Help fixing persistent network failure

Hey all!

I have a small home network with about 5 connected devices all on WiFi. I'm using a RPi 4 with OpenWrt 24.10.1 as a router and WiFi access point. I seem to lose internet whenever a lot of bandwidth is used, or so I suspect. But after installing and configuring SQM according to https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm, my internet still fails perhaps once a day or every other day. Rebooting the router fixes the problem, but I'd like help with a more permanent solution.

Let’s start by reviewing your config

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:4626:91c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.252.0'
	option ip6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'fake key'
	option listen_port '51820'
	list addresses '192.168.4.13/22'

config wireguard_wg0
	option description 'phone'
	option public_key 'fake key'
	option private_key 'fake key'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.1/32'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'fake key'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
	option public_key 'fake key'
	option preshared_key 'fake key'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BoboPlanet'
	option encryption 'psk2'
	option key ''
	option network 'lan'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'vpn'
	option src 'wan'
	option src_dport '51820'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Is it completely wireless -- just Wi-Fi, no wired clients?

In addition to the configs, would you include the system log from 10 lines before the point where it starts tossing fatal errors, up to and including those errors?

If you redact MACs, please replace each one with a distinct identifier (e.g. 'a', 'b', 'c') so we can tell the hardware apart.

So your RPi4 also serves as the AP using its internal WiFi chip? Also, what is your 2nd NIC?

Yes. My second NIC is eth0:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback a brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever

2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN group default qlen 1000
    link/ether b brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether c brd ff:ff:ff:ff:ff:ff
    inet public_ip brd public_ip scope global eth1
       valid_lft forever preferred_lft forever
    inet6  scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

4: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether d brd ff:ff:ff:ff:ff:ff permaddr 2c:cf:67:4d:2e:ab

7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/22 brd 192.168.7.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fddb:4626:91c::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2ecf:67ff:fe4d:2eaa/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

8: vpn: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none 
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fd00:9::1/64 scope global 
       valid_lft forever preferred_lft forever

9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.4.13/22 brd 192.168.7.255 scope global wg0
       valid_lft forever preferred_lft forever

19: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::60bc:d7ff:fed0:9c51/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

I didn't get any MAC addresses in the config files.

As for system logs, I'll have to wait until it happens again, since I rebooted the system last time.

Also, where do I find the log? I checked /tmp and /var, but found nothing. dmesg shows a number of possibly unrelated errors after I attempted to reproduce the issue by starting a large download and video streams on a few hosts:

[41146.118275] brcmfmac: brcmf_sdio_read_control: last control frame is being processed.
[41146.126166] ieee80211 phy0: brcmf_cfg80211_dump_station: BRCMF_C_GET_ASSOCLIST failed, err=-512
[41149.287694] ieee80211 phy0: brcmf_proto_bcdc_query_dcmd: brcmf_proto_bcdc_msg failed w/status -110
[41149.296885] ieee80211 phy0: brcmf_cfg80211_get_station: GET STA INFO failed, -110

To tell you the truth, I didn't have the foresight to check the other interfaces at the time. Now that I think about it though, in each case everyone was still connected to the LAN but had no internet access...

They will be in the system log.

LuCI/Status/System Log

I'm starting to think this isn't a problem with OpenWrt. There are known bugs with Broadcom wireless drivers that might explain the issue.


This isn't right:

You have two things going on here:

  1. The WG and lan subnets are overlapping (192.168.4.13/22 on wg0 and 192.168.5.1/22 on lan both fall inside 192.168.4.0/22) -- this will cause major issues.
  2. Your WG address and the peer's allowed IPs (10.0.0.1/32) are not in the same subnet. While not necessarily fatal, this may produce unexpected results.

This is unrelated to your issues, but should be deleted:


The drivers for the Pi work.

The radio is weak, but it's not known for driver failures, although the drivers are not perfect and do toss errors -- e.g. when it does a DFS scan.

Yes, I set up WG haphazardly. I had incorrectly assumed that WG and lan should overlap, since I intended to access my lan through the WG interface.

Good to know.

In any case, I'll respond with logs when it happens again.

They must not overlap, as is the case for all routed interfaces -- each one must have its own unique, non-overlapping subnet.

The solution is pretty easy -- set each of the networks to a /24 (rather than /22), and change the phone peer to use an address on the WG subnet (i.e. 192.168.4.2/32).

Does this look right?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever

2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN group default qlen 1000
    link/ether a brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether b brd ff:ff:ff:ff:ff:ff
    inet public_ip/25 brd public_ip scope global eth1
       valid_lft forever preferred_lft forever
    inet6 something/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

4: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether c brd ff:ff:ff:ff:ff:ff permaddr 2c:cf:67:4d:2e:ab

6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fddb:4626:91c::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2ecf:67ff:fe4d:2eaa/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.4.13/24 brd 192.168.4.255 scope global wg0
       valid_lft forever preferred_lft forever

18: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f0df:75ff:fea7:4697/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Also regarding the redirect, wouldn't I need this if I want to allow access from remote hosts via wg0?

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'vpn'
	option src 'wan'
	option src_dport '51820'

I don't understand that subnet mask. Wouldn't a /32 mean that the network has only one device (host?) on it? How do I access that IP?

That looks better, but I prefer to review the config file itself.

You already have the rule that is needed to allow the VPN to connect remotely (the 'Allow-WireGuard' input rule accepting UDP 51820 from wan); the redirect is a DNAT into the lan zone and is not needed for the router's own WireGuard listener:

Also, regarding your wireless performance... as @LilRedDog points out, the radio is "weak" but works. It is a very poor choice as an AP: it has a very limited 1x1 radio with poor range and poor throughput. Even worse, the 1x1 radio is not good at handling multiple client devices -- performance severely degrades as the number of active clients grows. It will still be functional, but you will have much better performance with essentially any purpose-built WiFi AP or all-in-one device (including older ones).

Once the main interface is a /24 and the peer is on the same subnet, you specify the peer as a /32 because only traffic bound for that peer should go through the tunnel. The traffic can come from anywhere, but the /32 is the destination address.

Okay, it happened again. I grabbed both the system and kernel logs. In the system log, these notices came up multiple times and seemed suspicious to me.

Fri Jun 13 15:26:49 2025 daemon.err dnsmasq[1]: failed to send packet: Required key not available
...

Sat Jun 14 10:12:18 2025 daemon.info hostapd: phy0-ap0: STA <unknown-mac> IEEE 802.11: disassociated

...

Sat Jun 14 10:52:21 2025 daemon.warn odhcpd[1113]: No default route present, overriding ra_lifetime to 0!

Did you make the changes I suggested?


Have you applied all the edits suggested by @psherman?
