They are not supposed to do any routing; another (non-OpenWrt) device handles DHCP and acts as the gateway. That device is attached to the rest of the network via a single port.
Wifi interfaces and wired lan are bridged, and the two APs are getting their addresses via DHCP.
I have usteer set up to encourage better channel utilization.
I see a weird behavior. Often clients cannot ping the other access point (same problem for both).
Other times, they cannot even do dhcp.
The problem doesn't happen if I disable the wifi on either one of the access points.
It looks like the problem is at switch/bridge level, but I'm not sure what to look for.
Many devices don't like sae-mixed. You should use either WPA2 or WPA3, not mixed mode.
802.11k (as well as v and r) can cause problems with some devices. It is best to optimize things first with those standards disabled. This is key because those standards really need a solid foundation: a properly planned topology and properly tuned radios.
On the subject of radio tuning -- make sure you spend some time on this. I like this video as a good explainer for how to go about the tuning -- from performing an RF site survey, to placement of your APs, and finally setting channels and power levels (i.e. reducing power in most cases).
A topology diagram would be useful for your network. This will help us understand the physical setup
Finally, we can review your configs for each of your APs.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Also, there is a high probability that the problem is related to the aging time of the MAC address table of the switch you are using. When a wireless client moves from one AP to another, traffic destined for its MAC address is still forwarded to the port where the old AP is connected until the switching table is updated.
Test with WPA2. In the past I tested all the possibilities trying to make 802.11r work with sae-mixed, and the only solution was to "downgrade" to WPA2. With WPA2 everything worked like a charm.
Maybe someone more clever than me is able to make it work, but I asked in the forum without luck.
I'll start by posting the current configuration then, before trying some of the proposals there (WPA2 only, no 802.11k/v, investigating switch configuration)
The wired topology is fairly simple: <DSL router/gateway>---<a simple switch>---<AP1 internal switch>---<AP2 internal switch>
AP 1:
# ubus call system board
{
"kernel": "5.15.137",
"hostname": "dev_1",
"system": "MediaTek MT7621 ver:1 eco:4",
"model": "ASUS RT-AX53U",
"board_name": "asus,rt-ax53u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd6e:7c5c:de31::/48'
# Bridge device: joins lan1-lan3 and the 'wan' port into a single layer-2
# segment, so every wired port on this AP behaves like a LAN switch port.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# NOTE(review): 'wan' is a bridge member, and the 'wan'/'wan6' interfaces in
# this file have no device and auto '0' -- so traffic on this port is
# presumably treated as LAN, not matched by the firewall's wan zone.
list ports 'wan'
# Spanning tree is enabled on the bridge.
option stp '1'
option igmp_snooping '1'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
option delegate '0'
config interface 'wan'
option proto 'dhcp'
option auto '0'
config interface 'wan6'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
# cat /etc/config/wireless
config wifi-device 'radio0'
option band '2g'
option channel '1'
option country 'DE'
option ht_coex '1'
option htmode 'HT40+'
option log_level '1'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option txpower '17'
option type 'mac80211'
config wifi-device 'radio1'
option band '5g'
option channel 'auto'
option country 'DE'
option ht_coex '1'
option htmode 'HE80'
option log_level '1'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
option type 'mac80211'
# AP interface for SSID 'ssid_2', bridged into 'lan'.
# NOTE(review): the section name says "2g", but it is bound to radio1, which
# this file declares with band '5g' -- section names and radios look swapped.
config wifi-iface 'ssid_2_2g'
# 802.11v BSS transition management (one of the roaming features the replies
# suggest disabling while debugging).
option bss_transition '1'
option device 'radio1'
# Lets the AP drop stations on a low-ACK condition.
option disassoc_low_ack '1'
# WPA2-PSK / WPA3-SAE transition mode.
option encryption 'sae-mixed'
# 802.11k neighbor/radio measurement reports.
option ieee80211k '1'
# Management frame protection: '2' = required. Together with sae-mixed this
# means WPA2 clients without PMF support cannot associate -- worth checking
# against the affected clients.
option ieee80211w '2'
option key '<REDACTED>'
option mode 'ap'
option network 'lan'
option ssid 'ssid_2'
option tdls_prohibit '1'
option time_advertisement '1'
# KRACK workaround: disables EAPOL-Key retransmissions. Can make the
# handshake less robust on lossy or busy links.
option wpa_disable_eapol_key_retries '1'
# AP interface for SSID 'ssid_2', bridged into 'lan'.
# NOTE(review): the section name says "5g", but it is bound to radio0, which
# this file declares with band '2g'.
config wifi-iface 'ssid_2_5g'
# 802.11v BSS transition management.
option bss_transition '1'
option device 'radio0'
option disassoc_low_ack '1'
# WPA2-PSK / WPA3-SAE transition mode.
option encryption 'sae-mixed'
option ieee80211k '1'
# Management frame protection required ('2'): clients without PMF support are
# locked out even though sae-mixed would otherwise admit WPA2 clients.
option ieee80211w '2'
option key '<REDACTED>'
option mode 'ap'
option network 'lan'
option ssid 'ssid_2'
option tdls_prohibit '1'
option time_advertisement '1'
# KRACK workaround: no EAPOL-Key retries; may hurt handshake reliability.
option wpa_disable_eapol_key_retries '1'
# AP interface for SSID 'ssid_1', bridged into 'lan'.
# NOTE(review): named "2g" but bound to radio1, which this file declares with
# band '5g'.
config wifi-iface 'ssid_1_2g'
# 802.11v BSS transition management.
option bss_transition '1'
option device 'radio1'
option disassoc_low_ack '1'
# WPA2-PSK / WPA3-SAE transition mode.
option encryption 'sae-mixed'
option ieee80211k '1'
# Management frame protection: '1' = optional, so clients without PMF support
# can still join (unlike the 'ssid_2' interfaces, which set '2').
option ieee80211w '1'
option key '<REDACTED>'
option mode 'ap'
option network 'lan'
option ssid 'ssid_1'
option tdls_prohibit '1'
option time_advertisement '1'
# KRACK workaround: no EAPOL-Key retries; may hurt handshake reliability.
option wpa_disable_eapol_key_retries '1'
# AP interface for SSID 'ssid_1', bridged into 'lan'.
# NOTE(review): named "5g" but bound to radio0, which this file declares with
# band '2g'.
config wifi-iface 'ssid_1_5g'
# 802.11v BSS transition management.
option bss_transition '1'
option device 'radio0'
option disassoc_low_ack '1'
# WPA2-PSK / WPA3-SAE transition mode.
option encryption 'sae-mixed'
option ieee80211k '1'
# Management frame protection optional ('1').
option ieee80211w '1'
option key '<REDACTED>'
option mode 'ap'
option network 'lan'
option ssid 'ssid_1'
option tdls_prohibit '1'
option time_advertisement '1'
# KRACK workaround: no EAPOL-Key retries; may hurt handshake reliability.
option wpa_disable_eapol_key_retries '1'
# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
# DHCP pool definition for 'lan'. With ignore '1' below, DHCP service is
# switched off for this interface, so the pool values are inert; the poster
# states that a separate device hands out leases.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# Do not serve DHCP on this interface (avoids a second DHCP server on the LAN).
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# Stock wan zone: reject inbound and forwarded traffic, masquerade outbound.
# NOTE(review): it is bound to the 'wan'/'wan6' networks, which the posted
# network config leaves without a device and with auto '0', while the physical
# wan port sits in br-lan -- so this zone (and the wan-sourced rules) probably
# match no traffic on this AP. Confirm before relying on them.
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT