DHCP, repetitive Discovery and Offer cycles

Short Version:
Long bouts of DHCP DISCOVERY / OFFER sequences ultimately result in an ACK, but then resume after 2 sec instead of 12 hrs. Only occurs on wifi AC SSIDs (2), and only on laptops with static MACs. Vacuum robots (on the N network and static leases) and smartphones on the same AC SSIDs but with dynamic MACs renew their lease with single request and ack messages. But Linux and Windows clients with static MACs suffer disconnects on wifi, by lack of an IP address. Resumption takes longer than one is willing to wait. I don't understand why the problem sometimes disappears for a while.

Long Version:

  • vlan config on my switches has been working fine for years, in concert with 3 Mikrotik CAP's 6.49, broadcasting 3 ssids, as well as a single R2S owrt router as their dhcp server, then and now. All run the latest owrt now. Paramount in all of this is that I haven't touched the R2S/dhcpd config, other than upgrading FW to latest.

  • what I HAVE touched is .. those same 3 ipq4019 devices are now running owrt in dumb ap mode. First I had to wait for proper DSA support before crossing the rubicon, now I hit new layer 2 issues. Prolly'll have to shark it, but first I'd like an opinion.

Note the redacted x:x:x:x:d3:a3 mac of my vanilla Bookworm laptop below, named yoga. Two seconds after the ACK is received it restarts Discovering.

Ignore the DDNS issue (it's just double NAT), I just left that in for sequence:

Mon Aug 19 07:13:51 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:13:51 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3 yoga
Mon Aug 19 07:14:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:10 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:10 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:15 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:15 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:23 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:23 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:36 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: roadrunner.acme.com
Mon Aug 19 07:14:36 2024 user.warn ddns-scripts[30059]: DDNS_dynu: NO valid IP found
Mon Aug 19 07:14:36 2024 user.warn ddns-scripts[30059]: DDNS_dynu: Get registered/public IP for 'roadrunner.acme.com' failed - retry 5/0 in 60 seconds
Mon Aug 19 07:14:40 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:40 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:55 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:55 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3 yoga
Mon Aug 19 07:14:57 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:57 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3

this is my xiaomi vacuum robot "Claudette", renewing her static lease well behavedly :

Mon Aug 19 08:48:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.25) 192.168.250.101 zz:zz:zz:zz:6a:5a
Mon Aug 19 08:48:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.25) 192.168.250.101 zz:zz:zz:zz:6a:5a Claudette

this is a smartphone, exemplary going through the standard 4 step dhcp cycle :

Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.15) yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94 POCOPHONEF1-POCOPHON

another excerpt, now with a NAK, for my Bookworm laptop:

Mon Aug 19 08:40:02 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:02 2024 daemon.info dnsmasq-dhcp[1]: DHCPNAK(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3 wrong address
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 08:40:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3 yoga 

Thanks for any ideas !
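
Added example (not part of the original post, and not OpenWrt or dnsmasq code): a small Python script that runs over dnsmasq-dhcp log lines like those above and reports, per interface and client, how many OFFERs were never followed by a REQUEST and how often a DISCOVER restarts within seconds of an ACK. The sample lines are constructed from the excerpts in the post, and the 5-second `window` is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the dnsmasq log excerpts quoted in the post.
SAMPLE = """\
Mon Aug 19 07:13:51 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:13:51 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:06 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3 yoga
Mon Aug 19 07:14:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:10 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:10 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.20) 192.168.247.234 x:x:x:x:d3:a3
Mon Aug 19 07:14:36 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: roadrunner.acme.com
Mon Aug 19 08:48:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.25) 192.168.250.101 zz:zz:zz:zz:6a:5a
Mon Aug 19 08:48:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.25) 192.168.250.101 zz:zz:zz:zz:6a:5a Claudette
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.15) yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94
Mon Aug 19 10:09:08 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.15) 192.168.248.186 yy:yy:yy:yy:98:94 POCOPHONEF1-POCOPHON
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \S+ dnsmasq-dhcp\[\d+\]: "
                  r"DHCP(\w+)\((\S+?)\) (.*)$")


def parse(text):
    """Yield (time, message type, interface, client MAC) per dnsmasq-dhcp line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # DNS, ddns-scripts and other daemons are skipped
        stamp, kind, iface, rest = m.groups()
        # DISCOVER may carry no address, so take the first colon-separated token.
        mac = next((t for t in rest.split() if ":" in t), None)
        if mac:
            yield datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), kind, iface, mac


def analyse(text, window=5):
    """Per (interface, MAC): ACKs, OFFERs never followed by a REQUEST, and
    DISCOVERs arriving within `window` seconds of an ACK (assumed threshold)."""
    stats = defaultdict(lambda: {"acks": 0, "dropped_offers": 0, "rediscover_after_ack": 0})
    offered, last_ack = {}, {}
    for when, kind, iface, mac in parse(text):
        key = (iface, mac)
        s = stats[key]
        if kind == "DISCOVER":
            if offered.get(key):
                s["dropped_offers"] += 1  # previous OFFER was never requested
            ack = last_ack.pop(key, None)
            if ack and (when - ack).total_seconds() <= window:
                s["rediscover_after_ack"] += 1  # lease abandoned right after ACK
            offered[key] = False
        elif kind in ("OFFER", "REQUEST"):
            offered[key] = kind == "OFFER"
        elif kind == "ACK":
            s["acks"] += 1
            last_ack[key] = when
    return dict(stats)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A client that renews cleanly shows zeros in both counters; the laptop pattern from the post shows up as non-zero `dropped_offers` and `rediscover_after_ack` on `br-lan.20`.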

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

thank you !

root@R2S:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "R2S",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R2S",
        "board_name": "friendlyarm,nanopi-r2s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}


root@R2S:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'r:e:d:a:c:t:e:d'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'r:e:d:a:c:t:e:d'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.5'
        option ipaddr '192.168.249.1'
        list dns '192.168.247.3'
        list dns '192.168.247.18'

config device
        option name 'eth0'
        option macaddr 'r:e:d:a:c:t:e:d'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.0.10'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option disabled '1'

config interface 'VLAN15'
        option proto 'static'
        option device 'br-lan.15'
        option ipaddr '192.168.248.1'
        option netmask '255.255.255.0'
        list dns '192.168.248.18'
        list dns '192.168.248.3'

config interface 'VLAN20'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.247.1'
        option netmask '255.255.255.0'
        list dns '192.168.247.18'
        list dns '192.168.247.3'

config interface 'VLAN25'
        option proto 'static'
        option device 'br-lan.25'
        option ipaddr '192.168.250.1'
        option netmask '255.255.255.0'
        list dns '9.9.9.9'

config interface 'MULLVAD'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'r:e:d:a:c:t:e:d'
        option listen_port '51281'
        list addresses 'r:e:d:a:c:t:e:d'

config wireguard_MULLVAD
        option description 'Mullvad Server'
        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option endpoint_host 'r:e:d:a:c:t:e:d'
        option public_key 'r:e:d:a:c:t:e:d'

config interface 'INBOUND'
        option proto 'wireguard'
        option force_link '1'
        option listen_port '51820'
        list addresses '10.200.200.1/24'
        option private_key 'r:e:d:a:c:t:e:d'
        list dns '192.168.247.3'
        list dns '192.168.247.18'

config wireguard_INBOUND
        option description 'mobileDevice'
        list allowed_ips '10.200.200.0/24'
        option persistent_keepalive '25'
        option private_key 'r:e:d:a:c:t:e:d'
        option public_key 'r:e:d:a:c:t:e:d'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '15'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '25'
        list ports 'eth1:t'

config device
        option name 'br-lan.5'
        option type '8021q'
        option ifname 'br-lan'
        option vid '5'

config device
        option name 'br-lan.15'
        option type '8021q'
        option ifname 'br-lan'
        option vid '15'

config device
        option name 'br-lan.20'
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'

config device
        option name 'br-lan.25'
        option type '8021q'
        option ifname 'br-lan'
        option vid '25'

root@R2S:~# 

R2S has no wifi hardware, there is no wireless config.

root@R2S:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'home'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option netmask '255.255.255.0'
        list dhcp_option '6,192.168.247.3,192.168.247.18'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN15'
        option interface 'VLAN15'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option netmask '255.255.255.0'
        list dhcp_option '6,192.168.248.3,192.168.248.18'

config dhcp 'VLAN20'
        option interface 'VLAN20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option netmask '255.255.255.0'
        list dhcp_option '6,192.168.247.3,192.168.247.18'

config dhcp 'VLAN25'
        option interface 'VLAN25'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option netmask '255.255.255.0'
        list dhcp_option '6,9.9.9.9'

config host
        option dns '1'
        option ip '192.168.250.101'
        option leasetime '12h'
        option name 'Claudette'
        list mac 'r:e:d:a:c:t:e:d'

config host
        option dns '1'
        option ip '192.168.250.102'
        option leasetime '12h'
        option name 'Blackie'
        list mac 'r:e:d:a:c:t:e:d'

config host
        option name 'rproxy'
        option dns '1'
        option ip '192.168.249.21'
        option leasetime '4h'
        option mac 'r:e:d:a:c:t:e:d'

config host
        option name 'avr'
        option dns '1'
        option ip '192.168.249.7'
        option leasetime '12h'
        list mac 'r:e:d:a:c:t:e:d'

config host
        option name 'Hama'
        list mac 'r:e:d:a:c:t:e:d'
        option ip '192.168.250.119'
        option leasetime '7d'

root@R2S:~# 

root@R2S:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'dfaultVLAN5'
        list network 'lan'
        list network 'INBOUND'

config zone
        option name 'abcVLAN20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN20'

config zone
        option name 'xyzVLAN15'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN15'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'iotVLAN25'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN25'

config forwarding
        option src 'zMullvad'
        option dest 'wan'

config forwarding
        option src 'dfaultVLAN5'
        option dest 'zMullvad'

config zone
        option name 'zMullvad'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'MULLVAD'

config forwarding
        option src 'abcVLAN20'
        option dest 'xyzVLAN15'

config forwarding
        option src 'abcVLAN20'
        option dest 'xyzVLAN25'

config forwarding
        option src 'abcVLAN20'
        option dest 'wan'

config forwarding
        option src 'abcVLAN20'
        option dest 'zMullvad'

config forwarding
        option src 'xyzVLAN15'
        option dest 'dfaultVLAN5'

config forwarding
        option src 'iotVLAN25'
        option dest 'wan'

config forwarding
        option src 'dfaultVLAN5'
        option dest 'iotVLAN25'

config redirect
        option dest 'dfaultVLAN5'
        option target 'DNAT'
        option name 'fwdWGInbound'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option dest_ip '192.168.249.1'

config forwarding
        option src 'xyzVLAN15'
        option dest 'wan'

config forwarding
        option src 'dfaultVLAN5'
        option dest 'wan'

config forwarding
        option src 'dfaultVLAN5'
        option dest 'xyzVLAN15'

config forwarding
        option src 'dfaultVLAN5'
        option dest 'abcVLAN20'

config forwarding
        option src 'abcVLAN20'
        option dest 'dfaultVLAN5'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

root@R2S:~# 

Are static MAC addresses unique?

yes, they're bare metal.

on my laptop I switched the intel ax201 card back to the realtek 8852ae it came with, same issue.

in the garden I've a fourth AP, with an ath79 soc (1st gen wAP AC) that doesn't suffer the same issue.

I already tried non-candela drivers, to no avail. All AP are back to CT drivers now.

thanks for any pointers

Remove all the 802.1q stanzas

Remove the netmask lines on each of the DHCP servers.

Remove the leasetime arguments on each of the dhcp reservations

Reboot and try again.

Option "list dns" at "/etc/config/network" indicates the DNS available on that interface, and to be used by the router; it does not indicate the DNS to be used by the clients attached to that interface.

I did as instructed including reboot.
Now we'll have to wait a little bit.
I will report back either way.
thank you !

Thanks for looking at my posts.

I'm aware of the setting, and it is intentional.

The only link between DNS and layer2 worth remarking in my setup, is that I've been running 2 piholes in dockerctrs (using macvlan driver) even from before Piholes could handle separate blocklist per client. So one SSID is full Google/Social media (my wife's network) while my SSID is a privacy mancave. If I need to pay using my Bank I switch to her network.
This double PI /ssid setup has been running without issue for the last 5 years, admittedly on Mikrotik 6.xx AP's, but always owrt R2S. (MT frustrated me over not supporting WG and their weird ram and soc decisions, so I bailed to owrt with the router first, and AP's second. The only thing you learn from MT is their idiosyncrasies, I'll never buy from them again.)

But my AP's can have their own DNS entries for their own downloads, so it's intentional.

unfortunately the mods didn't help.
When my laptop was kicked from the ssid again - inside the house on ipq4019's , I immediately ran to the garden in the broadcast of my single ath79 AP .. and my laptop instantly connected.

So I won't pursue this any further, I just now ordered some omada AP's, I lusted after its central management on proxmox anyways.

That said, my sentiments towards the owrt community are of the highest respect and gratitude. I just have too many projects waiting and can't afford the time. There is nothing wrong with owrt on my R2S, which I'll continue to use.