Dnsmasq High CPU Usage

Hello,

I have an OPR1+. I use the OpenWrt offline builder to build both snapshot and 23.05 images. The issue happens with either official or snapshot build, and as far as I can remember, hasn't been an issue until now. I've tried to narrow down the issue by eliminating potential services that may be CPU intensive (adblock, adblock-fast, etc.) but to no avail.

These are the packages I build:

make image RELEASE="23.05.5" PROFILE="xunlong_orangepi-r1-plus" FILES="files" PACKAGES="base-files busybox ca-bundle dnsmasq dropbear e2fsprogs firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload kmod-usb-net-rtl8152 libc libgcc libustream-mbedtls logd luci mkf2fs mtd netifd nftables odhcp6c odhcpd-ipv6only opkg partx-utils ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd lm-sensors luci luci-app-commands luci-app-firewall luci-app-opkg luci-app-samba4 luci-app-statistics luci-app-upnp luci-app-vnstat luci-app-watchcat blkid bmon htop ifstat iftop iperf3 iwinfo lsblk lscpu lsblk fdisk resize2fs nano rsync rtorrent tcpdump arp-scan cfdisk cgdisk gdisk parted sfdisk sgdisk kmod-usb-storage kmod-usb-storage-uas kmod-fs-exfat kmod-fs-ext4 kmod-fs-ksmbd kmod-fs-nfs kmod-fs-nfs-common kmod-fs-nfs-v3 kmod-fs-nfs-v4 kmod-fs-ntfs kmod-usb-storage kmod-usb-storage-uas usbutils libblkid gdisk kmod-fs-exfat e2fsprogs kmod-fs-ext4"

High CPU rate impacts speeds cutting D'load by half, and potentially DHCP issues.

logread (minus DHCP leases/MAC IDs):

root@OP-R1_Plus:~# logread | grep dnsm
Mon Dec 23 09:18:58 2024 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Mon Dec 23 09:18:58 2024 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 150
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 09:18:59 2024 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 41 names
Mon Dec 23 09:18:59 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:18:59 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:19:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 09:19:06 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 150
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 45 names
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Dec 23 09:19:11 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 09:19:11 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 45 names
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Dec 23 10:01:15 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:15 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:15 2024 daemon.err dnsmasq[1]: failed to send packet: Bad file descriptor
Mon Dec 23 10:01:15 2024 daemon.err dnsmasq[1]: failed to send packet: Bad file descriptor
Mon Dec 23 10:01:15 2024 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 45 names
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Dec 23 10:01:17 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:17 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 45 names
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Dec 23 10:01:19 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:19 2024 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 150
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.76#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.76#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 45 names
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon Dec 23 10:01:23 2024 daemon.err dnsmasq[1]: cannot read /var/run/adblock-fast/dnsmasq.servers: No such file or directory
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.76#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.75.75#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using nameserver 75.75.76.76#53
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Dec 23 10:01:23 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan

Network config:

root@OP-R1_Plus:/etc/config# cat network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd60:1ed0:ca21::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config device 'lan_eth1_dev'
	option name 'eth1'
	option macaddr 'c0:74:2b:ff:a0:85'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '75.75.75.75'
	list dns '75.75.76.76'

config device 'wan_eth0_dev'
	option name 'eth0'
	option macaddr 'c0:74:2b:ff:a0:84'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'Hitron_modem'
	option device '@wan'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'

DHCP config:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,8.8.8.8,75.75.75.75'
	list dhcp_option '6,192.168.2.101,192.168.2.100'

Firewall Config:

root@OP-R1_Plus:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '0'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'ss_rules'
	option path '/etc/firewall.ss-rules'
	option reload '1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.2.1'
	option name 'SSH-WAN'
	option src_dport '6565'
	option dest_port '7766'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '8702'
	option dest_port '8765'
	option name 'motion-OP'
	option dest_ip '192.168.2.102'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '5432'
	option dest_port '8888'
	option name 'postgresql'
	option dest_ip '192.168.2.101'

config rule 'samba_nsds'
	option name 'Allow-Samba/NS/DS'
	option src 'lan'
	option dest_port '137-138'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'samba_ss'
	option name 'Allow-Samba/SS'
	option src 'lan'
	option dest_port '139'
	option proto 'tcp'
	option target 'ACCEPT'

config rule 'samba_smb'
	option name 'Allow-Samba/SMB'
	option src 'lan'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Pihole_Force_Traffic_PI'
	option src 'wan'
	option src_dport '5335'
	option dest_ip '192.168.2.101'
	option dest_port '5335'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Pihole_Force_Traffic_OP_DEN'
	option src 'wan'
	option src_dport '5335'
	option dest_ip '192.168.2.102'
	option dest_port '5335'

I've tried switching to strictly third-party or ISP DNS (as opposed to internal pihole) with no luck. Any suggestions would be helpful.

Is it fw4 or fw? The includes are from both.
pihole_force rule2 is never used.

killall -usr1 dnsmasq

then show what is in logread.

likely cause some adware is connecting ad server too often

A little better, but still screaming:

I also have three DAPs running OpenWRT (23.05) and dnsmasq is screaming on those units too:

DAP:

EDIT

I reverted to default/stock firewall config, and added only my port forwards. It's better, but hovering at 50-60%

I think I figured it out. It had no relation to pihole or my OPR1+ configs.

I have three wired DAPs. I recently upgraded all three to 23.03.5. The firewall was active on all three units, plus my OPR1+. As soon as I disabled the firewall on all three DAPs, the CPU rate on dnsmasq plummeted. Hopefully, that does the trick.

Such an interaction between firewall and dnsmasq is currently not known. Can you help me to repeat your DAP setup? (likely /etc/config/firewall explaining where the bridge to the DHCP server is connected)

Well the issue came back...

Firewall & Luci are disabled on the DAPs

Here are my DAP configs:

DHCP


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option domain 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Network Config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd28:dd05:5f19::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'no'
	option device '@lan'

You have to disable the lan DHCP server (luci-network-interfaces-lan-edit-dhcp server, check box)

Thanks for that catch! I ended up disabling by using:

service dnsmasq disable
service dnsmasq stop

That disables nothing. See documentation and check each step.
https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap
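
The DAP configs posted above keep `dhcpv4`, `dhcpv6` and `ra` set to 'server' on a `lan` interface that is itself a DHCP client, which is the setting the last replies say to turn off. As an added example (not from the thread or the OpenWrt project), this script flags that combination in UCI files; the function names, the `guest` interface and the corrected `dhcp.after` file are constructed for illustration, and `ignore` is assumed to be the UCI option behind the LuCI DHCP server check box.

```shell
#!/bin/sh
# Added example: flag DHCP/RA server roles still configured on an interface
# that is itself a DHCP client (the dumb-AP case discussed in this thread).

# audit_dap_dhcp NETWORK_FILE DHCP_FILE
# Prints "<interface> <roles>" for every "config dhcp" pool whose interface
# has proto dhcp in NETWORK_FILE and still has server roles configured.
# Prints nothing when the configuration is clean.
audit_dap_dhcp() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    function truthy(s) { return s ~ /^(1|yes|on|true|enabled)$/ }
    function add(list, item) { return list == "" ? item : list "," item }
    function report(   roles) {
        if (!in_pool || proto[iface] != "dhcp") return
        roles = ""
        # The IPv4 pool counts as configured unless ignore=1 or dhcpv4=disabled.
        if (!truthy(ignore) && v4 != "disabled") roles = add(roles, "dhcpv4")
        if (v6 != "" && v6 != "disabled") roles = add(roles, "dhcpv6")
        if (ra != "" && ra != "disabled") roles = add(roles, "ra")
        if (roles != "") print iface, roles
    }
    $1 == "config" {
        if (FILENAME != ARGV[1]) report()      # close the previous dhcp pool
        type = $2; name = unq($3)
        in_pool = (FILENAME != ARGV[1] && type == "dhcp")
        iface = name; ignore = ""; v4 = ""; v6 = ""; ra = ""
        next
    }
    # First file: remember the protocol of every network interface.
    $1 == "option" && FILENAME == ARGV[1] && type == "interface" && $2 == "proto" {
        proto[name] = unq($3); next
    }
    # Second file: collect the server-related options of the current pool.
    $1 == "option" && in_pool {
        val = unq($3)
        if ($2 == "interface") iface = val
        else if ($2 == "ignore") ignore = val
        else if ($2 == "dhcpv4") v4 = val
        else if ($2 == "dhcpv6") v6 = val
        else if ($2 == "ra") ra = val
    }
    END { report() }
    ' "$1" "$2"
}

# Constructed sample files: excerpts of the DAP configs from this thread, a
# constructed static "guest" interface (must not be flagged), and a corrected
# dhcp section with the server roles switched off.
write_samples() {
    dir=$1
    cat > "$dir/network" <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option delegate '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.50.1'
EOF
    cat > "$dir/dhcp.before" <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'guest'
	option interface 'guest'
	option dhcpv4 'server'
EOF
    cat > "$dir/dhcp.after" <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
	option dhcpv6 'disabled'
	option ra 'disabled'
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before: $(audit_dap_dhcp "$tmp/network" "$tmp/dhcp.before")"
echo "after:  $(audit_dap_dhcp "$tmp/network" "$tmp/dhcp.after")"
rm -rf "$tmp"
```

On a device, run it as `audit_dap_dhcp /etc/config/network /etc/config/dhcp`. It reports what the files request, not what dnsmasq or odhcpd is serving at that moment.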
