How to troubleshoot client not connecting to Wifi? My vacuum robots (now defunct Neato brand) do not seem to like connecting with OpenWRT routers / APs. All other clients are not complaining, it's just these Neato's that don't work. They work fine with another brand (stock) router, so I wonder if I misconfigured something on the OpenWRT side. Is there a tool available with which I can follow communication between router and client based on MAC or hostname so I don't need to dig through all the logs?
I tried grepping the log, but that didn't seem to do anything. Again, my setup works fine, it's just these two clients that won't connect and I would like to figure out why.
Maybe the encryption type?
let's see your config:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Maybe the vacuum robots are not compatible with your router settings.
Try changing the wifi channel, hwmode and encryption.
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Dynalink DL-WRX36",
"board_name": "dynalink,dl-wrx36",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "ipq807x/generic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdcc:2a05:1061::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan.99'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '94.140.14.14'
list dns '94.140.15.15'
list dns '1.1.1.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option dns 'XXXX'
option peerdns '0'
config device
option name 'wan'
option macaddr 'XXXX'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config interface 'guest'
option proto 'static'
option device 'br-lan.4'
list ipaddr '192.168.3.1/24'
config device 'iot_dev'
option type 'bridge'
option name 'br-iot'
config interface 'iot'
option proto 'static'
option device 'br-lan.3'
list ipaddr '192.168.2.1/24'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:u*'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan1'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/c000000.wifi'
option channel 'auto'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/c000000.wifi+1'
option channel '11'
option band '2g'
option htmode 'HE20'
option cell_density '0'
option country 'US'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Crispy'
option encryption 'psk2'
option key 'XXXX'
option ieee80211r '1'
option mobility_domain 'XXXX'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option disassoc_low_ack '0'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'Crispy_5G'
option encryption 'sae-mixed'
option key 'XXXX'
option network 'lan'
option ieee80211r '1'
option mobility_domain 'XXXX'
option ft_over_ds '0'
config wifi-iface 'guest'
option device 'radio1'
option mode 'ap'
option network 'guest'
option ssid 'Crispy_Guest'
option encryption 'psk2'
option key 'XXXX'
option isolate '1'
option ieee80211r '1'
option mobility_domain 'XXXX'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'iot'
option device 'radio1'
option mode 'ap'
option network 'iot'
option ssid 'Dingen'
option encryption 'psk2'
option key 'XXXX'
option isolate '1'
option wmm '0'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option noresolv '1'
option port '5353'
option dnsforwardmax '1024'
config dhcp 'lan'
option interface 'lan'
option start '10'
option limit '244'
option leasetime '24h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
list dns '::1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '1h'
list dhcp_option '6,192.168.1.1'
config dhcp 'iot'
option interface 'iot'
option start '10'
option limit '244'
option leasetime '24h'
list dhcp_option '6,192.168.1.1'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config zone 'iot'
option name 'iot'
option network 'iot'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
config rule 'iot_dns'
option name 'Allow-DNS-iot'
option src 'iot'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'iot_dhcp'
option name 'Allow-DHCP-iot'
option src 'iot'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'iot'
config rule
option name 'Allow-IOT-To-HA'
option src 'iot'
option dest 'lan'
list dest_ip '192.168.1.88'
option target 'ACCEPT'
config rule
option name 'Allow-IOT-mDNS'
list proto 'udp'
option src 'iot'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
config rule
option name 'Allow-LAN-mDNS'
list proto 'udp'
option src 'lan'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
config rule
option name 'Block-IOT-to-Other'
option src 'iot'
option dest 'lan'
option target 'REJECT'
config redirect 'dns_int'
option name 'Intercept-DNS'
option src 'lan'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
option family 'any'
option enabled '0'
According to https://support.neatorobotics.com/hc/en-us/articles/5908919250715-Problem-with-the-step-Connecting-to-WiFi , I think the vacuums should be able to connect to my Crispy or Crispy_guest networks. They have been connected to these same networks with the same names and WPA keys but on stock routers.
frollic
December 29, 2024, 9:45pm
5
Try disabling 80211r, or try the iot SSID, where it isn't enabled.
frollic:
Try disabling 80211r,
+1 to this. I always recommend against using 802.11r as it tends to cause more problems than it solves, especially for IoT devices. Remove all traces of 802.11r from all of your APs and SSIDs, even though this doesn't directly apply to the IoT network.
Specifically on your iot ssid, remove the isolation and wmm options (the last 2 lines of the 'iot' wifi-iface section, `option isolate '1'` and `option wmm '0'`):
I see that you're setting DHCP option 6 below, and further evaluation of your DNS situation is that you have changed the DNS handling on your network...
If you actually need to set dhcp option 6 because of the changes you made, set it to 192.168.2.1.
Remove the gateway and DNS from here (the `option gateway` and `list dns` lines of the 'iot' interface in /etc/config/network):
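Remove port lan1 from here, or make it tagged (this applies to the bridge-vlan sections for VLANs 3 and 4, where lan1 is listed without a tag although it is already the untagged port of VLAN 99):
Same here: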
Delete this:
And delete this, too:
Reboot after all these changes and test again.
These things will help your network in general, but I suspect that the issue is actually your DNS changes.
disabling 802.11r did the trick. Thanks for the other recommendations as well!
Questions:
why should I remove the isolation and wmm on my iot network? I don't want the devices there to talk to each other and I don't think they should be doing multimedia stuff so no need for wmm?
I have changed the DNS handling because I am running Adguard on my router.
i need my lan1 port untagged for any vlans, and set the primary vlan to 99.
Some devices need to talk to each other (such as to a product specific 'gateway' or whatever). But if your IoT devices are happy with isolation enabled, go ahead and turn it back on.
Only one network is allowed as untagged on a given port.
So how do I make sure my lan1 port is on VLAN 99? I need to be able to connect VLAN-unaware devices to it, such as an unmanaged switch or laptop. I thought I needed to untag it for all VLANs (LuCI allows me to do it).
If you want the port to be usable for non-VLAN-aware devices and you want them to join VLAN 99, just do as I had said before... remove port lan1 from VLANs 3 and 4.
I want my IOT devices to not access the internet except for one specific host. I set up firewall rules for that.
However, you suggest I remove the gateway and dns here, will that not allow them to access the internet regardless because they can bypass my dns?
That is not how it works.
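The gateway and DNS options on the router's 'iot' interface configure the router itself, not the clients; what the IoT devices can reach is decided by the firewall zone and its forwardings. They will route via the default gateway, but are limited by the firewall rules that you can put in place as needed.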