WiFi with DHCP not working (dnsmasq problem?)

Hi,

I am facing a problem with my OpenWRT router. It worked well for about 4 months.
Yesterday I tried to block internet access for a range of IPs on my LAN but didn't manage it.
I just added a Traffic Rule and removed it after seeing it didn't work at all. I rebooted my router and then:

  • WiFi connection with DHCP not working
    • WiFi authentication is OK
    • DHCP probably doesn't work properly
  • WiFi connection with static IP is working

Once connected to WiFi I only have access to the LAN (not to the WAN).
Here are the main configuration files:

network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd21:3720:5ad7::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '40:31:3c:06:3d:64'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '208.67.220.220 208.67.220.222'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.199.1'
	option netmask '255.255.255.0'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option domain 'infra'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option leasetime '30d'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option network 'guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

I managed to recover WAN access; in fact /tmp/resolv.conf was empty. Don't know why?!
I had to put the OpenDNS entries manually in /etc/resolv.conf and then it was OK. Is this normal?

But I don't manage to recover WiFi access. I suspect dnsmasq is failing somewhere but don't know where.
Can someone help me? Or explain a bit how to debug that? There is nearly nothing in the logs.

dnsmasq is not started and won't start.

root@Universe:~# /etc/init.d/dnsmasq start
root@Universe:~# ps | grep -E 'dnsmasq|odhcp'
 1337 root      1424 S    /usr/sbin/odhcpd
 1596 root      1032 S    odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth0.2
 28758 root      1192 S    grep -E dnsmasq|odhcp
root@Universe:~# killall dnsmasq
root@Universe:~# ps | grep dnsmasq
 3657 root      1192 S    grep dnsmasq
root@Universe:~# /etc/init.d/dnsmasq start
udhcpc: started, v1.29.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.29.2
udhcpc: sending discover
udhcpc: no lease, failing
root@Universe:~# ps | grep dnsmasq
 3765 root      1192 S    grep dnsmasq

I also found this log in adblock (I tried with adblock enabled and disabled):

Wed Jan  9 07:22:22 2019 user.err adblock-3.5.5-2[12096]: 'dnsmasq' not running or not executable
Wed Jan  9 07:22:22 2019 user.err adblock-3.5.5-2[12096]: Please also check 'https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md'

but everything seems okay with the binary:

root@Universe:~# dnsmasq --help | head -n5
Usage: dnsmasq [options]

Valid options are:
-a, --listen-address=<ipaddr>                          Specify local address(es) to listen on.
-A, --address=/<domain>/<ipaddr>                       Return ipaddr for all hosts in specified domains.

root@Universe:~# ls -l /usr/sbin/dnsmasq
-rwxr-xr-x    1 root     root        146936 Sep  7 17:21 /usr/sbin/dnsmasq

Thanks in advance

Nope, not normal. Normally it is a symbolic link to /tmp/resolv.conf.auto, which should contain the nameservers configured in the interfaces or advertised by your ISP.

Regarding dnsmasq not running, what is in the logs after you restart the service?

/etc/init.d/dnsmasq restart
logread -f | grep dnsmasq

@trendy Thank you for your help !

I just found the issue at the same time by editing the init.d script for dnsmasq to print its log to stdout.
The problem was the following:

Wed Jan  9 11:34:12 2019 daemon.crit dnsmasq[4612]: FAILED to start up
Wed Jan  9 11:34:14 2019 daemon.crit dnsmasq[4613]: duplicate dhcp-host IP address 192.168.10.21 at line 43 of /tmp/dns.conf

I added this IP from the GUI 3 days ago; I thought a verification was made.
So, at reboot dnsmasq hadn't restarted.

--

Can I make the link manually? Otherwise, how do I recover it?

root@Universe:~# ls -l /tmp/resolv.conf*
-rw-r--r--    1 root     root            34 Jan  9 11:44 /tmp/resolv.conf
-rw-r--r--    1 root     root            68 Jan  9 07:13 /tmp/resolv.conf.auto

The symbolic link is in /etc
See mine:

root@fagri:~# ls -l /etc/resolv.conf 
lrwxrwxrwx    1 root     root            16 Aug 16 10:51 /etc/resolv.conf -> /tmp/resolv.conf

If it is not there, or if it is not a symbolic link, you can make it again with the command:
ln -s /tmp/resolv.conf /etc/resolv.conf

(and it is not the /tmp/resolv.conf.auto I mistakenly wrote before)

@trendy I have the symbolic link, but resolv.conf is nearly empty compared to resolv.conf.auto.
Is this normal?

root@Universe:~# cat /tmp/resolv.conf.auto
# Interface wan
nameserver 208.67.220.220
nameserver 208.67.220.222
root@Universe:~# cat /tmp/resolv.conf
search infra
nameserver 127.0.0.1
root@Universe:~# ls -l /etc/resolv.conf*
lrwxrwxrwx    1 root     root            16 Sep  7 17:21 /etc/resolv.conf -> /tmp/resolv.conf

That is correct. It is using dnsmasq as the nameserver.
Fix the duplicate IP as reported in the log file and dnsmasq should start without errors.

I encountered the same issue twice. I had assumed that LuCI would catch this issue. I'm not sure if there is somewhere to make some enhancement requests. The web page doesn't show the full IPv4 address, which makes it difficult to see conflicts. It also doesn't allow sorting, which would make it easier to see conflicts.

I have also since realized that looking at the system log shows the dnsmasq error. Maybe a text warning note on the DHCP page might help others in the same situation.
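A check for the failure diagnosed in this thread, added here as an example and not taken from the posts or from OpenWrt/LuCI: a POSIX shell script that scans a UCI-style dhcp config for the same IP appearing in more than one `config host` (static lease) block, the condition behind the `duplicate dhcp-host IP address` line that kept dnsmasq down after the reboot and that the DHCP page did not flag. The sample config, hostnames and MAC addresses are constructed; the assumed layout is the `config host` / `option ip` form LuCI writes for static leases.

```shell
#!/bin/sh
# Added example, not part of the thread: detect duplicate static-lease IPs in
# a UCI-style /etc/config/dhcp before dnsmasq refuses to start over them.
# Assumption: static leases are "config host" blocks with an "option ip" line,
# the layout LuCI writes under Network -> DHCP and DNS -> Static Leases.

# Constructed sample config (names, MACs and IPs are made up). On a router
# you would point the functions at /etc/config/dhcp instead.
write_sample_config() {
	cat > "$1" <<'EOF'
config dnsmasq
	option domain 'infra'

config host
	option name 'nas'
	option mac '00:11:22:33:44:55'
	option ip '192.168.10.21'

config host
	option name 'printer'
	option mac '66:77:88:99:aa:bb'
	option ip '192.168.10.22'

config host
	option name 'laptop'
	option mac 'cc:dd:ee:ff:00:11'
	option ip '192.168.10.21'
EOF
}

# find_duplicate_host_ips FILE
# Prints "IP COUNT" for every address assigned in more than one "config host"
# block. Single or double quotes around the value are stripped; options in
# other section types (dnsmasq, dhcp, odhcpd) are ignored.
find_duplicate_host_ips() {
	awk -v q="'" '
		/^config[ \t]+host/ { in_host = 1; next }
		/^config[ \t]+/     { in_host = 0 }
		in_host && $1 == "option" && $2 == "ip" {
			ip = $3
			gsub(q, "", ip); gsub(/"/, "", ip)
			count[ip]++
		}
		END {
			for (ip in count)
				if (count[ip] > 1) print ip, count[ip]
		}
	' "$1"
}

# check_dhcp_config FILE
# Returns 0 when no IP is reused, 1 (and reports the offenders on stderr)
# otherwise, so it can gate a "/etc/init.d/dnsmasq restart".
check_dhcp_config() {
	dups=$(find_duplicate_host_ips "$1") || return 1
	if [ -n "$dups" ]; then
		printf 'duplicate dhcp-host IP address(es) in %s:\n%s\n' "$1" "$dups" >&2
		return 1
	fi
	return 0
}

# Run against the constructed sample: reports 192.168.10.21 used twice.
tmp=$(mktemp)
write_sample_config "$tmp"
check_dhcp_config "$tmp" && echo "no duplicate static leases in $tmp"
rm -f "$tmp"
```

On a router, run `check_dhcp_config /etc/config/dhcp` after editing static leases and before restarting dnsmasq; if you skip that, the only place the problem shows up is `logread`, as the daemon.crit line quoted above shows.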