Weird DHCP/DNS behaviour

Hi,

I reinstalled TO (former: 3.x, now: 5.1.8; in both software versions serving as a dump AP) and now have weird behaviour regarding DNS/DHCP. Both services are provided in my network via pihole for the interfaces iot (VLAN-ID 20) and lan (VLAN-ID 10) and by my router for the interface gast (VLAN-ID 50).
Before upgrading I had zero issues with the very same constellation; now I have really severe problems:

  1. DHCP: I have several devices (Dell XPS13 with Intel WIFI 9260; Samsung Galaxy S8) that cannot reconnect easily, or sometimes refuse to entirely, when roaming from one WiFi to another. With the laptop I do not get a clear error log; with the smartphone it hangs while receiving an IP address.
  2. DNS: TO itself has severe issues resolving URLs; sometimes it doesn’t work at all. I thought this might be an issue of release 5.1.8 (therefore I posted a snippet of it here), but it seems to be much more than this:
  • the first time after a reboot I try to ping google.com, it takes several seconds until I slowly receive some kind of answer; the second time it is faster, and only then does it work seamlessly as expected
  • pkgupdate fails until I have run opkg update at least once (or vice versa: if I ran pkgupdate before running opkg update the first time after restarting the TO, it worked without problems):
root@AP_EG1_OG:~# pkgupdate
line not found
line not found
line not found
ERROR:
runtime: [string "requests"]:417: [string "utils"]:420: Getting URI (https://repo.turris.cz/hbs/omnia/lists/base.lua) failed: Couldn't resolve host 'repo.turris.cz'

and after doing an opkg update:

root@AP_EG1_OG:~# pkgupdate
INFO:Target Turris OS: 5.1.8
  • I cannot reach my personal cloud, which is running inside a VM on my server (192.168.1.11) (which hosts 1 VM containing my OpenWrt router (192.168.1.1), 1 VM containing my pihole (192.168.1.12), and 1 VM containing my Nextcloud and Jitsi appliances (cloud.mydomain.tld; 192.168.1.13)). In pihole I have a /etc/hosts file telling my network devices that cloud.mydomain.tld can be reached via 192.168.1.13. I can ping each IP directly, but when trying to ping cloud.mydomain.tld I get the following feedback:
root@AP_EG1_OG:~# ping cloud.mydomain.tld
ping: unknown host cloud.mydomain.tld

The complete network is just as before the TO upgrade, nothing changed and beforehand
My configuration is as follows:

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<>'

config interface 'lan'
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option delegate '0'
	option _turris_mode 'managed'
	option gateway '192.168.1.1'
	option dns '192.168.1.12'

config interface 'iot'
	option ifname 'lan4.2'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option delegate '0'
	option gateway '192.168.2.1'
	option dns '192.168.2.12'

config interface 'gast'
	option ifname 'lan4.5'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.5.2'
	option netmask '255.255.255.0'
	option delegate '0'
	option gateway '192.168.5.1'
	option dns '192.168.5.1'

config interface 'wan'
	option ifname 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth2'
	option proto 'dhcpv6'
/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'lan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'iot'

config zone
	option name 'gast'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option network 'gast'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'gast'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow IoT DHCP request'
	option src 'iot'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT DNS Queries'
	option src 'iot'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow Gast DHCP request'
	option src 'gast'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow Gast DNS Queries'
	option src 'gast'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option port '0'
	list rebind_domain 'mydomain.tld'
	list rebind_domain 'cloud.mydomain.tld'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'iot'
	option interface 'lan'
	option ignore '1'

config dhcp 'gast'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
/etc/config/resolver
config resolver 'common'
	list interface '0.0.0.0'
	list interface '::0'
	option port '53'
	option keyfile '/etc/root.keys'
	option verbose '0'
	option edns_buffer_size '1232'
	option msg_buffer_size '65552'
	option msg_cache_size '20M'
	option net_ipv6 '1'
	option net_ipv4 '1'
	option prefered_resolver 'kresd'
	option prefetch 'yes'
	option static_domains '1'
	option dynamic_domains '0'
	option forward_upstream '0'
	option ignore_root_key '1'

config resolver 'kresd'
	option rundir '/tmp/kresd'
	option log_stderr '1'
	option log_stdout '1'
	option keep_cache '1'

config resolver 'unbound'
	option outgoing_range '60'
	option outgoing_num_tcp '1'
	option incoming_num_tcp '1'
	option msg_cache_slabs '1'
	option num_queries_per_thread '30'
	option rrset_cache_size '100K'
	option rrset_cache_slabs '1'
	option infra_cache_slabs '1'
	option infra_cache_numhosts '200'
	list access_control '0.0.0.0/0 allow'
	list access_control '::0/0 allow'
	option pidfile '/var/run/unbound.pid'
	option root_hints '/etc/unbound/named.cache'
	option target_fetch_policy '2 1 0 0 0'
	option harden_short_bufsize 'yes'
	option harden_large_queries 'yes'
	option qname_minimisation 'yes'
	option harden_below_nxdomain 'yes'
	option key_cache_size '100k'
	option key_cache_slabs '1'
	option neg_cache_size '10k'
	option prefetch_key 'yes'

config resolver 'unbound_remote_control'
	option control_enable 'yes'
	option control_use_cert 'no'
	list control_interface '127.0.0.1'
/etc/config/wireless
#########################################
#mPCIe00:01.0 WLE900VX --> WiFi 2,4GHz First floor

config wifi-device 'radio0'
	option type 'mac80211'
	option macaddr '<>'
	option hwmode '11g'
	option require_mode 'g'
	option channel '11'
	option htmode 'HT40'
	option txpower '17'
	option country 'DE'
	option legacy_rates '0'
	option noscan '1'
	option disabled '0'

config wifi-iface 'wifi2_OG_lan1'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'family-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0a'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi2_OG_iot'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'friends/iot-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0b'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi2_OG_gast'
	option device 'radio0'
	option network 'gast'
	option mode 'ap'
	option ssid 'guest-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0c'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

#########################################
#mPCIe00:02.0 WLE1216v5-20 --> WiFi 5GHz ground floor

config wifi-device 'radio1'
	option type 'mac80211'
	option macaddr '<>'
	option hwmode '11a'
	option require_mode 'n'
	option channel '48'
	option htmode 'VHT160'
	option txpower '16'
	option country 'DE'
	option disabled '0'

config wifi-iface 'wifi5_EG1_lan'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'family-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0a'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi5_EG1_iot'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'friends/iot-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0b'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi5_EG1_gast'
	option device 'radio1'
	option network 'gast'
	option mode 'ap'
	option ssid 'guest-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0c'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

#########################################
#mPCIe00:03.0 WLE1216v5-20 --> WiFi 5GHz first floor

config wifi-device 'radio2'
	option type 'mac80211'
	option macaddr '<>'
	option hwmode '11a'
	option require_mode 'n'
	option channel '153'
	option htmode 'VHT80'
	option txpower '13'
	option country 'DE'
	option disabled '0'

config wifi-iface 'wifi5_OG_lan'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'family-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0a'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi5_OG_iot'
	option device 'radio2'
	option network 'iot'
	option mode 'ap'
	option ssid 'friends/iot-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0b'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

config wifi-iface 'wifi5_OG_gast'
	option device 'radio2'
	option network 'gast'
	option mode 'ap'
	option ssid 'guest-ssid'
	option encryption 'psk2+ccmp'
	option key '<>'
	option macaddr '<>'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '0a0c'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option wpa_group_rekey '86400'
	option disabled '0'

The reinstallation should not have been the problem as I provided a *.md5-file along with the archive. Or do you think I need to do another reinstallation?
Can anyone help solving this nightmare? My wife is close to killing me - obviously the woman acceptance factor of “DAS WLAN FUNKTIONIERT JA SCHON WIEDER NICHT!” (in English: “WIFI IS AGAIN NOT WORKING!”) is below zero :sob:

Thanks,
ssdnvv

Why did you post your firewall/dhcp/resolver configs if you’re using your Omnia as a dump AP … all these services should be disabled in this mode!?

E.g. that’s in one of my APs (rc.local):

root@blackhole2:/etc$ cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

services="firewall resolver dnsmasq kresd odhcpd umdns socat"
for service in ${services}
do
   /etc/init.d/${service} disable >/dev/null 2>&1
   /etc/init.d/${service} stop >/dev/null 2>&1
done

exit 0

Do you have VLANs separating network interfaces from each other? If so, you need to have firewall rules allowing the necessary DHCP requests and denying all other access. At least this was the case several major OpenWrt versions ago and served me well. I never disabled those services, and it worked well until before the upgrade.
Regarding the resolver/dnsmasq you may be right, but then I still don’t understand why it worked well until before I upgraded.

Problem solved - reason/issue can be found ⇨here

Just a quick note on this: it is only necessary for a „dump AP“ to have one interface reachable (configured most likely as a DHCP client or static). All other (VLAN) interfaces, such as your IoT and guest interfaces, can be configured as unmanaged. Thereby they can still be bridged to LAN ports and WiFi interfaces, but the AP itself isn't part of these networks and you don't have to worry about VLAN isolation on layer 3 on this AP.

I took this one step further in my network setup by using the default LAN network (with no VID) only to connect to all networking devices (routers, switches, APs); you might call it my „management network“. All other networks, including my „real LAN“ network, are set up as VLANs with restricted access to the router (only DHCP and DNS) and no access to my APs and switches (as I said, because they only bridge these networks without being part of them). Of course you have to connect all reachable LAN ports of your switches and APs to the „real LAN“ network and not to the „management (default LAN)“ network, but once this is set up it has several advantages, as it simplifies routing and firewall configuration a lot: you can simply restrict access to your network devices through their own firewall zone. Plus you add a layer of security to your network, as Cross-Site-Scripting attacks can't reach your network devices through your LAN devices. If you want to have access to your network devices you just need to connect to your „management“ network (just set up a distinct SSID for this network).
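A small audit for the advice above, added here as an example (not code from the thread, Turris or OpenWrt): it parses an /etc/config/network in UCI syntax and lists every interface other than the uplink that still carries a layer-3 protocol, i.e. is not `proto 'none'`. The embedded sample is a constructed, shortened version of the poster's file with `gast` already switched to unmanaged.

```python
import re

# Constructed sample derived from the poster's /etc/config/network:
# 'lan' is the AP's managed uplink, 'iot' still holds a static address
# (what the thread advises against), 'gast' is already unmanaged.
SAMPLE_NETWORK = """
config interface 'lan'
    option ifname 'lan0 lan1 lan2 lan3 lan4.1'
    option proto 'static'
    option ipaddr '192.168.1.2'
config interface 'iot'
    option ifname 'lan4.2'
    option proto 'static'
    option ipaddr '192.168.2.2'
config interface 'gast'
    option ifname 'lan4.5'
    option proto 'none'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse UCI text into {section_name: {'.type': type, key: value}}.
    Anonymous sections get a synthetic '@type[n]' name; 'list' keys
    accumulate into Python lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            name = m.group(2) or f"@{m.group(1)}[{len(sections)}]"
            current = sections.setdefault(name, {".type": m.group(1)})
        elif (m := OPTION_RE.match(line)) and current is not None:
            kind, key, val = m.groups()
            if kind == "list":
                current.setdefault(key, []).append(val)
            else:
                current[key] = val
    return sections

def audit_dumb_ap(text, uplink="lan"):
    """Return [(interface, proto)] for every interface, other than the
    uplink and loopback, that is not 'proto none' and therefore still
    gives the AP an address (a layer-3 foothold) in that VLAN."""
    return [(name, sec["proto"])
            for name, sec in parse_uci(text).items()
            if sec[".type"] == "interface"
            and name not in (uplink, "loopback")
            and sec.get("proto", "none") != "none"]
```

Run against the poster's full file with `uplink="lan"`, it would report `iot` and `gast` as still managed; an empty result means the AP holds an address only in the uplink network.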


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.