Router is stuck after heavy traffic

I was running OpenWrt on a PCENGINES ALIX 2D13, and with 3 users with heavy YouTube usage and 1 more on IPTV, the router was not functioning properly. The connection was like a 56k dial-up modem and even SSH access to the router was denied. I have installed watchcat, which will reboot the machine if it loses 3 consecutive pings to 8.8.8.8, but it does not seem to be an issue of connectivity, rather a performance issue.
So I changed the router to a better one, a PCENGINES APU1 with OpenWrt 22.03.2. The thing is that I still have the same problem. I cannot see anything in the logs and I cannot find what the issue is. Moments before the performance issues, htop shows:
[image: router]

Any ideas what to look at and what to do to overcome this problem, please?

I have an alix3d, and quite simply, a Geode chip is dog slow. It has x86 code compatibility and low power, but in no way is it fast.

When a CPU is maxed, the process causing it should be at the top of the top or htop list. Unless it is kernel IRQs serving network cards etc. -- there you would see a large number by sirq.

Thanks for the reply, but you missed the part where I said that I replaced the router with an APU1 and the problem exists.

Does the problem manifest on wired? wireless? both? Do you have any switches in your network? What about APs? What actions do you need to take to resolve the issue (i.e. reboot the router, power cycle the whole network, etc.)?

Let's take a look at your config to see if there are any issues that can be found there:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The setup has no wireless in OpenWrt, rather a dummy access point. The switches are unmanaged switches (TP-Link). Please find attached all of my config files and the network diagram. Let's hope that there is something wrong in my config.

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd56:0ff6:1349::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.160.1'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'

config interface 'WAN_pppoe'
	option proto 'pppoe'
	option device 'eth0'
	option username 'atuxnull1@otenet.gr'
	option password 'abc123!yada'
	option ipv6 '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.4.4'

config interface 'WG_server'
	option proto 'wireguard'
	option private_key 'OExxyz12345678905zRQWY='
	option listen_port '61820'
	list addresses '10.14.0.1/24'

config wireguard_WG_server
	option description 'Atux_mobile'
	option public_key 'evxbn98765453xvbzMCbuHQ='
	list allowed_ips '10.14.0.3/21'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option leasetime '2m'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Dell-laptop'
	option mac '20:47:47:C7:A6:8D'
	option ip '192.168.160.2'

config host
	option name 'FritzboxAP'
	option mac '9C:C7:A6:BF:55:1E'
	option ip '192.168.160.250'

config host
	option mac 'B8:27:EB:21:BB:E5'
	option name 'RPI-vpn'
	option dns '1'
	option ip '192.168.160.251'

config host
	option mac '0C:C6:FD:F7:96:BC'
	option name 'Atux-mobile'
	option dns '1'
	option ip '192.168.160.249'

config host
	option mac 'A4:55:90:FB:63:46'
	option name 'Mary--mobile'
	option dns '1'
	option ip '192.168.160.248'

config host
	option mac '3C:CF:5B:CD:B4:44'
	option name 'TV-Box-bedroom'
	option dns '1'
	option ip '192.168.160.247'

config host
	option mac 'A2:40:CF:A8:57:21'
	option name 'TV-Box-living'
	option dns '1'
	option ip '192.168.160.246'

config host
	option mac '54:8D:5A:21:3A:F9'
	option name 'Main-Laptop'
	option dns '1'
	option ip '192.168.160.245'

config host
	option mac '22:F7:C1:7E:F9:C2'
	option name 'Helen-mobile'
	option dns '1'
	option ip '192.168.160.244'

config host
	option name 'retropie'
	option mac 'B8:27:EB:18:27:92'
	option ip '192.168.160.243'

config host
	option name 'rpi0wmqtt'
	option mac 'B8:27:EB:01:05:D2'
	option ip '192.168.160.240'

config host
	option name 'Dell-laptop'
	option mac '34:DE:1A:A5:EC:81'
	option ip '192.168.160.3'

config host
	option name 'Fujitsu-1'
	option mac '6C:88:14:F9:DF:E0'
	option ip '192.168.160.4'

config host
	option name 'Fujitsu-2'
	option mac '6C:88:14:EB:BE:EC'
	option ip '192.168.160.5'

config host
	option name 'TL-WA801N'
	option mac '34:60:F9:18:E1:2C'
	option ip '192.168.160.252'

/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_server'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'WAN_pppoe'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.160.251'
	option dest_port '51820'
	option name 'Wireguard_PI'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard_Router'
	option src 'wan'
	option src_dport '61820'
	option dest_port '61820'
	option dest_ip '192.168.160.1'


I doubt this would be the cause of the issue, but the allowed IPs here should be 10.14.0.3/32

As far as the specific issue is concerned, I'd recommend looking at your switches and/or AP as potential points of failure. Sometimes these devices can lock up after periods of high traffic due to component failures (such as capacitors and/or marginal power supplies).

Specifically, the next time the problem occurs (bonus if you can cause it to manifest on-demand), unplug switch 1 and plug a computer directly into the OpenWrt router. Does it work? If so, plug switch 1 back into the router and then connect your computer directly into switch 1 and repeat the process (but here, you might try unplugging switches 2 and 3 from switch 1 once things go awry and see if switch 1 is still locked).

Another possible culprit is if you have anything that is both wired and wireless... in a few (fortunately rare) situations, this can cause a switching loop if the wired + wireless interfaces on that device are bridged (I've seen this happen with a Peloton bike).

Finally, as you work through the network and rule certain components as okay, you might also look to see if you have any misbehaving end-equipment. Some USB-C docking hubs with ethernet can cause a broadcast storm that brings down the entire network -- this happens when the host computer is disconnected or sleeping.
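
The `allowed_ips` remark above, as an added example that is not part of the original thread: WireGuard uses a peer's allowed IPs both as the set of source addresses it accepts from that peer and as the destinations it sends to that peer, so a `/21` with `route_allowed_ips '1'` hands the whole 10.14.0.0/21 range to one phone. The function names, the output format and the `fixed_peer` section are assumptions made for this sketch, and it only checks IPv4 entries.

```shell
#!/bin/sh
# Added example (not from the thread): list WireGuard peers in an OpenWrt
# /etc/config/network whose IPv4 allowed_ips is wider than a single host.
audit_allowed_ips() {
    # Reads UCI text on stdin; prints one line per over-broad allowed_ips entry.
    awk -v q="'" '
    function val(   s) {                 # third field onward, quotes stripped
        s = $0
        sub(/^[ \t]*[a-z]+[ \t]+[A-Za-z0-9_]+[ \t]+/, "", s)
        gsub(q, "", s)
        return s
    }
    function report(   i, p, o, len, addr, size, net) {
        for (i = 1; i <= n; i++) {
            len = (split(cidr[i], p, "/") == 2) ? p[2] + 0 : 32
            if (split(p[1], o, ".") != 4 || len >= 32) continue   # IPv6 or /32
            addr = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
            size = 2 ^ (32 - len)
            net = addr - addr % size     # clear the host bits
            printf "peer=%s allowed_ips=%s network=%d.%d.%d.%d/%d addresses=%d routed=%d\n",
                name, cidr[i], int(net / 16777216), int(net / 65536) % 256,
                int(net / 256) % 256, net % 256, len, size, routed
        }
        n = 0; routed = 0; name = ""
    }
    $1 == "config" { report(); inpeer = ($2 ~ /^wireguard_/); next }
    !inpeer { next }
    $2 == "description"       { name = val() }
    $2 == "allowed_ips"       { cidr[++n] = val() }
    $2 == "route_allowed_ips" { routed = (val() == "1") }
    END { report() }
    '
}

# Constructed sample: the peer section posted above plus a hypothetical fixed one.
sample_config() {
cat <<'EOF'
config interface 'WG_server'
    list addresses '10.14.0.1/24'
config wireguard_WG_server
    option description 'Atux_mobile'
    list allowed_ips '10.14.0.3/21'
    option route_allowed_ips '1'
config wireguard_WG_server
    option description 'fixed_peer'
    list allowed_ips '10.14.0.4/32'
EOF
}
sample_config | audit_allowed_ips
```

On the router itself the same check runs as `audit_allowed_ips < /etc/config/network`; an empty result means every IPv4 peer entry is a single host.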