RE6500 unresponsive after flashing 23.05

I'm trying to use a Linksys RE6500 as a wired-to-wireless bridge. I was able to put 22.03.7 on it, but it wouldn't connect to the primary AP using its 5GHz radio (errors about being 'unable to follow' some sort of link layer configuration change) so I decided to see if 23.05 fixed that.

After flashing 23.05 (tried both .4 and .5), without preserving the old configuration, the device boots up but does not advertise itself as a wireless access point, nor does it respond to DHCP requests on its wired interfaces.

# tcpdump -i enp61s0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp61s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:33:41.595848 IP 0.0.0.0 > 224.0.0.22: igmp v3 report, 1 group record(s)
17:33:41.599121 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from yy:yy:yy:yy:yy:yy (oui Unknown), length 294
17:33:42.521354 IP 0.0.0.0 > 224.0.0.22: igmp v3 report, 1 group record(s)
17:33:43.599630 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from yy:yy:yy:yy:yy:yy (oui Unknown), length 294
17:33:45.902980 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from yy:yy:yy:yy:yy:yy (oui Unknown), length 294
17:33:50.720754 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from yy:yy:yy:yy:yy:yy (oui Unknown), length 294
17:33:59.198253 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from yy:yy:yy:yy:yy:yy (oui Unknown), length 294
[and then nothing]

If I give my computer's wired network a static IP address in 192.168.1.0/24 then I can ping the RE6500 as 192.168.1.1, but all standard ports are closed, in particular both SSH (22) and HTTP (80) service is unavailable.

# nmap -sS 192.168.1.1
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-27 17:27 EDT
Nmap scan report for 192.168.1.1
Host is up (0.011s latency).
All 1000 scanned ports on 192.168.1.1 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: xx:xx:xx:xx:xx:xx (Belkin International)
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 40.97 seconds

So now I'm stuck. What might have gone wrong? How do I get into this thing to configure it?

Default clean configuration is with radio off. You need to connect with cable and complete setup.

Thanks, that explains part of it, but I can't get into Luci using a cable either. Both the DHCP and Nmap tests were done using a wired connection.

So apparently you did not reset configuration and have to start device in failsafe mode and either sysupgrade to same version or do firstboot.
https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset#entering_failsafe_mode

I was able to put it in failsafe mode and then ssh into the unit. The firstboot command printed

/dev/mtdblock6 is not mounted
/dev/mtdblock6 will be erased on next boot

So then I rebooted it and it sat with its blinkenlight flashing (the "slower, 2.5-per-second blink continuing to the end of normal boot") for a solid hour before I gave up and reset it back into failsafe mode.

I can think of a couple of other things to try now I know about failsafe mode, but if you have any further suggestions I'm all ears.

No joy with mount_root and then firstboot, either - same syndrome, stuck somewhere during boot.

sysupgrade to clean image not customizing packages, there was/is problem with changed images.

I am trying that now, but I assure you I used the stock firmware image ( https://downloads.openwrt.org/releases/23.05.5/targets/ramips/mt7621/openwrt-23.05.5-ramips-mt7621-linksys_re6500-squashfs-sysupgrade.bin ).

I don't like the look of these messages from failsafe-mode dmesg:

[    2.174969] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[    2.187000] spi-nor spi0.0: mx25l6405d (8192 Kbytes)
[    2.197045] 4 fixed-partitions partitions found on MTD device spi0.0
[    2.209751] OF: Bad cell count for /palmbus@1e000000/spi@b00/flash@0/partitions
[    2.224353] OF: Bad cell count for /palmbus@1e000000/spi@b00/flash@0/partitions
[    2.239473] OF: Bad cell count for /palmbus@1e000000/spi@b00/flash@0/partitions
[    2.254140] OF: Bad cell count for /palmbus@1e000000/spi@b00/flash@0/partitions
[    2.269069] Creating 4 MTD partitions on "spi0.0":
[    2.278661] 0x000000000000-0x000000030000 : "u-boot"
[    2.290010] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.301764] 0x000000040000-0x000000050000 : "factory"
[    2.313187] 0x000000050000-0x000000800000 : "firmware"
[    2.324991] 2 uimage-fw partitions found on MTD device firmware
[    2.336826] Creating 2 MTD partitions on "firmware":
[    2.346723] 0x000000000000-0x0000002ae8ad : "kernel"
[    2.356614] mtd: partition "kernel" doesn't end on an erase/write block -- force read-only
[    2.374280] 0x0000002ae8ad-0x0000007b0000 : "rootfs"
[    2.384220] mtd: partition "rootfs" doesn't start on an erase/write block boundary -- force read-only

Running sysupgrade -n /tmp/firmware.bin (where firmware.bin is the file downloaded from the URL in the previous post, and yes I checked its SHA256) brought me back to the situation when I originally posted this thread: it boots all the way up but doesn't respond to DHCP queries and, if I give my laptop a static IP address on an Ethernet cable connected to LAN port 1, it's pingable as 192.168.1.1 but connections to ports 22 and 80 are refused (TCP RST).

In failsafe mode, mount_root works and the contents of /etc/config look sensible. The next thing I am going to try is commenting out most of /etc/config/firewall.

Do you have any experience with serial console/ using a TFTP server?

Only other thing I can think of is TFTP server, boot the ramdisk (initramfs) option per the wiki instructions? That would isolate any flash issues.

Looks like there's instructions on the wiki on how to get to the bootloader too but it's behind password and apparently is timing dependent from what I can read.

Just had the thought.

Is it using one of the LAN ports as a WAN?
Would that mean LAN port 1 is WAN and behind firewall WAN group?

Look like this thing has multiple ports even though it's an extender?

I had to use a TFTP server to get past the locked bootloader in the first place. When I follow the instructions on the wiki to load up a ramdisk image using TFTP, I can get into the Luci web interface fine, but I didn't try configuring it, only using the "flash new firmware" screen.

If I understood the wiki correctly, to access a serial console I would have to physically disassemble the device's case to get at the serial port, which I would rather not do. Also I don't have the right cables.


Commenting out most of /etc/config/firewall and changing the default input policy to 'accept' from failsafe mode changed the problem. Now I can connect to ports 22 and 80, but the device responds extremely slowly to SSH -- multi-second keystroke lag. HTTP is even worse: it consumes the initial HTTP query and then, instead of sending an actual response, it goes into an infinite loop (continuing even after the client times out and sends a FIN) of transmitting zero-byte packets.

20:37:28.506084 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [S], seq 649975242, win 64240, options [mss 1460,sackOK,TS val 2786453797 ecr 0,nop,wscale 7], length 0
20:37:28.507391 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [S.], seq 1029527753, ack 649975243, win 65160, options [mss 1460,sackOK,TS val 3251323840 ecr 2786453797,nop,wscale 3], length 0
20:37:28.507431 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2786453798 ecr 3251323840], length 0
20:37:28.507575 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [P.], seq 1:75, ack 1, win 502, options [nop,nop,TS val 2786453799 ecr 3251323840], length 74: HTTP: GET / HTTP/1.1
20:37:28.508471 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [.], ack 75, win 8136, options [nop,nop,TS val 3251323841 ecr 2786453799], length 0
20:37:29.578819 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [.], ack 75, win 8136, options [nop,nop,TS val 3251324912 ecr 2786453799], length 0
20:37:29.578859 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2786454870 ecr 3251323841], length 0
20:37:30.628536 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [.], ack 75, win 8136, options [nop,nop,TS val 3251325962 ecr 2786454870], length 0
20:37:30.628574 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2786455920 ecr 3251323841], length 0
20:37:31.659044 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [.], ack 75, win 8136, options [nop,nop,TS val 3251326992 ecr 2786455920], length 0
20:37:31.659082 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2786456950 ecr 3251323841], length 0
20:37:32.698812 IP 192.168.1.1.80 > 192.168.1.100.52528: Flags [.], ack 75, win 8136, options [nop,nop,TS val 3251328032 ecr 2786456950], length 0
20:37:32.698852 IP 192.168.1.100.52528 > 192.168.1.1.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 2786457990 ecr 3251323841], length 0

I'm packing it in for the evening because both I and my laptop are out of battery. I will read all further suggestions with great interest in the morning :slight_smile:

1 Like

Awesome thanks for confirming. Yeah looked like that was the only flash method.

I'd try getting initramfs to work again and confirm that it works properly. Then I can check what's actualy on the flash/dump the flash/ and/or reflash by sysupgrade from the initramfs.

Yeah that would require disassembly and a 3.3V TTL capable device that can do 57600baud rate.

It doesn't look like this is the problem, but I might not have understood the config files correctly. Here's /etc/config/network as seen from failsafe mode:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:654c:3daa::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
1 Like

Thanks.

That looks fine to me.
Can't think of anything else sorry.

Can you post /etc/config/firewall, boot log (i.e. logread right after boot before it overwrites ) and I guess the dhcp & wireless config? If web server is the problem given SSH is fine, perhaps the uhttpd/luci stuff too. I forget what the default they get you to do when asking for help.

Middle of the day in my local TZ. Yeah don't let me keep you up keeping on asking questions.

Back at it now...

For clarity, in a normal boot SSH is not fine. I can connect to it, but it's unusably slow on a scale of "takes multiple seconds to react to each keystroke" to "hangs forever during the initial handshake." Right now it's doing the latter, which means I cannot get at the boot log for a normal boot.

I can, however, extract config files from the overlay partition using failsafe mode. So here's all of them.

current /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
original /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

#config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

## Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

## Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:654c:3daa::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
/etc/config/dropbear
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port         '22'
/etc/config/luci
config core 'main'
	option lang 'auto'
	option mediaurlbase '/luci-static/bootstrap'
	option resourcebase '/luci-static/resources'
	option ubuspath '/ubus/'

config extern 'flash_keep'
	option uci '/etc/config/'
	option dropbear '/etc/dropbear/'
	option openvpn '/etc/openvpn/'
	option passwd '/etc/passwd'
	option opkg '/etc/opkg.conf'
	option firewall '/etc/firewall.user'
	option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
	option sessionpath '/tmp/luci-sessions'
	option sessiontime '3600'

config internal 'ccache'
	option enable '1'

config internal 'themes'
	option Bootstrap '/luci-static/bootstrap'
	option BootstrapDark '/luci-static/bootstrap-dark'
	option BootstrapLight '/luci-static/bootstrap-light'

config internal 'apply'
	option rollback '90'
	option holdoff '4'
	option timeout '5'
	option display '1.5'

config internal 'diag'
	option dns 'openwrt.org'
	option ping 'openwrt.org'
	option route 'openwrt.org'
/etc/config/rpcd
config rpcd
	option socket /var/run/ubus/ubus.sock
	option timeout 30

config login
	option username 'root'
	option password '$p$root'
	list read '*'
	list write '*'
/etc/config/system
config system
	option hostname 'OpenWrt'
	option timezone 'UTC'
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option compat_version '1.1'

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'
/etc/config/ucitrack
config network
	option init network
	list affects dhcp

config wireless
	list affects network

config firewall
	option init firewall
	list affects luci-splash
	list affects qos
	list affects miniupnpd

config olsr
	option init olsrd

config dhcp
	option init dnsmasq
	list affects odhcpd

config odhcpd
	option init odhcpd

config dropbear
	option init dropbear

config httpd
	option init httpd

config fstab
	option exec '/sbin/block mount'

config qos
	option init qos

config system
	option init led
	option exec '/etc/init.d/log reload'
	list affects luci_statistics
	list affects dhcp

config luci_splash
	option init luci_splash

config upnpd
	option init miniupnpd

config ntpclient
	option init ntpclient

config samba
	option init samba

config tinyproxy
	option init tinyproxy
/etc/config/uhttpd
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '0'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

/etc/config/firewall is the only one I have modified from what was in the sysupgrade image.

Which likely means you looped cables somewhere.

There is one cable right now. It is plugged into my laptop and the device being troubleshot. The three other ethernet ports on the device are disconnected.

What about my previous message made you think there was a cabling loop? Why would a cabling loop cause the SSH and HTTP servers to be unusably slow to respond to incoming protocol messages? These are serious questions. You seem to be running on a completely different troubleshooting checklist than me and I'd like to understand what's in your head.


Given that the device is accessible via SSH in failsafe mode but not in normal mode, my troubleshooting checklist says the next thing to try is disabling all of the boot scripts that don't look absolutely essential to SSH access in normal mode. Here's the original contents of /etc/rc.d:

K10gpio_switch
K21wpad
K50dropbear
K85odhcpd
K89log
K90boot
K90network
K90sysfixtime
K90umount
S00sysfixtime
S00urngd
S10boot
S10system
S11sysctl
S12log
S12rpcd
S19dnsmasq
S19dropbear
S19firewall
S19wpad
S20network
S25packet_steering
S35odhcpd
S50cron
S50uhttpd
S80ucitrack
S94gpio_switch
S95done
S96led
S98sysntpd
S99bootcount
S99urandom_seed

And here's the scripts I turned off (renamed each one with a _disable_ prefix)

S19dnsmasq
S19firewall
S19wpad
S25packet_steering
S35odhcpd
S50cron
S50uhttpd
S80ucitrack
S98sysntpd

And indeed that makes it possible to SSH in when the device is booted normally. Before I start turning them back on one at a time to see which one breaks it, have you (or anyone else) got a theory for what's wrong based on this?

Time to do firstboot for real. Scripts look intact as normal.