AX3600 DumbAP sysupgrade to 24.10: luci/ssh not accessible anymore

sajty · February 9, 2025, 6:48am

I have a Xiaomi AX3600: https://openwrt.org/toh/xiaomi/ax3600
I'm using pfSense as a firewall and multiWan load balancer, while using openwrt router as a dumbAP.

pfSense: 192.168.0.1 (DHCP server for range 192.168.0.100-200)
AX3600 with OpenWrt: 192.168.0.2 (static ip)

Everything worked on 23.05.5, but after sysupgrade to 24.10.0, luci/ssh to the router became unavailable. The mac address of the router doesnt show up in the ARP table on the pfsense firewall and no device is using 192.168.0.2 IP.

Wifi works and wifi devices are getting an IP assigned by pfSense's DHCP server.

How should I recover from this situation (if possible without loosing network settings on the router)?

psherman · February 9, 2025, 6:51am

Try failsafe mode to either evaluate the config files or reset the device to defaults. From there, you can either fix any possible errors in the config or configure it again from scratch.

https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

If you want us to review your configs to see if we can spot the issue, don't perform the factory reset, but rather use failsafe to grab the files:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

sajty · February 9, 2025, 4:30pm

Thanks, I managed to save configurations and reset settings in failsafe mode!
However, when using same settings as before, it still works.
My theory is that I disabled many services including firewall on the dumbAP and the sysupgrade reenabled the services?

The firewall config looked suspicious, so reenabling the firewall during sysupgrade may have caused problems:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

psherman · February 9, 2025, 4:34pm

Yes. The firewall should usually be left alone - there is no reason to edit the firewall file on an AP. Nor is there a reason to disable the firewall. These are common mistakes that do cause people to get locked out.

That said, the input rule is the problem. Set it to accept and you won’t have the issue again.

Likewise, dnsmasq (service) doesn’t need to be disabled, but the dhcp server on the lan interface should be explicitly set to ignore.

system · February 19, 2025, 4:34pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.