Help fixing persistent network failure

I think so.

  • Each network is using a /24 netmask, so there’s no overlap.

  • Put the phone’s allowed ip within the wg0 network.

  • Deleted the vpn redirect configuration.

I haven’t had a chance to replace the AP though. It hasn’t been 24hrs after all.

Let’s see the updated configs.


# UCI network config (appears to be /etc/config/network, pasted with secrets blanked).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:4626:91c::/48'
	option packet_steering '1'

# Single bridge port: eth0 is the only wired LAN port on this box.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN is 192.168.5.0/24; the WireGuard network (wg0 below) is 192.168.4.0/24,
# so the two do not overlap.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# NOTE(review): the interface is named upper-case 'WAN'. UCI section names are
# case-sensitive, so anything referring to 'wan' (e.g. the dhcp 'wan' section in
# the pasted dhcp config) does not match this interface; the pasted firewall
# zone 'wan' lists both spellings, so the zone assignment is covered.
config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

# WireGuard listener on UDP 51820 (must match the 'Allow-WireGuard' firewall rule).
# private_key is blank here — presumably redacted for posting.
config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.4.13/24'

# Peer: allowed_ips 192.168.4.2/32 lies inside wg0's on-link 192.168.4.0/24, so no
# extra route is needed for it. public_key is blank — presumably redacted.
# NOTE(review): 'private_key' is not a peer-level option as far as I know
# (peer sections use public_key/preshared_key); likely a leftover — confirm and drop.
config wireguard_wg0
	option description 'cullens_iphone'
	option public_key ''
	option private_key ''
	option persistent_keepalive '25'
	list allowed_ips '192.168.4.2/32'


# UCI firewall config (appears to be /etc/config/firewall).
# Default policy: reject unsolicited input and forwarding; only the zones, forwardings
# and rules below open anything. synflood_protect enables SYN-flood rate limiting.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: fully open towards the router and between lan hosts.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: no inbound by default, NAT (masq) for traffic leaving to the internet.
# Lists 'wan', 'wan6' and 'WAN' so the upper-case interface name used in the
# pasted network config is covered.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to 'Allow-ISAKMP' are the stock OpenWrt defaults: DHCP renew,
# ping, IGMP, DHCPv6, MLD and ICMPv6 housekeeping from the wan side.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited (1000/sec) ICMPv6 to the router itself.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same ICMPv6 set forwarded through to any zone (dest '*'), also rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules (wan -> lan). Only relevant if an IPsec endpoint
# sits behind the lan zone; harmless otherwise, but they are not needed for WireGuard.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vpn zone (wg0): input ACCEPT means a connected WireGuard peer can reach every
# service the router itself listens on (ssh/http/dns), not only the LAN behind it.
# Peer-to-peer forwarding inside the zone is rejected; the explicit forwardings
# below carry traffic to lan and wan.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# vpn -> lan: peers can reach LAN hosts.
config forwarding
	option src 'vpn'
	option dest 'lan'

# vpn -> wan: peers may route internet traffic through this router (full-tunnel use);
# the wan zone's masq covers the NAT.
config forwarding
	option src 'vpn'
	option dest 'wan'

# lan -> vpn: LAN hosts can initiate connections to the peer addresses.
config forwarding
	option src 'lan'
	option dest 'vpn'

# Opens the WireGuard listen port on the router (no dest => input chain).
# The port must match listen_port on interface wg0 in the network config.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'


# UCI wireless config (appears to be /etc/config/wireless).
# Single 5 GHz radio: channel 36, 80 MHz (VHT80), regulatory domain US.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'

# WPA2-PSK (psk2) access point bridged into the lan network.
# key is blank here — presumably redacted for posting.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'BoboPlanet'
	option encryption 'psk2'
	option key ''
	option network 'lan'


# UCI DHCP/DNS config (appears to be /etc/config/dhcp).
# Settings worth keeping as-is from a hardening standpoint:
#   rebind_protection '1' — reject upstream DNS answers pointing at private ranges (DNS rebinding)
#   boguspriv '1'         — do not forward reverse lookups for private ranges upstream
#   localservice '1'      — answer DNS only for clients on local subnets
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# LAN pool: 192.168.5.100 – 192.168.5.249 (start 100, limit 150), 12h leases.
# DHCPv6 and router advertisements are served on the same interface.
config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option limit '150'

# NOTE(review): the network interface in the pasted network config is named
# upper-case 'WAN'; UCI names are case-sensitive, so this 'wan' section does not
# match it. With no dhcp section for 'WAN' nothing is served on that interface
# anyway, so this looks like a consistency nit rather than an exposure — confirm.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

The config generally looks good.

This doesn't necessarily mean anything is wrong.

Do all devices have connectivity loss? Does it happen all at the same time? Is there a difference between wired and wireless devices in terms of the connectivity issues?

I was waiting for it to happen again and it just has.

All devices lose connectivity at the same time. I also confirm that it affects both wired and wireless devices.

Sifting through the logs at the moment.

Does the connectivity only fail towards the internet, or does the router itself stop responding?

Router is fine to my knowledge. I have SSH and HTTP access to it.

What is the power source you are using for the pi?

It's a CanaKit 3.5A USB-C ACDC power supply.

Ok. That should be fine.

Do you have a powered usb hub that you can insert between your pi and the usb Ethernet adapter?

Not presently. What do you have in mind? I do have a USB-to-serial adapter if that is of any use.

No. The idea is that it’s possible that the usb Ethernet adapter is drawing more power than the pi has to provide on those ports. If that is the case, a powered usb hub would offload the power for the Ethernet adapter from the pi to the hub.

You could try swapping the Ethernet ports in the config and then swap the cables. If the problem manifests again and the router itself becomes unreachable (even for just a moment) it would suggest the Ethernet adapter is suspect (power or otherwise).

A persistent ping from a wired machine to the router (after swapping the port functions and cables) might help reveal if anything is happening here.

Incidentally, I have a gigabit switch. Would it be possible to take the single ethernet port and create two virtual interfaces on top of it?

To be clear, I still intend to test the USB ethernet dongle but now I have this curiosity.

If it’s useful to know, I’m using a TP link U306 USB ethernet adapter plugged into the USB 3.0 port.

Is the gigabit switch a managed model?

It is. The specific model is the Netgear GS105Ev2.

I think, but I cannot say for sure, that the switch model you have is not suitable for a wan-facing situation. I know for certain that the TP-Link TL-SG1xxE series are not appropriate, and I believe that the GS105E has many of the same flaws. The primary thing is that you must be able to set the management VLAN on the switch. Does it have a feature allowing that? If not, it's a no-go. If so, you can do that and then it will be possible to try this.


M.Whitlock
Reviewed in the United States on February 3, 2025. A professional network engineer might scoff at this "prosumer"-grade switch, but it does actually have a fair bit of flexibility in regard to its VLAN configuration, and you get a lot of bang for your buck. I bought it so I could connect two Internet gateways (a cable modem and an optical network terminal) to my router's single WAN port and two virtual LANs to my router's single LAN port. Despite the two passes that packets need to take through this switch on their way between the Internet and my LAN devices, I can still download the latest Chromium sources from Google at over 100 MiB/s (average over the course of a 2-GiB+ download) through my gigabit Internet link, so I know the switch matrix is doing a good job at keeping the crossing flows from colliding.
To pull off having two gateways connected to one WAN port on my router, I have two 802.1Q-tagged virtual interfaces configured on my router's WAN interface with distinct tags that I assigned as the PVIDs of the two switch ports that the gateways plug into. Each of those two switch ports is configured to pass the traffic of its respective VLAN untagged since the cable modem and the ONT are not expecting 802.1Q-tagged Ethernet frames. Then the switch port that is connected to my router's WAN port is configured as a member of both of the gateway VLANs and is configured to pass their traffic with tags so that my router can run its two virtual interfaces on its one WAN port. That switch port has its PVID set to a throwaway VLAN (of which no other ports are members) so that any untagged traffic coming from the router's WAN port will be thrown away and will not leak to the remaining five switch ports that connect my internal LAN.
