Odhcpd and unbound for DoT causing WIFI connection problems

I just replaced dnsmasq with odhcpd and unbound to set up Cloudflare DNS over TLS; the setup was successful. However, I have a problem with my smartphone's wireless connection: it couldn't get an IP address or join the WiFi, even without a password. I need help; a log is attached.

Router: Mi Router 4a gigabit v.1
Firmware: OpenWRT 23.05.3

Mon May 27 16:55:29 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:55:29 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:55:29 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open
Mon May 27 16:55:52 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED fc:67:1f:7d:a1:7f
Mon May 27 16:55:52 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:55:52 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:55:52 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open
Mon May 27 16:56:07 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED fc:67:1f:7d:a1:7f
Mon May 27 16:56:07 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:56:07 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:56:07 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open
Mon May 27 16:56:29 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED fc:67:1f:7d:a1:7f
Mon May 27 16:56:29 2024 daemon.notice hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: did not acknowledge authentication response
Mon May 27 16:56:42 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:56:42 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:56:42 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open
Mon May 27 16:57:05 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED fc:67:1f:7d:a1:7f
Mon May 27 16:57:05 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:57:05 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:57:05 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open
Mon May 27 16:57:07 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED fc:67:1f:7d:a1:7f
Mon May 27 16:57:07 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: authenticated
Mon May 27 16:57:07 2024 daemon.info hostapd: phy0-ap0: STA fc:67:1f:7d:a1:7f IEEE 802.11: associated (aid 1)
Mon May 27 16:57:07 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED fc:67:1f:7d:a1:7f auth_alg=open

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I have already done this by entering the commands. Is there a solution to my problem before I reset my router? The results are as follows.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd3:04a4:67eb::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option type 'bridge'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan wan wan6'
        option mode 'ap'
        option ssid 'Jasuke'
        option encryption 'none'
        option key 'kopisusu47!'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp
n'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option interface 'lan'
        option leasetime '12h'
        option ra 'server'
        option ra_management '1'

config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/var/lib/odhcpd/dhcp.leases'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Guess you didn't read this part:

This is wrong:

These configs are all wrong: wan, wireless, etc.

I agree.

@FAK47
Reset, and start from scratch.
Don't touch any network-related config, except for the WiFi SSID names and their security (WPA2/3 and password).
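As an added example (not code from this thread or from the OpenWrt project), here is a small POSIX sh/awk audit that parses the UCI `/etc/config/wireless` stanza format shown above and flags the two defects the replies point at: a wifi-iface with `encryption 'none'`, and one attached to the upstream networks (`wan`, `wan6`) instead of `lan` only. The two sample files are constructed (SSID and key are placeholders); `sae-mixed` is OpenWrt's WPA2/WPA3 mixed mode, and the check assumes `lan` is the only client-facing network.

```shell
#!/bin/sh
# audit_wireless FILE: parses the UCI wireless format (config / option stanzas)
# and prints one finding per line for each wifi-iface that is either unencrypted
# or attached to a network other than lan. Prints nothing for a clean file.
audit_wireless() {
    awk -v q="'" '
    function flush() {
        if (sec == "wifi-iface") {
            if (enc == "" || enc == "none")      # OpenWrt treats a missing value as none
                print name ": open network (encryption none), ssid " ssid
            n = split(net, nets, " ")
            for (i = 1; i <= n; i++)
                if (nets[i] != "lan")             # assumption: lan is the only client network
                    print name ": attached to non-LAN network " nets[i]
        }
        sec = ""; name = ""; enc = ""; net = ""; ssid = ""
    }
    $1 == "config" { flush(); sec = $2; name = $3; gsub(q, "", name) }
    $1 == "option" {
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v)
        if ($2 == "encryption") enc = v
        else if ($2 == "network") net = v
        else if ($2 == "ssid") ssid = v
    }
    END { flush() }' "$1"
}

# Constructed sample mirroring the broken stanza in the thread (SSID and key replaced).
BAD=$(mktemp); GOOD=$(mktemp)
cat > "$BAD" <<'EOF'
config wifi-iface 'default_radio0'
        option network 'lan wan wan6'
        option mode 'ap'
        option ssid 'ExampleSSID'
        option encryption 'none'
        option key 'placeholder-passphrase'
EOF
# The same stanza as it should look: joined to lan only, WPA2/WPA3 mixed mode.
cat > "$GOOD" <<'EOF'
config wifi-iface 'default_radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ExampleSSID'
        option encryption 'sae-mixed'
        option key 'placeholder-passphrase'
EOF
audit_wireless "$BAD"    # three findings: open network, wan, wan6
audit_wireless "$GOOD"   # no output
```

Run it against the real file with `audit_wireless /etc/config/wireless` on the router; a clean file produces no output.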

I have changed the settings but nothing works. If just resetting the router is the solution, then I will do it.

Nothing works because you have changed the settings...

It won't; it'll go back to the default settings, which work.

Skip odhcpd and unbound, leave dnsmasq as it is, and install dns-over-https instead.

https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

Yesterday I tried DNS-over-HTTPS, but I had a problem: I was not able to log in to LuCI, only via SSH. Therefore I tried DNS-over-TLS for network security. After several attempts I couldn't register for AWS, Google Cloud, or Oracle to create a VPS and set up a private VPN. Thank you for your answer.

From LAN?
Then you did something you shouldn't have.
dns-over-https doesn't do anything with the web server and web UI.
Internet access failing would be a possible post-install issue; accessing the web UI isn't.

Yes, I set it via LAN. Is there any other solution to improve internet network security with OpenWRT?

You just tried two, and failed to set them up.

Don't blame the software.

I don't blame the software. I will try again with dns-over-https. If this method fails, I will use the OpenWRT firewall settings for temporary internet network security, then try a VPN service with a good price.

If you can't get dns-over-https to work, which is by far the simplest of the solutions mentioned so far, you will probably not succeed with a DNS VPN tunnel.

Thank you for the advice.

I tried dns-over-https; it worked. Indeed, yesterday there were several settings that were wrong.


I found a better and easier solution for using Cloudflare DoH and DoT by using the SmartDNS settings as follows.

