OpenWrt AP stops communicating to primary Router

Hello OpenWrt Community

First of all, thank you for the good work and possibilities you are creating!

I am quite new to OpenWrt and lower level IT environment and therefore requesting your help. Since I have to explain a bit I'd like to describe the issue I am facing first. Afterwards I will tell you about my setup so far and in the end I will attach some config files.

The Issue:
I have set up an OpenWrt Router as a Wireless Access Point (wireless connection to the main - non OpenWrt - Router and wireless connection to other devices). Everything works fine.
When I am now starting a Bit Torrent download (current Ubuntu LTS) the Torrent client connects to some Peers and starts downloading at max speed as expected. However after just a few seconds (about 5) it stops. At this point I can still connect to the OpenWrt via ssh but from there I am not able to ping the primary router as I was before. After a reboot of the AP everything is back to normal.

What I actually need help with is figuring out what that issue is related to, since I have no idea what to start looking at at all. If a similar issue was discussed already I am really sorry.

The Setup:
The described AP is a TP-Link AC50 v1. The overall Idea is to use it as a WiFi repeater (currently non bridged) emitting a fully accessible lan network and a restricted second Guest network at the same time. Furthermore it should provide a non bridged OpenVPN service with yet another VPN Network. What I refer here as "network" would be an "Interface" to OpenWrt. The Connection to the Internet is provided by the wan which is a wireless connection to a Speedport w724v I got from my ISP. In the end it would be perfectly possible if that thing is causing the issue...

The lan is fully forwarded to the wan whereas the Guest only has two firewall rules forwarding packets with destination ports 80, 443, 993 and 995. Additionally there are DNS and DHCP Allowed as mentioned in pretty much all the guest wifi guides. The Bit Torrent test I mentioned above used the lan network. When connected to Guest nothing happened at all - as intended.
The goal with the Guest network is to be restrictive and only add more access when needed. When everything works properly it will be extended by things like VPN Ports. Anyway I would love your recommendations on that as well.

The Configs:
If you need any more information on anything please let me know.

Wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option htmode 'HT20'
	option disabled '0'
	option legacy_rates '1'
	option country 'DE'
	option txpower '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'Guest'
	option isolate '1'

config wifi-iface
	option network 'wwan'
	option ssid 'xxx'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'sta'
	option bssid 'xxx'
	option key 'xxx'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option network 'lan'
	option encryption 'psk2'
	option key 'xxx'

Network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config globals 'globals'
	option ula_prefix 'xxx'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask 'xxx'
	option ifname 'eth0.1 tap0'
	option ipaddr 'xxx'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xxx'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xxx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'Guest'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config interface 'VPN'
	option proto 'static'
	option ifname 'xxx'
	option netmask 'xxx'
	option ipaddr 'xxx'

Firewall:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wwan'
	option log '1'
	option log_limit '500'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option name 'Allow DNS'
	option src 'Guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP'
	option src 'Guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '1194'
	option name 'OpenVPN'
	option proto 'tcp udp'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'VPN'
	option network 'VPN'
	option output 'REJECT'
	option forward 'REJECT'
	option input 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'VPN'

config forwarding
	option dest 'wan'
	option src 'VPN'

config rule
	option target 'ACCEPT'
	option src 'Guest'
	option name 'Guest Allow Web'
	option proto 'tcp'
	option dest 'wan'
	option dest_port '80 443'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option name 'Guest Allow Mail Client'
	option proto 'tcp'
	option dest_port '993 995'
	option src 'Guest'
	option dest 'wan'
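
For checking the Guest restrictions described in the first post, here is an added example (not part of any post in this thread) that parses a UCI firewall file and lists what is accepted from one zone. The function names `parse_uci` and `zone_exposure` are hypothetical; it relies on the OpenWrt firewall convention that a rule with a `src` but no `dest` applies to traffic addressed to the router itself.

```python
import shlex
# Trimmed excerpt of the firewall config posted above (blank lines removed).
FIREWALL = """
config zone
	option name 'Guest'
	option input 'REJECT'
	option forward 'REJECT'
config rule
	option name 'Allow DNS'
	option src 'Guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
config forwarding
	option dest 'wan'
	option src 'lan'
config rule
	option name 'Guest Allow Web'
	option src 'Guest'
	option proto 'tcp'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
"""

def parse_uci(text):
    sections = []  # [(section_type, {option: value})]; 'list' entries accumulate
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[:1] in (["option"], ["list"]) and sections and len(tok) == 3:
            o = sections[-1][1]
            o[tok[1]] = o.get(tok[1], []) + [tok[2]] if tok[0] == "list" else tok[2]
    return sections

def zone_exposure(sections, zone):
    # Collect everything accepted from `zone`; entries are (dest, proto, ports).
    out = {"input": None, "forward": None, "to_router": [], "forwarded": []}
    for kind, o in sections:
        if kind == "zone" and o.get("name") == zone:
            out["input"], out["forward"] = o.get("input"), o.get("forward")
        elif kind == "forwarding" and o.get("src") == zone:
            out["forwarded"].append((o.get("dest"), "any", "any"))
        elif kind == "rule" and o.get("src") == zone and o.get("target") == "ACCEPT":
            entry = (o.get("dest", "router"), o.get("proto", "unspecified"), o.get("dest_port", "any"))
            out["forwarded" if "dest" in o else "to_router"].append(entry)
    return out

print(zone_exposure(parse_uci(FIREWALL), "Guest"))
```

Run against a copy of `/etc/config/firewall`, the same functions show at a glance whether a zone has a zone-wide forwarding (as `lan` does here) or only per-port rules (as `Guest` does).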

Maybe the WAN port is not working? I had similar issues with TP-Link Archer C7, all of a sudden the WAN port is no longer active, I had to restart the network or reboot to get it back. You can use ifconfig to check if WAN port has IP addresses.

If WAN is not alive, you can not ping the upstream non-openwrt router thus no internet for p2p.

To be honest, your device only has a 580 MHz CPU and 6 MB RAM, it may be crashing under stress...I've had similar problems on WRT54G based devices.

Can you run top on the router while testing...it will likely freeze, but you'll see the last results before crashing.

logread
service network reload

All right. Thank you very much for the input.

I am aware that my device is not the most powerful one. So if that really is the issue here I would like to track that down. If so probably no fancy settings will help.

I reran the test as you mentioned. When the transfer started there really was something named ksoftirqd/0 which generated some CPU load. But from what I have seen not above 35%. kworker/0:1 generated a load of about 10%. I had a look at the ifconfig. But the wan port still contains its IP address. Of course after a network restart it does not any more.
Furthermore I came to notice that all wireless connections died. The laptop was not able to reconnect to the router again. Even though its wifi still showed an established connection.
But I have another wired connection to the router which was not affected at all. Top was running smoothly the whole time on that connection.

Regarding vgaetera's suggestions:
logread is certainly interesting but only shows many drops and nothing special when I start my test.
More interestingly, service network reload does execute but does not resolve the wifi connection problem. So I tried out service network restart which took longer to execute but didn't help either.

At this point I would be interested in how to fix the problem without rebooting.
Is there anything else I can try to provide you with additional information?

Kind regards

Edit:
What I noticed (and find quite interesting)... if I do a logread -f and run my test, I am not able to ping the primary router anymore. However, the logread command does not stop displaying new drops. Those seem to be incoming requests directed to my OpenWrt router.
That means connection is dead but still incoming requests???

How fast is your WAN connection?

If I visit LUCI and go to Network -> Wireless under "RX Rate / TX Rate" it says 130 Mbit/s to 104 Mbit/s to the primary router.

The actual connection to the outside world is a 50 Mbit/s VDSL.

Hi All

I was about to configure sqm anyway so I played around with limiting traffic. What I found is that a limit of about 1 Mbit/s for up stream and down stream combined (currently 0.9 Mbit/s down and 0.1 Mbit/s up) does provide a stable download. Furthermore I did the same test with the wired connection (full download speed) and there was no problem at all. Therefore I do think the Issue is neither the CPU performance nor some firewall config but the wireless network connection itself. Are there any known issues with that particular piece of hardware? Please keep in mind that I do use the same physical device on my router for connecting to the primary router as well as emitting another two wireless networks.

Just to have it mentioned... when I monitor the download on the client which is actually performing it I do notice occasional downstream drops to 0 Mbit/s for about 1 to 2 seconds.

What I am seeking your advice with at this point would be:

  • further pinning down the root cause of this behaviour (maybe there is a somewhat easy solution in the end without just cutting the bandwidth to basically nothing)
  • figuring out why video streaming like youtube does not seem to cause that issue
  • why a service network restart does not fix the connection after it died and I have to reboot the router

Thank you for your support so far!

Hi All

I was able to tinker around a bit more and from what it seems the whole issue is regarding the physical network interface I was using (2.4 GHz). Now I am using the 5 GHz Interface which works for now.

Thank you to all who contributed.