Wi-Fi Mesh and Banking App - 24.10.4

Don’t use psk-mixed. Instead, use psk2 (wpa2).

Beyond that, have you tested with only the ISP router? Does it work?

Show us the rest of the config, please.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
2 Likes
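
The redaction step requested above can be scripted. This is an added example, not part of the original post: it takes UCI config text on stdin and masks secrets, MAC addresses and public IPv4/IPv6 addresses while leaving private, ULA and netmask values readable. The list of secret option names and the sample config are assumptions constructed for illustration.

```shell
# Added example: scrub UCI config text before pasting it into a public forum post.
# The secret option names in "secret" are an assumed starting list; extend as needed.
redact_uci() {
    awk '
    BEGIN {
        h = "[0-9A-Fa-f]"
        mac  = "^" h h ":" h h ":" h h ":" h h ":" h h ":" h h "$"
        ip4  = "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$"
        ip6  = "^[23]" h h h ":[0-9A-Fa-f:]+$"          # global unicast 2000::/3
        priv = "^(0|10|127|255)[.]|^192[.]168[.]|^169[.]254[.]|^172[.](1[6-9]|2[0-9]|3[01])[.]"
        secret = "^[ \t]*option[ \t]+(key|password|private_key|preshared_key)[ \t]+"
    }
    function classify(t) {
        if (t ~ mac) return "<MAC>"
        if (t ~ ip6) return "<PUBLIC-IPV6>"
        if (t ~ ip4 && t !~ priv) return "<PUBLIC-IPV4>"
        return t                                   # private, ULA, netmask, plain number
    }
    function scrub(line,    out, tok) {
        while (match(line, /[0-9A-Fa-f:.]+/)) {    # whole runs, never a mid-token match
            tok = substr(line, RSTART, RLENGTH)
            out = out substr(line, 1, RSTART - 1) classify(tok)
            line = substr(line, RSTART + RLENGTH)
        }
        return out line
    }
    match($0, secret) { print substr($0, 1, RLENGTH) "<REDACTED>"; next }
    { print scrub($0) }
    '
}

# Constructed sample input (documentation addresses, fake key), not from the thread.
sample_config() {
    cat <<'EOF'
config globals 'globals'
        option ula_prefix 'fd00:1234:5678::/48'
config wifi-iface 'wifinet0'
        option key 'hunter2-example'
        option macaddr '02:00:5e:10:00:01'
config interface 'lan'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'wan'
        option ipaddr '203.0.113.7'
        option ip6addr '2001:db8::1/64'
EOF
}

sample_config | redact_uci   # on the router: cat /etc/config/wireless | redact_uci
```

Read the scrubbed output before posting; values stored under option names outside the list are not masked.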

When connected to the ISP router I’m able to get into the banking app login page. It’s just the WiFi on the OpenWrt router there is some request that is timing out.

The other test I did was on my laptop: I connected to the OpenWrt WiFi and tried to log in. This triggers a push notification on my phone to approve. When my phone is on the WiFi from my ISP router or mobile data I can click confirm and on the laptop I can log in. However, when I put my phone on the OpenWrt WiFi and try to click confirm to approve, the request just hangs after clicking confirm and I can see a spinning wheel.

This testing was done from a clean install and the only thing I changed was to create a new WiFi network. Here is the config you requested:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc0:956e:fec8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option phy 'wl0'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option phy 'wl1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'my-ssid'
        option encryption 'psk2'
        option key 'password'
        option network 'lan'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
root@OpenWrt:~#


You do have IPv6 configured in a basic form. Does your ISP actually provide IPv6?

Android devices will keep trying IPv6 in preference to IPv4, so this could be your problem.

What happens when you do the following?:
ping6 openwrt.org

Here is what I get:

root@meshnode-8ecb:/tmp# ping6 openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1a51:c001): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=0 ttl=48 time=49.873 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=1 ttl=48 time=38.342 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=2 ttl=48 time=34.696 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=3 ttl=48 time=31.751 ms
^C
--- openwrt.org ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 31.751/38.665/49.873 ms
root@meshnode-8ecb:/tmp# 

Now for example, your bank might have IPv6 addresses in DNS, but the app might only use IPv4.

I get the following:

root@OpenWrt-b:~# ping6 openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1a51:c001): 56 data bytes
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=0 ttl=49 time=34.542 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=1 ttl=49 time=32.983 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=2 ttl=49 time=33.089 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=3 ttl=49 time=32.320 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=4 ttl=49 time=31.850 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=5 ttl=49 time=31.316 ms
64 bytes from 2a03:b0c0:3:d0::1a51:c001: seq=6 ttl=49 time=31.234 ms
^C
--- openwrt.org ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 31.234/32.476/34.542 ms
root@OpenWrt-b:~#

Just as an FYI I’m adding back all my old changes hence why the device name has now changed to have “-b”.

I just remembered that when I moved to this ISP they gave me an IPv6 address but I asked them to change me back to IPv4. I wanted IPv4 so I could do port forwarding for WireGuard.

So you do have public IPv6, as indicated by the fact you can ping the openwrt.org IPv6 address.

This is typical of Android unless you have IPv6 configured correctly - it is very picky.

Here is a quick test and perhaps a usable workaround for your current use case. Do the following:
uci set network.wan6.disabled='1'

Then do:
service network restart; exit

This will terminate your ssh session immediately. Wait a few seconds for the network to come back up, then try again with both your mobile and laptop.

Rebooting will remove this change (because the change is not committed and only stored in RAM).

If it works, you can make it permanent by doing:
uci commit network

Bingo, this fixed it. I can now get login on both Android phones to this banking app when on the OpenWrt WiFi.

Thanks so much @bluewavenet for your help on this.

Just out of curiosity is there anything I should watch out for with having this disabled?

This is no fix. As @bluewavenet said, it's a quick and dirty trial and error workaround.
He has just confirmed that something is funky and odd with your local IPv6 and hence the issue with Android and your banking app...

2 Likes

Yes, upstream IPv6 will not work for you. Right now you will be unaware of this from the point of view of things working or not.
You might not have to do anything about this for a while, but sooner or later you will.

If you are happy with it for now, it's no problem, it can be fixed later when you need to - just remember this is just a workaround, not a proper fix - and by that I mean make sure you remember this in 2 or 3 years time or however long it takes. :grin:

1 Like

I wonder how the ISP router is getting around this. I guess I can just do a ping6 while connected to that WiFi network.

Not sure if it’s related or not, but when I’m connected to the OpenWrt router via WireGuard I get "HTTPS is not supported", but I don’t get it if I switch off WireGuard.

It doesn't have to get round anything, it is configured correctly so Android is happy with it.

You probably have port 443 blocked in WireGuard... But nothing to do with this thread.