Problems after Update - Netgear R6250

Hello,

I am slightly following up on a previous thread (having been away for a while I'm back to work at this Netgear R6250 router) Update gone Wrong?:

After the update I'm having some annoying problems.
So this is what I did:

1: Setting DHCP pool:

"Interfaces-LAN-Edit-DHCP server":
	set "start 192.168.0.20" "limit 280".

All leases are 192.168.1.x however (guess that's because the default gateway is in the 168.1.x range).

"Interfaces-LAN-Edit-General settings": IPv4 is set to 192.168.1.1, netmask 255.255.255.0.
	Change to 192.168.0.2 (intended default gateway for this router).
	"Apply & keep settings" 

=> connectivity loss (cable) / establishes connection w. DHCP lease but no access to router or WAN.

tracepath 192.168.0.2 
	 "1?: [LOCALHOST]                      pmtu 1500"

2: Reset router!

192.168.1.1

is default again

set PW
set "Interfaces-LAN-Edit-DHCP server" start 192.168.0.20 limit 280
"Network-Wireless":
	set access point name, ESSID, Network = LAN
	set wireless security WPA/WPA2 mixed (WPA2/3 mixed would not connect my Android 10 J600 phone!)
	enable wireless, mode:master

?? how do I add another wireless network w. WPA3 security for compatible devices?
If I setup another instance, they both turn to "disabled".

Next is

"Network-DHCP and DNS":
?? How do I manually renew leases?
Leases are obviously in the range of 192.168.1.x (as the default gateway seems to require the 168.1.x range as I was unable to change it).

Next:


Network-Firewall-Port Forwards:
	add PFW
	select NAS from DHCP lease list
	external port 123 (as internal)
	source = WAN, destination = LAN

?? NAS unreachable from outside but can be reached within LAN

3: And on top of this, with a working WLAN instance, I am experiencing frequent connectivity loss, it just drops out and takes minutes for the router to re-establish connectivity and it is really slow and choppy.
Often the network also completely disappears from the list of available networks on a clients machine.
Observation: This seems to happen under higher loads (video streaming e.g.), but that may also be a mis-guided focus.
Connect the LAN cable and it's all perfect. But why this change in behaviour?

I haven't had all these issues before the update, yet the previous version was a really old one- but it worked.
This is what often makes me very suspicious about updating my devices.

Am I the only one?

The dhcp range looks wrong, but it is hard to know for sure without the rest of the details.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi,

The system info first:

"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear R6250 V1 (BCM4708)",
"board_name": "netgear,r6250-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "bcm53xx/generic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"

This is the network config:

  GNU nano 8.0                        network
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

The wireless file:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0/etc...'
        option channel 'auto'
        option band '2g'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID'
        option encryption 'psk-mixed'
        option key 'KEY'

I wonder why the WLAN PW is in clear text here, but that's another matter...

The DHCP file:

  GNU nano 8.0                                                     dhcp
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '20'
        option limit '280'
        option leasetime '30d'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

And the firewall file:

  GNU nano 8.0                                                   firewall
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS'
        option src 'wan'
        option src_dport '123'
        option dest_port '123'
        option dest_ip '192.168.1.122'

There's a whole lot missing here... please repeat using the cat commands and ensure that you capture the entire file when you cut/paste it into place.

That said, at the very minimum, the DHCP server for your lan is invalid as the limit itself (before even getting to the calculated start/end addresses) is too large for a /24.

Change limit to <=235, then reboot and try again.

Hmm, not sure why I missed some parts.
But here it is again:

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0/bcma1:1'
	option channel 'auto'
	option band '2g'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID'
	option encryption 'psk-mixed'
	option key 'KEY'

DHCP:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '20'
	option limit '280'
	option leasetime '30d'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Firewall:

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NAS'
	option src 'wan'
	option src_dport '123'
	option dest_port '123'
	option dest_ip '192.168.1.122'

Meanwhile I'll take a look at the DHCP pool once no other users are connected...

It is broadcom chipset, most likely max one function per radio device. Though check via iw list
no need for wpa1 or tkip, they are organic fertilizer equivalent for last 10 years.

On normal devices one can set one wpa2 one wpa3 AP and clients not capable of 2+3 mode can connect. Namely roomba and middle aged androids.

Hi,

Yes, 'iw list' seems to confirm this if I read it correctly

Wiphy phy0
	wiphy index: 0
	max # scan SSIDs: 4
	max scan IEs length: 2285 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Available Antennas: TX 0x3 RX 0x3
	Configured Antennas: TX 0x3 RX 0x3
	Supported interface modes:
	         * IBSS
	         * managed
	         * AP
	         * AP/VLAN
	         * monitor
	         * mesh point
	Band 1:
	        Frequencies:
		                * 2412 MHz [1] (20.0 dBm)
		                * 2417 MHz [2] (20.0 dBm)
		                * 2422 MHz [3] (20.0 dBm)
		                * 2427 MHz [4] (20.0 dBm)
		                * 2432 MHz [5] (20.0 dBm)
		                * 2437 MHz [6] (20.0 dBm)
		                * 2442 MHz [7] (20.0 dBm)
		                * 2447 MHz [8] (20.0 dBm)
		                * 2452 MHz [9] (20.0 dBm)
		                * 2457 MHz [10] (20.0 dBm)
		                * 2462 MHz [11] (20.0 dBm)

The next line looks like telling us that we cannot set up two WLAN instances on this device.

	interface combinations are not supported
	HT Capability overrides:
	         * MCS: ff ff ff ff ff ff ff ff ff ff
	         * maximum A-MSDU length
	         * supported channel width
	         * short GI for 40 MHz
	         * max A-MPDU length exponent
	         * min MPDU start spacing
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Supported extended features:
	        * [ RRM ]: RRM
	        * [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
	        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
	        * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
	        * [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
	        * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
	        * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
	        * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
	        * [ DEL_IBSS_STA ]: deletion of IBSS station support
	        * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
	        * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support

Essential part about "interface combinations" is missing from copy
wds extender or wwan certainly are not possible with broadcom

Not sure what was missing, but here is the output again:

Wiphy phy0
	wiphy index: 0
	max # scan SSIDs: 4
	max scan IEs length: 2285 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Available Antennas: TX 0x3 RX 0x3
	Configured Antennas: TX 0x3 RX 0x3
	Supported interface modes:
	         * IBSS
	         * managed
	         * AP
	         * AP/VLAN
	         * monitor
	         * mesh point
	Band 1:
	        Frequencies:
		                * 2412 MHz [1] (20.0 dBm)
		                * 2417 MHz [2] (20.0 dBm)
		                * 2422 MHz [3] (20.0 dBm)
		                * 2427 MHz [4] (20.0 dBm)
		                * 2432 MHz [5] (20.0 dBm)
		                * 2437 MHz [6] (20.0 dBm)
		                * 2442 MHz [7] (20.0 dBm)
		                * 2447 MHz [8] (20.0 dBm)
		                * 2452 MHz [9] (20.0 dBm)
		                * 2457 MHz [10] (20.0 dBm)
		                * 2462 MHz [11] (20.0 dBm)
	interface combinations are not supported
	HT Capability overrides:
	         * MCS: ff ff ff ff ff ff ff ff ff ff
	         * maximum A-MSDU length
	         * supported channel width
	         * short GI for 40 MHz
	         * max A-MPDU length exponent
	         * min MPDU start spacing
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Supported extended features:
	        * [ RRM ]: RRM
	        * [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
	        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
	        * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
	        * [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
	        * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
	        * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
	        * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
	        * [ DEL_IBSS_STA ]: deletion of IBSS station support
	        * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
	        * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support

Meanwhile I changed the DHCP range and I am getting leases within that range (/var/dhcp.leases confirmed it).
What I haven't done is to change the default gateway to 192.168.0.1 instead of ...1.1 as this disconnected me before and currently I can't interfere too much, need to play it safe to keep users happy.
Also there is still no access to the NAS despite port forwarding set up on the firewall.
I prefer to make changes via the terminal over the GUI but might want to double check where I find the relevant files:

To change the default gateway and DHCP IP range:

       option device 'br-lan'
       option proto 'static'
       option ipaddr '192.168.1.1'
       option netmask '255.255.255.0'
       option ip6assign '60'

"option ipaddr" would be the relevant entry in /etc/config/network right?

The firewall seems correctly set but there is no forwarding. So I wonder how one can test where the "blockage" occurs exactly.

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS'
        option src 'wan'
        option src_dport '123'
        option dest_port '123'
        option dest_ip '192.168.1.122'

...whereas I might need to change 192.168.1.122 to ...0.122 if the previous modification works.
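
An added example, not code from the thread or from OpenWrt: a POSIX shell check covering both points raised above, the DHCP `start`/`limit` pool that does not fit a /24 and the port-forward `dest_ip` that must follow the LAN subnet if the router's address is moved. It assumes `start` is an offset from the network address and `limit` is the number of addresses in the pool; the function names are hypothetical and the sample values are taken from the posted configs.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenWrt DHCP pool and a
# port-forward target against the LAN subnet. Assumes 'start' is an offset from
# the network address and 'limit' is the number of addresses in the pool.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# dhcp_pool_check <lan ipaddr> <netmask> <start> <limit>
# Prints the resulting range, or why the pool does not fit; returns 1 if invalid.
dhcp_pool_check() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2"); start=$3; limit=$4
    net=$(( ip & mask ))
    max_off=$(( (~mask & 4294967295) - 1 ))  # last host offset, broadcast excluded
    last=$(( start + limit - 1 ))
    if [ "$start" -lt 1 ] || [ "$limit" -lt 1 ] || [ "$last" -gt "$max_off" ]; then
        echo "INVALID: offsets $start-$last, usable 1-$max_off, max limit $(( max_off - start + 1 ))"
        return 1
    fi
    echo "OK: $(int2ip $(( net + start )))-$(int2ip $(( net + last )))"
}

# in_lan <host ip> <lan ipaddr> <netmask>: succeeds if the host is inside the LAN subnet.
in_lan() {
    mask=$(ip2int "$3")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Values constructed from the configs posted in the thread.
dhcp_pool_check 192.168.1.1 255.255.255.0 20 280 || true
dhcp_pool_check 192.168.1.1 255.255.255.0 20 235
# Redirect target 192.168.1.122 after moving the LAN to 192.168.0.2/24:
in_lan 192.168.1.122 192.168.0.2 255.255.255.0 || echo "redirect dest_ip is outside the LAN subnet"
```

Running the same checks before applying a LAN address change shows in advance whether the pool and every `config redirect` target still land inside the new subnet.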

interface combinations are not supported

vs mt76

  valid interface combinations:
                 * #{ IBSS } <= 1, #{ AP, mesh point } <= 16, #{ managed } <= 19,
                   total <= 19, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }