Uci-defaults not applying all changes

I'm trying to reconfigure my Cudy WR3000's network and firewall after flashing a customized image, to turn it into a "dumb" access point, but only some of the changes are applied - even if they're in the same batch.

This is my script:
root@wr3000:~# cat /rom/etc/uci-defaults/99_custom

#!/bin/sh

uci set system.@system[0].hostname='openwrt'
uci commit system

uci batch <<EOF
delete network.lan.ipaddr
delete network.lan.netmask
delete network.lan.ip6assign
set network.lan.proto=dhcp
set network.lan6=interface
set network.lan6.proto=dhcpv6
set network.lan6.device=br-lan
set network.lan6.reqaddress=try
set network.lan6.reqprefix=no
commit network
EOF
/etc/init.d/network restart

uci batch <<EOF
delete firewall.zone2
delete firewall.forwarding1
delete firewall.rule1
delete firewall.rule2
delete firewall.rule3
delete firewall.rule4
delete firewall.rule5
delete firewall.rule6
delete firewall.rule7
delete firewall.rule8
delete firewall.rule9
set firewall.defaults.input=ACCEPT
set firewall.defaults.forward=ACCEPT
add_list firewall.zone1.network=lan6
commit firewall
EOF
/etc/init.d/firewall restart

uci batch <<EOF
delete network.wan
delete network.wan6
add_list network.device_lan.ports=wan
commit network
EOF
/etc/init.d/network restart

exit 0

It is supposed to enable DHCP on the lan interface, add a lan6 interface to get IPv6 from my local network, delete all firewall rules and the wan zone2, add the lan6 interface to the lan zone, and finally remove the wan and wan6 interfaces and add the wan port to the bridge of the lan interface.

Here's what works/doesn't work:

  • The lan interface is changed to DHCP
  • The lan6 interface gets created and comes up.
  • The lan6 interface is not added to the lan firewall zone.
  • None of the other firewall changes are applied, either.
  • The wan and wan6 interfaces are deleted, but the wan port is not added to the lan bridge interface.

This is what the uci output looks like after boot:

Network

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdac:51bf:6aac::/48'
network.device_lan=device
network.device_lan.name='br-lan'
network.device_lan.ports='lan1' 'lan2' 'lan3'
network.device_lan.type='bridge'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='dhcp'
network.lan6=interface
network.lan6.proto='dhcpv6'
network.lan6.device='br-lan'
network.lan6.reqaddress='try'
network.lan6.reqprefix='no'
network.device_phy0_ap0=device
network.device_phy0_ap0.name='phy0-ap0'
network.device_phy1_ap0=device
network.device_phy1_ap0.name='phy1-ap0'
network.phy0_ap0=interface
network.phy0_ap0.device='phy0-ap0'
network.phy0_ap0.proto='none'
network.phy1_ap0=interface
network.phy1_ap0.device='phy1-ap0'
network.phy1_ap0.proto='none'

Firewall

firewall.defaults=defaults
firewall.defaults.forward='REJECT'
firewall.defaults.input='REJECT'
firewall.defaults.output='ACCEPT'
firewall.defaults.syn_flood='1'
firewall.zone1=zone
firewall.zone1.forward='ACCEPT'
firewall.zone1.input='ACCEPT'
firewall.zone1.name='lan'
firewall.zone1.network='lan'
firewall.zone1.output='ACCEPT'
firewall.zone2=zone
firewall.zone2.forward='REJECT'
firewall.zone2.input='REJECT'
firewall.zone2.masq='1'
firewall.zone2.mtu_fix='1'
firewall.zone2.name='wan'
firewall.zone2.network='wan' 'wan6'
firewall.zone2.output='ACCEPT'
firewall.forwarding1=forwarding
firewall.forwarding1.dest='wan'
firewall.forwarding1.src='lan'
firewall.rule1=rule
firewall.rule1.dest_port='68'
firewall.rule1.family='ipv4'
firewall.rule1.name='Allow-DHCP-Renew'
firewall.rule1.proto='udp'
firewall.rule1.src='wan'
firewall.rule1.target='ACCEPT'
firewall.rule2=rule
firewall.rule2.family='ipv4'
firewall.rule2.icmp_type='echo-request'
firewall.rule2.name='Allow-Ping'
firewall.rule2.proto='icmp'
firewall.rule2.src='wan'
firewall.rule2.target='ACCEPT'
firewall.rule3=rule
firewall.rule3.family='ipv4'
firewall.rule3.name='Allow-IGMP'
firewall.rule3.proto='igmp'
firewall.rule3.src='wan'
firewall.rule3.target='ACCEPT'
firewall.rule4=rule
firewall.rule4.dest_port='546'
firewall.rule4.family='ipv6'
firewall.rule4.name='Allow-DHCPv6'
firewall.rule4.proto='udp'
firewall.rule4.src='wan'
firewall.rule4.target='ACCEPT'
firewall.rule5=rule
firewall.rule5.family='ipv6'
firewall.rule5.icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule5.name='Allow-MLD'
firewall.rule5.proto='icmp'
firewall.rule5.src='wan'
firewall.rule5.src_ip='fe80::/10'
firewall.rule5.target='ACCEPT'
firewall.rule6=rule
firewall.rule6.family='ipv6'
firewall.rule6.icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule6.limit='1000/sec'
firewall.rule6.name='Allow-ICMPv6-Input'
firewall.rule6.proto='icmp'
firewall.rule6.src='wan'
firewall.rule6.target='ACCEPT'
firewall.rule7=rule
firewall.rule7.dest='*'
firewall.rule7.family='ipv6'
firewall.rule7.icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.rule7.limit='1000/sec'
firewall.rule7.name='Allow-ICMPv6-Forward'
firewall.rule7.proto='icmp'
firewall.rule7.src='wan'
firewall.rule7.target='ACCEPT'
firewall.rule8=rule
firewall.rule8.dest='lan'
firewall.rule8.name='Allow-IPSec-ESP'
firewall.rule8.proto='esp'
firewall.rule8.src='wan'
firewall.rule8.target='ACCEPT'
firewall.rule9=rule
firewall.rule9.dest='lan'
firewall.rule9.dest_port='500'
firewall.rule9.name='Allow-ISAKMP'
firewall.rule9.proto='udp'
firewall.rule9.src='wan'
firewall.rule9.target='ACCEPT'

If I run the script manually, it applies all the changes as I would have expected it to when run on first boot:

Network

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdac:51bf:6aac::/48'
network.device_lan=device
network.device_lan.name='br-lan'
network.device_lan.ports='lan1' 'lan2' 'lan3' 'wan'
network.device_lan.type='bridge'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='dhcp'
network.lan6=interface
network.lan6.proto='dhcpv6'
network.lan6.device='br-lan'
network.lan6.reqaddress='try'
network.lan6.reqprefix='no'
network.device_phy0_ap0=device
network.device_phy0_ap0.name='phy0-ap0'
network.device_phy1_ap0=device
network.device_phy1_ap0.name='phy1-ap0'
network.phy0_ap0=interface
network.phy0_ap0.device='phy0-ap0'
network.phy0_ap0.proto='none'
network.phy1_ap0=interface
network.phy1_ap0.device='phy1-ap0'
network.phy1_ap0.proto='none'

Firewall

firewall.defaults=defaults
firewall.defaults.forward='ACCEPT'
firewall.defaults.input='ACCEPT'
firewall.defaults.output='ACCEPT'
firewall.defaults.syn_flood='1'
firewall.zone1=zone
firewall.zone1.forward='ACCEPT'
firewall.zone1.input='ACCEPT'
firewall.zone1.name='lan'
firewall.zone1.network='lan' 'lan6'
firewall.zone1.output='ACCEPT'

I have already split the batches up a bit, in case there are any dependencies when adding/removing stuff, so they now all commit and restart the affected service - but I'd of course prefer it if it were all possible in one batch...
... but first I need to get it to work as expected! :wink:

Sooo ... what could be the reason that some stuff doesn't get applied?
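An added example, not part of this thread and not OpenWISP's own tooling: the firewall batch above hard-codes the section names (rule1 ... rule9, zone2), so it only does the right thing if the config on the box is named exactly like that at the moment the script runs, and a re-run would append lan6 to the zone a second time. The script below builds the same batch from the output of `uci show firewall` at run time instead: it deletes every rule, forwarding and redirect section and every zone except the one named lan, opens the defaults, and adds lan6 to the lan zone only if it is not already listed, so it is safe to run more than once. The function names (`fw_cleanup_cmds`, `apply_fw_cleanup`, `sample_uci_show`) are my own, the sample input is a constructed abridgement of the default firewall listing in this post, and it assumes the zone to keep is the one whose `name` option is `lan`.

```shell
#!/bin/sh
# Added example (not from the thread): build the firewall part of a dumb-AP
# uci-defaults script from `uci show firewall` instead of hard-coding section
# names such as rule1..rule9 and zone2.
# Assumption: the zone to keep is the one whose option `name` is 'lan'.

# fw_cleanup_cmds: reads `uci show firewall` lines on stdin and writes the
# matching commands for `uci batch` on stdout.
fw_cleanup_cmds() {
    awk -v q="'" '
    {
        if (substr($0, 1, 9) != "firewall.") next
        rest = substr($0, 10)                 # strip the leading "firewall."
        eq = index(rest, "=")
        if (eq == 0) next
        key = substr(rest, 1, eq - 1)
        val = substr(rest, eq + 1)
        dot = index(key, ".")
        if (dot == 0) {
            # section line: firewall.<section>=<type>; remember file order
            sec[++n] = key
            stype[key] = val
        } else {
            # option line: firewall.<section>.<option>=<value>
            s = substr(key, 1, dot - 1)
            opt = substr(key, dot + 1)
            if (opt == "name") { gsub(q, "", val); sname[s] = val }
            if (opt == "network" && index(val, q "lan6" q) > 0) has6[s] = 1
        }
    }
    END {
        lanzone = ""
        for (i = 1; i <= n; i++) {
            s = sec[i]; t = stype[s]
            if (t == "rule" || t == "forwarding" || t == "redirect") {
                print "delete firewall." s
            } else if (t == "zone") {
                if (sname[s] == "lan") lanzone = s
                else print "delete firewall." s
            } else if (t == "defaults") {
                print "set firewall." s ".input=ACCEPT"
                print "set firewall." s ".forward=ACCEPT"
            }
        }
        # add lan6 to the lan zone only if it is not listed yet (idempotent)
        if (lanzone != "" && !(lanzone in has6))
            print "add_list firewall." lanzone ".network=lan6"
        print "commit firewall"
    }'
}

# apply_fw_cleanup: for the OpenWrt box itself (uci-defaults or by hand).
apply_fw_cleanup() {
    uci show firewall | fw_cleanup_cmds | uci batch && /etc/init.d/firewall restart
}

# sample_uci_show: constructed input, abridged from the default firewall
# listing in the post, so the generator can be exercised offline.
sample_uci_show() {
    cat <<'EOF'
firewall.defaults=defaults
firewall.defaults.forward='REJECT'
firewall.defaults.input='REJECT'
firewall.defaults.syn_flood='1'
firewall.zone1=zone
firewall.zone1.name='lan'
firewall.zone1.network='lan'
firewall.zone2=zone
firewall.zone2.name='wan'
firewall.zone2.network='wan' 'wan6'
firewall.forwarding1=forwarding
firewall.forwarding1.src='lan'
firewall.rule1=rule
firewall.rule1.name='Allow-DHCP-Renew'
firewall.rule1.src='wan'
EOF
}

# `sh fw_cleanup.sh` prints the batch that would be generated from the sample;
# `sh fw_cleanup.sh apply` runs it against the live config on the device.
if [ "${1:-}" = "apply" ]; then
    apply_fw_cleanup
else
    sample_uci_show | fw_cleanup_cmds
fi
```

Run it without arguments first to see the generated batch before letting it touch the live config; the `apply` path pipes the same commands into `uci batch` and restarts the firewall. Be clear about what the result is: with the wan zone gone and the defaults on ACCEPT, the AP no longer filters anything, so ssh, LuCI and the OpenWISP agent are reachable from every host on the LAN, which is only acceptable when the upstream router is the one enforcing policy.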

What is customized? Was this an image you generated, and if so, did you do it using the firmware selector? Or if not, where did it come from? What has been added/removed/modified?

Generally speaking, there is no need to customize a build for use as a dumb AP. The default images are the best option as they contain everything you need, and you simply make a few really easy config changes. No package additions or removals are necessary.

Would you mind posting your config in the following format (I find it easier to read than uci output):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'm using imagebuilder to add OpenWISP packages and configuration, so the images are pretty much the same as from firmware-selector, minus dnsmasq and odhcpd.

Yes, but as I'm aiming for automated management of devices, I need to inject my OpenWISP config, and I thought simplifying the network/firewall while I'm at it would be a nice touch.

These are my configs after a reset:

BusyBox v1.36.1 (2024-05-23 20:15:33 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.3, r23809-234f1a2efa
 -----------------------------------------------------
root@wr3000:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "wr3000",
        "system": "ARMv8 Processor rev 4",
        "model": "Cudy WR3000 v1",
        "board_name": "cudy,wr3000-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@wr3000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd01:f70b:d153::/48'

config device 'device_lan'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option type 'bridge'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'lan6'
        option proto 'dhcpv6'
        option device 'br-lan'
        option reqaddress 'try'
        option reqprefix 'no'

config device 'device_phy0_ap0'
        option name 'phy0-ap0'

config device 'device_phy1_ap0'
        option name 'phy1-ap0'

config interface 'phy0_ap0'
        option device 'phy0-ap0'
        option proto 'none'

config interface 'phy1_ap0'
        option device 'phy1-ap0'
        option proto 'none'

root@wr3000:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel 'auto'
        option band '2g'
        option htmode 'HE160'
        option disabled '0'
        option country 'DE'
        option txpower '20'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE160'
        option disabled '0'
        option country 'DE'
        option txpower '20'

config wifi-iface 'wifi_phy1_ap0'
        option device 'radio1'
        option encryption 'psk2+ccmp'
        option ieee80211w '1'
        option ifname 'phy1-ap0'
        option key '<redacted>'
        option mode 'ap'
        option network 'lan'
        option ssid '<redacted>'
        option wmm '1'

config wifi-iface 'wifi_phy0_ap0'
        option device 'radio0'
        option encryption 'psk2+ccmp'
        option ieee80211w '1'
        option ifname 'phy0-ap0'
        option key '<redacted>'
        option mode 'ap'
        option network 'lan'
        option ssid '<redacted>'
        option wmm '1'

root@wr3000:~# cat /etc/config/dhcp
cat: can't open '/etc/config/dhcp': No such file or directory
root@wr3000:~# cat /etc/config/firewall

config defaults 'defaults'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option syn_flood '1'

config zone 'zone1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option name 'lan'
        list network 'lan'
        option output 'ACCEPT'

config zone 'zone2'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'

config forwarding 'forwarding1'
        option dest 'wan'
        option src 'lan'

config rule 'rule1'
        option dest_port '68'
        option family 'ipv4'
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule2'
        option family 'ipv4'
        option icmp_type 'echo-request'
        option name 'Allow-Ping'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule3'
        option family 'ipv4'
        option name 'Allow-IGMP'
        option proto 'igmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule4'
        option dest_port '546'
        option family 'ipv6'
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule5'
        option family 'ipv6'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option name 'Allow-MLD'
        option proto 'icmp'
        option src 'wan'
        option src_ip 'fe80::/10'
        option target 'ACCEPT'

config rule 'rule6'
        option family 'ipv6'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule7'
        option dest '*'
        option family 'ipv6'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Forward'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule8'
        option dest 'lan'
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule9'
        option dest 'lan'
        option dest_port '500'
        option name 'Allow-ISAKMP'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

You can find my git repo for this here: https://git.faked.org/jan/openwrt-openwisp

There are a lot of errors in your configuration. What's concerning is that this is the default state, which means that you have made many incorrect modifications to what would be expected and working.

I would suggest that you start with the default configuration of a standard image (feel free to add openwisp and remove any packages you don't need, although I'm not sure why you're taking out dnsmasq and odhcpd -- that should usually be left intact). I'd recommend using the firmware selector for creating the custom image.

Starting from a known good configuration, modify as needed, testing along the way with each major change. Fixing your current config will be more difficult than starting with one that is known to work properly.

To try to understand why some settings are not sticking, let's take a look at this:

df -h

Could you mention some of those errors in the configuration? I may have to add that the wifi config has been created by OpenWISP, but that's so far the only thing that's changed - besides what I'm trying to do with the uci-defaults.

I'm removing dnsmasq and odhcpd because that's all handled by my infrastructure, and if I can just get rid of the packages completely, then I don't have to manage their configs and undo some of the stuff they do by default.

The output of df -h:

Filesystem                Size      Used Available Use% Mounted on
/dev/root                 5.0M      5.0M         0 100% /rom
tmpfs                   118.1M     80.0K    118.0M   0% /tmp
/dev/mtdblock8            6.6M    388.0K      6.2M   6% /overlay
overlayfs:/overlay        6.6M    388.0K      6.2M   6% /
tmpfs                   512.0K         0    512.0K   0% /dev