WRT3200ACM rango AP Client drops when using WPA3; fixed with WPA2

I'm running into a strange issue with my WRT3200ACM router, running OpenWRT.
I have my laptop connected via physical/wired LAN to the WRT3200ACM router. I have that router connected wirelessly upstream to a non-OpenWRT router provided by my ISP. That is, the WRT3200ACM is acting as a wireless client of the upstream router.

Diagram:
[laptop]=>[WRT3200ACM]=>[ISP router]
[192.168.0.x]=>[192.168.1.1/24]=>[192.168.0.1/24]

The WRT3200ACM router is on subnet 192.168.1.0/24, gateway 192.168.1.1.
The ISP router is on subnet 192.168.0.0/24, gateway 192.168.0.1.
Both routers are hosting DHCP servers on their respective subnets.

When I reboot the WRT3200ACM router, the wwan interface comes online, establishes a connection to the upstream (ISP) WiFi AP, and gets a DHCP lease. I can ping the internet from my laptop and do nslookups from my laptop. But if I try to load a webpage or send any larger amount of traffic on my laptop, the WRT3200ACM's wwan interface drops, and my laptop's internet connection drops with it.

Here are the logs:

Tue May  9 01:54:33 2023 daemon.notice wpa_supplicant[1951]: wlan0: SME: Trying to authenticate with de:ad:be:ef:de:ad (SSID='SETUP-51FC' freq=5220 MHz)
Tue May  9 01:54:33 2023 kern.info kernel: [   26.733510] wlan0: authenticate with de:ad:be:ef:de:ad
Tue May  9 01:54:33 2023 kern.info kernel: [   26.738677] wlan0: send auth to de:ad:be:ef:de:ad (try 1/3)
Tue May  9 01:54:33 2023 daemon.notice wpa_supplicant[1951]: wlan0: Trying to associate with de:ad:be:ef:de:ad (SSID='SETUP-51FC' freq=5220 MHz)
Tue May  9 01:54:33 2023 kern.info kernel: [   26.750637] wlan0: authenticated
Tue May  9 01:54:33 2023 kern.info kernel: [   26.760143] wlan0: associate with de:ad:be:ef:de:ad (try 1/3)
Tue May  9 01:54:33 2023 kern.info kernel: [   26.768915] wlan0: RX AssocResp from de:ad:be:ef:de:ad (capab=0x1011 status=0 aid=34)
Tue May  9 01:54:33 2023 kern.debug kernel: [   26.859108] ieee80211 phy0: change: 0x2
Tue May  9 01:54:33 2023 kern.info kernel: [   26.859117] wlan0: associated
Tue May  9 01:54:33 2023 kern.info kernel: [   26.862178] wlan0: AP has invalid WMM params (CWmin/max=0/0 for ACI 2), using defaults
Tue May  9 01:54:33 2023 daemon.notice netifd: Network device 'wlan0' link is up
Tue May  9 01:54:33 2023 daemon.notice netifd: Interface 'wwan' has link connectivity
Tue May  9 01:54:33 2023 daemon.notice netifd: Interface 'wwan' is setting up now
Tue May  9 01:54:33 2023 daemon.notice wpa_supplicant[1951]: wlan0: Associated with de:ad:be:ef:de:ad
Tue May  9 01:54:33 2023 daemon.notice wpa_supplicant[1951]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Tue May  9 01:54:33 2023 daemon.notice wpa_supplicant[1951]: wlan0: Unknown event 37
Tue May  9 01:54:33 2023 kern.debug kernel: [   26.870154] wlan0: Limiting TX power to 30 (30 - 0) dBm as advertised by de:ad:be:ef:de:ad
Tue May  9 01:54:33 2023 daemon.notice netifd: wwan (3201): udhcpc: started, v1.35.0
Tue May  9 01:54:34 2023 daemon.notice netifd: wwan (3201): udhcpc: broadcasting discover
Tue May  9 01:54:34 2023 daemon.notice wpa_supplicant[1951]: wlan0: WPA: Key negotiation completed with de:ad:be:ef:de:ad [PTK=CCMP GTK=CCMP]
Tue May  9 01:54:34 2023 daemon.notice wpa_supplicant[1951]: wlan0: CTRL-EVENT-CONNECTED - Connection to de:ad:be:ef:de:ad completed [id=0 id_str=]
Tue May  9 01:54:34 2023 daemon.notice wpa_supplicant[1951]: wlan0: Unknown event 37
Tue May  9 01:54:34 2023 kern.info kernel: [   27.099325] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Tue May  9 01:54:37 2023 daemon.notice netifd: wwan (3201): udhcpc: broadcasting discover
Tue May  9 01:54:37 2023 daemon.notice netifd: wwan (3201): udhcpc: broadcasting select for 192.168.0.174, server 192.168.0.1
Tue May  9 01:54:38 2023 daemon.notice netifd: wwan (3201): udhcpc: lease of 192.168.0.174 obtained from 192.168.0.1, lease time 172800
Tue May  9 01:54:38 2023 daemon.notice netifd: Interface 'wwan' is now up
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using nameserver 68.105.28.11#53
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using nameserver 68.105.29.11#53
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using nameserver 68.105.28.12#53
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for test
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for local
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Tue May  9 01:54:38 2023 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Tue May  9 01:54:38 2023 user.notice firewall: Reloading firewall due to ifup of wwan (wlan0)
Tue May  9 15:58:13 2023 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Tue May  9 15:58:13 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Tue May  9 15:58:13 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 1 addresses
Tue May  9 15:58:13 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Tue May  9 15:58:15 2023 authpriv.info dropbear[3368]: Child connection from 192.168.1.2:33434
Tue May  9 15:58:15 2023 authpriv.notice dropbear[3368]: Auth succeeded with blank password for 'root' from 192.168.1.2:33434
Tue May  9 15:58:37 2023 daemon.notice wpa_supplicant[1951]: wlan0: CTRL-EVENT-BEACON-LOSS
Tue May  9 15:58:39 2023 daemon.notice netifd: Network device 'wlan0' link is down
Tue May  9 15:58:39 2023 daemon.notice netifd: Interface 'wwan' has link connectivity loss
Tue May  9 15:58:39 2023 daemon.notice netifd: wwan (3201): udhcpc: received SIGTERM
Tue May  9 15:58:39 2023 daemon.notice netifd: wwan (3201): udhcpc: unicasting a release of 192.168.0.174 to 192.168.0.1
Tue May  9 15:58:39 2023 daemon.notice netifd: wwan (3201): udhcpc: sending release
Tue May  9 15:58:39 2023 daemon.notice netifd: wwan (3201): udhcpc: entering released state
Tue May  9 15:58:39 2023 daemon.notice netifd: wwan (3201): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "wwan" } (Permission denied)
Tue May  9 15:58:39 2023 daemon.notice netifd: Interface 'wwan' is now down
Tue May  9 15:58:39 2023 daemon.notice netifd: Interface 'wwan' is disabled
Tue May  9 15:58:39 2023 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Tue May  9 15:58:39 2023 daemon.notice netifd: Interface 'wwan' is enabled

I've redacted a MAC address, thus the lines with de:ad:be:ef:de:ad.
Notice the line Auth succeeded with blank password for 'root' from 192.168.1.2:33434.
Everything before that line shows OpenWRT connecting to the upstream successfully. This is the point where ping and nslookup work as expected. Then immediately after SSHing in, I tried loading google.com on my laptop, and the wwan interface dropped.

The ISP router is a newer router, using WPA3. My best guess is that there's some compatibility issue there that only arises when sending/receiving a large-ish amount of data, but I don't know how to proceed. Has anyone had a similar issue?

I'm running a fresh upgrade of OpenWRT and blew away the old config files, openwrt-22.03.2-mvebu-cortexa9-linksys_wrt3200acm-squashfs-sysupgrade.bin, as evidenced by the lack of a root password when SSHing in.

Logs and additional info:
Here's my /etc/config/network file (MACs redacted):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'ba:df:00:db:ad:f0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

Here's my /etc/config/wireless file (MACs redacted):

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option ieee80211w '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr 'ca:fe:ca:fe:ca:fe'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr 'ca:fe:ca:fe:ca:fe'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'SETUP-51FC'
	option encryption 'sae'
	option key 'REDACTED'

Note that in /etc/config/wireless I've added option ieee80211w '0' for radio0. This was a troubleshooting attempt as I read that encrypting management frames was known to cause issues on the WRT3200ACM; it didn't seem to have any impact on my original issue, however.

  • there is a switch issue with that version of OpenWrt, go back, or preferably to master
  • WPA3 is horribly borked with rango, WPA2 only
3 Likes

I manually changed the encryption in /etc/config/wireless for config wifi-iface 'wifinet3' from option encryption 'sae' to option encryption 'psk2' and the issue seems to be solved :slight_smile: but yea, looks like WPA3 is essentially non-functional on 22.03.2 wrt3200acm rango :frowning: thanks for the reply!

WPA3 will probably 'never' work on mwlwifi hardware, regardless of the version (you have to thank Marvell and NXP for leaving a crap vendor driver behind).

Switch isolation is totally broken on 88F6820/ 88E6352 (as on your wrt3200acm) under kernel v5.10, but it's fine on v5.4 (21.02.x) or v5.15 (master/ 23.xy.0), it should (must-) not be used on this hardware, either upgrade (preferred) to current master snapshots or downgrade to 21.02.x.

3 Likes
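A small audit of the posted `/etc/config/wireless`, as an added example that is not part of the original thread or of OpenWrt itself: it parses the UCI text and reports the client (`sta`) interface still using `sae`, any open AP on an enabled radio, and an `ieee80211w` option placed in a `wifi-device` section. The function names and the embedded excerpt are constructed for illustration, and the last check assumes OpenWrt's documented placement of `ieee80211w` as a per-interface (`wifi-iface`) option.

```python
import shlex

# Constructed sample: an excerpt of the /etc/config/wireless posted in the thread.
SAMPLE = """
config wifi-device 'radio0'
    option ieee80211w '0'
config wifi-device 'radio1'
    option disabled '1'
config wifi-iface 'default_radio1'
    option device 'radio1'
    option mode 'ap'
    option encryption 'none'
config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'sta'
    option encryption 'sae'
"""

def parse_uci(text):
    """Return [(section_type, name, {option: value})] for a UCI file."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else "", {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def audit(text):
    """List findings for interfaces that are actually brought up."""
    secs = parse_uci(text)
    radios = {n: o for t, n, o in secs if t == "wifi-device"}
    findings = [f"{n}: ieee80211w belongs in a wifi-iface section, not wifi-device"
                for n, o in radios.items() if "ieee80211w" in o]
    for t, name, o in secs:
        radio = radios.get(o.get("device"), {})
        if t != "wifi-iface" or "1" in (o.get("disabled"), radio.get("disabled")):
            continue  # skip non-interfaces and disabled interfaces/radios
        enc = o.get("encryption", "none")
        if o.get("mode") == "sta" and enc.startswith("sae"):
            findings.append(f"{name}: sta with '{enc}' (WPA3); the thread's workaround is 'psk2'")
        elif o.get("mode") == "ap" and enc == "none":
            findings.append(f"{name}: open AP on an enabled radio")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a copy of the router's config on a workstation; the open `OpenWrt` AP in the posted file is not reported only because its radio is disabled.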