DHCP ACKs and OFFERs not received on bridged APD

I reflashed a WRT3200ACM that had been running OpenWRT 17 or 18 with OpenWrt 23.05.0, r23497-6637af95aa. I followed the OpenWRT Wiki on a "dumb APD". That seemed to work.

I want my main server to provide DNS, DHCP, etc. to clients all over my network, including a WiFi connected laptop. Unfortunately, that laptop takes a very long time, upwards of a minute, to acquire an IPv4 address via DHCP.

I've tried both ISC dhcpd and ISC kea-dhcp4 on the server, with the same results.

I've run tcpdump on the server's ethernet interface to the WRT3200ACM, and on the laptop's WiFi interface.

What laptop tcpdump sees:

20:54:15.948277 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:20.616558 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:20.970884 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:25.870750 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:34.607112 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:50.977532 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:23.559207 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.260413 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:24.260880 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.924406 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:24.924912 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 28
20:55:26.018362 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 28
20:55:27.814473 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 28
20:55:29.818136 ARP, Request who-has 172.24.0.6 tell 172.24.0.6, length 28
20:55:31.820408 ARP, Request who-has 172.24.0.6 tell 172.24.0.6, length 28

1 minute, 8 seconds until some kind of DHCP response shows up.

Here's what tcpdump on the server sees. This should be what goes between server and OpenWRT on an ethernet cable:

20:54:16.269412 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:16.270587 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:21.130225 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:21.130277 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:21.131097 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:21.131369 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:26.380841 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:26.381790 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:35.113377 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:35.114344 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:51.488104 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:51.489158 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:08.673440 IP 172.24.0.14.33565 > 162.159.200.1.123: NTPv4, Client, length 48
20:55:08.679939 IP 162.159.200.1.123 > 172.24.0.14.33565: NTPv4, Server, length 48
20:55:10.682217 IP 172.24.0.14.43714 > 216.218.254.202.123: NTPv4, Client, length 48
20:55:10.682234 IP 172.24.0.14.36376 > 45.83.234.123.123: NTPv4, Client, length 48
20:55:10.712630 IP 216.218.254.202.123 > 172.24.0.14.43714: NTPv4, Server, length 48
20:55:10.813247 IP 45.83.234.123.123 > 172.24.0.14.36376: NTPv4, Server, length 48
20:55:13.713368 ARP, Request who-has 172.24.0.1 tell 172.24.0.14, length 46
20:55:13.713396 ARP, Reply 172.24.0.1 is-at 20:7c:14:f3:83:02, length 28
20:55:13.848885 ARP, Request who-has 172.24.0.14 tell 172.24.0.1, length 28
20:55:13.849040 ARP, Reply 172.24.0.14 is-at 30:23:03:dc:86:48, length 46
20:55:22.823430 IP 172.24.0.14.56063 > 162.159.200.123.123: NTPv4, Client, length 48
20:55:22.830530 IP 162.159.200.123.123 > 172.24.0.14.56063: NTPv4, Server, length 48
20:55:24.060214 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.061029 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:24.761420 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.762510 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:25.425864 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 46
20:55:26.518921 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 46
20:55:28.321633 ARP, Request who-has 172.24.0.6 tell 0.0.0.0, length 46
20:55:30.362328 ARP, Request who-has 172.24.0.6 tell 172.24.0.6, length 46
20:55:32.344519 ARP, Request who-has 172.24.0.6 tell 172.24.0.6, length 46

One or more replies to every request.

The kea-dhcp4 log file from the server shows it receives DHCP requests, like the server tcpdump says.

The dhcpcd log file shows it does not get any ACKs or OFFERs, just like tcpdump on the laptop says.

I cannot figure out why DHCP OFFERs or ACKs don't make it through the bridged "dumb APD". There are similar topics, but they don't seem to match some specifics. I don't remember having this problem with the previous OpenWRT version, so I think it's something new.
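The comparison made in the post above (every request answered at the server, almost none at the laptop) can be scripted so it is repeatable after each configuration change. This is an added example, not part of the original post: the sample lines are excerpted from the two captures above, and the function names and the 1-second answer window are assumptions.

```python
import re
# Lines excerpted from the laptop and server tcpdump captures posted above.
LAPTOP = """\
20:54:15.948277 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:20.616558 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:23.559207 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.260413 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:24.260880 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.924406 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
"""
SERVER = """\
20:54:16.269412 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:16.270587 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:54:21.130225 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:54:21.131097 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
20:55:24.060214 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:37:45:50:60:0a, length 300
20:55:24.061029 IP 172.24.0.1.67 > 172.24.0.6.68: BOOTP/DHCP, Reply, length 334
"""

DHCP = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \S+ > \S+ BOOTP/DHCP, (Request|Reply)")

def dhcp_events(capture):
    """Return (seconds_since_midnight, kind) for each DHCP line of tcpdump text."""
    events = []
    for line in capture.splitlines():
        m = DHCP.match(line.strip())
        if m:
            h, mi, s, kind = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + float(s), kind))
    return events

def summarize(capture, window=1.0):
    """Count requests that see no reply within `window` seconds (assumed threshold)."""
    events = dhcp_events(capture)
    requests = [t for t, k in events if k == "Request"]
    replies = [t for t, k in events if k == "Reply"]
    unanswered = sum(1 for r in requests if not any(0 <= p - r <= window for p in replies))
    delay = replies[0] - requests[0] if requests and replies else None
    return {"requests": len(requests), "replies": len(replies),
            "unanswered": unanswered, "first_reply_delay": delay}

def locate_loss(server_capture, client_capture):
    """Judge each capture against its own clock only; the two hosts are not synchronized."""
    srv, cli = summarize(server_capture), summarize(client_capture)
    if srv["requests"] == 0:
        return "requests never reach the server"
    if srv["unanswered"] > 0:
        return "server is not answering every request"
    if cli["unanswered"] > 0:
        return "replies leave the server but are lost before the client"
    return "no loss observed"

if __name__ == "__main__":
    print(summarize(SERVER), summarize(LAPTOP), locate_loss(SERVER, LAPTOP))
```

Feed it the full text output of both captures to get the counts for a whole session rather than the excerpt.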

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here's all the config files requested by the bot.
I've turned off dnsmasq, firewall, odhcpd:

root@OpenWrt:~# /etc/init.d/dnsmasq status
inactive
root@OpenWrt:~# /etc/init.d/firewall status
inactive
root@OpenWrt:~# /etc/init.d/odhcpd status
inactive

Config info:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd45:4811:b0a5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        #option ipaddr '10.0.0.145'
        #option netmask '255.255.255.0'
        #option ip6assign '60'

#config device
#       option name 'wan'
#       option macaddr '32:23:03:dc:86:48'

#config interface 'wan'
#       option device 'wan'
#       option proto 'dhcp'

#config interface 'wan6'
#       option device 'wan'
#       option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2'
        option macaddr '30:23:03:dc:86:4a'
        option key 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2'
        option macaddr '30:23:03:dc:86:49'
        option key 'REDACTED'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Start by upgrading to 23.05.3. Allow the device to reset to defaults (uncheck the "keep settings" box) during the upgrade.

I'd recommend not commenting out code... delete what is not needed.

It should either be proto static with the address and netmask specified, or proto dhcp with them removed.

There is no need to comment any of these out. Leave them as they are from the default state.

Do not disable dnsmasq and firewall services. Leave them running normally.
Instead, disable the lan DHCP server explicitly by ignoring the interface and removing the IPv6 related items. It'll look like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Then make sure your WRT3200ACM is connected via the lan port to the lan of your upstream router.

That's all that needs to be done.
