I have D'Link DAP-2680 access point connected to x64 router, both with OpenWrt 22.03.3 installed. I have four VLANs set up each corresponding to a different SSID.
Everything works fine, each device (both wired and WiFi) connects to correct VLAN and gets correct IP, except for three devices: smart vacuum (which connects to IoT VLAN), photovoltaics controller (IoT VLAN) and older Android smartphone (Home VLAN). After a recent power loss those three connect to Access Point but then they seem to not be getting IP address. Before the power loss they all connected just fine and even reconnected correctly after simulated power losses I have done. And, in theory, nothing has changed since after the last power loss.
The VLANs and DHCP seem to be working fine - other devices connect without issues to both mentioned VLANs, both through WiFi and wired. DHCP pool has plenty of addresses and vacuum and pv controller have static leases set up. The only common thread I see is that all three devices are old/cheap and use 2.4GHz, but they correctly connect to AP so why would WiFi frequency affect IP acquisition.
Top screenshot is a (partial) list of connected devices from AP. All three use the same SSID, first one is a Chromecast using 5GHz, second and third are vacuum and pv controller using 2.4GHz. The noticeable difference between is that vacuum and pv controller don't have host IP, but one laptop connected to different VLAN also doesn't have host IP printed and works fine. The only other difference is lack of "MCS7 ...' line for vaccum and pv controller, but I suppose that's because there is no traffic from them.
I tried rebooting and reconnecting everything multiple times. I also tried disabling WMM as suggested in this thread but that didn't help. logread on AP only mentions that those devices authenticate correctly, and on router they are not mentioned at all. I attach screenshot of 2.4GHz IoT network configuration for more reference.
What else can I check and do to make those devices work?
Switch to WPA2 (PSK) only and that will likely solve the problem. Mixed mode WPA2/WPA3 (i.e. sae-mixed) doesn’t work well for many devices, especially IoT and other older devices.
If that doesn’t solve the issue, please post the configs in text form.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
After changing switching to WPA2 (PSK) vacuum and pv controller (not Android phone) worked for a brief moment but the stopped working again after Access Point reboot.
Configuration for Access Point (not that firewall and odhcp services are disabled):
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd0e:xxxx:xxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'wlan0'
list ports 'wlan0-1'
list ports 'wlan0-2'
list ports 'wlan0-3'
list ports 'wlan1'
list ports 'wlan1-1'
list ports 'wlan1-2'
list ports 'wlan1-3'
config device
option name 'eth0'
option macaddr '58:xx:xx:xx:xx:00'
config bridge-vlan
option device 'br-lan'
option vlan 'xx1'
list ports 'eth0:t'
list ports 'wlan0:u*'
list ports 'wlan1:u*'
config bridge-vlan
option device 'br-lan'
option vlan 'xx2'
list ports 'eth0:t'
list ports 'wlan0-1:u*'
list ports 'wlan1-1:u*'
config interface 'secured'
option device 'br-lan.xx1'
option proto 'static'
option ipaddr '17x.xx.xxx1.2'
option netmask '255.255.255.192'
option gateway '17x.xx.xxx1.1'
config interface 'home'
option proto 'none'
option device 'br-lan.xxx3'
config bridge-vlan
option device 'br-lan'
option vlan 'xx3'
list ports 'eth0:t'
list ports 'wlan0-2:u*'
list ports 'wlan1-2:u*'
config interface 'iot'
option proto 'none'
option device 'br-lan.xxx3'
config bridge-vlan
option device 'br-lan'
option vlan 'xx4'
list ports 'eth0:t'
list ports 'wlan0-3:u*'
list ports 'wlan1-3:u*'
config interface 'guest'
option proto 'none'
option device 'br-lan.xxx4'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option htmode 'VHT80'
option country 'xx'
option cell_density '1'
option channel '48'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option htmode 'HT40'
option channel '6'
option country 'xx'
option cell_density '1'
config wifi-iface 'wifinet0'
option device 'radio1'
option mode 'ap'
option ssid 'Sxxx_Securise'
option hidden '1'
option key 'xxx'
option network 'secured'
option encryption 'sae'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'Sxxx_Securise'
option hidden '1'
option key 'xxx'
option network 'secured'
option encryption 'sae'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Sxxx_Home'
option key 'xxx'
option network 'home'
option encryption 'psk2'
option ieee80211w '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Sxxx_Home'
option key 'xxx'
option network 'home'
option encryption 'psk2'
option ieee80211w '1'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'Sxxx_IoT'
option key 'xxx'
option network 'iot'
option encryption 'psk2'
option ieee80211w '1'
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'Sxxx_IoT'
option key 'xxx'
option network 'iot'
option encryption 'psk2'
option ieee80211w '1'
config wifi-iface 'wifinet6'
option device 'radio0'
option mode 'ap'
option ssid 'Sxxx_Guest'
option key 'xxx'
option network 'guest'
option encryption 'psk2'
option ieee80211w '1'
config wifi-iface 'wifinet7'
option device 'radio1'
option mode 'ap'
option ssid 'Sxxx_Guest'
option key 'xxx'
option network 'guest'
option encryption 'psk2'
option ieee80211w '1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Configuration for Router:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdda:xxxx:xxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.xxx5'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx5'
list ports 'eth0'
config device
option type '8021q'
option ifname 'br-lan'
option vid 'xxx5'
option name 'br-lan.xxx5'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx0'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx1'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx2'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx4'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx7'
list ports 'eth0:t'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx8'
list ports 'eth0:t'
config interface 'wan'
option proto 'static'
option device 'br-lan.xxx7'
option ipaddr '192.xxx.xxx.2'
option netmask '255.255.255.248'
option gateway '192.xxx.xxx.1'
option metric '10'
config interface 'wanb'
option proto 'static'
option device 'br-lan.xxx9'
option ipaddr '192.xxx.xxx.2'
option netmask '255.255.255.0'
option gateway '192.xxx.xxx.1'
option metric '20'
config interface 'sysconf'
option proto 'static'
option device 'br-lan.xxx0'
option ipaddr '1xx.xx.2.1'
option netmask '255.255.255.192'
config interface 'secured'
option proto 'static'
option device 'br-lan.xxx1'
option ipaddr '1xx.xx.xxx1.1'
option netmask '255.255.255.192'
config interface 'iot'
option proto 'static'
option device 'br-lan.xxx2'
option ipaddr '1xx.xx.xxx2.1'
option netmask '255.255.255.192'
config interface 'guest'
option device 'br-lan.xxx4'
option proto 'static'
option ipaddr '1xx.xx.xxx4.1'
option netmask '255.255.255.192'
config interface 'home'
option proto 'static'
option device 'br-lan.xxx3'
option ipaddr '1xx.xx.xxx3.1'
option netmask '255.255.255.192'
config bridge-vlan
option device 'br-lan'
option vlan 'xxx3'
list ports 'eth0:t'
root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list server '127.0.0.1#5453'
list server '0::1#5453'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'sysconf'
option interface 'sysconf'
option leasetime '12h'
option start '10'
option limit '50'
config dhcp 'secured'
option interface 'secured'
option leasetime '12h'
option start '10'
option limit '50'
config dhcp 'iot'
option interface 'iot'
option leasetime '12h'
option start '10'
option limit '50'
config dhcp 'guest'
option interface 'guest'
option leasetime '12h'
option start '10'
option limit '50'
config host
option name 'pv controller'
option dns '1'
option mac '24:xxx:BB'
option ip '1xx.xx.xxx2.7'
config host
option name 'Printer'
option dns '1'
option mac 'E4:xxx:5A'
option ip '1xx.xx.xxx2.8'
config host
option name 'Chromecast'
option dns '1'
option mac '70:xxx:46'
option ip '1xx.xx.xxx2.5'
config host
option name 'Vacuum'
option dns '1'
option mac 'B0:xxx:F0'
option ip '1xx.xx.xxx2.6'
config host
option dns '1'
option mac '8C:xxx:9C'
option ip '1xx.xx.xxx2.4'
option name 'TV'
config host
option name 'Computer1'
option dns '1'
option mac '10:xxx:8B'
option ip '1xx.xx.xxx2.16'
config host
option name 'Laptop1'
option dns '1'
option mac '48:xxx:41'
option ip '1xx.xx.xxx2.14'
config host
option name 'Computer2'
option dns '1'
option mac 'A0:xxx:AC'
option ip '1xx.xx.xxx2.8'
config host
option name 'Laptop2'
option dns '1'
option mac 'A0:xxx:E1'
option ip '1xx.xx.xxx2.10'
config dhcp 'home'
option interface 'home'
option leasetime '12h'
option start '10'
option limit '50'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wanb'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'home'
option output 'ACCEPT'
list network 'home'
option forward 'REJECT'
option input 'REJECT'
config zone
option name 'secured'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'secured'
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
option input 'REJECT'
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
option input 'REJECT'
config forwarding
option src 'home'
option dest 'iot'
config forwarding
option src 'home'
option dest 'wan'
config forwarding
option src 'secured'
option dest 'home'
config forwarding
option src 'secured'
option dest 'iot'
config forwarding
option src 'secured'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest DHCP and DNS'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'IoT DHCP and DNS'
option src 'iot'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Home DHCP and DNS'
option src 'home'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Home block modems'
option src 'home'
list dest_ip '192.xxx.xxx.1'
list dest_ip '192.xxx.xxx.1'
option target 'REJECT'
config rule
option name 'Guest block modems'
option src 'guest'
list dest_ip '192.xxx.xxx.1'
list dest_ip '192.xxx.xxx.1'
option target 'REJECT'
config rule
option name 'IoT block modems'
option src 'iot'
list dest_ip '192.xxx.xxx.1'
list dest_ip '192.xxx.xxx.1'
option target 'REJECT'
Would you be able to elaborate to what kind of problems are there?
I admit I'm a newbie in the networking world and created this setup as best as I could with the rather scarce resources I could find on the internet. So if I were start from scratch I would basically end up with more-less identical configuration.
The problems are numerous, so it would really be hard to describe all of them (and it is far faster to start from scratch here), but for the sake of a very quick discussion…
On the AP:
You’ve got all of the wlan ‘devices’ in the network file. They do not belong in the network file — only in the wireless file. You specify SSID in the wireless file, and in the same stanza you will specify the network to which that SSID is attached. So you need to remove all wlan references form the network file
You’ve also done DSA-type vlan assignment of the wlan networks (in the network file with the u* designations) — the wlan hardware doesn’t have any concept of tagged and untagged networks. All of that needs to be deleted, too.
On the router:
You’ve got DSA type config stanzas in there, but I think that your device is likely using swconfig. So all of those VLANs are incorrectly defined and need to be redone entirely.
Also, you’ve redacted VLAN IDs and RFC1918 addresses…. This is both unnecessary and actually may cause more confusion because it is harder to verify that things are correct. These things are not personal/sensitive and you can safely provide that info without compromising your security.
My suggestion is that you start with a completely default configuration on the router first. Post the network config file and describe the VLANs you want to have in your network. We’ll work to build one additional network… once that is proven to work, we’ll move on to the AP (reset and connect the two networks from the router). After that works, you’ll be able to apply the same formula to get the other networks and SSIDs created.
This is a fairly (from my point of view) complex setup with x64 Router-On-A-Stick, vlans, mwan, DNS-over-TLS and cake-autorate. I am a little bit surprised to hear how bad my setup is, as almost everything works and actually everything worked for quite some time until the power loss. So I am (hopefully understandably) a little bit hesitant about setting up everything from scratch.
But I am more than happy to discuss how my devices should be set up and what resources can help me with setting things up correctly. And then, with better understanding of my mistakes configure the devices.
I also would like to respond to your points, as I believe that discussion can be helpful for other begginers and OpenWrt community in general.
That is very important knowledge, thank you. I have configured virtually everything through LuCI, which I realize might have been my biggest mistake. Using DSA was just the only way I have found how to configure multiple SSIDs with VLANs in LuCI. But maybe that's also indication that LuCI interface (which is tempting for beginners like me) can result in wrong configurations.
As this is an x86_64 Router-On-A-Stick (just a cheap Lenovo Mini PC with single ethernet port) I am not sure if that device has swconfig capability. Ash returns swconfig not found but this command
also don't indicate that the router uses DSA.
Thank you for pointing out the issues with my configuration. And I will describe my desired network in the next post for topic clarity.
As both Router and AP have single Ethernet port their default configuration (as far as I remember) was br-lan device with single lan interface.
For router, from there I created VLAN (802.1q) devices for br-lan and created separate interfaces connected to them.
For AP, I created VLAN (802.1q) devices br-lan, added wireless networks to the bridge and configured VLAN filtering inside the bridge. Then, similarly to router, created interfaces connected to VLAN devices.
I will be glad for any suggestions or links to sources how this configuration should be done correctly.
Then I have created a single WiFi network (and some interface to manage the AP) following advice from this topic. Now the configuration looks like that and none of the devices connects to the WiFi:
Good point. But while we are on the topic, is there a situation where bridge-vlan is preferred over standard interface dotted notation when bridges are not needed (I.e just a single Ethernet port used for the VLANs)? I usually recommend simply eth0.x notation if a bridge is not explicitly needed.
This seems to be working, that is all previously affected devices now connect fine. I will give this configuration a few days for testing, before marking as solution. Thanks a lot for your help.
Somewhat related, should I set up a similar configuration on my Router-on-a-Stick as I have just set up on the AP (i.e. interfaces directly to eth0.x instead of DSA)?
