AC87U 5Ghz guest network

[Lucky-Strike]

God damnit, must be kidding me, it *seems* to be working on 384.11.
At least when SSIDs are created before update and without restore. I will try full reset to check if it's really working on .11.

Universal beamforming was on. Turned it off. But lost 10dB in the process . Might be coincidental.

 

[Zastoff]

Just curious - Can you define "broke"? Were the 5GHz SSIDs not broadcasting at all? If they were could you connect to them? Any messages in the syslog?

It was not broadcasting at all, Tried looking at log but not found anything yet

 

[Zastoff]

God damnit, must be losing me, it *seems* to be working on 384.11.
At least when SSIDs are created before update and without restore. I will try full reset to check if it's really working on .11.

Universal beamforming was on. Turned it off. But lost 10dB in the process . Might be coincidental.

Sorry for the "seems" but it worked here, Tested on my Android did speed test and browsing..can give it some more testing

 

[Lucky-Strike]

Sorry for the "seems" but it worked here, Tested on my Android did speed test and browsing..can give it some more testing

Thé *seems* only apply to my setup, not yours, I fully trust your testing .
So, after updating from 380.70 > 384.5 > 384.11 it WAS working on 384.11. The guest 5ghz network was visible and had internet access.
I did a factory reset on 384.11 and re-created the guests network on both 2.4 and 5ghz : the 5ghz is not broadcasting.
After a reboot, 5ghz guest IS broadcasting but has no internet access on it.

 

[ColinTaylor]

Guys, when testing I suggest that after applying any changes to the 5GHz WiFi you do a complete power off, wait 30 seconds and turn on. I only say this because doing a "soft reset" on the Quantenna might be different from a "hard". Maybe the Quantenna chip is remembering some of the previous settings with "soft"?

 

[Lucky-Strike]

Did a hard reset, the guest 5ghz network wasn't listed at first but it seems that it was due to Android masking it.
After deleting it from the "known networks" it appeared again and I could connect to it, but still no internet access.

// Startup
May  9 11:09:52 ntp: Initial clock set
May  9 11:09:52 rc_service: ntpd_synced 617:notify_rc restart_diskmon
May  9 11:09:52 disk_monitor: Finish
May  9 11:09:53 disk_monitor: be idle
May  9 11:10:03 crond[249]: time disparity of 531604 minutes detected
May  9 11:10:35 kernel: br0: received packet on vlan4000 with own address as source address
May  9 11:10:36 kernel: br0: received packet on vlan4000 with own address as source address
May  9 11:10:37 kernel: br0: received packet on vlan4000 with own address as source address
// Connecting to 5Ghz guest network => NO INTERNET
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPDISCOVER(br0) 94:65:2d:9a:c0:** 
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPOFFER(br0) 192.168.2.142 94:65:2d:9a:c0:** 
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPDISCOVER(br0) 94:65:2d:9a:c0:** 
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPOFFER(br0) 192.168.2.142 94:65:2d:9a:c0:**
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPREQUEST(br0) 192.168.2.142 94:65:2d:9a:c0:** 
May  9 11:10:39 dnsmasq-dhcp[241]: DHCPACK(br0) 192.168.2.142 94:65:2d:9a:c0:** OnePlus5
// Connecting to 5Ghz => INTERNET OK
May  9 11:12:32 dnsmasq-dhcp[241]: DHCPDISCOVER(br0) 94:65:2d:9a:c0:** 
May  9 11:12:32 dnsmasq-dhcp[241]: DHCPOFFER(br0) 192.168.2.142 94:65:2d:9a:c0:** 
May  9 11:12:32 dnsmasq-dhcp[241]: DHCPREQUEST(br0) 192.168.2.142 94:65:2d:9a:c0:** 
May  9 11:12:32 dnsmasq-dhcp[241]: DHCPACK(br0) 192.168.2.142 94:65:2d:9a:c0:** OnePlus5

Nothing much...

 

[Zastoff]

Turning on 5Ghz guest

Spoiler: From syslog

May 9 11:01:38 rc_service: httpds 367:notify_rc restart_wireless;restart_qos;restart_firewall;
May 9 11:01:38 custom_script: Running /jffs/scripts/service-event (args: restart wireless)
May 9 11:01:40 kernel: br0: port 2(eth1) entering forwarding state
May 9 11:01:40 kernel: device eth1 left promiscuous mode
May 9 11:01:40 kernel: br0: port 2(eth1) entering disabled state
May 9 11:01:40 kernel: br0: port 3(wl0.2) entering forwarding state
May 9 11:01:40 kernel: device wl0.2 left promiscuous mode
May 9 11:01:40 kernel: br0: port 3(wl0.2) entering disabled state
May 9 11:01:56 kernel: device eth1 entered promiscuous mode
May 9 11:01:56 kernel: br0: topology change detected, propagating
May 9 11:01:56 kernel: br0: port 2(eth1) entering forwarding state
May 9 11:01:56 kernel: br0: port 2(eth1) entering forwarding state
May 9 11:01:56 kernel: device wl0.2 entered promiscuous mode
May 9 11:01:56 kernel: br0: topology change detected, propagating
May 9 11:01:56 kernel: br0: port 3(wl0.2) entering forwarding state
May 9 11:01:56 kernel: br0: port 3(wl0.2) entering forwarding state
May 9 11:01:57 acsd: scan in progress ...
May 9 11:01:57 acsd: scan in progress ...
May 9 11:01:57 acsd: scan in progress ...
May 9 11:01:57 acsd: scan in progress ...
May 9 11:01:58 acsd: scan in progress ...
May 9 11:01:58 acsd: scan in progress ...
May 9 11:01:58 acsd: scan in progress ...
May 9 11:01:58 acsd: scan in progress ...
May 9 11:01:59 acsd: scan in progress ...
May 9 11:01:59 acsd: scan in progress ...
May 9 11:01:59 acsd: scan in progress ...
May 9 11:01:59 acsd: COEX: downgraded chanspec 0x1803 to 0x1001: channel 6 used by exiting BSSs
May 9 11:01:59 acsd: selected channel spec: 0x1001 (1)
May 9 11:01:59 acsd: Adjusted channel spec: 0x1001 (1)
May 9 11:01:59 acsd: selected DFS-exit channel spec: 0x1001 (1)
May 9 11:01:59 acsd: COEX: downgraded chanspec 0x1803 to 0x1001: channel 6 used by exiting BSSs
May 9 11:01:59 acsd: selected channel spec: 0x1001 (1)
May 9 11:01:59 acsd: Adjusted channel spec: 0x1001 (1)
May 9 11:01:59 acsd: selected channel spec: 0x1001 (1)
May 9 11:02:01 custom_script: Running /jffs/scripts/service-event (args: restart qos)
May 9 11:02:04 uiDivStats: Diversion statistic generation completed successfully!
May 9 11:02:21 BWDPI: fun bitmap = 17f
May 9 11:02:21 kernel: HTB: quantum of class 10001 is big. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 20001 is big. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 10009 is big. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 20009 is big. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 30001 is big. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 30010 is small. Consider r2q change.
May 9 11:02:21 kernel: HTB: quantum of class 20010 is small. Consider r2q change.
May 9 11:02:21 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
May 9 11:02:22 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
May 9 11:02:22 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May 9 11:02:23 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Zastoff/skynet )

no SSID for 5Ghz guest..
Hard Reboot (power off for 30 sec)
Guest 5Ghz SSID up
Internet access on 5Ghz guest tested again on my android phone

Spoiler: from syslog after hard reboot

May 9 11:17:58 mbss: prefix_bss_enabled:[wl1.2_bss_enabled][1]
May 9 11:17:58 mbss: prefix_lanaccess:[wl1.2_lanaccess][off]
May 9 11:17:58 kernel: device vlan4001 entered promiscuous mode
May 9 11:17:58 kernel: br0: topology change detected, propagating
May 9 11:17:58 kernel: br0: port 4(vlan4001) entering forwarding state
May 9 11:17:58 kernel: br0: port 4(vlan4001) entering forwarding state
May 9 11:17:58 mbss: dp-10 unit:[1], subunit:[2]

edit:
But when i am on 5Ghz guest i get
DNS_PROBE_FINISHED_NXDOMAIN on some(very few) sites not all...
switched to normal 5Ghz and i dont get that message
Will keep it up and continue testing

 

[ColinTaylor]

Did a hard reset, the guest 5ghz network wasn't listed at first but it seems that it was due to Android masking it.

Remember that if you have enabled DFS channels the 5GHz radio will take at least another 60 seconds to appear after the 2.4GHz.

edit:
But when i am on 5Ghz guest i get
DNS_PROBE_FINISHED_NXDOMAIN on some(very few) sites not all...
switched to normal 5Ghz and i dont get that message

Interesting. It might be useful to see the output of the following commands:

ebtables -t broute -L; ebtables -L

 

[Zastoff]

ebtables -t broute -L; ebtables -L

ASUSWRT-Merlin RT-AC87U 384.11-0 Wed May  8 22:15:02 UTC 2019
drizzt@RT-AC87U-99F8:/tmp/home/root# ebtables -t broute -L; ebtables -L
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4001 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i wl0.2 -j DROP
-o wl0.2 -j DROP
-i vlan4001 -j DROP
-o vlan4001 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

edit: From wireless log

Spoiler: Wireless 5Ghz

Wireless 5 GHz
SSID: ZASTOFF_5G Mode: AP
SNR: 77 dB Noise: -53 dBm Channel: 48/80 BSSID: xx:xx:xx:xx:xx:xx
Device IP Address Rx/Tx & RSSI Connected Flags
xx:xx:xx:xx:xx:xx
Daniel-Dator 192.168.1.37
585 / 1300 Mbps
-54 dBm 0:01:40 AU
xx:xx:xx:xx:xx:xx
Sony-XZ2 192.168.1.240
260 / 6 Mbps
-64 dBm 0:37:42 AUG

 

[ColinTaylor]

Thanks @Zastoff. That looks correct AFAIK. wl0.2 is the 2nd 2.4GHz guest network, and I'm assuming vlan4001 is the 1st 5GHz guest network. Neither of which have intranet access enabled.

Can you check the DNS from a client PC connected to the 5GHz guest:

nslookup google.com 8.8.8.8

nslookup google.com

 

[Zastoff]

From cmd connected to 5Ghz guest

C:\>nslookup google.com 8.8.8.8
Server:  UnKnown
Address:  8.8.8.8

Icke-auktoritärt svar:
Namn:    google.com
Addresses:  2a00:1450:400e:80b::200e
          172.217.20.110


C:\>nslookup google.com
Server:  router.asus.com
Address:  192.168.1.1

Icke-auktoritärt svar:
Namn:    google.com
Addresses:  2a00:1450:400e:80b::200e
          172.217.20.110

Did another nslookup google.com 8.8.8.8

C:\>nslookup google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Icke-auktoritärt svar:
Namn:    google.com
Addresses:  2a00:1450:400e:80b::200e
          172.217.20.110

C:\>nslookup google.com
Server:  router.asus.com
Address:  192.168.1.1

Icke-auktoritärt svar:
Namn:    google.com
Addresses:  2a00:1450:400e:80b::200e
          172.217.20.110


C:\>nslookup 8.8.8.8
Server:  router.asus.com
Address:  192.168.1.1

Namn:    google-public-dns-a.google.com
Address:  8.8.8.8

 

[ColinTaylor]

From cmd connected to 5Ghz guest

Thanks, that looks to be working as expected. I can only suggest that you try the same lookups on the domains that you're having problems with. Bear in mind that if you're using anything that interferes with DNS, like DNSFilter, DoT, Diversion, etc. that might be the cause of the problem.

 

[Grisu]

But lost 10dB in the process . Might be coincidental.

Maybe your 5G changed channel from >=149 with 1W power to any lower one with only 200mW or even less.

 

[Zastoff]

Did some more testing with all 3 5Ghz guest enabled and it`s working as long as intranet access is set to off for me
(Fw 384.11, DNSCrypt, DNSFilter Global Filter Mode=Router)

Spoiler: ebtables

ASUSWRT-Merlin RT-AC87U 384.11-0 Wed May 8 22:15:02 UTC 2019
drizzt@RT-AC87U-99F8:/tmp/home/root# ebtables -t broute -L; ebtables -L
Bridge table: broute

Bridge chain: BROUTING, entries: 4, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4000 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4001 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4002 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i wl0.2 -j DROP
-o wl0.2 -j DROP
-i vlan4000 -j DROP
-o vlan4000 -j DROP
-i vlan4001 -j DROP
-o vlan4001 -j DROP
-i vlan4002 -j DROP
-o vlan4002 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Spoiler: From syslog

May 10 08:45:49 mbss: prefix_bss_enabled:[wl1.1_bss_enabled][1]
May 10 08:45:49 mbss: prefix_lanaccess:[wl1.1_lanaccess][off]
May 10 08:45:50 kernel: device vlan4000 entered promiscuous mode
May 10 08:45:50 kernel: br0: topology change detected, propagating
May 10 08:45:50 kernel: br0: port 4(vlan4000) entering forwarding state
May 10 08:45:50 kernel: br0: port 4(vlan4000) entering forwarding state
May 10 08:45:50 mbss: dp-10 unit:[1], subunit:[1]
May 10 08:45:53 mbss: prefix_bss_enabled:[wl1.2_bss_enabled][1]
May 10 08:45:53 mbss: prefix_lanaccess:[wl1.2_lanaccess][off]
May 10 08:45:53 kernel: device vlan4001 entered promiscuous mode
May 10 08:45:53 kernel: br0: topology change detected, propagating
May 10 08:45:53 kernel: br0: port 5(vlan4001) entering forwarding state
May 10 08:45:53 kernel: br0: port 5(vlan4001) entering forwarding state
May 10 08:45:53 mbss: dp-10 unit:[1], subunit:[2]
May 10 08:45:57 mbss: prefix_bss_enabled:[wl1.3_bss_enabled][1]
May 10 08:45:57 mbss: prefix_lanaccess:[wl1.3_lanaccess][off]
May 10 08:45:57 kernel: device vlan4002 entered promiscuous mode
May 10 08:45:57 kernel: br0: topology change detected, propagating
May 10 08:45:57 kernel: br0: port 6(vlan4002) entering forwarding state
May 10 08:45:57 kernel: br0: port 6(vlan4002) entering forwarding state
May 10 08:45:57 mbss: dp-10 unit:[1], subunit:[3]

 

[ColinTaylor]

Did some more testing with all 3 5Ghz guest enabled and it`s working as long as intranet access is set to off for me
(Fw 384.11, DNSCrypt, DNSFilter Global Filter Mode=Router)

Thanks for the info.

So now we need to know what's happening when it doesn't work. What happens if you turn on intranet access for just one of the guest networks, say #1? Are any of the SSIDs visible? What do you see in System Log > Wireless Log? Any messages in syslog?

P.S. Have you had a re-occurrence of the intermittent DNS problem, or has that settled down now.

 

[Zastoff]

Thanks for the info.

So now we need to know what's happening when it doesn't work. What happens if you turn on intranet access for just one of the guest networks, say #1? Are any of the SSIDs visible? What do you see in System Log > Wireless Log? Any messages in syslog?

P.S. Have you had a re-occurrence of the intermittent DNS problem, or has that settled down now.

The DNS problem i had seemed fine here now it did not happen during testing earlier today
Will give it another go here and see if i can get some info on intranet access and so on before family gets home

 

[Zastoff]

Changed intranet access to yes for 5Ghz guest 1, the 5Ghz has no access on normal or guest says unidentified network
Managed to log on to router from 2.4 band

May 10 14:12:06 rc_service: httpds 398:notify_rc restart_wireless
May 10 14:12:06 custom_script: Running /jffs/scripts/service-event (args: restart wireless)
May 10 14:12:08 kernel: br0: port 2(eth1) entering forwarding state
May 10 14:12:08 kernel: device eth1 left promiscuous mode
May 10 14:12:08 kernel: br0: port 2(eth1) entering disabled state
May 10 14:12:08 kernel: br0: port 3(wl0.2) entering forwarding state
May 10 14:12:08 kernel: device wl0.2 left promiscuous mode
May 10 14:12:08 kernel: br0: port 3(wl0.2) entering disabled state
May 10 14:12:08 kernel: Interface wl1.1 doesn't exist
May 10 14:12:08 kernel: Interface wl1.2 doesn't exist
May 10 14:12:08 kernel: Interface wl1.3 doesn't exist
May 10 14:12:29 kernel: device eth1 entered promiscuous mode
May 10 14:12:29 kernel: br0: topology change detected, propagating
May 10 14:12:29 kernel: br0: port 2(eth1) entering forwarding state
May 10 14:12:29 kernel: br0: port 2(eth1) entering forwarding state
May 10 14:12:29 kernel: device wl0.2 entered promiscuous mode
May 10 14:12:29 kernel: br0: topology change detected, propagating
May 10 14:12:29 kernel: br0: port 3(wl0.2) entering forwarding state
May 10 14:12:29 kernel: br0: port 3(wl0.2) entering forwarding state
May 10 14:12:29 acsd: scan in progress ...
May 10 14:12:30 acsd: scan in progress ...
May 10 14:12:30 acsd: scan in progress ...
May 10 14:12:30 acsd: scan in progress ...
May 10 14:12:30 acsd: scan in progress ...
May 10 14:12:31 acsd: scan in progress ...
May 10 14:12:31 acsd: scan in progress ...
May 10 14:12:31 acsd: scan in progress ...
May 10 14:12:31 acsd: scan in progress ...
May 10 14:12:32 acsd: scan in progress ...
May 10 14:12:32 acsd: scan in progress ...
May 10 14:12:32 acsd: COEX: downgraded chanspec 0x1803 to 0x1001: channel 6 used by exiting BSSs
May 10 14:12:32 acsd: selected channel spec: 0x1001 (1)
May 10 14:12:32 acsd: Adjusted channel spec: 0x1001 (1)
May 10 14:12:32 acsd: selected DFS-exit channel spec: 0x1001 (1)
May 10 14:12:32 acsd: COEX: downgraded chanspec 0x1803 to 0x1001: channel 6 used by exiting BSSs
May 10 14:12:32 acsd: selected channel spec: 0x1001 (1)
May 10 14:12:32 acsd: Adjusted channel spec: 0x1001 (1)
May 10 14:12:32 acsd: selected channel spec: 0x1001 (1)

Will try reboot and see
edit1:
After reboot i have all SSID`s up internet works but no intranet access at all for 5Ghz normal or guest 1

edit2: from log after reboot

May 10 14:31:32 mbss: prefix_bss_enabled:[wl1.1_bss_enabled][1]
May 10 14:31:32 mbss: prefix_lanaccess:[wl1.1_lanaccess][on]
May 10 14:31:32 mbss: dp-11 unit:[1], subunit:[1]
May 10 14:31:36 mbss: prefix_bss_enabled:[wl1.2_bss_enabled][1]
May 10 14:31:36 mbss: prefix_lanaccess:[wl1.2_lanaccess][off]
May 10 14:31:36 kernel: device vlan4001 entered promiscuous mode
May 10 14:31:36 kernel: br0: topology change detected, propagating
May 10 14:31:36 kernel: br0: port 4(vlan4001) entering forwarding state
May 10 14:31:36 kernel: br0: port 4(vlan4001) entering forwarding state
May 10 14:31:36 mbss: dp-10 unit:[1], subunit:[2]
May 10 14:31:39 mbss: prefix_bss_enabled:[wl1.3_bss_enabled][1]
May 10 14:31:39 mbss: prefix_lanaccess:[wl1.3_lanaccess][off]
May 10 14:31:39 kernel: device vlan4002 entered promiscuous mode
May 10 14:31:39 kernel: br0: topology change detected, propagating
May 10 14:31:39 kernel: br0: port 5(vlan4002) entering forwarding state
May 10 14:31:39 kernel: br0: port 5(vlan4002) entering forwarding state
May 10 14:31:39 mbss: dp-10 unit:[1], subunit:[3]

But as before no intranet access at all on 5Ghz normal or guest

edit3:

ASUSWRT-Merlin RT-AC87U 384.11-0 Wed May  8 22:15:02 UTC 2019
drizzt@RT-AC87U-99F8:/tmp/home/root# ebtables -t broute -L; ebtables -L
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.2 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4001 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i vlan4002 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 6, policy: ACCEPT
-i wl0.2 -j DROP
-o wl0.2 -j DROP
-i vlan4001 -j DROP
-o vlan4001 -j DROP
-i vlan4002 -j DROP
-o vlan4002 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

vlan4000 dont show..the one i enabled intranet access on, but SSID is up and can use it for internet access
Cant see anything else..
What should i look for? @ColinTaylor

 

[ColinTaylor]

@Zastoff OK That's all useful information. The absence of vlan4000 in the output of ebtables is correct (for LAN access).

As for the rest, you'll have to bear with me as I don't own this model router and it's not like any of the others.

Can you show us the output of:

brctl show

 

[Zastoff]

ASUSWRT-Merlin RT-AC87U 384.11-0 Wed May  8 22:15:02 UTC 2019
drizzt@RT-AC87U-99F8:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.38d547e599f8       yes             vlan1
                                                        eth1
                                                        wl0.2
                                                        vlan4001
                                                        vlan4002

 

[Zastoff]

Haha omg did another reboot now i have intranet access on normal 5Ghz and guest 1
Now it seems to be working as it should..no access on 5Ghz guest 2 or 3

Edit:
Now did a hard reboot
Have intranet access on normal 2.4 and 5Ghz and guest1(5Gghz)
No intranet access on the other guest networks
So all seems to be working now dont understand..