Suddenly lost access to Internet via WiFi - works by the cable from router

Hello,
I've been using OpenWrt on a Cudy X6 for 2 months without any issues so far. Overnight I lost access to the Internet from WiFi devices - my phone is able to connect to WiFi but has no Internet at all. The same happens with the AP, which is connected by cable to the router.

The funniest thing is that I'm able to reach the Internet without any issues over the direct cable coming from the main router with OpenWrt (not the AP).

My suspicion is that my ISP made some changes on their side overnight.

Here are my configs; could anyone help me? I'm new to OpenWrt.

/etc/config/network


# /etc/config/network: interface and bridge definitions for the router.

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ula_prefix is the IPv6 Unique Local Address range used inside the LAN;
# addresses under fd03:1b7d:d08e::/48 belong to this router's own network.
config globals 'globals'
        option ula_prefix 'fd03:1b7d:d08e::/48'
        option packet_steering '1'

# Bridge joining the four wired LAN ports into one layer-2 segment.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN: static 192.168.1.1/24 on the bridge; ip6assign requests a /60 of the
# available IPv6 prefixes for this interface.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN: IPv4 address obtained from the upstream network via DHCP.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# WAN6: DHCPv6 client on the same physical 'wan' device.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

/etc/config/wireless

# /etc/config/wireless: two radios (2.4 GHz and 5 GHz), each with one AP
# interface attached to the 'lan' network.

# 2.4 GHz radio, automatic channel selection, 20 MHz HE channel width.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

# AP on radio0. 'sae-mixed' is WPA2-PSK/WPA3-SAE mixed mode, so clients that
# only support WPA2 can still join. The key is shown as '***' in this paste
# (appears to have been redacted by the poster).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'TEODORRR'
        option encryption 'sae-mixed'
        option key '***'

# 5 GHz radio, automatic channel selection, 80 MHz HE channel width.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

# AP on radio1 with the same SSID, encryption mode and network as radio0.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'TEODORRR'
        option encryption 'sae-mixed'
        option key '***'

cat /etc/config/dhcp


# /etc/config/dhcp: dnsmasq (DNS + DHCPv4) and odhcpd (DHCPv6/RA) settings.

# dnsmasq: the DNS forwarder that LAN clients query.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rebind protection discards upstream answers that point into private
        # address ranges; rebind_localhost additionally permits 127.0.0.0/8
        # answers from upstream.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # NOTE(review): 'noresolv' is not set here, so resolvers listed in this
        # file (normally the ISP's, learned on wan) may still be used alongside
        # the 'list server' entries below - verify if all queries are meant to
        # go through the local proxies.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from hosts on directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'
        # Upstream resolvers on loopback ports 5054 and 5053.
        # NOTE(review): these look like the https-dns-proxy listeners from the
        # DNS-over-HTTPS setup; name resolution for every LAN client depends on
        # that service running - confirm it is up when DNS fails.
        list server '127.0.0.1#5054'
        # Domain-only entries (no upstream address): dnsmasq answers these names
        # locally and never forwards them. The three domains are the iCloud
        # Private Relay endpoints and the Firefox DoH canary domain.
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'

# DHCP pool for the LAN: 150 leases starting at host offset 100, 12 h lease
# time; DHCPv6 and router advertisements are served as well.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service is offered on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA only (maindhcp '0' leaves DHCPv4 to dnsmasq).
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall


# /etc/config/firewall: zone policies and traffic rules.

# Global fallback policy for traffic that matches no zone: reject inbound and
# forwarded packets, allow outbound.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone: fully trusted (input, output and intra-zone forwarding accepted).
# Both WiFi APs are attached to network 'lan', so wireless clients are in
# this zone too.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: unsolicited inbound and forwarded traffic is silently dropped;
# outbound IPv4 is masqueraded (NAT) and TCP MSS is clamped (mtu_fix).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

# The only inter-zone forwarding: LAN clients may reach the WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# Lets DHCP replies (UDP/68) from the upstream network reach the router so
# the WAN lease can be renewed.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ICMP echo requests arriving on the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accepts IGMP (IPv4 multicast group management) from the WAN.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Lets DHCPv6 replies (UDP/546) from the WAN reach the router's client.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accepts Multicast Listener Discovery messages, restricted to link-local
# (fe80::/10) senders.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 addressed to the router itself: error messages, echo and neighbour/
# router discovery, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from the WAN to any zone (dest '*'): echo and error
# messages only, with the same rate limit. This makes IPv6 hosts behind the
# router reachable by ping from outside.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwards inbound IPsec ESP from the WAN to any LAN host. No address family
# or destination IP is set.
# NOTE(review): if no LAN host terminates IPsec, this rule and Allow-ISAKMP
# can be disabled to narrow what the WAN may reach - confirm before removing.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forwards inbound IKE/ISAKMP (UDP/500) from the WAN to any LAN host.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Script-type include: the firewall runs /usr/lib/bcp38/run.sh when it loads.
# NOTE(review): the script's rules are not visible in this file; inspect them
# separately when auditing what the firewall actually filters.
config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

check if your WAN subnet suddenly is the same as your LAN subnet.

Could you please guide a bit where I can verify that?

check in interfaces, or on the status screen, the IP you have on your WAN port.

that's a no then :slight_smile:

try to ping, say, 8.8.8.8 from the openwrt router; there's a test page in the webUI, can't tell you how to find it though, since I don't have access to any openwrt device atm.

You should not share your private information like that; next time, redact your MAC addresses and any public IPs (the WAN IP, for example).

It's in the wireless tab I believe, last option, labeled "diagnostics"

Yeah, it works, I'm able to reach Internet by cable from OpenWRT router

it's a CGNAT IP, it's not public.

good, then try it again, but using the name openwrt.org, instead of 8.8.8.8.

Same, works fine

ok,

that's great.

then try doing the same from one of your computers.
run ping 8.8.8.8 and ping openwrt.org from a command line window

Learned something new, didn't know 100.64.0.0 /10 was CGNAT reserved, thanks!


Ok, so If I do it from the computer I'm writing from (that one which has Internet), it works fine, I'm able to ping 8.8.8.8 and openwrt.org

BUT if I do the same from my mobile phone which is connected to WiFi then I'm able to ping only 8.8.8.8. For openwrt.org I'm getting "Can't resolve host"

OK,

so it appears to be a DNS issue on your phone.
if it's an Android device, disable system-wide DoT, at least temporarily.

Actually it's an iPhone. But it's worth mentioning that the same problem occurs on all devices which are connected by WiFi (phone, other laptop, TV).

Some time ago I configured DNS over HTTPS with this https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

But everything was working fine until yesterday

perhaps it should have been mentioned, a lot earlier.... :expressionless:

do one more thing on the Win client.

do a nslookup openwrt.org, and post the output.

Sorry for that, was pretty sure that I've mentioned about few devices...
Anyway:

C:\Users\mat>nslookup openwrt.org
Server:  UnKnown
Address:  fd03:1b7d:d08e::1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1a51:c001
          64.226.122.113

ok, do the same but add 192.168.1.1

nslookup openwrt.org 192.168.1.1

C:\Users\mat>nslookup openwrt.org 192.168.1.1
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1a51:c001
          64.226.122.113


C:\Users\mat>

that was kind of unexpected :slight_smile:

your win box doesn't use your router's DNS, so it isn't very surprising it "always" works.

but it does work even if you force it to use your router's DNS.

question is why it doesn't work with your mobile devices.

does your computer have wifi too, so you can switch from wired to wireless connection ?