Dumb AP DNS Issue

Hi all,

I recently installed OpenWRT on a Xiaomi AC2100. My device now works as a wireless AP and as a switch for wired devices connected to the LAN ports. I did the setup using this guide. The WAN port doesn't work, so I'm not using it. The only thing that doesn't work now is updating the package list in software.

Why? Because apparently the DNS configuration is off and I have no idea how to fix it. I have set the DNS server to the IP of the cable modem, but to no avail. I'm typing this on a connected device by giving that device 1.1.1.1 as its DNS server; then everything works fine. That trick doesn't work for OpenWRT itself, however, and if I remove 1.1.1.1 as the specified DNS server, any connected device will not load any pages, as it apparently cannot find the DNS server.

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd9d:b352:67a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# LAN bridge interface: static address 192.168.178.4/24, with both the default
# gateway and the DNS server pointing at 192.168.178.1.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'
	# NOTE(review): the address is written as a list entry in CIDR notation; a reply
	# in this thread suggests 'option ipaddr' instead. With a single value either
	# form should behave the same - confirm on the device.
	list ipaddr '192.168.178.4/24'

config interface 'wan'
	option device 'wan'
	option proto 'none'

config interface 'wan6'
	option device 'wan'
	option proto 'none'

config interface 'wwan'
	option proto 'dhcp'
# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option channel '6'
	option txpower '10'
	option cell_density '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel '48'
	option txpower '10'
	option country 'NL'
	option cell_density '0'
	option disabled '1'

# Access point on radio1 (the '5g' radio), attached to the 'lan' network and
# protected with WPA2-PSK ('psk2').
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'KW5'
	option encryption 'psk2'
	# NOTE(review): the key is empty in this paste - presumably redacted before
	# posting. Confirm a real passphrase is set on the device itself.
	option key ''
	option network 'lan'
	# Marked disabled in this paste.
	option disabled '1'

# Access point on radio0 (the '2g' radio), same network and encryption mode.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'KW'
	option encryption 'psk2'
	# NOTE(review): key is empty here as well - presumably redacted; confirm on the device.
	option key ''
	option network 'lan'
	# Marked disabled in this paste.
	option disabled '1'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP settings for the 'lan' interface.
# NOTE(review): "dhcpv4 'server'" and "ignore '1'" pull in opposite directions:
# one asks for a DHCPv4 server on lan, the other asks the DHCP service to skip
# this interface. A reply in this thread flags the pair as conflicting. The ISP
# modem at 192.168.178.1 is described as the network's DHCP server, so a second
# server answering on the same bridged segment can hand clients the wrong
# gateway and DNS server.
config dhcp 'lan'
	option interface 'lan'
	# Pool definition (offset 100, 150 addresses, 12h leases); only relevant if
	# DHCP is actually served on this interface.
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


# cat /etc/config/firewall

# Global firewall defaults: traffic to and from the device itself is accepted;
# forwarded traffic is rejected unless a zone, forwarding or rule allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 'lan' zone: input, output and forward are all accepted.
# NOTE(review): no 'list network' line appears for this zone in the paste, so it
# is unclear which interfaces it covers - confirm on the device. With input set
# to ACCEPT here and in the defaults, services running on the AP are presumably
# reachable from every host on the bridged LAN; check that this is intended.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I've now spent over 6 hours trying to crack this myself but any input from here would be greatly appreciated as I honestly am out of ideas.

Thanks in advance!

from the OpenWrt device (using ssh), what is the output of:

nslookup downloads.openwrt.org
nslookup downloads.openwrt.org 192.168.178.1
nslookup downloads.openwrt.org 8.8.8.8
nslookup downloads.openwrt.org 1.1.1.1

I usually just populate /etc/resolv.conf

# nslookup downloads.openwrt.org
Server:         192.168.178.1
Address:        192.168.178.1:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

# nslookup downloads.openwrt.org 192.168.178.1
Server:         192.168.178.1
Address:        192.168.178.1:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

nslookup downloads.openwrt.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

# nslookup downloads.openwrt.org 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 2a01:4f8:251:321::2

Non-authoritative answer:
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:   mirror-02.infra.openwrt.org
Address: 168.119.138.211

No answer on all of them. Im starting to wonder now if the problem is really DNS related or something more basic.

The DNS requests are reaching the internet; the question is, why isn't the traffic?


Tiny error, for what it's worth : ipaddr is an option, not a list.


Thanks, Ill fix that at home just in case.

That is a good question. So are you saying the DNS is configured properly but something fishy is going on traffic-wise? It's weird to me that a computer connected by cable to OpenWRT with a DNS server set works fine until I remove the DNS server; then everything stops working and the computer acts like OpenWRT does, with no traffic coming in.

The situation is as follows:
192.168.178.1 -> ISP modem: Handles DHCP, Firewall etc, only WIFI is disabled (its bad).
192.168.178.2 -> Airport Extreme on bottom floor set to bridge mode.
192.168.178.3 -> Airport Extreme on second floor set to bridge mode.
192.168.178.4 -> the Xiaomi with OpenWRT for the top floor (still trying to set it to bridge mode).

The reason why I'm using dumb access points is my parents. When the internet stops working, they have the habit of contacting the ISP, which resets the modem to default. If I set up the modem as a dumb modem and that happens, I have to reconfigure their whole house again. Hence this solution. If it's reset now, I only need to disable the standard WiFi network next time I'm over.

To make sure you're not serving DHCP yourself, in the `config dhcp 'lan'` section of /etc/config/dhcp, set dhcpv4 to disabled, or you can remove all the lines except ignore 1. Ignore is a deprecated setting, and you have it in conflict with the new setting dhcpv4 'server'.

I usually set dumb APs to be DHCP client. Then they automatically follow the configuration of the main router (which you have noted, is subject to change beyond your control). This does require being able to log into the main router and examine its DHCP lease table to find the dumb AP's LAN IP, the main router supporting local DNS, or having another way to log into the dumb AP such as an administration network.


Is it the dumb AP that is experiencing DNS issues, or the clients that are connected to this AP?

In general, if the AP doesn't have working DNS, it's not critical unless you are doing things like installing additional packages or running certain types of services. Obviously the clients need to have DNS, though.


If your AP has a DHCP server active, it can serve improper DHCP leases to the whole network, including of course clients connected to the AP. The dumb AP will advertise itself as DNS server and default route, even though those are supposed to be handled by the main router. This will cause loss of Internet access.


Ive changed it to the setting below:

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

# DHCP settings for the 'lan' interface after the change the poster reports as
# the fix: "dhcpv4 'disabled'" now agrees with "ignore '1'", so neither setting
# asks for a DHCP server on lan and the ISP modem at 192.168.178.1 is left as
# the DHCP server described in the thread.
config dhcp 'lan'
	option interface 'lan'
	# Pool definition left in place; presumably unused while DHCP is disabled here.
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'disabled'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

This fixed it!

Ive also changed the setting mentioned by @badulesia:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd9d:b352:67a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option gateway '192.168.178.1'
	list ipaddr '192.168.178.4/24'
	list dns '192.168.178.1'

config interface 'wan'
	option device 'wan'
	option proto 'none'

config interface 'wan6'
	option device 'wan'
	option proto 'none'

config interface 'wwan'
	option proto 'dhcp'

Thanks for the replies all!

I still read list instead of option ipaddr :face_with_spiral_eyes:
It may work as there is only one value.

