Bad network traffic, clients lose network connection, cannot change anything via LuCi - closed

For about 48 hours, since an update, I have had the problem that after the router is rebooted all clients gradually lose throughput over time until the network crashes.
If the network remains stable and I apply a change via the LuCi interface, all clients lose the network connection, and a reboot does not improve the situation.
Every morning there is a reboot; if nothing is changed on the system afterwards, the router works without problems and in good business quality...as long as nothing is changed anywhere via LuCi.
Before the update, the system ran flawlessly.
The updates were banip, adblock and kmod 2 days before.

Any idea?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
"kernel": "5.15.150",
	"hostname": "Belkin_RT3200",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"

root@Belkin_RT3200:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0c:8014:a938::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.152.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

root@Belkin_RT3200:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'DE'
	option cell_density '2'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid ********
	option encryption 'sae-mixed'
	option key **********

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option country 'DE'
	option cell_density '2'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid **********
	option encryption 'sae-mixed'
	option key *********

root@Belkin_RT3200:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '150'
	option limit '200'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Belkin-RT3200'
	list mac **********
	option ip '192.168.152.1'
	option leasetime 'infinite'


config host
	option name 'TrueNAS'
	option ip '192.168.152.3'
	option leasetime 'infinite'

...

config domain
	option name 'FritzBox_7390'
	option ip '192.168.150.1'

config domain
	option name 'Pi-hole_WG_FritBox'
	option ip '192.168.150.2'

root@Belkin_RT3200:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Reduce cell density to 1/normal ?

This is abnormal; remove the leasetimes. A week is good for fixed connections, an hour to a day for dynamic ones.


What do you mean by an update?
Did you reflash to 23.5.3 from an even earlier version? If so why not 23.5.4?

Or did you "update" some packages from a later version?


That's not good: the total (DHCP `start` plus `limit`) should not exceed 253.

That host entry is the router itself; it already has that IP address, so it is better to remove the entry.

sae-mixed for wireless security can sometimes be problematic; consider WPA2.


Of course these were package updates, not a release update.

Thanks a lot for your feedback - I will check your comments. However, my question is then why the above settings worked without errors before the package update, and how, except for the leasetime/WPA setup, these settings came to be set without my intervention?

Thank you for your feedback. Should I now simply switch the IP address to "undefine"?...where does the router then take the exact IP setting 192.168.152.1 from?

You can do consistent update with auc.

152.1 is configured statically in /etc/config/network.

Then this is almost certainly your problem. You should never "update" packages unless specifically recommended for a particular package.
Instead you should always reflash by one means or another, eg manually or via auc as @brada4 said.


Ok and thanks for the hint. My assumption was that if there is a new package release in LuCi under package update, this is NOT to be installed but to be checked via auc - what is the difference?

The kmod update didn't work your way? Or do you have a better idea?

The full story:
https://openwrt.org/docs/guide-user/installation/attended.sysupgrade


Short update:

I have corrected my faulty configuration according to the comments (see above), and I have also updated the system via the auc command. The current status of my router system has not changed: clients sometimes connect to the WLAN in isolated cases, but once in the WLAN there is no traffic to the Internet. I have reset the router (pulled the plug for 10 sec.) without positive effect.
I have not been able to find the root cause for the behavior of my router.
Thank you very much for your engagement and your support.

Neuro

Didn't talk about sysupgrade
talked about package updates...banip, adblock, kmod...

I specifically mentioned package updates. In general it is dangerous to update packages, particularly kmods.
The proper way to "update" OpenWrt is via sysupgrade.
You did it your own undisclosed way and broke your system.

Ah well, what else can I say?


Hi bluewavebet

I updated packages in the past via LuCi...without problems...
Sysupdates via Backup/Firmware update

I will now follow your update instructions via auc for future update activities.

Thx
Neuro