AP not forwarding DHCPOFFER?

felichas · May 5, 2026, 6:18pm

Old modem-router here running as a Dumb AP.

It is running latest openwrt version: 25.12.2.
It was configured diferently, but a few days ago I reset its configuration,
and I followed the dumb AP documentation

The network is simple:
internet <--- gateway (wan+lan+wifi+DHCPd) <---> AP (lan+wifi) <---> laptop

Gateway is a GL-iNet device running GL-iNet firmware.
AP is Comtrend AR-5387un (target: bmips/bcm6328) running OpenWrt 25.12.2
Laptop is linux.
I also have a DNS server in another host, but I don't think it is relevant here.

My problem: connect to AP's wifi after being connected to GW's wifi.
Connection is ok, but AP's bridge does not work as expected:

From inside the AP (ssh): I can ping lan and wan hosts.
Laptop connected to the AP via eth: I get IP, I can ping lan and wan hosts.
Laptop connected to the AP via wifi: I do NOT get IP.
Laptop connected to the AP via wifi, using static IP: I can ping the AP, but nothing else.

Also:

Laptop connected to the GW via wifi always works: I get IP, I can ping lan and wan hosts.

Test 1:

Laptop disconnected for a couple minutes
Connect to GW: all ok
Conect to AP: NOT ok (as described above)

Test 2:

Laptop disconnected for a couple minutes
Conect to AP: all ok
Connect to GW: all ok
Conect to AP: NOT ok (as described above)

The problem shows up when I connect to the AP after being connected to the GW.
If I wait disconnected long enough, it works.

frollic · May 5, 2026, 6:23pm

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

felichas · May 5, 2026, 7:50pm

ubus call system board:

	"kernel": "6.12.74",
	"hostname": "jazztel-comtrend",
	"system": "Generic BMIPS kernel",
	"model": "Comtrend AR-5387un",
	"board_name": "comtrend,ar-5387un",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "bmips/bcm6328",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"

Relevant config files:

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004d409432ffa6746e39e7bb80e022e2e09'
	option ula_prefix 'xxxxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'
	list dns '192.168.1.3'
	option multipath 'off'
	list ipaddr '192.168.1.2/24'



# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0/bcma0:1'
	option band '2g'
	option channel '1'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'myssid'
	option encryption 'sae-mixed'
	option key 'mypwd'
	option ocv '0'



# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'disabled'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'



# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

psherman · May 5, 2026, 7:55pm

Which port is used to connect to the upstream network?

felichas · May 5, 2026, 8:16pm

lan4 is used to connect upstream.

By default, the router has 4 lan interfaces only. No wan interfaces (wan was vdsl, I guess).

In the past I have segregated one of them as wan, creating a vlan for it, but not for this dumb ap installation.

I noticed the wan area exists in the firewall configuration, but when you reset the router’s configuration, wan/wan6 interface don’t get created. And I have not added them.

psherman · May 5, 2026, 8:23pm

Just to make sure everything upstream is working properly, unplug the cable from port lan4 and connect it to a computer instead. Does that device get an IP address via DHCP?

If that works, plug the cable back into port lan4 and then connect your computer to one of the other lan ports (lan1-lan3) and check to see if it gets an IP.

If ethernet works all around, that means the issue is related to the wifi config, and we can dig deeper into that.

felichas · May 5, 2026, 8:37pm

Yes it does.

Yes, it gets an IP and works fine.
Laptop connected to the AP via eth: I get IP, I can ping lan and wan hosts.

On top of that, I have tested changing the uplink cable to another ethernet socket and I can reproduce the problem.

psherman · May 5, 2026, 8:56pm

It shouldn't matter, but have you tried changing this to either sae (WPA3) or psk2 (WPA2)? Mixed mode operation is not recommended.

felichas · May 5, 2026, 9:04pm

No, I haven't, but I don't think it will make a difference, because I don't have a problem connecting. The 4-way handshake completes fine:

Troubleshooting when NOT ok:

In the AP, I can see the association laptop<>AP succeed:

Tue May  5 17:35:27 2026 daemon.info hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 IEEE 802.11: associated (aid 1)
Tue May  5 17:35:27 2026 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 98:59:7a:e6:33:34 auth_alg=sae
Tue May  5 17:35:27 2026 daemon.info hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 WPA: pairwise key handshake completed (RSN)
Tue May  5 17:35:27 2026 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED 98:59:7a:e6:33:34

And right after that, in the GW, I see DHCPDISCOVER requests arriving, and the gateway responding with DHCPOFFER.

Tue May  5 17:35:27 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 98:59:7a:e6:33:34
Tue May  5 17:35:27 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 17:35:30 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 98:59:7a:e6:33:34
Tue May  5 17:35:30 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 17:35:34 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 98:59:7a:e6:33:34
Tue May  5 17:35:34 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34

Tue May  5 19:53:09 2026 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:09 2026 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.131 98:59:7a:e6:33:34 mylaptop
Tue May  5 19:53:11 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:11 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:14 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:14 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:18 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:18 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:27 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:27 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:43 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Tue May  5 19:53:43 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34

And finally, when I disconnect from the AP, I can see the disconection too in the logs.

Tue May 5 17:35:35 2026 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED 98:59:7a:e6:33:34

felichas · May 6, 2026, 11:30am

I downgraded to WPA2

wireless.default_radio0.encryption='psk2'

But the results haven't changed:
AP logs:

Wed May  6 13:19:03 2026 daemon.notice hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 IEEE 802.11: did not acknowledge authentication response
Wed May  6 13:19:03 2026 daemon.info hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 IEEE 802.11: authenticated
Wed May  6 13:19:03 2026 daemon.info hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 IEEE 802.11: associated (aid 2)
Wed May  6 13:19:03 2026 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 98:59:7a:e6:33:34 auth_alg=open
Wed May  6 13:19:03 2026 daemon.info hostapd: phy0-ap0: STA 98:59:7a:e6:33:34 WPA: pairwise key handshake completed (RSN)
Wed May  6 13:19:03 2026 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED 98:59:7a:e6:33:34
Wed May  6 13:19:48 2026 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED 98:59:7a:e6:33:34

GW logs:

Wed May  6 13:19:03 2026 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 98:59:7a:e6:33:34
Wed May  6 13:19:03 2026 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:03 2026 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.131 98:59:7a:e6:33:34 mylaptop
Wed May  6 13:19:05 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:05 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:08 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:08 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:12 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:12 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:20 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:20 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:37 2026 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 192.168.1.131 98:59:7a:e6:33:34
Wed May  6 13:19:37 2026 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.131 98:59:7a:e6:33:34

My cronological explanation:

AP-STA-DISCONNECTED we see on GW (laptop was connected to GW when we asked it to change and connect to AP.
All the 13:19:03 logs seen on AP (laptop stablishing wireless connection)
The rest of the logs from GW (GW receiving DHCP requests from laptop and servicing them with DHCPOFFER
the AP-STA-DISCONNECTED in AP logs (Laptop disconnects after 5 DHCP registration attempts without a response).

felichas · May 6, 2026, 4:23pm

I think I have narrowed the problem a bit.
Thank you maelkoth72 for your PM that made me put order in my thoughs.

In one of my tests I set a static IP to the laptop and connect to AP. I can ping AP, but nothing past it. This combined with the GW logs that show DHCPREQUEST arriving and DHCPOFFER being sent out, leads me to believe this is a layer 2 problem. Mac address cache or proxy arp?

So I timed how long the laptop needs to be disconnected from GW's wifi before it can connect successfully to AP's wifi.

I thought it was in the couple minutes range... but it happens to be 1minute.
Not sure if they are related, but linux (and openwrt) have a default aging time of 60 seconds before an ARP entry is considered stale by the kernel and will have to be revalidated before using it.

# cat /proc/sys/net/ipv4/neigh/default/gc_stale_time
60

But I still cannot roam freely and expect the devices would behave correctly.

psherman · May 6, 2026, 5:39pm

There's nothing in your config that would be likely to cause these problems, so I can't quite explain what is happening.

That said, from time to time we have seen cases where something unknown is causing an issue like this... the fastest and easiest way to fix it is often to re-flash the router -- resetting to defaults during that process - and then setup as a bridged AP again.

Grab the standard/default sysupgrade image and install it. Uncheck the "keep settings" box (or use the -n argument on the CLI) so that the system resets to default.

Then follow the bridged AP guide:

And test again.

egc · May 6, 2026, 5:46pm

The router used seems to be a very old Broadcom device:

There is a disclaimer on that page regarding the used Broadcom wifi chipset, maybe related?

felichas · May 6, 2026, 6:22pm

It wouldn't surprise me, tbh.

I have nothing to loose and 25.12.3 is almost out.
But I don't have a lot of faith on it, because that's how Installed it only a week ago.
I'll cross fingers while flashing it, LOL.

pavelgl · May 6, 2026, 7:31pm

When you move from the GW to the AP via wireless, the laptop's (wireless card) MAC address moves to another (wired, not wireless) interface member of the GL-iNet bridge, so you need to wait for the GL-iNet bridge aging time to expire.

The laptop's ethernet port has a different MAC address than the wireless interface, so it always works.

Run on the GL-iNet brctl setageing <bridge_name> 0 to see if it makes a difference.

_bernd · May 6, 2026, 8:18pm

Have you set any of these two?

felichas · May 6, 2026, 9:28pm

Not specifically, no.
The device has a default 25.12.2 configuration + official openwrt documentation for bridgedap applied manually + a little script that I use to do some basic "system" configuration (hostname, https, theme, etc.).

felichas · May 6, 2026, 9:41pm

# cat /sys/class/net/br-lan/bridge/ageing_time
30000
# brctl setageing br-lan 0
# cat /sys/class/net/br-lan/bridge/ageing_time
0

But the behaviour does not change.

As both GW and AP run openwrt, I have done the change in both, but the behaviour didn't change.