AP speeds dropped since ISP change

I have my OpenWrt (Archer C6 v3) in AP mode behind an OPNSense box. Everything was fine until recently, when I changed ISP. The speed is fine on ethernet, but wifi is about 10% of the total bandwidth, even on 5G. The previous ISP worked with a modem in bridge mode and PPPoE. The current one is an ONT with static IP.

Anything I can do to get a better bandwidth?

Thanks in advance.

So the PC in that picture gets full speeds?

  • What are the values you're getting?
  • How are you testing?
  • What are you paying for (ISP speed tier)?

And the wifi devices are getting much much slower speeds?

  • What are the values you're getting?
  • What kind of wifi client device(s) have you used?
  • How are you testing?

Does the ISP ONT have built-in router + wifi capabilities? If so, have you turned those features off?

Did you make any changes to your network aside from swapping out the internet connection at the top?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, the PC gets full speeds:

Wifi devices get less than half the speeds:

  • 111 Mbps DOWN / 75.5 Mbps UP
  • Smartphones
  • Speedtest native Android app

The ISP ONT is just a small box with fiber in and RJ-45 out. However, they did lend me a TP-Link wifi router, but I'm not using it because I can't flash OpenWrt on it.

I haven't changed the configuration of the OpenWrt router, but I had to change a setting on the OPNSense box to get Internet working, specifically to the WAN interface to be static IP instead of PPPoE.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer C6 v3",
        "board_name": "tplink,archer-c6-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc4:bae2:b84f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.9.6.100'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.9.6.1'
        list dns '10.9.6.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'lan1:t'

config interface 'guests'
        option proto 'none'
        option device 'br-lan.7'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '11'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'EC'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '161'
        option band '5g'
        option htmode 'VHT80'
        option txpower '18'
        option cell_density '0'
        option country 'EC'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'PERSONAL'
        option encryption 'sae'
        option key 'xxx'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUESTS'
        option encryption 'sae-mixed'
        option isolate '1'
        option key 'xxx'
        option network 'guests'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'PERSONAL'
        option encryption 'sae-mixed'
        option key 'xxx'
        option network 'lan'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

This is the speed you're paying for, but you're getting 1.5x the download speed and 3x the upload speed??

This sounds reasonable for many phones. What were your measured wifi speeds (using the same devices in the same locations within your home) with the previous ISP? When did you change ISPs and when did you do the last test with the old ISP?

A change of ISPs shouldn't affect things downstream of your router, so I'm not entirely certain that this is caused by the change. Further, since you're running a pfsense box in front of your OpenWrt dumb AP, there's really nothing that could have been affected by the new ISP installation on OpenWrt (since you said you haven't made any changes).

Yes, they told me that the speeds are "getting balanced", whatever that means. I'm taking advantage of the bug :laughing:

I was paying for 150 Mbps, and I was getting around 110 Mbps, same devices, same locations (I live in a small apartment), but the last test I did was probably a month ago? Can't say for sure... The new ISP came on Thursday, so just 3 days with them.

What about the upload speeds? It's like 10% of the total bandwidth, right? Also normal?

Sounds like you're getting the same wifi speeds as you did before. That means that the wifi is working the same as it was before, and contrary to your title, the AP speeds haven't dropped.

Well, 110Mbps is 44% of your rated 250Mbps ISP download speed. Yes, if you look at the 788Mbps upload speed you are apparently getting and then compare against the 75Mbps on wifi, that is indeed 10%, but the thing to look at is that 110/75 is in line with what is expected from many phones, which is your test device.

I would expect to see you get 250Mbps or higher from a high quality and recent laptop with a better radio system and higher power CPU.

Yes, you are right, my bad! I was expecting to get the same speeds of my PC, but apparently that won't be possible on my smartphone devices?

I forgot to say that my PC also has a wifi card, so I ran a test:

  • On 2.4G => 71.14 Mbps DOWN / 37.77 Mbps UP
  • On 5G => 262.95 Mbps DOWN / 249.17 Mbps UP

So, I guess there's really nothing wrong with my OpenWrt router? Except that I can't connect to the 5G network with WPA3 only security.

I see that the settings for your PERSONAL network are inconsistent on 2.4 GHz and 5 GHz bands. What could have happened is that a device remembered this AP as a WPA2 AP and now refuses to connect to the 5 GHz band.

You can use the Network > Wireless tab to disprove this - it shows to which radio each device is connected.

Please create a separate SSID on the 5 GHz card with WPA3-only security without replicating it in the 2.4 GHz band. On the phone, forget the old network and try to connect to the new one.

Some devices don't play well with WPA3... which devices are not connecting? Is this true of some or all of your devices?

I can connect to the WPA3-only SSID on my smartphones and my Linux PC, but not on my Windows 11 PC.

What are those inconsistencies? Should I correct the configuration?

Windows 11, at a software level, should certainly support WPA3. But it is possible that there is an issue with your wifi hardware in that device. I don't really know. Try WPA2 and see if that works. You may also need to see if Windows can "forget" the SSID and password so that you can re-enter it. If the problem persists, it's probably worth a new thread to figure out the problem with your WPA3 connection.

Meanwhile... on this specific topic (wifi speed), I think we agree that there wasn't really an issue:

And with that in mind...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


I'll try to find more info on the WPA3 matter.

Thanks a lot for your time P!

I had trouble with wpa3 and windows and figured out that it was because I had switched "802.11w Management Frame Protection" to required. My Lenovo smart screen (Android) and my Windows 10 laptops would not connect. I checked the drivers for windows and the version I had said it was compatible with wpa3, but when I switched 802.11w back to optional Windows was happy again.

I think the Lenovo device still wouldn't connect with 802.11w off/optional, so it seems it didn't like wpa3 at all. I switched to wpa3/wpa3 mixed mode with 802.11w as optional and the windows laptops connect using wpa3 (and many other devices) while the Lenovo smart screen connects using wpa2.

My Android 13 Motorola phone was happy with any of the above settings.
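
The encryption mismatch pointed out earlier in the thread (the same SSID using sae on one radio and sae-mixed on the other) and the "802.11w required" setting described in the post above can both be spotted from a copy of /etc/config/wireless. This is an added example, not part of any post: the function names are hypothetical, the sample sections are abridged from the config posted in the thread, and the `ieee80211w '2'` line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt wireless config for
# SSIDs whose encryption differs between radios, and list required 802.11w.

audit_wireless() {   # $1 = path to a copy of /etc/config/wireless
    awk -v q="'" '
    function emit() {
        if (type != "wifi-iface" || o["ssid"] == "") return
        s = o["ssid"]; e = (o["encryption"] == "" ? "none" : o["encryption"])
        if (!(s in seen)) { seen[s] = e; order[++n] = s }
        else if (seen[s] != e) bad[s] = 1
        detail[s] = detail[s] " " o["device"] "=" e
        if (o["ieee80211w"] == "2") mfp[++m] = s " on " o["device"]
    }
    /^[ \t]*config[ \t]/ { emit(); split("", o); type = $2; next }
    /^[ \t]*option[ \t]/ {
        key = $2; val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub("^" q "|" q "$", "", val)      # strip the quotes UCI writes
        o[key] = val
    }
    END {
        emit()
        for (i = 1; i <= n; i++)
            if (order[i] in bad) print "MISMATCH " order[i] ":" detail[order[i]]
        for (i = 1; i <= m; i++) print "MFP-REQUIRED " mfp[i]
    }' "$1"
}

sample_config() {   # iface sections from the thread; ieee80211w line is constructed
    cat <<'EOF'
config wifi-iface 'default_radio1'
        option device 'radio1'
        option ssid 'PERSONAL'
        option encryption 'sae'
config wifi-iface 'wifinet4'
        option device 'radio1'
        option ssid 'GUESTS'
        option encryption 'sae-mixed'
        option ieee80211w '2'
config wifi-iface 'wifinet2'
        option device 'radio0'
        option ssid 'PERSONAL'
        option encryption 'sae-mixed'
EOF
}

f=$(mktemp) && sample_config > "$f" && audit_wireless "$f"; rm -f "$f"
```

On the router itself, call `audit_wireless /etc/config/wireless`; an empty result means every SSID uses one encryption mode on all radios and no interface forces 802.11w.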

Yes, having sae-mixed on 2.4 GHz and sae on 5 GHz is bad and needs to be made the same.


Sorry to revive this thread, but I was recalling that the ISP people tested the speed on their smartphone and it was 300 Mbps (with their router). So how can my smartphone not be able to reach those speeds? It's not the most up-to-date, but not an ancient one either...

Some smartphones (e.g., Poco X4 Pro) have two WiFi antennas, while the majority have only one. That's why the speed difference.

Two screenshots of the Associated Stations section of Network > Wireless would help debug the issue. One screenshot should be taken with the phone in its usual location and another in perfect conditions (1.5m from the AP).


The design and number of antennas can be important, of course, but so is the entire system design... so that includes the generation of the wifi chip and the bandwidth that it can deliver as well as the SoC and its processing performance for network bandwidth when sourcing and/or sinking packets.

The higher bandwidth wifi chipsets are more expensive than the lower bandwidth ones... that's why a Pi4 (with a super low end wifi chip but enough processor to handle the packets) will always be far slower than any decent laptop from the same time frame. Conversely, a high quality consumer wifi router may be able to route packets at line rate, but may be greatly limited when it comes to on-device bandwidth tests due to weak general purpose CPUs (consider the ER-X or the USG from Ubiquiti -- they can both route at 1Gbps, but on-device speed tests are limited to about 250Mbps for processor intensive tasks).


I've enabled the 5GHz band only. So I guess my phone was the bottleneck. I didn't measure the speeds on my wife's phone before, that way I could've noticed. Sorry for the inexperience guys :frowning:

So you are using the 40 MHz bandwidth. That gives you half the throughput of what is available. The standard bandwidth is 80 MHz in the 5 GHz band, with some devices supporting 160 MHz, but this is unreliable due to DFS and implementation deficiencies.

Note that the channel number has to be correctly rounded in order to use 80 or 160 MHz. If in doubt and not living near an airport, set the country code correctly and, if it is permitted, try channel 100. Note that it is a DFS channel, so the AP will be inaccessible for a minute due to checking for radars.