Very slow DNS resolver wireless network (2 ssid)

Hello,

I have a TP-Link TL-WR1043N / ND v4 router with the latest version of OpenWRT.
I get a very slow DNS resolver on only one of the two Wi-Fi networks :frowning:

Setup:

Wifi:
OpenWRT - 192.168.3.1 DHCP: true -> DNS fast
Wireless - Bridge to WAN - 192.168.1.1 --> DNS slow

Cable:
Port 4 -> Bridge to WAN - 192.168.1.1 --> DNS slow

Vlan:
Router port 1,2,3 - Disabled.
Router port 4,5 -> Enabled and bridged to Wireless ssid network

Debugging with traceroute:

SSID: OpenWRT --> WORKS WELL

traceroute: Warning: cnn.com has multiple addresses; using 151.101.65.67
traceroute to cnn.com (151.101.65.67), 64 hops max, 52 byte packets
 1  router (192.168.3.1)  1.481 ms  0.899 ms  0.965 ms
 2  192.168.1.1 (192.168.1.1)  1.320 ms  1.280 ms  1.280 ms
 3  2.128.189.46.rev.vodafone.pt (46.189.128.2)  3.358 ms  3.163 ms  3.216 ms
 4  107.41.30.213.rev.vodafone.pt (213.30.41.107)  3.827 ms  4.167 ms  4.363 ms
 5  ae5-100-ucr1.lis.cw.net (195.10.57.9)  3.864 ms  6.280 ms  6.197 ms
 6  ae5-xcr1.mal.cw.net (195.2.30.230)  15.430 ms  18.133 ms  19.022 ms
 7  195.2.22.182 (195.2.22.182)  15.863 ms
    ae1-xcr1.max.cw.net (195.2.30.85)  17.516 ms
    195.2.22.182 (195.2.22.182)  14.857 ms
 8  lag-10.ear1.madrid1.level3.net (4.68.72.125)  15.314 ms  15.089 ms  14.873 ms
^C

SSID: Wireless --> NOT WORKING WELL -> DNS VERY VERY SLOW

traceroute: Warning: cnn.com has multiple addresses; using 151.101.1.67
traceroute to cnn.com (151.101.1.67), 64 hops max, 52 byte packets
 1  vodafonegw (192.168.1.1)  644.901 ms  4.371 ms  115.133 ms
 2  2.128.189.46.rev.vodafone.pt (46.189.128.2)  987.630 ms  919.925 ms  3624.827 ms
 3  107.41.30.213.rev.vodafone.pt (213.30.41.107)  1867.862 ms  1722.163 ms  788.147 ms
 4  ae5-100-ucr1.lis.cw.net (195.10.57.9)  1030.974 ms  914.520 ms  15.774 ms
 5  ae5-xcr1.mal.cw.net (195.2.30.230)  45.973 ms  91.610 ms  890.931 ms
 6  ae1-xcr1.max.cw.net (195.2.30.85)  124.211 ms  147.383 ms  1497.663 ms
 7  lag-10.ear1.madrid1.level3.net (4.68.72.125)  1358.897 ms  867.959 ms  1835.306 ms

OpenWRT configs:

cat /etc/config/wireless

# Single 2.4 GHz ('11g') radio; both SSIDs below share it on channel 11, HT20, PT regulatory domain.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca956x_wmac'
	option htmode 'HT20'
	option country 'PT'

# SSID "OpenWRT": attached to the 'lan' network (192.168.3.1/24 in /etc/config/network).
# Stations here get DHCP from dnsmasq on this router (dhcp 'lan' section) and presumably
# use it as their resolver too. This is the SSID reported as fast.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'PASSWORD'
	option ssid 'OpenWRT (192.168.3.1) --> DNS VERY FAST'

# SSID "Wireless": attached to the 'wan' network, so stations are bridged straight onto the
# upstream router's 192.168.1.0/24 segment and land in the 'wan' firewall zone (input REJECT).
# They therefore cannot reach dnsmasq on this box, and DHCP is explicitly not served on 'wan'
# (dhcp 'wan' has ignore '1'), so address and resolver come from the upstream gateway.
# This is the SSID reported as slow. The section is unnamed, so UCI assigns it a generated name.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'PASSWORD'
	option ssid 'Wireless (192.168.1.1) --> DNS VERY SLOW'
	option network 'wan'

#####################

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

#ssid: OpenWRT
# Inner LAN: bridge over VLAN 1 (eth0.1) plus the 'OpenWRT' SSID, static 192.168.3.1/24.
# Sits behind this router's NAT, which in turn sits behind 192.168.1.1 (double NAT).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'

#ssid: Wireless #vlan wan and port 4
# WAN is a DHCP client on VLAN 2 (eth0.2) but is also declared as a bridge so that the
# 'Wireless' SSID can be attached to it; stations there share the upstream router's
# segment directly instead of passing through this router's NAT.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 -> eth0.1 (lan). NOTE(review): the post says switch ports 1-3 are disabled,
# yet they are members of this VLAN -- confirm which is intended.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 0t'

# VLAN 2 -> eth0.2 (wan): ports 4 and 5 plus the tagged CPU port, matching "port 4 bridged to WAN".
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 5 0t'

####################

cat /etc/config/dhcp

# dnsmasq: DNS forwarder/cache and DHCP server for this router.
config dnsmasq
        option domainneeded '1'
        # Do not forward reverse lookups for private address ranges upstream.
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Drop upstream answers that resolve to private addresses (DNS rebinding protection).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers, typically the ones learned from the 'wan' DHCP lease.
        option resolvfile '/tmp/resolv.conf.auto'
        # Answer DNS only for directly attached subnets.
        option localservice '1'

# DHCP pool for the 'lan' bridge (the 'OpenWRT' SSID): 192.168.3.100-249, 12h leases, plus DHCPv6/RA.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

# No DHCP on 'wan'. Because 'wan' is a bridge carrying the 'Wireless' SSID, this is what
# keeps dnsmasq from competing with the upstream router's DHCP on that segment.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

####################
cat /etc/config/firewall

# Default policy: the router accepts its own input/output, forwarding is refused unless a
# zone or forwarding section allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 'lan' zone: the 192.168.3.x bridge and the 'OpenWRT' SSID; fully open towards the router.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# 'wan' zone: covers the 'wan' bridge, which here carries the 'Wireless' SSID as well as the
# uplink. input REJECT means stations on that SSID cannot reach this router's services
# (dnsmasq included); masq '1' NATs lan traffic behind the wan address, which is the double NAT
# mentioned in the thread.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# Only lan -> wan is forwarded; nothing is forwarded from wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt exceptions for the wan zone
# (DHCP renew, ping, DHCPv6, ICMPv6 housekeeping).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Custom iptables rules are sourced from this shell script on every firewall (re)start.
config include
	option path '/etc/firewall.user'

##################

cat /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
#(EMPTY)

You have an unusual setup: two private IP ranges, and a wireless AP bridged to both LAN and WAN; perhaps you should give us a fuller picture of your complete setup. Also, please post your "firewall" and "dhcp" config files, so we can see what is going on here.

Thanks @eduperez, for your reply.

I updated the post with the DHCP and firewall configs.

Comparing the two traceroutes from the two networks:

➜  ~ traceroute cnn.com
traceroute to cnn.com (151.101.193.67), 64 hops max, 52 byte packets
 1  router.lan (192.168.3.1)  2.672 ms  1.148 ms  1.209 ms
 2  192.168.1.1 (192.168.1.1)  1.359 ms  16.528 ms  1.280 ms

➜  ~ traceroute cnn.com
traceroute to cnn.com (151.101.65.67), 64 hops max, 52 byte packets
 **1  vodafonegw (192.168.1.1)  1376.301 ms  798.038 ms  61.173 ms**

Let's see...

WAN is just acting as a dumb access point for your main router. LAN is behind a double NAT, which you should avoid, but so far that part seems to be working fine. Traffic from LAN travels through WAN to reach the main router, yet traffic from WAN takes longer to reach that router than traffic from LAN does (in the LAN trace 192.168.1.1 is hop 2 at about 1.3 ms, while in the WAN trace the same address is hop 1 at hundreds of milliseconds). I would blame the wireless, but both LAN and WAN use the same radio.

Sorry, but I cannot find a cause for this behaviour.

I would get rid of that double NAT if you can; I do not think it is the direct cause of the issue, but it could be related. Otherwise, I would also try switching off both masquerading and MTU fixing on the WAN interface (even if that temporarily breaks internet access on the LAN interface).