Issue with 2.4Ghz and nest / ring devices in 386.2 alpha 2

[brummygit]

I've been having general issues with this beta over the last couple of days and I'm starting to think it's also using the guest networks that is the root of my problem. I had 1 camera on guest network 1 with isolation, the rest were still on the primary network. I'm seeing lost of connectivity now like you were - strangely everything had worked well from the initial upgrades to Alpha 2 and the first few hours of the Beta so I'm wondering if it's related to DHCP leases expiring and not being re-issued. The devices already had IP addresses when I upgraded so wouldn't initially have had problems.

I ran overnight with Cake disabled and also no Guest network - everything has been fine for over 12 hours. I just turned both back on and my network is falling apart with 2.4Ghz devices unable to connect (including Ring and Nest). This is very strange so I will do more investigation and let you know if I find anything relevant.

 

[brummygit]

So my network has stabilised again by turning off Guest Network 1 and leaving Cake turned on. Guest Network 1 (which had been broken for a long while but I was convinced was working when I tried the Alpha) is breaking connectivity for 2.4Ghz devices on my main network as well as the guest network.

I now have all of my Ring and Nest devices online and stable again.

 

[dbell]

Hey thanks for the info. Seems like my devices are getting dhcp responses as they show associated with the .101. address but just can't reach the internet to register their state with the nest or ring services.

 

[john9527]

It was the case that on 386 disabling intranet access on Guest 1 also automatically enabled ap isolation (the devices couldn't talk to any other local devices, even those on the same Guest 1 network). So any system relying on a hub or base would likely fail.

 

[dbell]

It was the case that on 386 disabling intranet access on Guest 1 also automatically enabled ap isolation (the devices couldn't talk to any other local devices, even those on the same Guest 1 network). So any system relying on a hub or base would likely fail.

Hey John thanks for joining in. I had this setup in place before 386 came along and did not experience the issue (and did not have to make any changes) while using the various 386.1 builds - only became an issue with 386.2 alpha 2. If I go back to 386.2_alpha1-ga84fed8777 the issue goes away - possibly a regression ?

 

[john9527]

only became an issue with 386.2 alpha 2. If I go back to 386.2_alpha1-ga84fed8777 the issue goes away - possibly a regression ?

Well, the code that forces the ap_isolate behavior hasn't changed since May of last year

cdfc71fd209 (Eric Sauvageau 2020-05-20 23:42:51 -0400  630)         if(amesh_support && amesh_wgn_support){
cdfc71fd209 (Eric Sauvageau 2020-05-20 23:42:51 -0400  631)             $("input[name='wl_ap_isolate']").attr("disabled", false);
cdfc71fd209 (Eric Sauvageau 2020-05-20 23:42:51 -0400  632)             var wl_ap_isolate = ($("select[name='wl_lanaccess']").val() == "off") ? 1 : 0;
cdfc71fd209 (Eric Sauvageau 2020-05-20 23:42:51 -0400  633)             $("input[name='wl_ap_isolate']").val(wl_ap_isolate);
cdfc71fd209 (Eric Sauvageau 2020-05-20 23:42:51 -0400  634)         }

The code delta between the levels you mentioned was primarily GPL/binary blob merges...one was so big it basically hung gitk on my system. Maybe it's the other way around....they broke and then fixed something that affected ap_isolate?

 

[dbell]

Depends on your definition of "fixed" I suppose. Now that you mention it I do recall reading some debate about disable intranet access causing ap isolation as well. But I would have expected to have tripped over it before now unless the thing that was fixed was unique to AC5300 that others experienced on other devices and I did not until now.

Renders using the guest network useless then for IoT purposes where you want Internet but not Intranet access.

Just looking at my nvram dump from 16 feb on 386.1_2 and:

wl_ap_isolate=0
wl0.1_ap_isolate=1
wl_lanaccess=off

Today, with allow intranet access disabled they are:

wl_ap_isolate=0
wl0.1_ap_isolate=1
wl_lanaccess=off

and with intranet access enabled:

wl_ap_isolate=0
wl0.1_ap_isolate=0
wl_lanaccess=off

Curious why wl_lanaccess=off in that last case.

So that code you shared doesn't line up with what I see above. That code says that if wl_lanacces=off then wl_ap_isolate should be set to 1 (true case : false case) in the boolean selector statement but clearly it does not unless something else is changing it.

 

[john9527]

Just looking at my nvram dump from 16 feb on 386.1_2 and:

The wl_ vars are just working/tmp vars for the gui. To see the actual state, you need to use the full prefix, wl0.1, etc.

 

[dbell]

Ok so now I see lanaccess off and ap isolate 1, and vice versa for the wl0.1 interface. They were lanaccess=off and ap_isolate=1 back in 386.1_2 on 16 feb too.

Thanks for the education.

 

[john9527]

@dbell

Try this and see if makes a difference
- Exit the gui
- ssh to the router and enter
nvram set wl0.1_ap_isolate=0
nvram commit
service restart_wireless

Don't go back into the gui (or at least the guest wireless page) and see if things appear any better.

 

[dbell]

Do I need to also do nvram set wl0.2_ap_isolate=0 on the node since wl0.2 is the equivalent interface there ? Mixing tri- and dual-band routers is not the best I think. Maybe I should just buy another AX86U.

 

[john9527]

Hmmm....forgot you alluded to a mesh config, but didn't see any detail. Can you summarize your configuration...primary, any nodes, type of backhaul, etc.

 

[dbell]

AC5300 router (2.4g / 5g-2 enabled) <-- ethernet backhaul --> AX86U node (2.4g / 5g enabled) - the AX86U is the node because it serves the larger area and more devices, but the Internet ingress is near the AC5300. It's definitely a disadvantage to have the admin UI be tied to the AC5300 rather than the AX86U.

I disabled the 5g-1 on AC5300 to have more symmetrical bands across the two devices.

2.4g fixed ch 6, 5g fixed ch 153

 

[dbell]

@brummygit @john9527

Looks like the fix for corrupted firewall rules in 386.2_beta2-g1e6831e65a has solved this problem. My IoT devices remained connected overnight with allow intranet access disabled

 

[dbell]

My second AX86U arrived so now I replaced the AC5300 and 386.2 beta 1 works fine and does not exhibit the same issue as on the AC5300.