strict rekeying does not work at all in this build
this only works in builds > r46169
Very good to know, thanks! I'll review my experiences with the r46169 to r462xx builds with that in mind, and potentially retest for Apple issues.
pbphoto wrote:
...
With just those 3 devices connected to the 5ghz-80vht antenna, pings never stopped but different apps or sessions within an app on my macbook would hang.
...
I kept management frame protection on enable on the 5ghz antenna but set it to auto on the 2.4ghz antenna, and a lot of devices were able to connect to the 2.4ghz antenna now. All traffic and pings hung up fairly quickly on my apple devices connected to the 5ghz antenna.
...
Unless that's a typo, it surprises me that changing management frame protection (MFP) on 2.4G would affect 5G pings at all. Possible, but definitely not what I would have expected! Just for reference, I'd changed both of my WPA2-EAP wlans (wlan0.1 and wlan1.1) to MFP Auto simultaneously.
I honestly don't remember which build that was on, but I think it was when I was trying to add our first suspected WPA3-capable device (a Win10 PC with Intel AC9560 nic) - probably sometime in early February. My underlying difficulty adding WPA3 turned out to be a careless typo (LoL) in my 5G Radius Auth Server Address, but I've kept the MFP Auto settings for WPA2 ever since and apparently lucked out of some of the connection issues that others had, at least until r463xx rained on my parade. _________________ My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
20mhz width on the 5ghz channel AC-N mixed - Apple devices still hung up after a while.
80mhz width on the 5ghz channel AC-only - Apple devices still hung up after a while.
Turned off 5ghz radio forcing all clients to 2.4ghz radio - Apple devices still hung up after a while.
I'll probably be heading back to 44048. I did some more testing with 46380 and Apple devices appear to be very stable even after the crash-dump. I'll leave an update in the 46380 thread.
I had trouble with r46380 too, but actually slightly worse for PC than for iPad. Just in case it helps at all, attached are separate screenshots of the settings for each of our 5G wlans as both currently up on single ACSv2 under r46069 without issue.
strict rekeying does not work at all in this build
this only works in builds > r46169
There was no r46169 beta. Do you mean strict rekeying was implemented or fixed after r46069 or after r46166? Your answer could help me concentrate my retesting time/effort on the most pertinent builds.
Keep us posted. I tried BI=100 and DTIM=3 yesterday. It seemed to be good for about 30 minutes before Apple devices (IOS and MACOS) started hanging up and the wife started bitching. Went back to 44048 with BI=100 and DTIM=2. Maybe there is a magic suite of settings that works, but I can't find it. ps - I have a 1900ACSv1.
Between tests of current builds, I've been reverting back to this r46069 build (thanks to Fonzi's suggestion) for daily use with Apple and other devices. For those having trouble moving from r44048 to r46069 while still supporting Apple devices, I'm posting my wireless configuration. Attached are full pdf printouts of my wireless basic and wireless security pages with advanced settings displayed (login necessary to see/download). If you want to see any other webif GUI pages, just ask!
I should note that this router is currently set up as a Gateway with OpenVPN client and FreeRadius server, so my wifi is WPA3-Enterprise on one vlan and WPA2-Enterprise on another. But I don't think Enterprise (EAP) is required for this to work, since I have at other times had another vlan using wpa-personal such as wpa2-psk and/or wpa3-sae. However, if you want to set up Enterprise for presumably increased security, especially with wpa2, I basically just followed this how-to (but also beware that some special characters in the FreeRadius passphrase may prevent successful certificate generation): https://teledom.gr/tech/dd-wrt/dd-wrt-wrt1900acs-v2-freeradius/
EDIT: Posted "redacted" versions removing PII. If you downloaded before redactions, it's all good but please refrain from re-posting or sharing.
EDIT #2: I should also note that all of our Apple devices are fully updated, so even the old ones now support WPA3. Thus, the Apple devices are all currently connecting on my wlan0 and/or wlan1 where the DTIM is 3, and not on my wlan0.1 or wlan1.1 where the DTIM is still 2. Some of our PCs also use WPA3, so these are on wlan0 and wlan1 with the Apples. Unfortunately, none of our Android devices support WPA3 yet, so these are all on wlan0.1 and wlan1.1 with other PCs but no Apples.
Thanks for sharing your settings. I didn't have any luck unfortunately. I tried your settings exactly except for ap-isolation-disabled and wpa2 instead of wpa3. No combination of BI and DTIM worked. The 20mhz full channel width was fairly stable - took a while to reproduce - but performance sucked. I tried other settings and I was even able to get a single IOS device to hang when it was the only device connected at the time.
I tried setting up a new 5ghz wlan0.1 VAP under a new test SSID using WPA3-personal. The only two devices connected were my iphone SE-2020 (IOS 14.4.2) and my 2018 Macbook Pro (11.2.3). Again, I tried every combination of BI and DTIM - no luck. Sometimes both devices would hang up at the same time. Sometimes I noticed that within the same browser on my iphone, one tab would be hung but others would update. Or, access google via the browser would be hung but speedtest would work for another minute or two.
Back to 44048 on my 1900ACSv1 with BI 100 and DTIM 2.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Jun 11, 2021 17:21 Post subject:
Sorry, KP... I just now saw this.
kernel-panic69 wrote:
I just emailed BrainSlayer about this to see if it's a cosmetic issue or what.
UPDATE: BrainSlayer says that there is 128K nvram configured on Marvells. Could you give more information on which build you ran out of nvram space on?
Just to be clear, the importance of this at this late date is that if in recent builds nvram is smaller than dd-wrt thinks it is, serious out-of-bounds errors could be the mechanism behind all the issues Marvell users have had with recent builds.
So, I experienced the truncation when flashing from 41954 to 42926. I hoped the over-detailed analysis to follow would somehow show that the nvram size threshold where truncation occurred was in some interval that includes 65536, but the trouble threshold seems to have been at or less than 63652 bytes (or maybe my caffeine level is too low to get the number right). In any case, going back and reducing nvram by some 6726 bytes by disabling traff and unsetting its nvram variables yielded a clean flash with no truncation.
-----details:
May 1 2020 in 41954:
"nvram show" stdout size: 63329
"nvram show | grep traff | wc -c" returns 6671 (bytes)
rc_startup is 8649 bytes
May 10 2020
first flash of 42926 (download labeled 42925)
discover rc_startup was seriously truncated
nvram size per "nvram show" stderr: "size: 63851 bytes (1685 left)"
booted back into 41954
restored May 1 config
removed traff vars
nvram size per "nvram show" stderr: 55033 bytes
re-flash 42926, maintaining config: no problems, rc_startup intact
nvram size per "nvram show" stderr: 55266 bytes (10270 left)"
"nvram show" stdout size: 55231 bytes
Let's start at the next-to-last line. The implied total size of nvram is 55266 + 10270 = 65536. The status page showed 64K as well, as it always did before, with earlier builds I had tried.
Now consider the last two lines. The stderr nvram size less the stdout nvram size is 55266 - 55231 = 35 bytes, a minor difference. At the top then, the implied nvram stderr size on May 1 is 63329 + 35 = 63364 bytes.
I don't have all the numbers for May 10, but we can reconstruct some of them. I can see in my saved "nvram show" outputs that traff-data size increased 55 bytes from Feb 6 to Feb 15, so that's a good guess as to the increase from May 1 to May 10. (Same number of days, not spanning a month boundary.) The estimated nvram stderr size on May 10 then, before any flashing, is 63364 + 55 = 63419 bytes. The estimated traff data size just before the first flash on May 10 is 6671 + 55 = 6726 bytes.
Comparing the "nvram show" stderr numbers immediately before and after the reflash shows the new build required 55266 - 55033 = 233 more nvram bytes. So the estimated "nvram show" stderr size of the failed flash is 63419 + 233 = 63652 bytes.
I can't say why the flash failed at the latter number, but removing the estimated 6726 bytes of traff data to bring nvram down to 55231 + 35 = 55266 bytes (implied nvram stderr size) fixed things. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
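The used-plus-left arithmetic in the post above can be automated before a flash. This is an added example, not part of the original post or of DD-WRT: the function names and the `MIN_FREE` margin are hypothetical, and it assumes the stderr summary has the `size: N bytes (M left)` form quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): derive the nvram total implied by the
# summary line that `nvram show` prints on stderr, e.g.
#   size: 55266 bytes (10270 left)
# On a router the line can be captured with:
#   nvram show 2>&1 >/dev/null | grep 'size:'

# Print "USED LEFT" parsed from a summary line; fail if it does not match.
nvram_parse() {
    printf '%s\n' "$1" |
        sed -n 's/.*size: \([0-9][0-9]*\) bytes (\([0-9][0-9]*\) left).*/\1 \2/p' |
        grep .
}

# Print used + left, the total nvram size the firmware is accounting against.
nvram_total() {
    fields=$(nvram_parse "$1") || return 1
    set -- $fields
    echo $(( $1 + $2 ))
}

# nvram_check LINE EXPECTED_TOTAL MIN_FREE
# EXPECTED_TOTAL is what the build is believed to provide (131072 for 128K).
# MIN_FREE is a hypothetical safety margin, not a DD-WRT constant.
nvram_check() {
    expected=$2 min_free=$3
    fields=$(nvram_parse "$1") || { echo "UNPARSEABLE"; return 0; }
    set -- $fields
    total=$(( $1 + $2 ))
    if [ "$total" -ne "$expected" ]; then
        echo "MISMATCH total=$total expected=$expected"
    elif [ "$2" -lt "$min_free" ]; then
        echo "LOW total=$total left=$2"
    else
        echo "OK total=$total left=$2"
    fi
}

# Summary lines quoted in the post, checked against a 128K and a 64K total.
nvram_check 'size: 63851 bytes (1685 left)' 131072 4096
nvram_check 'size: 63851 bytes (1685 left)' 65536 4096
nvram_check 'size: 55266 bytes (10270 left)' 65536 4096
```

A `MISMATCH` against 131072 is the condition the thread is asking other Marvell owners to confirm or rule out.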
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Fri Jun 11, 2021 19:18 Post subject:
Thanks for getting back to me. I just replied to BrainSlayer about it; took me a few minutes to find the email from March 29th...
Can anyone else please verify that newer builds on Marvell only show 64k nvram space or 128k nvram space, please? Need verification on WRT1200AC v1 / v2; WRT1900 AC v1 / v2; WRT1900ACS v1; WRT3200ACM; WRT32X. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sat Jun 12, 2021 1:27 Post subject:
I guess I should have clarified, "with output of nvram show | sort", not just the webUI info. But anyway, it looks as somehow the WRT1900AC* devices have something screwed up.