Hi so I recently finished my DL-WRX36 + AP setup and everything was working well. See post here:
But I just recently discovered the second ethernet port of my access point (AP) was no longer connecting to internet.
WiFi from the AP is good, just that this second port is not working. I connect a gaming console to it sometimes.
Help please?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Isn't the 2nd port WAN ?
ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Dynalink DL-WRX36",
"board_name": "dynalink,dl-wrx36",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ipq807x/generic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd09:b0ce:1b1f::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'REDACTED'
option password 'REDACTED'
option ipv6 'auto'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan4:t'
config interface 'guest'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config interface 'iot'
option proto 'static'
option device 'br-lan.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan4:t'
config interface 'work'
option proto 'static'
option device 'br-lan.40'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/c000000.wifi'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'guest'
option mode 'ap'
option ssid 'WIFIGUEST'
option encryption 'psk2'
option key 'REDACTED'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/c000000.wifi+1'
option channel '1'
option band '2g'
option htmode 'HE20'
option cell_density '0'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'iot'
option mode 'ap'
option ssid 'WIFIIOT'
option encryption 'psk2'
option key 'REDACTED'
option disabled '1'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'WIFIMAIN'
option encryption 'psk2'
option key 'REDACTED'
option network 'lan'
option disabled '1'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid WIFIWORK'
option encryption 'psk2'
option key 'REDACTED'
option network 'work'
option disabled '1'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'work'
option interface 'work'
option start '100'
option limit '150'
option leasetime '12h'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'guest'
config zone
option name 'iot_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'iot'
config forwarding
option src 'iot_zone'
option dest 'wan'
config forwarding
option src 'guest_zone'
option dest 'wan'
config zone
option name 'work_zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'work'
config forwarding
option src 'work_zone'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'iot_zone'
config rule
option name 'iot_dns'
option src 'iot_zone'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'iot_dhcp'
option src 'iot_zone'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'work_dns'
option src 'work_zone'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'work_dhcp'
option src 'work_zone'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'guest_dns'
option src 'guest_zone'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'guest_dhcp'
option src 'guest_zone'
option dest_port '67'
option target 'ACCEPT'
This appears to be the main router, is that correct? This isn't the EAP245 that you're saying isn't working (2nd port), though. Can you clarify?
Oh my bad, I should have clarified.
Yes the ssh commands were run on the main router, DL-WRX36.
On LAN4 port of the main router, I connected an access point with original firmware (TPLink).
That AP is working (because I can connect to the SSID and the VLANs are respected).
But the 2nd ETH port of the AP is not working (laptop is not connected to internet when I plug it in that ETH port, like pass-thru concept).
It used to work this way when I was using an Archer C7 (vanilla, not running openwrt).
Is the EAP245 running OpenWrt? If so, please post the config files.
No, the EAP245 is not running openwrt.
Just the original firmware (TPLink firmware).
Since the EAP245 isn't running OpenWrt, the question really should be asked on TP-Link's support channels. Nothing about the OpenWrt configuration can change the way that the second port on that device operates, and we know that the OpenWrt configuration is working as expected.
That's unfortunate but very interesting.
Surprisingly if I plug it back in the ArcherC7 (not running openwrt), the 2nd port works again.
So I figured I should seek expertise from openwrt forums first.
The second port of the EAP245 starts working again? Actually, that would make some sense...
Right now, all VLANs are tagged on the OpenWrt side of things. Your C7 likely has an untagged network, and the EAP245 is just passing that through.
What that means is that you could untag a network on the OpenWrt side and that would then pass through the EAP245 to the other port. However, that also means you need to adjust the EAP245 AND the OpenWrt side.
Your C7 likely has an untagged network, and the EAP245 is just passing that through.
Yes that's right, no VLANs on Archer C7.
What that means is that you could untag a network on the OpenWrt side and that would then pass through the EAP245 to the other port.
Could you guide me on what to change please?
Thanks.
To be clear, it is very likely that all the tagged networks are also passing through to the secondary ethernet port, but the problem is that your downstream device isn't configured to understand tags.
So, we'll untag the network you want to make available to the downstream device...
With that in mind... which network do you want to be untagged?
Can we have all the WIFI on this access point to remain in VLAN,
and also have that 2nd port be untagged?
Meaning in the main router, can we have both tagged and untagged on that LAN4 port?
The 802.1q standard allows:
There are opinions that state that a trunk should only have tagged networks (no untagged network on the trunk), and in some specific hardware, this mix can cause a problem. But problems with hardware is the exception, not the rule.
With that in mind, we need to select the VLAN that will be untagged. Which one is it?
VLAN 10 probably. Thanks.
Ok...
First, in the EAP245 firmware (or Omada controller, if you're using it), you need to change the configuration such that the SSID servicing VLAN 10 instead looks for the untagged network, and you also need to change the management VLAN to be the untagged one (assuming that VLAN 10 is what you're using to manage the AP). Do this first.... Once these settings are applied, wifi will drop off for that network and you'll also be unable to reach the device for management... but that's just temporary.
Then, edit the bridge-vlan for VLAN 10 to make port 4 untagged (:u*)
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan4:u*'
Reboot the router and try again.
Thank you! Let me try this and report back tomorrow.
Sorry for getting back so late, got caught up on work so I had to keep the internet up (aka the previously working config).
For some reason, when I do the change, the openwrt router always failed to start back up and had to revert (good thing the 90second rollback timer was a thing).
Any ideas? TIA.