mixed mode.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option ssid 'Guest'
	option network 'Guest'
	option key 'XXXXXX'

# Guest SSID on 5 GHz.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option network 'Guest'
	option key 'XXXXXX'
	option ssid 'Guest'
	# NOTE(review): WMM is disabled here; it is normally required for
	# HT/VHT/HE rates, so confirm this is intentional.
	option wmm '0'

# lan SSID on 5 GHz, WPA2-PSK.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Seamless-5G'
	option encryption 'psk2'
	option network 'lan'
	option key 'XXXXXX'

# IOT SSID on 2.4 GHz.
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option key 'XXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	# presumably seconds (10 hours) before an idle station is dropped; confirm
	option max_inactivity '36000'
	option wmm '0'
	option dtim_period '3'
	# WPA2-PSK, no TKIP.
	option encryption 'psk2'
	# Do not drop stations because of missing acknowledgements.
	option disassoc_low_ack '0'

# IOT SSID on 5 GHz, same settings as wifinet4 except that wmm is not set.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option key 'XXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	option max_inactivity '36000'
	option dtim_period '3'
	option encryption 'psk2'
	option disassoc_low_ack '0'

# lan SSID on 2.4 GHz, WPA2-PSK.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Seamless-2G'
	option encryption 'psk2'
	option key 'XXXXXX'
	option network 'lan'

Do not use sae-mixed. Test whether that happens if you have one ESSID per radio; that is how you start to resolve problems.

That must be a newer feature. Then again, it’s been a couple years since I had to do it. Thx


@anon4457646 The Echo devices are connecting to IOT, which does not use sae-mixed. I still have to try using one ESSID with one radio.

i know that, still the same

The Echo devices are still losing network connection. I have now increased the max_inactivity to 360000

This is the syslog and wireless config as the Echo devices are still going offline:

Wed Feb 22 18:35:56 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.249 08:84:9d:0b:37:cc
Wed Feb 22 18:35:56 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.249 08:84:9d:0b:37:cc Amazon-EchoDot
Wed Feb 22 18:36:37 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.103 54:e0:19:88:7e:c8
Wed Feb 22 18:36:37 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.103 54:e0:19:88:7e:c8
Wed Feb 22 18:59:22 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.118 00:03:7f:33:3b:5a
Wed Feb 22 18:59:22 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.118 00:03:7f:33:3b:5a Blink-Sync-Module
Wed Feb 22 18:59:23 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.134 b0:4a:39:2e:26:1b
Wed Feb 22 18:59:23 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.134 b0:4a:39:2e:26:1b Roborock-S7-vacuum
Wed Feb 22 18:59:24 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.186 18:b4:30:74:f6:cc
Wed Feb 22 18:59:24 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.186 18:b4:30:74:f6:cc 09AA01AC031602C8
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.232 18:b4:30:96:4e:70
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.232 18:b4:30:96:4e:70 NestIQ-Garden
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.104 18:b4:30:96:65:39
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.104 18:b4:30:96:65:39 NestIQ-Driveway
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.156 28:6d:97:a4:8b:2d
Wed Feb 22 18:59:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.156 28:6d:97:a4:8b:2d Smartthings-hubv3
Wed Feb 22 18:59:32 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.202 64:07:f6:2e:65:4c
Wed Feb 22 18:59:32 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.202 64:07:f6:2e:65:4c Samsung
Wed Feb 22 18:59:34 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.196 34:3e:a4:02:aa:8c
Wed Feb 22 18:59:34 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.196 34:3e:a4:02:aa:8c Ring-ChimePro
Wed Feb 22 18:59:43 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.218 74:d6:37:a8:0b:2c
Wed Feb 22 18:59:43 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.218 74:d6:37:a8:0b:2c Amazon-EchoShow
Wed Feb 22 18:59:58 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.3) 192.168.3.234 18:b4:30:c7:27:b4
Wed Feb 22 18:59:58 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.3) 192.168.3.234 18:b4:30:c7:27:b4 09AA01AC24170QKQ
Wed Feb 22 19:10:04 2023 daemon.notice netifd: wan (24063): udhcpc: sending renew to server 93.113.26.8
Wed Feb 22 19:10:04 2023 daemon.notice netifd: wan (24063): udhcpc: lease of 149.86.40.117 obtained from 93.113.26.8, lease time 86400
Wed Feb 22 19:20:45 2023 daemon.info hostapd: wlan0-2: STA 18:b4:30:b6:06:3b IEEE 802.11: authenticated
Wed Feb 22 19:20:45 2023 daemon.info hostapd: wlan0-2: STA 18:b4:30:b6:06:3b IEEE 802.11: associated (aid 1)
Wed Feb 22 19:20:45 2023 daemon.notice hostapd: wlan0-2: AP-STA-CONNECTED 18:b4:30:b6:06:3b
Wed Feb 22 19:20:45 2023 daemon.info hostapd: wlan0-2: STA 18:b4:30:b6:06:3b WPA: pairwise key handshake completed (RSN)
Wed Feb 22 19:20:45 2023 daemon.notice hostapd: wlan0-2: EAPOL-4WAY-HS-COMPLETED 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.99) 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.99) 192.168.1.161 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.99) 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.99) 192.168.1.161 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.161 18:b4:30:b6:06:3b
Wed Feb 22 19:20:48 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.161 18:b4:30:b6:06:3b
Wed Feb 22 19:21:17 2023 daemon.notice hostapd: wlan0-2: AP-STA-DISCONNECTED 18:b4:30:b6:06:3b
Wed Feb 22 19:21:17 2023 daemon.info hostapd: wlan0-2: STA 18:b4:30:b6:06:3b IEEE 802.11: disassociated
Wed Feb 22 19:21:18 2023 daemon.info hostapd: wlan0-2: STA 18:b4:30:b6:06:3b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 22 20:26:56 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: gocd-dataengineering.gamesys.co.uk
Wed Feb 22 20:27:00 2023 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: gocd-dataengineering.gamesys.co.uk
Wed Feb 22 20:27:40 2023 daemon.notice hostapd: wlan1-1: AP-STA-DISCONNECTED a4:83:e7:ce:32:41
Wed Feb 22 20:27:40 2023 daemon.info hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: disassociated
Wed Feb 22 20:27:41 2023 daemon.info hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 22 20:29:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.220 44:e4:ee:b8:3f:d7
Wed Feb 22 20:29:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.220 44:e4:ee:b8:3f:d7
Wed Feb 22 21:35:53 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:53 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:53 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:53 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:53 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:56 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:57 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:57 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:35:57 2023 daemon.notice hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: did not acknowledge authentication response
Wed Feb 22 21:36:09 2023 daemon.info hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: authenticated
Wed Feb 22 21:36:09 2023 daemon.info hostapd: wlan1-1: STA a4:83:e7:ce:32:41 IEEE 802.11: associated (aid 1)
Wed Feb 22 21:36:09 2023 daemon.notice hostapd: wlan1-1: AP-STA-CONNECTED a4:83:e7:ce:32:41
Wed Feb 22 21:36:09 2023 daemon.info hostapd: wlan1-1: STA a4:83:e7:ce:32:41 WPA: pairwise key handshake completed (RSN)
Wed Feb 22 21:36:09 2023 daemon.notice hostapd: wlan1-1: EAPOL-4WAY-HS-COMPLETED a4:83:e7:ce:32:41
Wed Feb 22 21:36:11 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.171 a4:83:e7:ce:32:41
Wed Feb 22 21:36:11 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.171 a4:83:e7:ce:32:41 MacBook-Pro
Wed Feb 22 21:46:21 2023 user.info : luci: accepted login on / for root from 192.168.1.171

Wireless Config:

# OpenWrt UCI wireless configuration as posted after raising max_inactivity:
# radio0 on 2.4 GHz channel 6, radio1 on 5 GHz channel 48 at HE40, and six AP
# interfaces for the Guest, lan and IOT networks. All keys are fully masked.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option cell_density '0'
	option country 'GB'
	option htmode 'HT20'
	option channel '6'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option country 'GB'
	option channel '48'
	option htmode 'HE40'

# Guest SSID on 2.4 GHz; 'sae-mixed' is WPA2-PSK/WPA3-SAE mixed mode.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option ssid 'Guest'
	option network 'Guest'
	option key 'XXXXXX'

# Guest SSID on 5 GHz.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option network 'Guest'
	option key 'XXXXXX'
	option ssid 'Guest'
	# NOTE(review): WMM is disabled here; it is normally required for
	# HT/VHT/HE rates, so confirm this is intentional.
	option wmm '0'

# lan SSID on 5 GHz, WPA2-PSK.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Seamless-5G'
	option encryption 'psk2'
	option network 'lan'
	option key 'XXXXXX'

# IOT SSID on 2.4 GHz.
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option key 'XXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	option wmm '0'
	option dtim_period '3'
	# WPA2-PSK, no TKIP.
	option encryption 'psk2'
	# Do not drop stations because of missing acknowledgements.
	option disassoc_low_ack '0'
	# presumably seconds (100 hours) before an idle station is dropped; confirm
	option max_inactivity '360000'

# IOT SSID on 5 GHz; WMM is disabled on this interface as well.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option key 'XXXXXX'
	option network 'IOT'
	option ssid 'IOT'
	option dtim_period '3'
	option encryption 'psk2'
	option disassoc_low_ack '0'
	option wmm '0'
	option max_inactivity '360000'

# lan SSID on 2.4 GHz, WPA2-PSK.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Seamless-2G'
	option encryption 'psk2'
	option key 'XXXXXX'
	option network 'lan'

I will try to use single ESSID tomorrow to see if that makes any difference.

Thanks @anon4457646 @mmstano, I do not see any disconnections on the Echo devices when using a single ESSID. I will add one VLAN, as opposed to two, and see if the issue comes back.

Thanks

The issue only happens when the WireGuard interface is enabled. Here is the setup:

VLAN ID 8 - Home Network
VLAN ID 9 - IOT Network
VLAN ID 99 - VPN Network (WireGuard)

The Echo devices work perfectly until the WireGuard interface is enabled.

Network Config

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8a:7f87:5713::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr 'XX:83:c4:XX:04:XX'

config device
        option name 'lan2'
        option macaddr 'XX:83:c4:XX:04:XX'

config device
        option name 'lan3'
        option macaddr 'XX:83:c4:XX:04:XX'

config device
        option name 'lan4'
        option macaddr 'XX:83:c4:XX:04:XX'

config device
        option name 'lan5'
        option macaddr 'XX:83:c4:XX:04:XX'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan3'
        list ports 'lan4'
                                               
config bridge-vlan                             
        option device 'br-lan'                 
        option vlan '99'                       
        list ports 'lan5'                      
                                               
config interface 'lan'                         
        option device 'br-lan.8'               
        option proto 'static'                  
        option ipaddr '192.168.8.1'       
        option netmask '255.255.255.0'    
        option ip6assign '60'             
        option isolate '1'                
        list dns '8.8.8.8'                
        list dns '8.8.4.4'                
                                          
config interface 'IOT'                    
        option device 'br-lan.9'          
        option proto 'static'             
        option ipaddr '192.168.9.1'       
        option netmask '255.255.255.0'    
        option ip6assign '60'             
        option isolate '1'                
        option type 'bridge'              
        list dns '8.8.8.8'                
        list dns '8.8.4.4'                
                                          
config interface 'Guest'                  
        option device 'br-lan.99'         
        option proto 'static'             
        option ipaddr '192.168.99.1'      
        option netmask '255.255.255.0'    
        option ip6assign '60'             
        option isolate '1'                
                                          
config device                             
        option name 'eth1'                
        option macaddr 'XX:83:c4:XX:04:XX'
                                          
config interface 'wan'                    
        option device 'eth1'              
        option proto 'dhcp'               
        option force_link '0'             
        option ipv6 '0'                   
        option metric '10'                
                                          
config interface 'wan6'                   
        option proto 'dhcpv6'             
        option disabled '1'               
        option device '@wan'
                                               
config interface 'tethering6'                  
        option proto 'dhcpv6'                  
        option disabled '1'                    
        option device '@tethering'             
                                               
config interface 'wwan6'                       
        option proto 'dhcpv6'                  
        option disabled '1'                    
        option device '@wwan'             
                                          
config interface 'wwan'                   
        option proto 'dhcp'               
        option metric '20'                
                                          
config interface 'secondwan'              
        option ipv6 '0'                   
        option proto 'dhcp'               
        option metric '15'                
        option force_link '0'             
                                          
config interface 'secondwan6'             
        option proto 'dhcpv6'             
        option disabled '1'               
        option metric '15'                
        option device '@secondwan'        
                                          
config interface 'modem_1_1_2_6'          
        option proto 'dhcpv6'             
        option disabled '1'               
        option device '@modem_1_1_2'      
                                          
# IPv4 policy routing, selected by ingress interface: packets arriving on
# IOT, lan and Guest are looked up in tables 1, 2 and 3 respectively.
# These three rules have the lowest priority numbers in this file (1-3).
# NOTE(review): each of those tables only holds a default route in this
# config, so traffic from one VLAN to another VLAN's subnet would be sent to
# that table's uplink rather than routed locally. If that is the intended
# isolation, it should also be enforced in the firewall, not only by routing.
config rule
        option dest '0.0.0.0/0'
        option priority '1'
        option lookup '1'
        option in 'IOT'

config rule
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '2'
        option in 'lan'

config rule
        option dest '0.0.0.0/0'
        option priority '3'
        option lookup '3'
        option in 'Guest'

# Unnamed rule: consult the main table at priority 1100, with no
# suppress_prefixlength.
# NOTE(review): a second rule, 'policy_direct_rt', uses the same priority
# 1100 but sets suppress_prefixlength '0' (ignore main's default route).
# Which of the two is evaluated first cannot be told from this file; if this
# one wins, main's default route is used and rule 1101 is never reached.
# Confirm with `ip rule show`.
config rule
        option priority '1100'
        option lookup 'main'

# Packets that do NOT carry mark 0x8000/0xc000 (invert '1') look up table
# 8000. Nothing in this file populates table 8000 or sets that mark;
# presumably the firewall include scripts do - verify.
config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

# IPv6 counterparts of the 1100/1101 rules above.
config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'
                                          
# WireGuard client interface used as the Guest uplink (table 3 routes to it).
# The private and public keys are masked with X characters in this post;
# keep them masked whenever the config is shared.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

# Single peer. allowed_ips covers all of IPv4 only.
# NOTE(review): route_allowed_ips '1' installs a route for every allowed
# prefix, here 0.0.0.0/0. No ip4table is set on wg0, so that route presumably
# lands in the main table and could steer traffic that is not matched by the
# per-interface rules (for example the router's own traffic) into the tunnel.
# Since table 3 already carries an explicit default route via wg0, check
# whether this option is needed at all.
# NOTE(review): there is no IPv6 prefix in allowed_ips, while a route6 entry
# sends ::/0 from table 3 to wg0. WireGuard only forwards destinations covered
# by a peer's allowed_ips, so Guest IPv6 would be expected to fail rather than
# leak - confirm.
config wireguard_wg0
        option description 'Peer'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'US-AZ.prod.surfshark.com'
        option endpoint_port '51820'
        option persistent_keepalive '25'
                                                                         
# Default routes for the per-VLAN tables:
#   table 1 (IOT)   -> wan
#   table 2 (lan)   -> wan
#   table 3 (Guest) -> wg0
config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1'
        option interface 'wan'

config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '2'
        option interface 'wan'

# NOTE(review): if wg0 is down this route is presumably absent, table 3 is
# then empty and the lookup falls through to the later rules (1100/1101).
# Guest traffic is then kept off the plain WAN only by the firewall, which
# in the pasted config forwards Guest to 'vpnfirewall' and nowhere else.
# Keep it that way if the VPN is meant to be mandatory for Guest.
config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '3'
        option interface 'wg0'

# Consult main but ignore its default route (suppress_prefixlength '0').
# Shares priority 1100 with the unnamed 'lookup main' rule earlier in the file.
config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

# IPv6 default routes for the same three tables.
config route6
        option interface 'wan6'
        option target '::/0'
        option table '1'

config route6
        option interface 'wan6'
        option target '::/0'
        option table '2'

config route6
        option interface 'wg0'
        option target '::/0'
        option table '3'

# IPv6 ingress-interface rules mirroring the IPv4 ones (priorities 1-3).
config rule6
        option priority '1'
        option in 'IOT'
        option lookup '1'

config rule6
        option priority '2'
        option in 'lan'
        option lookup '2'

config rule6
        option priority '3'
        option in 'Guest'
        option lookup '3'

Firewall Config

package firewall

# Global policy: anything not matched by a zone or rule is rejected for
# input and forward; router-originated traffic is allowed.
# NOTE(review): with software and hardware flow offloading enabled,
# established flows take a fast path around most of the normal forwarding
# processing. If per-packet rules or shaping are expected to apply to IOT or
# Guest traffic, or while chasing unexplained drops, test with both off.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

# Trusted zone: full access to the router and free forwarding inside the zone.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# lan clients may reach the WAN uplinks.
config forwarding
        option src 'lan'
        option dest 'wan'

# Exceptions for the 'wan' zone. A rule with 'src' and no 'dest' applies to
# traffic addressed to the router itself; a rule that also has 'dest' applies
# to forwarded traffic.

# DHCP replies to the router's own WAN client (UDP/68, IPv4).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IGMP from the uplink (IPv4 multicast membership).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 replies to the router (UDP/546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery, restricted to link-local senders.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router: error reporting plus neighbour/router discovery,
# rate limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'): echo and error types
# only, same rate limit. This includes echo-request towards internal hosts
# that have global IPv6 addresses.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Inbound IPsec (ESP and IKE on UDP/500) forwarded from wan to lan hosts.
# No address family is set, so both rules apply to IPv4 and IPv6.
# NOTE(review): if no lan host terminates IPsec, these two rules can be
# disabled to reduce what is reachable from the uplink - confirm before
# removing.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
                                                
# External rule file loaded with the firewall and again on reload. Its
# contents are not part of this post, so the effective ruleset is larger
# than what this file shows.
config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

# Rejects port 53 on bridge devices matching 'br-*' from any zone, but is
# switched off (enabled '0'), so it currently has no effect.
config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-*'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'
                                                
# IoT zone.
# NOTE(review): input 'ACCEPT' lets every IoT device reach every service
# running on the router itself (web UI, SSH, and so on), not just DHCP and
# DNS. The Allow-DHCP and Allow-DNS rules further down are redundant while
# this stays ACCEPT; they only become meaningful with input 'REJECT', which
# is the usual setting for a zone of untrusted devices.
config zone
        option name 'IOT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option input 'ACCEPT'
        list network 'IOT'

# Guest zone.
# NOTE(review): same exposure as IOT - input 'ACCEPT' gives guests access to
# all router services. No Guest-specific DHCP/DNS allow rules are visible in
# this part of the file; they would be needed before tightening input.
config zone
        option name 'Guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Guest'

# Uplink zone: unsolicited input is dropped, forwarding is rejected unless a
# 'forwarding' section or rule allows it, and outbound traffic is masqueraded.
# mtu_fix enables MSS clamping.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# IoT devices may reach the WAN uplinks.
config forwarding
        option src 'IOT'
        option dest 'wan'

# DHCP from IoT clients to the router (UDP/67-68). No 'dest', so this is an
# input rule.
config rule
        option name 'Allow-DHCP'
        option src 'IOT'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

# DNS from IoT clients to the router (TCP and UDP/53). Input rule as well.
config rule
        option name 'Allow-DNS'
        option src 'IOT'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
                                                
# Script includes are executed when the firewall is loaded and, with
# reload '1', on every reload. None of the scripts' contents appear in this
# post, so rules they add are invisible here; inspect the live ruleset
# (iptables-save or nft list ruleset) to see what is actually enforced.
config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

# Service-specific rules for SMB/NetBIOS (137-139, 445), ports 6000-6002 and
# port 6008. None has a 'dest', so they are input rules for the router itself.
# The three wan DROP rules duplicate the wan zone's input 'DROP' policy.
# NOTE(review): these four rules use 'dest_proto' with the value 'tcpudp'.
# The protocol option documented for firewall rules is 'proto' (for example
# 'tcp udp'); if 'dest_proto' is not recognised it is presumably ignored and
# the rules fall back to the default protocol match. Confirm against the
# firewall's startup warnings.
config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glnas_ser'
        option src 'wan'
        option dest_port '6000-6002'
        option dest_proto 'tcp'
        option target 'DROP'

config rule 'webdav_wan'
        option src 'wan'
        option dest_port '6008'
        option dest_proto 'tcp'
        option target 'DROP'

# NOTE(review): this include lives under /var, which on OpenWrt is normally
# a tmpfs location regenerated at runtime. Anything able to write there
# influences rules that are loaded with firewall privileges - verify which
# service generates the file.
config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'
                                                        
# Zone for the WireGuard tunnel (wg0): nothing arriving from the tunnel may
# reach the router or be forwarded, and outbound traffic is masqueraded.
# The only forwarding into this zone shown in the post is from 'Guest'.
# As long as no Guest -> wan forwarding is added, that is what keeps guest
# traffic from leaving unencrypted when the tunnel is down.
config zone
        option name 'vpnfirewall'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'
                                                        
config forwarding                                       
        option src 'Guest'                              
        option dest 'vpnfirewall'