WiFi Clients "deauthenticated due to inactivity" Immediately After Authentication

I just installed OpenWRT and can't connect to the access point with my phone. Every time I try, the connection fails and the following ends up in the log:

Sun Aug 25 21:37:00 2024 daemon.info hostapd: phy1-ap0: STA ca:bc:21:89:5c:bf IEEE 802.11: authenticated
Sun Aug 25 21:37:00 2024 daemon.notice hostapd: phy1-ap0: STA-OPMODE-N_SS-CHANGED ca:bc:21:89:5c:bf 2
Sun Aug 25 21:37:00 2024 daemon.info hostapd: phy1-ap0: STA ca:bc:21:89:5c:bf IEEE 802.11: associated (aid 1)
Sun Aug 25 21:37:00 2024 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED ca:bc:21:89:5c:bf auth_alg=open
Sun Aug 25 21:37:00 2024 daemon.info hostapd: phy1-ap0: STA ca:bc:21:89:5c:bf WPA: pairwise key handshake completed (RSN)
Sun Aug 25 21:37:00 2024 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED ca:bc:21:89:5c:bf
Sun Aug 25 21:37:11 2024 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED ca:bc:21:89:5c:bf
Sun Aug 25 21:37:11 2024 daemon.info hostapd: phy1-ap0: STA ca:bc:21:89:5c:bf IEEE 802.11: disassociated
Sun Aug 25 21:37:12 2024 daemon.info hostapd: phy1-ap0: STA ca:bc:21:89:5c:bf IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

I've already tried disabling Disassociate On Low Acknowledgement and setting a very high Station inactivity limit, but every time I try to connect to the wifi, it gets disconnected 10 seconds later while my phone is still trying to obtain an IP address.

There is no DHCP request logged.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sorry, I tried sshing to get that info earlier and it was giving me an error then, but it seems to have fixed itself at some point between now and then.
root@OpenWrt:~# ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R7450",
        "board_name": "netgear,r7450",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9e:c1e9:ab19::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.2.0.1'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option type 'bridge'
        option reqaddress 'try'
        option reqprefix 'auto'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wan'
        option mode 'ap'
        option ssid 'cy_nomap'
        option encryption 'sae'
        option hidden '1'
        option key 'pBx13_9#zDcl'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'wan6 wan'
        option mode 'ap'
        option ssid 'cy_nomap'
        option encryption 'psk2'
        option hidden '1'
        option key 'pBx13_9#zDcl'
        option skip_inactivity_poll '1'
        option disassoc_low_ack '0'
        option max_inactivity '999999'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Your 5G radio needs a country code too. VHT80 is OK.
The network section should contain only LAN (LuCI is misleading in that you can have more than one network there).
Both cryptos need to be equal; you can even have WPA2 and WPA3 access points with the same name and password on the same radios, which is more interoperable than WPA3 mixed mode.

Frankly, there are so many mistakes that I'm not sure which one causes the disconnects.
5GHz without a country is slow at best.
The WAN network will not hand you more than a few IP addresses.
WPA3 involves downgrade prevention, so you cannot connect anymore to WPA2 of the same name.

General advice: _nomap is not nice; you can randomize MAC addresses to the same effect -> see the lower advanced tab for each access point.

Remove the last 3 lines below:

Also, there is no security value to hidden SSIDs.

Hiding the network name doesn't conceal the network from detection or secure it against unauthorized access. And because of how devices search for and connect to Wi-Fi networks, using a hidden network might expose information that can be used to identify you and the hidden networks you use, such as your home network. When connected to a hidden network, your device might show a privacy warning because of this privacy risk.

(source: https://support.apple.com/en-us/102766)

Remove the bridge lines from both of these stanzas:

The solution here was that I needed to set the network to lan. I had removed the country code at one point because that was a solution I came across in my earlier attempts to get it working; the same goes for the downgrade to WPA2. And the rest of the parity issues between the two bands were because at one point I just decided to focus on getting the 5GHz network up and ignore the other till I did. But yes, the Network setting was the issue, thank you very much.
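
The checks raised in the replies (exactly one network per access point and not a WAN-side one, a country code on each radio, no reliance on a hidden SSID) can be run against `/etc/config/wireless` before restarting wifi. This is an added shell example, not part of any post in this thread; `WAN_NETS`, the function names and the sample stanza are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_NETS is an assumption: the interface
# names placed in the 'wan' firewall zone in the config posted above.
WAN_NETS="wan wan6"

audit_wireless() {   # usage: audit_wireless /etc/config/wireless
    awk -v wan="$WAN_NETS" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }      # strip UCI quoting
    function report(   i, n, nets) {                  # emit findings for one section
        if (type == "wifi-device" && country == "")
            print name ": no country code set"
        if (type == "wifi-iface") {
            n = split(network, nets, " ")
            if (n != 1)
                print name ": " n " networks attached, expected exactly one"
            for (i = 1; i <= n; i++)
                if (index(" " wan " ", " " nets[i] " "))
                    print name ": attached to WAN-side network " nets[i]
            if (hidden == "1")
                print name ": hidden SSID adds no security"
        }
        type = name = country = network = hidden = ""
    }
    $1 == "config" { report(); type = $2; name = unq($3) }
    $1 == "option" && $2 == "country" { country = unq($3) }
    $1 == "option" && $2 == "hidden"  { hidden = unq($3) }
    $1 == "option" && $2 == "network" {               # value may hold several names
        network = $0
        sub(/^[ \t]*option[ \t]+network[ \t]+/, "", network)
        network = unq(network)
    }
    $1 == "list" && $2 == "network" { network = network " " unq($3) }
    END { report() }
    ' "$@"
}

sample_wireless() {   # constructed sample modelled on the posted radio1 stanzas
    cat <<'EOF'
config wifi-device 'radio1'
        option band '5g'

config wifi-iface 'default_radio1'
        option network 'wan6 wan'
        option hidden '1'
EOF
}

if [ $# -gt 0 ]; then audit_wireless "$1"; else sample_wireless | audit_wireless; fi
```

A configuration with `option country` set on the radio and `option network 'lan'` on the interface produces no output.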
