Guest wifi connection dies shortly after connecting

Nocte · November 10, 2018, 4:44pm

Hi All,

I configured OpenWrt on an Archer C50 to be a wifi repeater. It connects to a primary router and emits one wireless network connected to the standard lan interface and another one with a Gust configuration.

The issue is that when I connect a device to the wireles guest network it losses that connection shortly afterwards (I am talking up to 10 seconds here) even thou I have been able to ping a website (google.com) for that short connection period.

What confuses me is that the lan network works perfectly fine. Probably I am just missing some small configuration. Please help.

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config globals 'globals'
	option ula_prefix 'xxx'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask 'xxx'
	option ifname 'xxx'
	option ipaddr 'xxx'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xxx'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xxx

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'Guest'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config interface 'VPN'
	option proto 'static'
	option ifname 'xxx'
	option netmask 'xxx'
	option ipaddr 'xxx'

config interface 'wwan'
	option proto 'dhcp'

Firewall:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option log_limit '500'
	option input 'DROP'
	option forward 'DROP'
	option network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option name 'Allow DNS Queries'
	option src 'Guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP request'
	option src 'Guest'
#	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port 'xxx'
	option name 'OpenVPN'
	option proto 'tcp udp'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'VPN'
	option network 'VPN'
	option output 'REJECT'
	option forward 'REJECT'
	option input 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'VPN'

config forwarding
	option dest 'wan'
	option src 'VPN'

config rule
	option target 'ACCEPT'
	option src 'Guest'
	option name 'Guest Allow Web'
	option proto 'tcp'
	option dest 'wan'
	option dest_port '80 443'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option name 'Guest Allow Mail Client'
	option proto 'tcp'
	option dest_port '993 995'
	option src 'Guest'
	option dest 'wan'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option src 'Guest'
	option name 'Guest Allow Ping'
	option proto 'icmp'
	option dest 'wan'
	option enabled '0'

config forwarding
	option dest 'wan'
	option src 'Guest'

Wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '0'
	option channel '52'
	option country 'DE'
	option legacy_rates '1'
	option distance '1'
	option txpower '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'

config wifi-device 'radio1'
	option enabled '0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option htmode 'HT20'
	option disabled '0'
	option legacy_rates '1'
	option country 'xxx'
	option txpower '0'

config wifi-iface
	option ssid 'xxx'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'sta'
	option bssid 'xxx'
	option key 'xxx'
	option network 'wwan'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'Guest'

mike · November 10, 2018, 5:37pm

I have a working Guest network so I compared your configs to mine and you have a few entries I don't and missing one, so you might try removing/adding these entries and see if it works, if it does you can put them back one by one to see what breaks it -

Network - 

config interface guest - remove - 

option type
option dns

Firewall - 

config rule
	option name 'Allow DHCP request' - remove - 

option src_port

Add - 

option enabled '1'

eduperez · November 10, 2018, 6:16pm

You have not posted your wireless configuration file.
Have you seen any message I'm the logs when the issue happens?
What is happening exactly on the client? Does it lose wireless connection? Does all the traffic stop? Just external traffic?

Nocte · November 11, 2018, 10:06am

@mike
Thanks for your config. Unfortunately it does not work for me. I Updated the configuration in my first post. Could you please double check if I understood you correctly?

@eduperez
I have added the wirless configuration in the first post as well.

Have you seen any message I'm the logs when the issue happens?

I had a look at what happens when the devices connects via logread -f. (All messages regarding same device and same network interface:

info: authenticated
info: associated (aid 1)
notice: AP-STA-CONNECTED
info: WPA: pairwise key handshake completed (RSN)
info: DHCPREQUEST(wlan0-2) (with ip address)
info: DHCPACK(wlan0-2) (with ip address)
notice: AP-STA-DISCONNECTED

The last entry has a time stamp of +9 seconds compared to the previous ones.

What is happening exactly on the client? Does it lose wireless connection? Does all the traffic stop? Just external traffic?

The device connects and everything looks good (pinging and so on). After those somewhat 10 seconds the device simply looses the wireles connection as if I had chosen a different wifi network. Therefore the still running ping command says "network not reachable" and all the traffic stops.

What exactly do you mean by "just external traffic"?

eduperez · November 11, 2018, 4:11pm

You LAN wifi is on the 5GHz band and operating with a bandwidth of 80MHz, but your GUEST wifi is on the 2.4GHz band and restricted to 20 MHz. Perhaps the client is considering that the GUEST network is too slow, and disconnecting on purpose?

I woud try to move the APs around, and see what happens.

mike · November 11, 2018, 4:46pm

Your configs look ok, although in -

config wifi-device 'radio0'

You might try changing distance and txpower to this -

option distance '50'
option txpower '18'

And see if that makes a difference.

edit - Also in config wifi-device 'radio0 try changing the channel to somewhere between 36-48 or 149-161, I think 52 is a DFS channel.

Nocte · November 11, 2018, 11:05pm

@eduperez
I can try moving around the AP tomorrow.
Where did you got the information from that the GUEST wifi was still running at 2.4GHz? I was hoping I had abounded that frequency entirely... To enforce that I added option disabled to the radio1 device:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option disabled '0'
        option country 'xxx'
        option legacy_rates '1'
        option txpower '18'
        option distance '50'
        option channel '36'
        option htmode 'VHT40'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxx'
        option encryption 'psk2'
        option key 'xxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/10180000.wmac'
        option htmode 'HT20'
        option legacy_rates '1'
        option country 'xxx'
        option txpower '0'
        option disabled '1'

config wifi-iface
        option ssid 'xxx'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'sta'
        option bssid 'xxx'
        option key 'xxx'
        option network 'wwan'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'xxx'
        option encryption 'psk2'
        option key 'xxx'
        option network 'Guest'
        option isolate '1'

@mike
I have changed the options as you recomanded. unfortunately even with the channel set to 36 (I went to LUCI and configured it in the menu for the connetion to my primary router - the one with the wwan interface) for both my emitted networks I find " Locked to channel 52 used by Client" in the LUCI UI.

But what heavily confuses me is that my client devices do not show the SSIDs any more. Also I am not able to connect to the router via "connecting to a hidden network". Maybe that is related to my forcefully switch to 5GHz? Simply reactivating radio1 device does not help...

Any suggestions?

Thank your very much for the help so far!

mike · November 12, 2018, 1:41am

Sorry, I should have mentioned that the channel, distance and txpower should be changed on both the repeater and primary router, if that still doesn't work, here's my configs that I know work so you can check yours against them in case I may have missed something -

Network 

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

Firewall 

config forwarding
	option dest 'wan'
	option src 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'Guest'

Wireless

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid ‘xxxxxxxx’
	option network 'Guest'
	option encryption 'psk2+ccmp'
	option key ‘xxxxxxxx’
	option disabled ‘0’

eduperez · November 12, 2018, 7:41am

My mistake: I did not notice that the GUEST network was attached to radio0, I was confused because it is defined after radio1, but now I see it is on radio0.

So, if both LAN and RADIO are on the same hardware, the issue should not be here. Perhaps the client cannot connect to the internet and drops the connection?

Nocte · November 12, 2018, 8:41pm

@mike
Thanks again. I double checked and everything looks good.

@eduperez
Happends to me all the time . What you are saying makes perfect sense since my phone sayed "no internet connection" when it stopped trying to connect to the guest network.

Anyway since I had trouble to even see my 5GHz networks I went back to 2.4GHz.
Actually I have been here before and only changed because my "all 2.4GHz setup" (main router connection + home and guest network) reliable broke down as soon as a started some heavier download. I discussed it in a different thread and market it as solved since the issue seemed not to appear with all 5GHz setup. But then I encountered the issue described here.

What I am currently doing is having my AP connected to the primary router via 5GHz and the 2 wifi networks emitted via 2.4GHz. That is not really what I wanted but may work for now. At this point I do think the problems are related to driver compatibility since all the configurations are looking good.

I will fiddle around some more and if nothing else comes up I will close this thread next weekend.

Kind regards and thank you a lot!