ASUS RT-AC68U 21.2 to 22.3 upgrade fail. DSA?

Greetings,

Last I decide to take care of my upgrade backlog. So I flash 22.3. Didn't come out quite right:

  • My guest network is gone.
  • The Switch page is gone. And all the ports were bridged together...
    I start fiddling around. There are some device pages that a reminiscent of the switch page. I ended up making the router inaccessible. Reset, back to 21.2, restored settings - all good.

Now I understand there's this new (to me) DSA thing going around. And my router was migrated to it. So my guess is something with the DSA went sideways. I have another router (Acer Archer C7), and that one went through the upgrades without a problem.
(1) Should I expect the upgrade to seamlessly migrate to DSA?
(2) Should I do some prep work before upgrading to 22.3? My /etc/config/network is posted below. I really never looked at it before - did all through the UI. Is there something sub-optimal that could mess up the DSA conversion? Like why there's a br-lan device with a single port, and it's not referenced anywhere?

Thank you!
tjk :slight_smile:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd86:d36b:74e1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'
	option device 'eth0.1'

config device
	option name 'eth0.2'
	option ipv6 '0'
	option macaddr 'A4:2B:B0:AA:F8:1F'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option hostname '***********'
	list dns '192.168.222.12'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 1t 2'
	option description 'Private'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 0'
	option description 'ISP'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t 1t 3 4'
	option description 'Guest'

config interface 'glan'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.222.1'
	option netmask '255.255.255.0'

No. The migration from swconfig to DSA requires a reset-to-defaults as part of the process (i.e. do not keep settings, it will reset to defaults when it does the flash)

You must configure from scratch after this has been completed -- restoring a backup will soft-brick your device. Some (limited) things may be able to be manually copied into place, depending on the specifics (tell us what you want to preserve and we can advise accordingly).

The prep-work is really about making a backup of your previous configuration and understanding what your end-goal is for the functional aspects of your config (since you'll need to recreate the config).

Also, read up on DSA if you are implementing VLANs (or ask here in the forums for guidance).

Understood. Although I haven't come across a document that says reset-to-defaults is required. I am sure I've missed it. I did read that I can't upgrade from version 21 to 23 - have to go through 22 first. This also implies that the OpenWRT on my Archer (which I upgraded with settings through 19 -> 21 -> 22 -> 23) could very well be messed up somehow. Although it works as expected.

I do have VLAN and firewall setup. Fairly straightforward - should be easy to re-apply on a default install.

Cheers!
tjk :slight_smile:

Regarding keeping your config between upgrades...

In the case of n-1 > n upgrades, it is usually compatible unless there has been a major backend change cuch as swconfig > DSA (or ar71xx > ath79 that happened several years ago for that specific set of target devices).

Every recent release has stated that n-2 > n upgrades (as a single step) are not supported. This doesn't necessarily mean that it won't work, but it isn't tested and there isn't logic in the code to migrate config items where syntax may have changed, potentially leading to a soft-brick situation. Upgrading from n-3 and further back is increasingly more likely to cause major problems.

If you went through each n-1 > n upgrade along the way working up to the pressent version and didn't need to reset, you should probably be okay, espeically if everything is working as expected. If you run into issues, though, the syntax changes may be relevant and need verification.

If a device has transitioned to DSA, there will be a big warning when you attempt to run the upgrade saying that you cannot keep settings and that it is required to allow the upgrade process to reset to defaults.

If you've actually run the upgrades and haven't seen the warning, it means your device has not gone through the swconfig > dsa transition. (I didn't check to see if your device is on DSA or swconfig as of the latest).

@psherman,
Thank you for the pointers. I flashed the ASUS without restoring setting. Recovered my configs easily. Works. Mostly. I really was hoping I wouldn't need to bother you (or anyone)... The AC68U is the main router+firewall. It is also connected to an Archer C7 AP only. Ethernet port 1 on both is setup to be a vlan "trunk". Both vlan 1 and 3 should go over that cable. The C7 was already running v23. But now that trunk doesn't work. Nothing connected on the C7 can reach the AC68U. I am troubleshooting with wired connections - forget the wifi. I am fairly certain something on the AC68U isn't right. Used to work fine on v21 via switch based vlans, that were setup the same way.

The config doesn't look that complicated to me. Can you spot the error. Config follows (without the wan parts)

tjk :confused:

# Asus RT-AC68U

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8d:7074:7a33::/48'
	option packet_steering '1'

# Bridge over the four ethernet ports
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

# With couple of VLANs.
# lan1 is "trunk", tagged 1 and 3,
# connected to another OpenWRT AP Archer C7

# private vlan
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2'

# guest glan
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan3'
	list ports 'lan4'

# The interfaces
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'

config interface 'glan'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.222.1'
	option netmask '255.255.255.0'

# Wan stuff follows

Edit these to specify the untagged ports explicitly like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

Then try again. If it doesn't work, we'll dig deeper.

1 Like

Wow! Thanks for the prompt reply.

Made the change. Same situation.

However - something I didn't test before. I am able to reach the Archer C7 from a device (laptop) on the AC68U guest interface (vlan 3). But still can't "get out" of the Archer C7.

(I also went and check to made sure that "lan1" does indeed corresponds to its label on the ethernet jack.)

tjk :slight_smile:

Let's review the complete configuration of your main router (the AC68U):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here you go. I don't have config/wireless. No wifi support on AC68U.

# RT-AC68U /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8d:7074:7a33::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option macaddr '*************'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.222.12'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config interface 'glan'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.222.1'
	option netmask '255.255.25
# RT-AC68U /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/kolev.home/'
	option domain 'kolev.home'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.222.12'
	list rebind_domain 'plex.direct'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.222.12'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'glan'
	option interface 'glan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.222.12'

config domain
	option name 'modem'
	option ip '192.168.100.1'

config domain
	option name 'router'
	option ip '192.168.111.1'

config domain
	option name 'archerC7'
	option ip '192.168.111.21'

config domain
	option name 'archerC7g'
	option ip '192.168.222.21'

# A bunch of config domain and host follow
# RT-AC68U /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'glan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option dest 'wan'
	option target 'ACCEPT'
	option src '*'
	option name 'devicepass'
	list src_mac '*******:BA'
	list src_mac '*******:07'
	list src_mac '*******:3D'
	list src_mac '*******:BD'

config rule
	option name 'External DNS Block'
	option src '*'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'

config rule
	option src '*'
	list dest_ip '8.8.8.8'
	list dest_ip '8.8.4.4'
	list dest_ip '1.1.1.1'
	list dest_ip '1.0.0.1'
	list dest_ip '1.1.1.2'
	list dest_ip '1.0.0.2'
	option target 'REJECT'
	option name 'External DNS Servers Block'
	option dest 'wan'

tjk :expressionless:

Is there a copy/paste error, or is the netmask really truncated? It should look like this:

	option netmask '255.255.255.0'

What is this for?

Please try connecting a computer to port 2 to make sure it gets a DHCP lease in the main lan (192.168.111.0/24). Then test connectivity by testing pings to:

Then repeat the process on port 3, verifying that the computer gets a lease on the 192.168.222.0/24 network and has connectivity.

Sorry, copy/paste error. That was the last line, and I obviously didn't "grab" part of it. That won't work at all - missing closing tick. Here's the ending of config/network:

config interface 'glan'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.222.1'
	option netmask '255.255.255.0'

"devicepass" is a rule for some devices, that I let go out to the internet. Mostly because they had some issues with my local DNS (192.168.222.12 - AdBlocker), and didn't bother to investigate.

Here's the test info. Works as expected:

Testing laptop connected to AC68U with solid wires

lan2:
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.111.222  netmask 255.255.255.0  broadcast 192.168.111.255

~$ ping 139.59.210.197
PING 139.59.210.197 (139.59.210.197) 56(84) bytes of data.
64 bytes from 139.59.210.197: icmp_seq=1 ttl=49 time=121 ms
64 bytes from 139.59.210.197: icmp_seq=2 ttl=49 time=118 ms
64 bytes from 139.59.210.197: icmp_seq=3 ttl=49 time=121 ms

lan3:
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.222.222  netmask 255.255.255.0  broadcast 192.168.222.255

~$ ping 139.59.210.197
PING 139.59.210.197 (139.59.210.197) 56(84) bytes of data.
64 bytes from 139.59.210.197: icmp_seq=1 ttl=49 time=120 ms
64 bytes from 139.59.210.197: icmp_seq=2 ttl=49 time=119 ms
64 bytes from 139.59.210.197: icmp_seq=3 ttl=49 time=120 ms

tjk :slight_smile:

I guess I forgot to ping on the domain name. That worked fine as well connected to either port.

~$ ping forum.openwrt.org
PING forum.openwrt.org (139.59.210.197) 56(84) bytes of data.
64 bytes from forum-01.infra.openwrt.org (139.59.210.197): icmp_seq=1 ttl=49 time=124 ms
64 bytes from forum-01.infra.openwrt.org (139.59.210.197): icmp_seq=2 ttl=49 time=121 ms
64 bytes from forum-01.infra.openwrt.org (139.59.210.197): icmp_seq=3 ttl=49 time=130 ms

~$ nslookup forum.openwrt.org
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	forum.openwrt.org
Address: 139.59.210.197
Name:	forum.openwrt.org
Address: 2a03:b0c0:3:d0::168b:9001

tjk :slight_smile:

Ok. So everything appears to be working on the main router. Let’s look at the config from the ap.

All right. I have the following service disabled:

  • dnsmasq
  • firewall
  • odhcpd
# Archer C7 /etc/config/network
config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd6a:7987:ae87::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.111.21'
	option netmask '255.255.255.0'
	option gateway '192.168.111.1'
	option device 'br-lan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2t 3'
	option description 'private'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '3'
	option ports '6t 2t 4 5'
	option description 'guest'

config interface 'glan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.222.21'
	option gateway '192.168.222.1'
	option device 'br-glan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config device
	option name 'br-glan'
	option type 'bridge'
	list ports 'eth0.3'

# Archer C7 /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option country 'US'
	option htmode 'VHT40'
	option channel 'auto'
	option txpower '23'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option ssid '*******s'
	option key '*************'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option country 'US'
	option channel '9'
	option txpower '25'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option ssid '********t'
	option isolate '1'
	option key '*****************'
	option network 'glan'

# Acer C7 /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Acer C7 /et/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'glan'
	option output 'ACCEPT'
	list network 'glan'

config forwarding
	option dest 'glan'
	option src 'lan'

The Archer C7 ended up having both a switch page/setup and device/dsa one as well. I expected either one or the other. But this was the device that I've been upgrading from before v18 keeping settings along the way, and this is where it ended. And it was working fine with v21 on the AC68U.

tjk :slight_smile:

Generally, it’s best to only have one address on the dumb ap - that is usually the address of either the trusted lan or a management network. Which one would that be in your situation?

We want to repeat the test with the wired computer. Logical port 2 is your trunk. We would expect that when connecting a computer to logical port 3, your computer will get an address in the 111 network.

Likewise, logical ports 4 and 5 should result in an address in the 222 network.

Please test these.

No connectivity on either port to any network. Can't get an IP from the AC68U.
Here's how the sockets on the router match with the numbers in the config:

Archer C7 ports
CPU/eth1  CPU/eth0   lan1  lan2  lan3  lan4   wan
    0        6         2     3     4     5     1

One address on the AP? I don't have a management network, so then it would be the trusted lan. But I have two interfaces. So I make the guest lan without IP? Is that the idea?

The strange thing is that I can reach the Archer on either 111.21 or 222.21 when connected through the AC68U - either cable or wifi. Funny stuff.

At some point I also tried to do away with the br-lan an br-glan devices, and use eth0.3 and eth1.1 on the interfaces. Didn't work.

tjk :slight_smile:

hmmm... odd.

Yup. This protects the AP against users on the guest network.

Let's try this:
Reset your C7 to defaults and then post the network config from the default state. Be sure to unplug this from your main network and connect a computer directly to one of the lan ports to login to the router (192.168.1.1 is the default address).

# Archer C7 /etc/config/network after reset to defaults
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1f:d83b:ab7c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

tjk :slight_smile:

Ok... let's edit as follows;

For the swconfig, edit vlan1:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3'

Add vlan3

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2t 4 5'

create a glan bridge:

config device
	option name 'br-glan'
	option type 'bridge'
	list ports 'eth1.3'

Edit lan interface:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.111.21'
	option netmask '255.255.255.0'

create an unmanaged guest interface:

config interface 'glan'
	option device 'br-glan'
	option proto 'none'

Disable the DHCP server explicitly on the lan by adding the ignore line:

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

Restart and connect the AP to the upstream router. Then try the wired tests as we did before.

Same situation. I can't even ping the RT-AC68U (192.168.111.1), when connected on the C7. I still can reach the C7 when connected to the AC68U.

Peter,
I am very thankful you are helping me real time. But I feel I am starting to abuse your time. It's Sunday evening. I'll happily try any ideas you might have, but I suggest we... you(!) take a break. Nothing about the AP is urgent. I can downgrade it to v19 (no DSA), see if it works, and then check at what version it breaks. But I can do that on my own.

Have a great rest of the day - whatever is left of it for you.

Cheers!
tjk :slight_smile: