Openwrt stops working only for Linux clients

Hi,

I've got 2 Openwrt boxes that are set up on HH5 hardware. They are geographically separated - totally independent. The setup on each is simple, they just sit behind my ADSL router and act as a NAT device / router / wifi device. The internal side uses the HH5 wifi hardware and also plugs into a small switch for connected devices.

Sometimes, randomly it seems, my Ubuntu clients stop having access to the wifi. They are still connected but traffic stops. They can sometimes get extremely slow access to the Openwrt LEDE page(s) but routing to the internet is essentially stopped. I think sometimes a few packets can get through if I use ping with the majority dropping and the ones that pass, if any, having a very long delay.

Meanwhile my phone, other people's phones, a Windows laptop all continue to work fine with the Openwrt. Access to the internet is at full speed. Wired devices are fine.

This has been going on for a long time. I've tried to work out a reason by examining logs on both sides but not found anything that seems significant. It can go for quite a few days with no trouble, and then the problem comes back. When the problem does come back, I can reboot both router and laptop which fixes it but it can come back within a couple of minutes sometimes - and sometimes not. One location is quite far from any other possible sources of 2.4GHz transmission so it's not interference (this happens at both places).

The common factors are the laptops, the HH5 hardware and the OpenWRT versions (identical setups at both places) - but the laptops are different Lenovo laptops, one newish and one about 10 years old. Both run Ubuntu (slightly different versions). I don't use them much with other wifi sources so I can't be sure this is an Openwrt thing - but it didn't happen in these locations before I used Openwrt, when I used hardware APs with the same laptops (although the versions of Ubuntu have doubtless been upgraded since then).

I don't really know how to drill deeper in an investigation to try to get to the bottom of this. Does anyone have any ideas of what I could do to narrow down the cause?

Thx, Pete

To start with I would take a hard look at how DNS is set up on the 2 Ubuntu clients.

This isn’t an OpenWrt problem since everything else works.

Sounds like the Ubuntu/Linux (get a working) wifi driver swamp.

You can live in the swamp for weeks and google things to test and find out the whole world with a specific wifi chip got the same problem with Ubuntu.

That is why I looked at Ubuntu's certified hardware list and chose wisely when I bought my last Ubuntu laptop.

Thanks John - that is one thing I have investigated already, trying to ping using ip address, or to connect to any services (like my own remote VPNs say, which are defined by ip address) produces the same result. So AFAICS it's not lack of DNS that causes the 'outages'. DNS lookups do fail of course though, once connectivity goes down, but I don't think that's the original fault.

Over the months I've tried several things - many of them slip my mind now probably. Things like signal strength - I've gone and sat right next to the router, once the fault suddenly starts, with no change to the situation (IE no restoration of connectivity). Connected to the luci management page (very, very slow, but usually eventually it does come up), to see if 'prodding' the connection by making a connection to the router helps - but it does not.

The connection does not actually drop - so there's not much in the Ubuntu logs, IIRC. Of course typically it hasn't happened for a couple of days so I don't have a log sample to post today. But I'll add it as soon as possible. Still, really I am after ideas as to how to drill into this rather than someone fixing it for me.

Know what you mean but... Both laptops worked with hardware AP (I used a few brands). And the laptops use different WiFi chipsets (I checked). So it doesn't seem like a classic Ubuntu / chipset issue. More like Ubuntu WiFi stack / openwrt incompatibility... Idk. I've been in this business 30 years btw, using Linux for 20 and am a C programmer so I'm no noob. But I'm not a WiFi or networking guru so I don't know exactly where to put my test probe to decipher this one.

Let's take a look at your configuration to see if there is anything atypical going on:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks - the setup is pretty basic, everything internally is wide open because the ADSL router 'does' the security. But still it would be good sometime to sort that out and set security up properly. But obviously that's not affecting this problem I have asked about now. Here's the config:

ubus call system board
{
	"kernel": "5.4.188",
	"hostname": "OpenWrt",
	"system": "xRX200 rev 1.2",
	"model": "BT Home Hub 5A",
	"board_name": "bt,homehub-v5a",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "lantiq/xrx200",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr 'redacted'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 'off'
	option delegate '0'
	option ipaddr '172.16.20.1'

config device
	option name 'dsl0'
	option macaddr 'redacted'

config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.1.47'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option device 'eth0.2'
	option broadcast '192.168.1.255'
	option ipv6 'off'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 2 0 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 5'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	option private_key 'redacted'

config wireguard_vpn
	option public_key 'redacted'
	list allowed_ips '192.168.9.2/32'
	option description 'PHONE'

config wireguard_vpn
	option description 'Knap_lap'
	option public_key 'redacted'
	list allowed_ips '192.168.9.3/32'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option txpower '23'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key 'redacted'
	option ssid 'TheAP_5'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:0e.0'
	option band '2g'
	option htmode 'HT40'
	option channel '11'
	option txpower '20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key 'redacted'
	option ssid 'TheAP'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dynamicdhcp '0'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option mtu_fix '1'
	list network 'wan'
	option masq '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wireguard'
	option masq '1'
	list network 'vpn'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wan'
	option dest 'wireguard'

config nat
	option name 'SNAT-to-CCTV'
	option src 'lan'
	option dest_ip '172.16.20.185'
	option target 'SNAT'
	option snat_ip '172.16.20.1'
	list proto 'all'

Both the working phones, tablets, Windows computer etc and the Ubuntu laptops with the problem use DHCP. But their 'stack' is obviously different. Another thing I just remembered - I can get a temporary fix if it drops out by switching from the 2G to 5G AP (on the laptop). Sometimes then, maybe soon, or maybe half an hour later, that will drop out and I switch back to the other frequency and achieve a fix. Usually immediately bouncing the connection down and up again will not fix it though.
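
The firewall file posted above sets the wan zone to ACCEPT for both input and forward and adds a forwarding from wan into the WireGuard zone, relying on the upstream ADSL router for filtering. The following is an added example, not part of the thread or of OpenWrt, that parses such a file and lists those permissive settings; the function names and the choice of 'wan' as the untrusted zone are assumptions, and the sample is an excerpt of the posted config.

```python
import shlex

# Excerpt of the /etc/config/firewall posted above (zones and one forwarding).
SAMPLE = """
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	option masq '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'wireguard'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[0] == "option" and len(tok) >= 3 and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) >= 3 and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(text, untrusted=("wan",)):
    """List explicit ACCEPT policies on untrusted zones and forwardings out of them."""
    findings = []
    for stype, opt in parse_uci(text):
        if stype == "zone" and opt.get("name") in untrusted:
            for chain in ("input", "forward"):
                if opt.get(chain, "").upper() == "ACCEPT":
                    findings.append(f"zone {opt['name']}: {chain} is ACCEPT")
        elif stype == "forwarding" and opt.get("src") in untrusted:
            findings.append(f"forwarding {opt['src']} -> {opt.get('dest')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A wan zone with `input` and `forward` set to `REJECT`, which is what a stock OpenWrt install ships, produces no findings.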

Half on topic…
There is a little wifi trick I learned from the TP-link EAP manual a couple of years ago.

Name all ssid connected to the same vlan with the same name regardless of frequency.

Often the names on home routers are called ”ssid_2,4” and ”ssid_5” or similar. But the correct way is to name them both “ssid”.
It is the wifi client's responsibility to choose the pre-defined ssid with the highest working frequency available.

Thx - currently the ability to switch between the two frequencies is useful to the Ubuntu clients because of this problem but I'll remember that for when I get it sorted.