Subnets stop communicating after some days uptime. Reboot solves the issue for a short time – help troubleshooting

Firmware Version: OpenWrt 23.05.5 r24106-10cc5fcd00 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562
Kernel Version: 5.15.167
Device: GL.iNet GL-MT6000 / Flint 2
Architecture: ARMv8 Processor rev 4

I’m quite new to OpenWRT and would be grateful for help troubleshooting my issue.
My config is quite modest, I have the following firewall zones (picture attached):
lan – 192.168.20.0/24
vpn_zone - 192.168.21.0/24
tailscale
wan

lan and vpn_zone are trusted zones and I have set them to forward between zones, both ways. On a fresh reboot, this bi-directional communication works fine. However, after some days of uptime (minimum 5 and maximum 25 so far), the communication between zones stops and I cannot even ping between them. All devices, regardless of zone, still have internet access.

I have tried restarting the firewall service through LuCI via -> system / startup / 'firewall restart'.
Restarting the firewall does not work. But rebooting brings everything up, and all the communication between zones works again for a few days.

tailscale seems unaffected. When I notice the drop in communication between lan and vpn_zone, I can still access devices on both zones on 5G through tailscale.

The reason for setting it up like this is that I want a quick way to switch my desktop PC between VPN and NO-VPN routing. I use my PC via wifi, so I have lan associated with the NO-VPN wifi and vpn_zone associated with the VPN wifi.

I then route vpn_zone (192.168.21.0/24) through a WireGuard tunnel using Policy Based Routing.

As I am an OpenWRT novice, I'm not sure how to read the logs, but I've copied and pasted the logs from LuCI / Status / System Log below, hopefully in an acceptable form.

I have noticed a couple of lines that seem odd from the log, but I’m not sure if this is significant:

Fri Feb 14 11:22:34 2025 kern.warn kernel: [2216691.787739] Ignoring NSS change in VHT Operating Mode Notification from 1e:9b:dc:7b:cb:25 with invalid nss 2
Fri Feb 14 11:22:34 2025 kern.warn kernel: [2220984.640422] Ignoring NSS change in VHT Operating Mode Notification from e2:21:f4:8c:51:2c with invalid nss 1

I could just set a cron job to reboot the router every few days, but this does not seem like a very elegant solution.

Any help would be much appreciated as my wife is now a bit cross with me.

Fri Feb 14 06:42:43 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.20.131 MAC REDACT
Fri Feb 14 06:42:43 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.20.131 MAC REDACT Watch
Fri Feb 14 07:39:29 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.20 MAC REDACT
Fri Feb 14 07:39:29 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.20 MAC REDACT pihole1
Fri Feb 14 07:53:36 2025 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 07:53:36 2025 daemon.info hostapd: phy0-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 07:53:36 2025 daemon.info hostapd: phy0-ap0: STA MAC REDACT IEEE 802.11: associated (aid 1)
Fri Feb 14 07:53:36 2025 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 07:53:36 2025 daemon.info hostapd: phy0-ap0: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 07:53:36 2025 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 07:53:38 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.20 MAC REDACT
Fri Feb 14 07:53:38 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.20 MAC REDACT pihole1
Fri Feb 14 08:07:50 2025 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 08:07:50 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: disassociated due to inactivity
Fri Feb 14 08:07:51 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 08:08:18 2025 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 08:08:18 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: disassociated due to inactivity
Fri Feb 14 08:08:19 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 08:29:17 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.20.228 MAC REDACT
Fri Feb 14 08:29:17 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.20.228 MAC REDACT amazon-efff5154e
Fri Feb 14 08:31:07 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.235 MAC REDACT
Fri Feb 14 08:31:07 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.235 MAC REDACT Apple-TV
Fri Feb 14 08:32:03 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 08:32:03 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: disassociated
Fri Feb 14 08:32:04 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 08:35:39 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 08:35:39 2025 kern.warn kernel: [2135791.188439] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 2
Fri Feb 14 08:35:39 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: associated (aid 3)
Fri Feb 14 08:35:39 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 08:35:39 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 08:35:39 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 08:35:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-vpn) MAC REDACT
Fri Feb 14 08:35:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-vpn) 192.168.21.192 MAC REDACT
Fri Feb 14 08:35:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-vpn) MAC REDACT
Fri Feb 14 08:35:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-vpn) 192.168.21.192 MAC REDACT
Fri Feb 14 08:35:43 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.192 MAC REDACT
Fri Feb 14 08:35:43 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.192 MAC REDACT Grants-Mac-mini
Fri Feb 14 08:37:11 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 08:37:11 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: disassociated
Fri Feb 14 08:37:12 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 08:37:47 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 08:37:47 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: associated (aid 3)
Fri Feb 14 08:37:47 2025 kern.warn kernel: [2210980.622007] Ignoring NSS change in VHT Operating Mode Notification from 38:f9:d3:1d:95:e0 with invalid nss 3
Fri Feb 14 08:37:48 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 08:37:48 2025 daemon.info hostapd: phy1-ap0: STA ea:75:cf:dc:85:c7 WPA: pairwise key handshake completed (RSN)
Fri Feb 14 08:37:48 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 08:37:49 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-vpn) MAC REDACT
Fri Feb 14 08:37:49 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-vpn) 192.168.21.232 MAC REDACT
Fri Feb 14 08:37:50 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.232 MAC REDACT
Fri Feb 14 08:37:50 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.232 MAC REDACT
Fri Feb 14 09:21:46 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 09:21:46 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: disassociated
Fri Feb 14 09:21:47 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 09:24:58 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 09:24:58 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: associated (aid 2)
Fri Feb 14 09:24:58 2025 kern.warn kernel: [2211108.958349] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 3
Fri Feb 14 09:24:58 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 09:24:58 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 09:24:58 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 09:24:58 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.100 MAC REDACT
Fri Feb 14 09:24:58 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.100 MAC REDACT
Fri Feb 14 09:26:27 2025 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 09:27:18 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 09:27:18 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: associated (aid 4)
Fri Feb 14 09:27:18 2025 daemon.notice hostapd: phy0-ap1: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 09:27:18 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 09:27:18 2025 daemon.notice hostapd: phy0-ap1: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 09:27:18 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.20.168 MAC REDACT
Fri Feb 14 09:27:18 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.20.168 MAC REDACT Watch
Fri Feb 14 09:36:31 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.232 MAC REDACT
Fri Feb 14 09:36:31 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.232 MAC REDACT
Fri Feb 14 09:53:53 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.236 MAC REDACT
Fri Feb 14 09:53:53 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.236 MAC REDACT
Fri Feb 14 10:10:56 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 10:10:56 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 10:10:56 2025 kern.warn kernel: [2213936.754264] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 2
Fri Feb 14 10:10:56 2025 kern.warn kernel: [2216691.775821] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 1
Fri Feb 14 10:10:56 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: associated (aid 1)
Fri Feb 14 10:10:56 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 10:10:56 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 10:10:56 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 10:10:56 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.236 MAC REDACT
Fri Feb 14 10:10:56 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.236 MAC REDACT
Fri Feb 14 10:24:57 2025 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 10:24:57 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: disassociated due to inactivity
Fri Feb 14 10:24:58 2025 daemon.info hostapd: phy0-ap1: STA MAC REDACT IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Feb 14 10:26:15 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:31:22 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:32:28 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.10 MAC REDACT
Fri Feb 14 10:32:28 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.10 MAC REDACT deepthought
Fri Feb 14 10:36:30 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:41:49 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:46:54 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:52:09 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 10:54:09 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.20.20 MAC REDACT
Fri Feb 14 10:54:09 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.20.20 MAC REDACT pihole2w
Fri Feb 14 10:57:16 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 11:02:31 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 11:07:46 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 11:12:50 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 11:17:53 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POLL-OK MAC REDACT
Fri Feb 14 11:22:33 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED MAC REDACT
Fri Feb 14 11:22:34 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: authenticated
Fri Feb 14 11:22:34 2025 kern.warn kernel: [2216691.787739] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 2
Fri Feb 14 11:22:34 2025 kern.warn kernel: [2220984.640422] Ignoring NSS change in VHT Operating Mode Notification from MAC REDACT with invalid nss 1
Fri Feb 14 11:22:34 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT IEEE 802.11: associated (aid 2)
Fri Feb 14 11:22:34 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED MAC REDACT auth_alg=open
Fri Feb 14 11:22:34 2025 daemon.info hostapd: phy1-ap0: STA MAC REDACT WPA: pairwise key handshake completed (RSN)
Fri Feb 14 11:22:34 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED MAC REDACT
Fri Feb 14 11:22:34 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.100 MAC REDACT
Fri Feb 14 11:22:34 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.100 MAC REDACT
Fri Feb 14 11:41:15 2025 daemon.notice netifd: wan (14122): udhcpc: sending renew to server IP REDACT
Fri Feb 14 11:41:15 2025 daemon.notice netifd: wan (14122): udhcpc: lease of IP REDACT obtained from IP REDACT, lease time 86400
Fri Feb 14 12:12:25 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.20.113 MAC REDACT
Fri Feb 14 12:12:25 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.20.113 MAC REDACT
Fri Feb 14 13:10:27 2025 daemon.err uhttpd[1906]: [info] luci: accepted login on /admin/status/overview for root from 192.168.21.232
Fri Feb 14 13:53:38 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.20 MAC REDACT
Fri Feb 14 13:53:38 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.20 MAC REDACT pihole1
Fri Feb 14 13:57:05 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-vpn) 192.168.21.235 MAC REDACT
Fri Feb 14 13:57:05 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-vpn) 192.168.21.235 MAC REDACT Apple-TV

That is not good on Valentine's day :wink:

It could help if we see your configs. Please connect to your OpenWRT device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
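An added example, not part of the reply above and not OpenWrt's own tooling: a small POSIX sh/awk script that runs the command list above on the router and scrubs the things the reply asks to redact (keys, PSKs, endpoint hosts, MAC addresses, public IPv4 and global IPv6 addresses) before the output is pasted anywhere. The command list is the one in the reply; the function names, the regexes, the "IP REDACT"/"MAC REDACT"/"IP6 REDACT" placeholders and the choice of what counts as a private address are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: gather the diagnostics requested above on
# an OpenWrt router and scrub secrets before the text leaves the box.
# Assumptions: POSIX sh and awk (busybox versions are fine), run as root.
# Kept on purpose: RFC 1918, loopback, link-local, 0.0.0.0, netmasks and
# multicast/broadcast addresses, because the helpers need to see those.

redact() {
    awk -v q="'" '
    # private or otherwise non-identifying IPv4 literals are left alone
    function is_local(ip,    o, a, b) {
        split(ip, o, "."); a = o[1] + 0; b = o[2] + 0
        if (a == 0 || a == 10 || a == 127 || a >= 224) return 1
        if (a == 192 && b == 168) return 1
        if (a == 172 && b >= 16 && b <= 31) return 1
        if (a == 169 && b == 254) return 1
        return 0
    }
    # walk the line left to right, replacing every IPv4 literal that is not local
    function redact_ipv4(s,    out, ip) {
        out = ""
        while (match(s, ipv4)) {
            ip = substr(s, RSTART, RLENGTH)
            out = out substr(s, 1, RSTART - 1) (is_local(ip) ? ip : "IP REDACT")
            s = substr(s, RSTART + RLENGTH)
        }
        return out s
    }
    BEGIN {
        h = "[0-9a-fA-F][0-9a-fA-F]"
        mac = h ":" h ":" h ":" h ":" h ":" h
        ipv4 = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
        # global unicast IPv6 (2000::/3); ULA (fd..) and link-local (fe80..) stay
        ipv6 = "[23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F:]+"
        # UCI options whose quoted value is a secret or an identifying host
        uci_secret = "option (key|private_key|public_key|preshared_key|endpoint_host|ula_prefix) "
        uci_value = q "[^" q "]*" q "[[:space:]]*$"
        # lines of "wg show" that carry keys or the peer endpoint
        wg_secret = "^[[:space:]]*(peer|public key|private key|preshared key|endpoint):"
    }
    {
        line = $0
        if (line ~ uci_secret) sub(uci_value, q "REDACT" q, line)
        if (line ~ wg_secret) sub(/:.*$/, ": REDACT", line)
        gsub(mac, "MAC REDACT", line)
        gsub(ipv6, "IP6 REDACT", line)
        print redact_ipv4(line)
    }'
}

# Run the command list from the reply above and pipe everything through redact.
collect_diag() {
    for cmd in "ubus call system board" "cat /etc/config/network" \
               "cat /etc/config/wireless" "cat /etc/config/dhcp" \
               "cat /etc/config/firewall" "ip route show" \
               "ip route show table all" "ip rule show" "wg show"; do
        printf '\n# %s\n' "$cmd"
        $cmd 2>&1
    done | redact
}

# sh diag.sh collect > /tmp/diag.txt   (on the router)
# logread | sh diag.sh filter           (scrub any other output, e.g. the system log)
case "${1:-}" in
    collect) collect_diag ;;
    filter)  redact ;;
esac
```

The filter errs on the side of over-redaction: any non-private IPv4 literal, including a public DNS resolver, becomes "IP REDACT", and a "wg show" endpoint line loses its port as well as its host. That is the right trade for a public forum post; the helpers only need the private topology, which stays intact.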

Thank you so much @egc. Quite right, it's not the best day :innocent:.

I will post all below as requested.

For info, I have two piholes on my network, both connected via wifi on
192.168.20.20 - on the No-VPN lan zone wifi
192.168.21.20 - on the vpn_zone wifi

Also, this OpenWRT router is plugged into my ISP router. The ISP router's network is 192.168.5.0/24.
But all the zones I have described above are within the OpenWRT router. I am not trying to communicate with any device on the ISP router network.

ubus call system board

# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "FlintWRT",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

cat /etc/config/network

# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACT::/48'

config device
        option name 'br-lan'
        option type 'bridge'

config device
        option name 'lan1'
        option macaddr 'REDACT'

config device
        option name 'lan2'
        option macaddr 'REDACT'

config device
        option name 'lan3'
        option macaddr 'REDACT'

config device
        option name 'lan4'
        option macaddr 'REDACT'

config device
        option name 'lan5'
        option macaddr 'REDACT'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.20.20'
        list dns '192.168.21.20'

config device
        option name 'eth1'
        option macaddr 'REDACT'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.20.20'
        list dns '192.168.21.20'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '192.168.20.20'
        list dns '192.168.21.20'

config device
        option type 'bridge'
        option name 'br-vpn'
        option bridge_empty '1'
        option mtu '1500'
        option ipv6 '0'
        list ports 'lan2'
        list ports 'lan3'

config interface 'VPN'
        option proto 'static'
        option device 'br-vpn'
        option ipaddr '192.168.21.1'
        option netmask '255.255.255.0'
        list dns '192.168.20.20'
        list dns '192.168.21.20'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACT'
        list addresses '10.2.0.2/32'
        option defaultroute '0'
        list dns '192.168.20.20'
        list dns '192.168.21.20'

config wireguard_wg0
        option description 'Flint_BMAT_UK17-UK-17.conf'
        option public_key 'REDACT'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACT'
        option endpoint_port 'REDACT'
        option persistent_keepalive '25'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

cat /etc/config/wireless

# cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '2'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'novpnt'
        option encryption 'psk2'
        option key 'REDACT'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'VPN'
        option mode 'ap'
        option ssid 'Abalone rehab 5'
        option encryption 'psk2'
        option key 'REDACT'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Abalone rehab 2'
        option encryption 'psk2'
        option key 'REDACT'
        option network 'VPN'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Abalone Hut 5'
        option encryption 'psk2'
        option key 'REDACT'
        option network 'lan'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

cat /etc/config/dhcp

# cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list rebind_domain 'plex.direct'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

config dhcp 'VPN'
        option interface 'VPN'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'deepthought'
        list mac 'REDACT'
        option ip '192.168.21.10'
        option leasetime '12h'

config host
        option name 'pihole2w'
        list mac 'REDACT'
        option ip '192.168.20.20'
        option leasetime '12h'

config host
        option name 'pihole1'
        list mac 'REDACT'
        option ip '192.168.21.20'
        option leasetime '12h'

config host
        option name 'pi3tv'
        list mac 'REDACT'
        option ip '192.168.21.12'

cat /etc/config/firewall

# cat /etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpn_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPN'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'tailscale'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config forwarding
        option src 'vpn_zone'
        option dest 'lan'

config forwarding
        option src 'vpn_zone'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn_zone'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'tailscale'
        option dest 'vpn_zone'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config forwarding
        option src 'vpn_zone'
        option dest 'tailscale'

ip route show

# ip route show
default via 192.168.5.1 dev eth1 proto static src 192.168.5.2 
REDACT via 192.168.5.1 dev eth1 proto static 
192.168.5.0/24 dev eth1 proto kernel scope link src 192.168.5.2 
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.1 
192.168.21.0/24 dev br-vpn proto kernel scope link src 192.168.21.1 

ip route show table all

# ip route show table all
default via 192.168.5.1 dev eth1 table pbr_wan 
default via 10.2.0.2 dev wg0 table pbr_wg0 
default via IP REDACT dev tailscale0 table pbr_tailscale 
192.168.20.0/24 dev br-lan table pbr_tailscale proto kernel scope link src 192.168.20.1 
192.168.21.0/24 dev br-vpn table pbr_tailscale proto kernel scope link src 192.168.21.1 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
IP REDACT dev tailscale0 table 52 
192.168.0.0/24 dev tailscale0 table 52 
192.168.12.0/24 dev tailscale0 table 52 
default via 192.168.5.1 dev eth1 proto static src 192.168.5.2 
IP REDACT via 192.168.5.1 dev eth1 proto static 
192.168.5.0/24 dev eth1 proto kernel scope link src 192.168.5.2 
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.1 
192.168.21.0/24 dev br-vpn proto kernel scope link src 192.168.21.1 
local 10.2.0.2 dev wg0 table local proto kernel scope host src 10.2.0.2 
local IP REDACT dev tailscale0 table local proto kernel scope host src IP REDACT 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.5.2 dev eth1 table local proto kernel scope host src 192.168.5.2 
broadcast 192.168.5.255 dev eth1 table local proto kernel scope link src 192.168.5.2 
local 192.168.20.1 dev br-lan table local proto kernel scope host src 192.168.20.1 
broadcast 192.168.20.255 dev br-lan table local proto kernel scope link src 192.168.20.1 
local 192.168.21.1 dev br-vpn table local proto kernel scope host src 192.168.21.1 
broadcast 192.168.21.255 dev br-vpn table local proto kernel scope link src 192.168.21.1 
IP REDACT::/48 dev tailscale0 table 52 metric 1024 pref medium
default from IP REDACT::/64 via fe80::1 dev eth1 proto static metric 512 pref medium
default from IP REDACT:6056 via fe80::1 dev eth1 proto static metric 512 pref medium
IP REDACT::/64 dev eth1 proto static metric 256 pref medium
unreachable IP REDACT::/64 dev lo proto static metric 2147483647 pref medium
fd00::/64 dev eth1 proto static metric 256 pref medium
IP REDACT::6401:4e50 dev tailscale0 proto kernel metric 256 pref medium
IP REDACT:1::/64 from IP REDACT::/64 via fe80::ce9e:a2ff:fe9b:7415 dev eth1 proto static metric 512 pref medium
IP REDACT:1::/64 from IP REDACT:6056 via IP REDACT:7415 dev eth1 proto static metric 512 pref medium
IP REDACT::/64 dev br-lan proto static metric 1024 pref medium
unreachable IP REDACT::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap1 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast IP REDACT:3d00:: dev eth1 table local proto kernel metric 0 pref medium
local IP REDACT7:6056 dev eth1 table local proto kernel metric 0 pref medium
local IP REDACT:6056 dev eth1 table local proto kernel metric 0 pref medium
local IP REDACT:4e50 dev tailscale0 table local proto kernel metric 0 pref medium
anycast IP REDACT:: dev br-lan table local proto kernel metric 0 pref medium
local IP REDACTe::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tailscale0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
local fIP REDACT:5670 dev eth0 table local proto kernel metric 0 pref medium
local IP REDACTf:fea7:6059 dev br-lan table local proto kernel metric 0 pref medium
local IP REDACT:fea7:6059 dev phy0-ap1 table local proto kernel metric 0 pref medium
local IP REDACT:fea7:6056 dev eth1 table local proto kernel metric 0 pref medium
local IP REDACT:6059 dev phy0-ap0 table local proto kernel metric 0 pref medium
local IP REDACT:605a dev phy1-ap0 table local proto kernel metric 0 pref medium
local IP REDACT:eee8 dev tailscale0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tailscale0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium

ip rule show

# ip rule show
0:      from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
29996:  from all fwmark 0x30000/0xff0000 lookup pbr_tailscale
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

wg show

# wg show
interface: wg0
  public key: REDACT
  private key: (hidden)
  listening port: REDACT

peer: REDACT
  endpoint: REDACT
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes ago
  transfer: 13.29 GiB received, 2.23 GiB sent
  persistent keepalive: every 25 seconds

I do not see any obvious mistakes at this moment, but I see things which can be improved, although not related to your problem.

Remove all the list dns entries from all interfaces except the LAN. It is customary to set the upstream DNS servers on the interface they connect to, although in reality it does not matter, as all the DNS servers set on the interfaces end up in the same basket.

It looks like the country code is missing on one of the radios (2.4 GHz). It is usually necessary to set a country code, otherwise the radio can play tricks.

I noticed the WireGuard interface is not very secure and not masquerading. Is it set up to a trusted server as a site-to-site setup? If so, no problem.
Furthermore, it seems you have implemented IPv6, but the WireGuard is IPv4 only, so you could have IPv6 leakage.

But as said those things are not related to your problem.

I can think of two things:
First, Tailscale: there are tales of Tailscale playing tricks, so to test you might try to totally disable it and see if things get better.

The second thing is that you have created two bridges to split your LAN ports.
It is possible that DSA does not always play nice with that and that you should use bridged VLANs: make one bridge with all the LAN ports and then two bridged VLANs to split those.

Not at all sure about this, so you might wait till one of the gurus chimes in.
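What the "one bridge plus two bridged VLANs" layout looks like in /etc/config/network, as an added example that is not part of the thread or of any poster's config. It assumes the Flint 2 switch ports are named lan1..lan5, that the router holds .1 in each subnet, and that the VPN-side interface is called vpn; the subnets are the ones from the thread.

```uci
# Added example, not the original poster's config: one VLAN-filtering bridge
# holding every LAN port, then two bridge VLANs to split them.
# Assumptions: ports lan1..lan5, router address .1, interface name 'vpn'.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 1: ports that stay on the plain (no-VPN) LAN.
# 'u*' = untagged member and PVID, so unmanaged devices need no VLAN config.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

# VLAN 2: ports whose traffic will be policy-routed through wg0.
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

# The interfaces now sit on br-lan.1 / br-lan.2 instead of on two separate
# bridges; the SSIDs keep attaching to 'lan' and 'vpn' in /etc/config/wireless.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'
```

The firewall zones and the PBR policy for 192.168.21.0/24 are unchanged by this; only the Layer 2 split moves from two bridges into one bridge's VLAN table.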

This looks unnecessarily complicated.

Is there any reason you haven't installed Tailscale on the PC and then just switch ON/OFF the Tailscale VPN on the PC?

What version of Tailscale are you running?

# tailscale version

Thank you @egc for taking the time to look at my configs! For a novice like me, it's really very helpful of you.

list dns and country code
I will do this, thanks for the tip.

The VPN is a commercial VPN that I use when surfing the web to obscure my IP, so not site-to-site.
For the Masquerading - I have ticked the box under LuCI / Network / Firewall (picture below); is that all that is required?

IPv6 - I have turned off the WAN6 interface (picture below), is that correct? Or something else also required?

Understood. I will disable Tailscale as suggested. I just added it as it seemed a cool idea, but it is just as easy to set up something else to be a subnet router and then just use the TS client on my PC when required (I have a couple of remote devices).

Alright. VLANs I think I conceptually understand but have not implemented one before.
Would it be just as good for now to assign all the LAN ports to the lan_bridge, and then for any hardwired device needing tunnelling through the wg tunnel, use MAC filtering via PBR?
Just to tide me over till I can get my head around setting up VLANs properly.
The devices connected via ethernet would not ever need to be switched between VPN or No-VPN access. This is just for the devices on wifi like my PC and tablet.

Thanks for your reply.

The lan and vpn_zone are not for tailscale routing. My requirement is to allow wifi clients to easily switch between commercial VPN routing (e.g. Proton VPN) and No-VPN routing.

My use case is that I prefer all devices to go through the Proton VPN at all times. However, sometimes there are websites that do not work when a VPN is active. Therefore, the few times per week I need to access a website that does not work with Proton VPN, I can just switch my PC or tablet to SSID_No-VPN and, without much hassle, access the website and then switch back to SSID_VPN for normal browsing.

Also, I have a Firestick that I use for streaming. This is connected via wifi but is best to be on SSID_No-VPN because, for example, BBC iPlayer does not work well with the VPN active. But I do still need the Firestick to be able to access my Plex server, which also hosts my ARR stack, which needs to be on VPN.

So I thought I needed SSID_VPN and SSID_No-VPN to make this happen, then the ability for these two zones to forward between themselves.

If there is a better / different way, then I would be really pleased to hear. I'm a novice, so there is more that I don't know right now than I know :grimacing:

# tailscale version
1.58.2
  go version: go1.21.13

I think there is a later version, but this is just the one that was installed with

opkg install tailscale

The reason I installed tailscale on my router was because it seemed like a cool idea and then I didn't need a different device to act as subnet router. But if TS is not great with OpenWRT, then it's no big deal to use something else for subnet routing and use the TS client on my PC or tablet when required.

Yes, turn on Masquerading on the VPN firewall zone and also change INPUT and FORWARD to 'REJECT'.
So you get this end result:

Yes you can certainly do that.

It is even possible to use destination-based routing to always route certain destinations via a certain route, although this does not always work as expected.

See:
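The masquerade / REJECT advice above, written out as the /etc/config/firewall zone for the WireGuard interface, as an added example that is not part of the thread or of any poster's config. The zone name wg, the network name wg0 and the source zone vpn_zone are assumptions; the weak form is shown next to the corrected one.

```uci
# Added example, not the original poster's config. Zone name 'wg' and
# network name 'wg0' are assumed; 'vpn_zone' is the 192.168.21.0/24 zone.

# --- before: permissive zone, no NAT -------------------------------------
# Anything the VPN provider sends down the tunnel may reach the router
# (INPUT) or be forwarded (FORWARD), and LAN sources leave the tunnel
# with their private 192.168.21.x addresses because masq is not set.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# --- after: masquerade, reject unsolicited inbound and forwarded traffic --
# The commercial VPN endpoint is not a trusted peer, so only replies to
# connections opened from inside (tracked by conntrack) are let back in.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# SNAT LAN sources to the wg0 tunnel address
	option masq '1'
	# clamp TCP MSS to the tunnel MTU to avoid blackholed large packets
	option mtu_fix '1'

# Only the VPN-side LAN zone may go out through the tunnel; no forwarding
# rule in the reverse direction is needed for the replies.
config forwarding
	option src 'vpn_zone'
	option dest 'wg'
```

This only covers IPv4; as noted earlier in the thread, with allowed ips of 0.0.0.0/0 the tunnel carries no IPv6, so IPv6 clients in vpn_zone would still reach the internet directly unless IPv6 is disabled on that interface.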

Tailscale v1.58.2 is a very old version.
You will need to upgrade to OpenWrt v24.10.0 to get Tailscale v1.80.0

OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------
root@USG-3P:~# tailscale version
1.80.0
  go version: go1.23.4
root@USG-3P:~# 
root@USG-3P:~# tailscale status
100.xx.xx.xxx  usg-3p               xxxxx@    linux   idle; offers exit node

Tailscale Mullvad Exit Node Integration might be an option, see here

You are constantly pushing tailscale, are you paid by tailscale, or just enthusiastic about it?

People are looking for solutions and asking questions about Tailscale and I am responding, is this not what the forums are about?

Does that threaten you?