Privacy Warning and Wi-Fi Issues

Hi all,

I have a network of 4 Linksys WRT3200ACM routers, all of which have OpenWRT installed on them. One is the primary router connected to the modem from my ISP. The other 3 are set up as access points. I started with the primary router and first access point last year, and they have been working flawlessly since.

However, ever since I set up the final 2 access points following the same instructions, I have had continual issues with them. The Wi-Fi connection to devices drops continually, and works sluggishly when it does connect and then at other times works much better.

Not sure if this is connected or a different problem, but on my iPad and iPhone under Wi-Fi it shows an error of ‘Privacy Warning’ and ‘This network is blocking encrypted DNS traffic’

The SSID for these new 2 access points is different from the SSID on the first 2 router/AP, not sure if this would cause the issues I’m having?

Thanks!

In case it’s useful, here are the contents of the firewall config file for one of the problematic APs:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

And here is the DHCP config file for the AP:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dynamicdhcp '0'
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

This is the network config for the AP:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd98:4c0e:c65d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.93'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'ea:9f:80:1a:52:78'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Thanks, those are the instructions I followed to set up all 3 access points. 1 is working flawlessly, not sure why the second 2 I recently added aren’t working well.

Disable firewall on the APs.


Is the privacy warning also present when connected to the main router? Also, mwlwifi kinda sucks...

https://forum.openwrt.org/t/users-needed-to-test-wi-fi-stability-on-linksys-wrt3200acm-wrt32x-on-openwrt-21-02/101700/731


related (yet without feedback so far): Prevent privacy warning issued by iOS


No, both the main router and the first access point that I set up last year don’t have either privacy warnings, or any of the other issues I’m having. Those 2 have worked consistently with no drops in connection or any other issues, it’s only the 2 newer APs I’ve added that are having this issue…they are all daisy-chained, so ethernet runs from primary router to first AP that is working well then onto the others.

I disabled firewall, dnsmasq and odhcpd when I set up the APs.

I did just notice that the privacy warning only appears for the 2G band…the 5G network when I switch to that doesn’t give me that error. Although both have been having the other Wi-Fi issues like dropping connection etc.
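A way to verify the AP-side state mentioned above (firewall, dnsmasq and odhcpd disabled, no DHCP served from the AP), as an added example that is not part of the original posts. It relies on OpenWrt creating an `/etc/rc.d/S<NN><name>` symlink for every service enabled at boot; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit an OpenWrt "dumb AP" for services that should be off.
# ROOT is "/" on the AP itself, or a directory holding a copy of its /etc.

# Print each named service that still has a boot symlink /etc/rc.d/S<NN><name>.
enabled_services() {
    root=$1; shift
    for svc in "$@"; do
        for link in "$root"/etc/rc.d/S[0-9][0-9]"$svc"; do
            # An unmatched glob stays literal, so test that the link exists.
            [ -e "$link" ] || [ -L "$link" ] || continue
            echo "$svc"
            break
        done
    done
}

# Print each named 'config dhcp' section that does not set option ignore '1',
# i.e. interfaces on which this device would still hand out leases.
dhcp_serving_sections() {
    awk -v q="'" '
        function emit() { if (name != "" && !ignored) print name }
        $1 == "config" {
            emit(); name = ""; ignored = 0
            if ($2 == "dhcp") { name = $3; gsub(q, "", name) }
        }
        $1 == "option" && $2 == "ignore" && $3 ~ /1/ { ignored = 1 }
        END { emit() }
    ' "$1"
}

# Report everything that contradicts a dumb-AP setup; no output means clean.
ap_audit() {
    root=${1:-/}
    for svc in $(enabled_services "$root" firewall dnsmasq odhcpd); do
        echo "service still enabled at boot: $svc"
    done
    for sec in $(dhcp_serving_sections "$root/etc/config/dhcp"); do
        echo "DHCP still served on: $sec"
    done
}
```

Run `ap_audit /` on each AP and compare the output of the working AP with the problem ones.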

Strange... Then it doesn't appear to be a problem with the firewall. Are all routers running the same OpenWRT version?

I checked the four routers, and these are the versions running:

Primary Router: OpenWrt 19.07.6

First AP (working well): OpenWrt 19.07.7

2 problem APs: OpenWrt 21.02.0

I suggest you use 19.07.x on the problem APs as well. Wait until wifi on 21.02 gets stable (or better). As for iOS privacy issues, it shouldn't affect anything but I think enabling DoT or DoH might fix it. Try changing SSID on problem APs to confirm this theory.

Ok thanks, that makes sense. What would be the recommended way to downgrade OpenWrt to a previous version? It was a fresh install of this new version when I bought the routers, not an upgrade of previous versions…

Revert back to OEM by booting to the next partition and flash 19.0.7x *factory.bin

Or

Or

Wanted to jump back on and say thank you as it is all working flawlessly now! To confirm: it was the 21.02 software version that was causing all the issues I was having…I first of all tried upgrading to the latest version (21.02.1) to see if that worked better, but the issues continued. So I then downgraded to 19.07.7 on both of the problem APs and they have now worked for 4 days with no issues at all.

Also for anyone who reads this and has the same issue, I didn’t end up having to boot to the original OEM software or anything like that, I was able to go to System>Backup/Flash Firmware and upload the older version there and it installed with no issues. I did however make sure to not check the save configuration boxes, so I started with a fresh install of the older version and set up the APs from scratch.