Apple Devices connect to WiFi but cannot reach Internet

Bug

Freshly set up Linksys EA8300 on the latest stable release. WiFi issue with my two (older) Apple devices on the 2.4 GHz WiFi. Devices are a Mac circa 2013 and an iPhone circa 2019. All Windows/Linux devices have no issues on the WiFi. The Apple devices can see the WiFi, connect to it, but cannot actually see anything on the internet while connected. They don't ever disconnect/drop from the WiFi and are visible as devices on LuCI. I’m not an Apple person so the test for internet connection is simply trying to reach websites via the browser.

OpenWrt version

24.10.5

Setup

First time setup on EA8300 via Luci. Setup requires V23.05.00 first, then update to router config via SSH, then installed latest stable release. Process here if needed https://openwrt.org/toh/linksys/ea8300
Here’s all I did on my device:

Login (all work below via LUCI)
changed LAN IP from default
Set administrator password

installed software: advanced reboot, adguard lite, sysupgrade, and irqbalance

(Note adguard lite was disabled from boot, stopped, and router rebooted to confirm it wasn’t causing this issue. I even switched to another partition that never had adguard lite installed, didn’t help.)

Set up 2.4 GHz and 5 GHz radios onto new guest interface. Guest interface intended to be ‘Guest Network’, i.e. clients only have access to Internet and neither each other, nor the local network. Guest network allows traffic on port 53 for IPv4 and IPv6 and on port 67 for IPv4 and IPv6 via UDP.

Wireless→Network then edit for the 2.4 GHz radio set to whatever settings desired for security etc.

Did the same for one of the 2 5 GHz radios but they're not relevant to the issue.

What I've Tried

Trying to keep this short, a version of this issue appears to be common, see links below for related ones I’ve been reading. Based on said links, below are all the configuration changes I’ve tried. Between setting changes I shut the device's Wi-Fi off and turned it back on. I occasionally would forget the network and re-add it but I didn’t do that every time, only on the settings I thought most likely to work. The thing that confuses me the most is that neither device could connect to the internet even when I set the channel to unencrypted. With some configurations they could no longer connect to the WiFi but usually they could still connect to WiFi but not the internet. Both devices work as I can go back to my original router (on OEM firmware, different hardware) and they can get to the internet just fine.

All of these settings are found in Network→Wireless then edit for the 2.4 GHz radio I’m using.

Operating Frequency:
I’ve tried mode N and legacy
With N I’ve tried most configurations with width always at 20 MHz

I’ve enabled/disabled “Allow Legacy 802.11b rates”

WMM Mode I’ve tried on and off, typically leave it on now.

Encryption: I’ve tried every encryption combination on here I can including unencrypted. The links have consensus around WPA2 alone (NOT mixed) being the desired choice so it’s my usual choice. (Note the oldest Mac says it uses “WPA2-Personal” if that helps anyone)

802.11w Management Frame Protection - supposedly must be set to “Optional” (default is disabled)

Disable Inactivity Polling is disabled - one source insisted this was required, no one else said anything about it.

Isolate Clients is enabled, this is not for the bug but intended ‘guest’ network function.

Disassociate On Low Acknowledgement is disabled

802.11r Fast Transition “Roaming” was disabled by default and I didn’t touch it, lot of people said this was a huge issue if enabled but doesn't apply?

I'm out of ideas, does anyone have any thoughts?

list of somewhat similar cases:

https://www.reddit.com/r/openwrt/comments/1ka8kl0/openwrt_vs_apple/

https://www.reddit.com/r/openwrt/comments/169wx3h/iphone_se_unable_to_connect_openwrt_ap/

let's start by looking at your complete config.

Also, please confirm that other devices are able to connect via wireless and that they can use the internet.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, two android phones are currently on the same 2.4Ghz WiFi and are currently on the internet.

I think I've redacted this properly but I'm not sure. [REDACTED] was placed where the original info was in case I made a mistake, let me know.

BusyBox v1.36.1 (2025-12-17 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.5, r29087-d9c5716d1d
 -----------------------------------------------------
 ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA8300 (Dallas)",
        "board_name": "linksys,ea8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
 cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '[REDACTED]'
        option netmask '[REDACTED]'

config globals 'globals'
        option ula_prefix '[REDACTED]'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '[REDACTED]'

config device
        option name 'lan2'
        option macaddr '[REDACTED]'

config device
        option name 'lan3'
        option macaddr '[REDACTED]'

config device
        option name 'lan4'
        option macaddr '[REDACTED]'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-Guest-Int'
        option bridge_empty '1'

config interface 'Guest_Interface'
        option proto 'static'
        option device 'br-Guest-Int'
        option ipaddr '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'Local_Only'
        option proto 'static'
        option ipaddr '10.40.1.0'
        option netmask '255.255.255.0'

 cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '100'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'sae-mixed'
        option key '[REDACTED]'
        option ocv '0'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option channel 'auto'
        option cell_density '0'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'Guest_Interface'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2+ccmp'
        option key '[REDACTED]'
        option isolate '1'
        option ieee80211w '1'
        option ocv '0'
        option disassoc_low_ack '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'Guest_Interface'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'sae'
        option key '[REDACTED]'
        option ocv '0'
        option isolate '1'

 cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        list addnmount '/bin/busybox'
        list addnmount '/var/run/adblock-lean/abl-blocklist.gz'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'Guest_Interface'
        option interface 'Guest_Interface'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'Local_Only'
        option interface 'Local_Only'
        option start '100'
        option limit '150'
        option leasetime '12h'

 cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Guest_Zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest_Interface'

config forwarding
        option src 'Guest_Zone'
        option dest 'wan'

config rule
        option src 'Guest_Zone'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'Guest_Zone'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

 cat /etc/config/wireless

These are wrong:

  • The guest interface gateway should be removed.
  • Both ip addresses are invalid -- the 0 address on a /24 network refers to the network, but is not a valid host address. Use the .1 address instead.
  • The Local_Only network doesn't seem to connect to anything (i.e. no physical or virtual interfaces). What is that for?

In the wireless file...

Obviously this radio is currently disabled. That said, it's best to avoid DFS channels if you can.

This is also disabled, but don't use sae-mixed. Choose either WPA2 (psk2) or WPA3 (sae). Mixed mode can cause problems.

Remove the 802.11w line.
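
As an added example (not part of any post in this thread), a shell check for the two address problems called out in the reply above: a static interface whose ipaddr is the network or broadcast address of its subnet, and a static interface carrying a gateway option. The function names and the sample config are constructed for illustration, with values taken from the posted /etc/config/network; reporting every static interface that has a gateway is an assumption that fits this config, where WAN uses DHCP.

```shell
#!/bin/sh
# ip_to_int A.B.C.D -> 32-bit integer on stdout
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# classify_addr IP NETMASK -> prints network | broadcast | host
# (meaningful for /30 and shorter prefixes; /31 and /32 reserve no addresses)
classify_addr() {
    ip_n=$(ip_to_int "$1"); mask_n=$(ip_to_int "$2")
    net_n=$(( $ip_n & $mask_n ))
    bcast_n=$(( $net_n | (~$mask_n & 0xFFFFFFFF) ))
    if [ "$ip_n" -eq "$net_n" ]; then echo network
    elif [ "$ip_n" -eq "$bcast_n" ]; then echo broadcast
    else echo host; fi
}

# Reads a UCI network config on stdin and prints "name ip mask gateway"
# for each static interface section ("-" means the option is not set).
list_static_ifaces() {
    awk -v q="'" '
        function d(v) { return v == "" ? "-" : v }
        function emit() {
            if (name != "" && o["proto"] == "static" && o["ipaddr"] != "")
                print name, o["ipaddr"], d(o["netmask"]), d(o["gateway"])
            split("", o)                      # clear options for next section
        }
        { gsub(q, "") }                       # strip UCI single quotes
        $1 == "config" { emit(); name = ($2 == "interface") ? $3 : "" }
        $1 == "option" { o[$2] = $3 }
        END { emit() }'
}

# Reads a UCI network config on stdin and prints one line per finding.
check_uci_network() {
    list_static_ifaces | while read -r name ip mask gw; do
        if [ "$gw" != "-" ]; then echo "$name: gateway $gw set on a static interface"; fi
        case "$ip$mask" in *[!0-9.]*) continue ;; esac   # redacted or unset value
        kind=$(classify_addr "$ip" "$mask")
        if [ "$kind" != host ]; then echo "$name: ipaddr $ip is the $kind address"; fi
    done
}

# Constructed sample: two sections with the values shown in the posted config.
sample_config() {
    printf '%s\n' \
        "config interface 'lan'" "  option proto 'static'" \
        "  option ipaddr '192.168.0.1'" "  option netmask '255.255.255.0'" \
        "config interface 'Guest_Interface'" "  option proto 'static'" \
        "  option ipaddr '192.168.2.0'" "  option netmask '255.255.255.0'" \
        "  option gateway '192.168.0.1'"
}

sample_config | check_uci_network
```

On a router the same check runs as check_uci_network < /etc/config/network; sections with redacted or missing addresses are skipped for the address test.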

DDR is broken with apple and openwrt, adguard home etc. to my knowledge. Make sure you don't use it.

Probably remove option type 'bridge'

Furthermore set correct country codes on all radios

That might not be sufficient. To be really sure that iOS starts with a well known fresh blank network config, especially when you have migrated access point hardware or access point config, while keeping older SSID and passphrase, you need to reset the network settings on the iOS client.

You don’t have to do this every time you make access point changes. But I would try it once, if you face WiFi problems.

Hey all! I got it working! Details below but if that's all you wanted thanks for the help!

I implemented almost all of the above suggestions, but I'm guessing it was the fact I hadn't set a country code for the radios. It's either that or the network interface changes psherman suggested. Those were the only changes made I hadn't done before. I can't figure out how to embed quotes in this reply from each of you so I'll respond to each by itself I guess...

I removed the gateway like you said and changed the IPs to end in .1. This may also have been the solution...it's either that or the radio country code I think. I did also remove the 802.11w line like you requested but I'd turned that off and on numerous times yesterday. In LuCI that setting is 'disabled' vs 'Optional' and many had insisted it be set to 'Optional' over 'Disabled'

Local_Only Interface is for future work, doesn't do anything right now and I also explicitly disabled it.

What did you mean about radio 0, specifically "That said, it's best to avoid DFS channels if you can." What does that mean?

The WAN interface configuration was default, I didn't touch it, what would removing Option type bridge do?

Good catch on the country codes, I'm wondering if that was it!

A bridge usually belongs to a device and not to an interface.
A bridge is used to connect more interfaces like your br-lan.
As there is only one wan port a bridge is not applicable here.

Are you sure that that is the default?

Make a backup of your settings before removing just in case