Please help! Upgrading to 24.10.0 half works, half breaks router

I upgraded my Linksys E8450 (UBI) following the instructions here, choosing the "preserve configuration" option. I used v1.1.3 of the UBI installer as advised although I noticed there's a newer version v1.1.4. Afterwards, I followed the post-installation tips

The upgrade worked (it didn't brick the router and the software seems to be updated) but I have several problems:

• I can connect to the wireless networks from before on MacOS and access the internet, but on a Google Pixel when I connect, the networks have no internet access
• I can no longer ssh into the router unless I enable password authentication for root, even though my public key is still present in Luci
• When I do ssh into the router, it doesn't seem to have internet access. I can't ping any websites and opkg update fails with Failed to send request: Operation not permitted
• Attended sysupgrade has disappeared as an option from Luci
• The http-dns-proxy package has disappeared

I've been troubleshooting for hours including rebooting, restarting the wireless interfaces, and reading other people's suggestions and experiences, but I can't seem to fix any of these issues. Please could someone help me?

Also, what time does the router think it is?
System/General settings

Thanks for your help!

**ubus call system board** 
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}





**cat /etc/config/network**

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'


config globals 'globals'
option ula_prefix <REDACTED>


config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'


config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr <REDACTED>
option netmask <REDACTED>
option ip6assign '60'


config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username <REDACTED>
option password <REDACTED>
option ipv6 'auto'


config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'


config interface 'guest'
option proto 'static'
option ipaddr <REDACTED>
option netmask <REDACTED>
option device 'radio0.network3'




**cat /etc/config/wireless**

config wifi-device 'radio0'
option type 'mac80211'
option path <REDACTED> 
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'GB'


config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid <REDACTED>
option encryption 'sae'
option key <REDACTED>


config wifi-device 'radio1'
option type 'mac80211'
option path <REDACTED>
option cell_density '0'
option country 'GB'
option he_su_beamformee '1'
option he_bss_color '8'
option htmode 'HT20'
option band '5g'
option channel 'auto'


config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid <REDACTED>
option encryption 'sae'
option key <REDACTED>


config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid <REDACTED>
option key <REDACTED>
option network 'guest'
option encryption 'sae-mixed'




**cat /etc/config/dhcp** 
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
list server '/use-application-dns.net/'
list server '127.0.0.1#5054'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '127.0.0.1#5054'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_backup_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5053'


config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'


config dhcp 'wan'
option interface 'wan'
option ignore '1'


config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'


config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'





**cat /etc/config/firewall** 


config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        


config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'


config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'


config forwarding
option src 'lan'
option dest 'wan'


config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'


config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'


config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'


config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'


config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'


config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'


config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'


config forwarding
option src 'guest'
option dest 'wan'


config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'


config rule
option name 'Guest DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'


config rule
option name 'Block guest access to private network'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'DROP'

The system has the right date but the wrong time (not even correct in the minutes). I think this is because it can't connect to the timeservers. I did try syncing it with the timeservers (didn't seem to work) and the browser (which temporarily fixed the time but I think rebooting it has lost it again)

The time shown just now was 2025-02-16 15:31:49

Did you reinstall http-dns-proxy or include it in your sysupgrade image?

Odd, another user mentioned this. Can you provide you /etc/config/system?

It cannot sync because the time is so off it is being rejected. Nowhere in the world was it 2025-02-16 15:31:49 at the time you posted.

Ensure you are in the correct time zone, sync with browser then sync with NTP-Server; save and apply.
That should stick.

This may be related to deprecation of RSA and DSA keys. You may need to re-key the link with an EC key.

Remove the wifi-device sections from /etc/config/wireless and reboot to regenerate the device configuration. Add your country code (e.g. option country 'UK') to both radios.

Keeping settings files between major versions is not recommended because of issues like these. The configuration syntax and default settings are prone to change.

Good catch!

Did you reinstall http-dns-proxy or include it in your sysupgrade image?

I can't reinstall it because opkg can't connect to the internet. I'm not sure how to include it in the sysupgrade image but I thought keeping my configuration would do that for me?

I forgot to save and apply after I synced with the browser before. I've done it again and applied this time but still canot run opkg update successfully. I clicked the button for syncing with the NTP server and I'm not sure if it did anything or not?

/etc/config/system

config system
option hostname 'OpenWrt'
option timezone 'GMT0BST,M3.5.0/1,M10.5.0'
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
option compat_version '2.0'
option zonename 'Europe/London'
option log_proto 'udp'
option conloglevel '8'
option cronloglevel '7'


config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'


config led 'led_wan'
option name 'WAN'
option sysfs 'inet:blue'
option trigger 'netdev'
option mode 'link tx rx'
option dev 'wan'

It should have the correct time and date in the field.

Out of sync would cause all these issues all by itself. Fixing that and having no effect is weird.

please snip System/Time Synchronization and paste it here.

I was using an ed25519 key before, should I use an ecdsa or ecdsa-sk for the new ssh key?

It seemed to stick after I saved and applied. I rebooted to see if that would help and its now lost 10 minutes from the real time. I still get failures on all three diagnostics in network -> diagnostics. Here's the time syncrhonization:

Screenshot 2025-02-16 at 21.01.40999×589 40.3 KB

10 minutes is not enough to cause issues.

Nothing that was not working worked with the correct time?

Setting the correct time doesn't appear to have fixed the issues but I'm not sure exactly how I should test if it's worked

anything that was glitching:

try sshing in.

Still all the same issues. I get

Permission denied (publickey).

when I try ssh-ing without enabling password authentication

@lleachii and @mk24 found some syntax errors; see how that goes?.

Remove the wifi-device sections from /etc/config/wireless and reboot to regenerate the device configuration. Add your country code (e.g. option country 'UK') to both radios.

Ok I've removed those sections and rebooted. It's wiped my SSIDs etc so I guess I should set one back up for testing?

I enabled the default openwrt wireless network and tried connecting on the Pixel but still get the "no internet access" issue. Should I just factory reset at this point and set up from scratch?