Second SSID has trouble getting ip from dhcp

My D-Link DIR-860L b1 runs as an AP behind another router. Both the 5G and 2.4G WiFi worked normally until I tried to add a guest SSID on the 2.4G radio.

The problem is that with a single SSID on 2.4G there is no issue at all, but when both SSIDs are enabled on 2.4G, either one of the 2.4G SSIDs or the SSID on 5G has trouble getting IP addresses from DHCP.

It's possibly just a symptom of a wrong configuration, but I don't know the exact culprit. This configuration can also cause either 2.4G or 5G not to come up at all after a reboot.

wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT40'
        option cell_density '0'
        option channel '157'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest0'
        option encryption 'wpa2+ccmp'
        option auth_server '192.168.1.3'
        option auth_port '1812'
        option auth_secret 'xxxxxx'
        option acct_server '192.168.1.3'
        option acct_port '1813'
        option acct_secret 'xxxxxx'
        option ssid 'NETGEAR06-5G-ENT'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option cell_density '0'
        option country 'US'
        option channel '11'

# First AP defined on radio1 (2.4G): WPA2-PSK SSID, attached to logical network 'guest2'
# through 'option network'. The pre-shared key is redacted by the poster.
# NOTE(review): the network section on this page binds guest2 to ifname 'wlan1-1' and guest1
# to 'wlan1'. Kernel names for several APs on one radio are not guaranteed to follow
# that assumption; check the real names with `iw dev` before relying on them.
config wifi-iface 'default_radio1'
       option device 'radio1'
       option mode 'ap'
       option encryption 'psk2+ccmp'
       option key 'xxxxxx'
       option ssid 'NETGEAR06'
       option network 'guest2'

# Second AP on radio1: WPA2-Enterprise (802.1X) SSID, attached to logical network 'guest1'.
# Authentication (port 1812) and accounting (port 1813) both go to the RADIUS server at
# 192.168.1.3; the shared secrets are redacted by the poster.
# This is the SSID the thread reports as failing to hand out DHCP leases.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'NETGEAR06-ENT'
        option encryption 'wpa2+ccmp'
        option auth_server '192.168.1.3'
        option auth_port '1812'
        option auth_secret 'xxxxxx'
        option acct_server '192.168.1.3'
        option acct_port '1813'
        option network 'guest1'
        option acct_secret 'xxxxxx'

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd61:77d2:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr '54:xx:xx:xx:xx:90'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option gateway '192.168.1.2'

config device
        option name 'wan'
        option macaddr '54:xx:xx:xx:xx:93'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config device
        option name 'lan1'
config interface 'lan_gateway'
        option proto 'dhcp'
        option device 'lan1'

# Guest networks as originally posted (the non-working state).
# Each interface pins itself to a Wi-Fi ifname with 'option device'. The wireless section
# already attaches every AP to its network with 'option network', and Wi-Fi ifnames change
# as APs are added or removed, so a hard-coded name here can point at the wrong AP or at
# one that does not exist yet at boot.
# 'option gateway' is 192.168.1.2, which lies outside each interface's own 172.16.x.0/24
# subnet; a reply in the thread questions this option.
config interface 'guest0'
        option device 'wlan0'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

config interface 'guest1'
        option device 'wlan1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

config interface 'guest2'
        option device 'wlan1-1'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest0'
        option interface 'guest0'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'

config dhcp 'guest1'
        option interface 'guest1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'

config dhcp 'guest2'
        option interface 'guest2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'

firewall:

# Fallback policies for traffic that does not belong to any zone defined below.
# NOTE(review): input is ACCEPT, so traffic arriving on an interface that ends up in no
# zone (for example a Wi-Fi ifname that differs from the zones' 'list device' entries) is
# presumably accepted by the router itself. Confirm, and consider REJECT as the fallback
# once every interface is assigned to a zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Zone for 'lan_gateway', the DHCP-client interface on port lan1 (per the network section),
# i.e. the link toward the upstream router. input ACCEPT lets hosts on that side reach
# services on this router. No masquerading is enabled for this zone.
config zone
        option name 'lan_int'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_gateway'

# One zone per guest network. input REJECT means guest clients cannot reach services on the
# router itself unless a rule allows it (the 'Allow GuestN DHCP' rules further down).
# NOTE(review): 'list device' repeats the hard-coded Wi-Fi ifname in addition to
# 'list network'; if the real ifname differs, the zone match depends on the network entry alone.
config zone
        option name 'guest0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'wlan0'
        list network 'guest0'

config zone
        option name 'guest1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'wlan1'
        list network 'guest1'

config zone
        option name 'guest2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'wlan1-1'
        list network 'guest2'


# LAN clients may forward to the 'wan' zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Each guest zone may forward to 'lan_int' without any destination restriction.
# NOTE(review): 'lan_int' is the upstream LAN, so guest clients can reach every host behind
# lan1 (including 192.168.1.3, used on this page for RADIUS and Samba), not only the
# internet. A guest setup normally places a rule ahead of this that rejects private
# destination ranges; none is visible on this page.
# NOTE(review): with no masquerading on 'lan_int', replies to 172.16.x.0/24 presumably
# depend on the upstream router having routes back to those subnets. Confirm.
config forwarding
        option src 'guest0'
        option dest 'lan_int'

config forwarding
        option src 'guest1'
        option dest 'lan_int'

config forwarding
        option src 'guest2'
        option dest 'lan_int'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'

        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

# Input exceptions that let guest clients talk DHCP to the router despite the guest zones'
# input REJECT policy. One rule per guest zone; 'src_port' and 'dest_port' are both 67-68.
# NOTE(review): a DHCP client sends from port 68 to port 67, so matching only dest_port 67
# would be narrower and sufficient; the range here also admits traffic to port 68.
# NOTE(review): 'option direction' plus 'option device' tie each rule to a hard-coded Wi-Fi
# ifname. If the AP comes up under a different name the rule presumably stops matching and
# the DHCP request hits input REJECT, which would match the "no lease" symptom in this thread.
config rule
        option name 'Allow Guest1 DHCP'
        option direction 'in'
        option device 'wlan1'
        option family 'ipv4'
        list proto 'udp'
        option src 'guest1'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src_port '67-68'

config rule
        option name 'Allow Guest0 DHCP'
        option direction 'in'
        option device 'wlan0'
        option family 'ipv4'
        list proto 'udp'
        option src 'guest0'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest2 DHCP'
        option direction 'in'
        option device 'wlan1-1'
        option family 'ipv4'
        list proto 'udp'
        option src 'guest2'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

# Source-NAT for TCP/UDP traffic to 192.168.1.3 port 445 (SMB) leaving through lan1:
# the source address is rewritten to 192.168.1.2.
# NOTE(review): after this rewrite the Samba host sees every such connection as coming from
# 192.168.1.2, so its logs and host-based access controls cannot tell individual clients
# apart. Keep per-client records on this router if attribution matters.
# NOTE(review): together with the guestN -> lan_int forwardings this presumably lets guest
# SSID clients reach SMB on 192.168.1.3. Confirm that is intended.
# NOTE(review): 192.168.1.2 is also used as 'option gateway' elsewhere on this page, and lan1
# gets its address by DHCP, so whether 192.168.1.2 really is this router's address on lan1
# cannot be confirmed from the listing.
config nat
        option name 'Allow Access Samba'
        list proto 'tcp'
        list proto 'udp'
        option src_port '1024-65535'
        option dest_ip '192.168.1.3'
        option dest_port '445'
        option target 'SNAT'
        option snat_ip '192.168.1.2'
        option src 'lan_int'
        option device 'lan1'

Not sure how you came up with this config, especially the option gateway one?
Suggest to start from scratch and follow the Wiki https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start

Could it be that you copied from here?

I just commented out the gateway configuration and restarted the network and wifi, but the issue is still there: I cannot get an IP address when trying to connect to NETGEAR06-ENT.

Edit: I restarted the network several times until the configuration worked, without the suspicious option gateway.

Edit2: But it didn't survive a reboot.
BTW, I am using yesterday's snapshot.

Edit3: After a reboot, only wlan0 accepts connections normally; both 2.4 GHz SSIDs are up but clients cannot connect to them.

Not there. I got the idea from OpenWRT – How to create a public network without using the wan interface.

So I think the issue still resides in the second SSID not working correctly here. I'm not sure whether it can be resolved by configuration changes alone.

dmesg shows:

reboot (no wlan1 up):

[   22.926435] IPv6: ADDRCONF(NETDEV_CHANGE): lan1: link becomes ready
[   22.997748] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1-1: link becomes ready
[   23.939656] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready

After running 'wifi down & wifi up', wlan1 is now ready, but the SSID associated with it (NETGEAR06-ENT) is still not working; the other one is working though.

[  338.068154] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[  338.092233] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1-1: link becomes ready
[  338.693009] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready

Edit: Just confirmed that restarting the network can make it work. This may indicate that there is some kind of bug in the master branch.

There's a lot wrong here but the immediate problem seems to be that you are trying to attach two physical interfaces (5 GHz AP and 2.4 GHz AP) to a network which is not a bridge. A non-bridge network is little more than aliasing the name and applying the IP address directly to the device. Which of course only works once.

Do not refer to wifi ifnames in /etc/config/network. Attaching an AP to a network is taken care of by option network in /etc/config/wireless, and the ifnames will vary as wifi interfaces are added or removed.


I just followed your suggestions and cleaned up the network configuration, and it turned out to work.

Thanks for your kind help.

The working configuration is as follows:

# Guest networks in the working state: only a static address per network.
# There is no 'option device' and no 'option gateway'; each AP is attached to its network
# by 'option network' in the wireless configuration.
# NOTE(review): the firewall zones and the 'Allow GuestN DHCP' rules shown earlier on this
# page still match on hard-coded ifnames ('wlan0', 'wlan1', 'wlan1-1'). The page does not
# show whether they were changed as well; verify that guest input is still rejected and
# DHCP is still admitted after a reboot.
config interface 'guest0'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'

config interface 'guest2'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'
