Main wifi unstable - Guest wifi works

Hi all,

My main wifi is very unstable. While I can always connect to it, I often don't have any internet access (tested with several different devices). However, my guest wifi works flawlessly.

I run OpenWrt on a ZyXEL NBG7815 (Armor G5) and have a KPN 12 box for access to the internet. In addition, I run a Raspberry Pi as DNS server. Please find screenshots and config attached/below.

Thanks for any help, and please don't hesitate to let me know if any info is missing. I am quite new to the OpenWrt environment.



 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@OpenWrt:~# ls /etc/config
attendedsysupgrade  luci                ucitrack-opkg
banip               luci-opkg           uhttpd
banip-opkg          luci_statistics     uhttpd-opkg
collectd            network             upnpd
dhcp                nlbwmon             upnpd-opkg
dhcp-opkg           rpcd                usteer
dropbear            system              vnstat
firewall            ubootenv            wireless
https-dns-proxy     ucitrack
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted: loopback, the LAN bridge (192.168.3.0/24),
# a DHCP WAN, a static 'modem' alias on the WAN device, and a separate
# 'guest' network (192.168.8.0/24).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde9:f7a4:9121::/48'

# LAN bridge over the wired ports; IPv6 is switched off on this device.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports '10g'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        # 192.168.3.2 is presumably the Raspberry Pi DNS server from the post.
        # NOTE(review): this entry configures the resolver for the interface;
        # which DNS server DHCP clients are handed is decided in
        # /etc/config/dhcp, which is not shown here - confirm there.
        list dns '192.168.3.2'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# DHCPv6 client on the WAN device; 'auto 0' means it is not brought up at boot.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'auto'
        option auto '0'

# Static alias on top of 'wan' ('@wan'), presumably to reach the KPN box's
# management address.
# NOTE(review): no netmask/prefix is given for 192.168.2.253, and the
# 'gateway' option adds a second default route next to the one learned by
# the DHCP client on 'wan' - check the resulting routing table (`ip route`).
config interface 'modem'
        option proto 'static'
        option device '@wan'
        list ipaddr '192.168.2.253'
        option gateway '192.168.2.254'

# No 'option device' here; the guest SSID in /etc/config/wireless attaches
# to this interface through its 'option network' setting.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option ipv6 '0'

root@OpenWrt:~# cat /etc/config/firewall

# Global policy: anything not matched by a zone or rule is rejected on input
# and forward; output from the router itself is allowed.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        # NOTE(review): flow offloading lets established flows bypass parts of
        # the normal packet path; when chasing intermittent connectivity it is
        # worth testing with this set to '0' to rule it out.
        option flow_offloading '1'

# Trusted LAN zone: full access to the router and between LAN hosts.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # NOTE(review): masquerading on the lan zone is not part of the stock
        # configuration. Traffic forwarded out of a lan interface is rewritten
        # to the router's address, so LAN services (the DNS server, the hosts
        # behind the port forwards) presumably see 192.168.3.1 instead of the
        # real client - confirm this is intended, since it removes per-client
        # attribution from their logs.
        option masq '1'
        list network 'lan'
        option log '1'

# Untrusted upstream zone covering the DHCP WAN, the disabled wan6 and the
# 'modem' alias; NAT and MSS clamping are applied here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        list network 'modem'
        list network 'wan'
        list network 'wan6'

# LAN clients may initiate connections towards the WAN zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Inbound exceptions for the wan zone. Names and matches look like the stock
# OpenWrt rule set - presumably unchanged defaults; verify against a fresh
# install if in doubt.

# DHCP replies to the router's own WAN client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ping from the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv6 rules below stay in place although IPv6 is disabled on the 'wan' and
# 'br-lan' devices in /etc/config/network and wan6 has 'auto 0'.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 to the router itself (no 'dest', so an input rule).
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Rate-limited ICMPv6 forwarded from wan to any zone.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward IPsec (ESP and UDP/500) from wan to any lan
# host; no dest_ip narrows them.
# NOTE(review): if no IPsec endpoint lives on the LAN, these can be disabled
# to reduce the forwarded surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards from the internet and DNS interception for the lan zone.

# Internet-facing forward: wan port 42400 -> 192.168.3.159:32400, TCP and UDP.
# NOTE(review): confirm UDP is actually required; forward only the protocol
# the service needs, and keep the exposed host patched.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex'
        option src 'wan'
        option src_dport '42400'
        option dest_ip '192.168.3.159'
        option dest_port '32400'
        list proto 'tcp'
        list proto 'udp'

# Rewrites port-53 traffic from LAN clients to 192.168.3.2, except traffic
# from 192.168.3.2 itself and from the one excluded MAC address.
# NOTE(review): every LAN client's name resolution then depends on that one
# host being reachable, which matters when diagnosing "connected but no
# internet". Only plain DNS on port 53 is intercepted; DNS over TLS/HTTPS
# from clients is not affected by this rule.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect DNS to PiHole'
        option src 'lan'
        option src_ip '!192.168.3.2'
        option src_dport '53'
        option dest_ip '192.168.3.2'
        option dest_port '53'
        list src_mac '!B4:2E:00:A8:B4:6C'

# Source-NATs DNS traffic headed to 192.168.3.2 (all sources except
# 192.168.3.159), presumably so replies to redirected queries return through
# the router. Side effect: the DNS server sees the router as the client.
config nat
        option name 'Prevent hardcoded DNS'
        list proto 'tcp'
        list proto 'udp'
        option src 'lan'
        option dest_ip '192.168.3.2'
        option dest_port '53'
        option target 'MASQUERADE'
        option src_ip '!192.168.3.159'

# Rejects LAN traffic to port 5353 leaving via wan; no proto is specified.
config rule
        option name 'Block port 5353'
        option src 'lan'
        option dest 'wan'
        option dest_port '5353'
        option target 'REJECT'

# NOTE(review): both Syncthing redirects below open wan port 22000 but set no
# 'dest_ip', so no LAN host is named as the target. Confirm which host should
# receive this traffic and check what rule is actually generated (for
# example in the output of `fw4 print`); an open forward without a defined
# target is exposure with no clear owner.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Syncthing TCP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22000'
        option dest_port '22000'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Syncthing UDP'
        list proto 'udp'
        option src 'wan'
        option src_dport '22000'
        option dest_port '22000'

# Guest zone: default-deny towards the router and towards other zones, with
# explicit exceptions below. Rules are evaluated in the order listed.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Lets guest clients reach the router's DHCP service (no 'dest', so this is
# an input rule).
config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

# Disabled ('enabled 0'). Guest-to-lan isolation therefore rests on the zone's
# forward REJECT policy and on there being no guest -> lan forwarding section;
# the only forwarding defined for guest is towards wan.
config rule
        option name 'Block_Guest_from_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'
        option enabled '0'

# The single deliberate hole from guest into lan: IPv4 UDP/53 to 192.168.3.2.
# NOTE(review): UDP only - DNS over TCP (large answers, retries) is not
# covered by this rule.
config rule
        option target 'ACCEPT'
        option dest_port '53'
        option proto 'udp'
        option src 'guest'
        option family 'ipv4'
        option dest 'lan'
        option name 'Allow-guest-pihole'
        list dest_ip '192.168.3.2'

# Disabled ('enabled 0').
config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.3.2'
        option enabled '0'

# NOTE(review): with no 'dest' this appears to act on traffic addressed to the
# router itself rather than forwarded traffic, i.e. guests cannot reach the
# router's own services (web UI, SSH) beyond the DHCP exception above -
# confirm against the generated ruleset.
config rule
        option name 'Block_Guest_all'
        option src 'guest'
        option target 'DROP'

# Guests may initiate connections towards the WAN zone.
config forwarding
        option src 'guest'
        option dest 'wan'

# Rewrites guest port-53 traffic to 192.168.3.2 in the lan zone.
# NOTE(review): the '!192.168.3.2' source exclusion names an address in the
# lan subnet (192.168.3.0/24), not the guest subnet (192.168.8.0/24), so it
# presumably never matches guest traffic.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Force DNS for guest'
        option src 'guest'
        option src_ip '!192.168.3.2'
        option src_dport '53'
        option dest_ip '192.168.3.2'
        option dest_port '53'

# Two network-type IP sets loaded from files, both disabled ('enabled 0').
# No rule or redirect in the firewall config shown references either set.
# NOTE(review): the load files live under /var, which is usually volatile
# storage on OpenWrt - confirm something recreates them before enabling.
config ipset 'nl'
        option name 'nl'
        option family 'ipv4'
        option match 'net'
        option loadfile '/var/ipset-nl'
        option enabled '0'

config ipset 'nl6'
        option name 'nl6'
        option family 'ipv6'
        option match 'net'
        option loadfile '/var/ipset-nl6'
        option enabled '0'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as posted: three radios (one disabled), the main SSID
# on radio0 and radio1, and the guest SSID on radio1 only.

# 5 GHz radio, channel 36, 80 MHz 802.11ax.
# NOTE(review): no 'option country' is set here while radio1 sets 'NL' -
# confirm the regulatory domain is configured consistently.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

# Main SSID on 5 GHz, bridged into 'lan'. 'psk2' is WPA2-PSK; the SSID and
# key are redacted placeholders in the post.
# NOTE(review): 802.11r fast transition is enabled on the main SSID (both
# bands) and not on the guest SSID - one of the visible differences between
# the network that fails and the one that works. Some clients handle FT
# poorly, so turning it off is a cheap test.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '******'
        option encryption 'psk2'
        option key 'PASSWORT'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# 2.4 GHz radio, channel 1, 20 MHz 802.11ax, regulatory domain NL.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'NL'

# Main SSID on 2.4 GHz, same security and 802.11r settings as on radio0.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '******'
        option encryption 'psk2'
        option key 'PASSWORT'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Second 5 GHz radio, disabled.
config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+2'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

# Guest SSID on the 2.4 GHz radio only, attached to the 'guest' network.
# 'isolate 1' blocks client-to-client traffic on this SSID. 'sae-mixed'
# offers WPA3-SAE alongside WPA2-PSK, so WPA2-only clients can still join
# and the SSID is only as strong as its WPA2 side for those clients.
# The main SSIDs above are WPA2-only.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '******'
        option encryption 'sae-mixed'
        option isolate '1'
        option key 'PASSWORT'
        option network 'guest'

root@OpenWrt:~#

Thanks!
Best,