Lose Internet every 30 minutes

ansym3
DD-WRT Novice


Joined: 28 Mar 2019
Posts: 8

Posted: Fri Apr 19, 2019 1:44    Post subject: Lose Internet every 30 minutes
I just upgraded my ddwrt the other day and reset to fix a separate issue. Every 30 minutes I lose Internet both wirelessly and wired, can’t even access the ddwrt admin page about maybe 65% of the time, though I can 35%ish. I have to reboot to fix it.

I’m fairly confident that it is precisely every 30 minutes, which makes me think some default setting is screwing with this?

My VPN killswitch: iptables -I FORWARD ! -o tun1 -j DROP

VPN config:
tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

My router is in wireless repeater mode. The router it repeats does not lose Internet.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Fri Apr 19, 2019 2:15
I recommend keeping an eye on the syslog (or vpn client log) during this time to see if there are any relevant messages. Most likely the VPN is going through a soft-restart, perhaps caused by the OpenVPN server. IOW, your OpenVPN provider may be forcing a restart just to make sure the OpenVPN client is really there, and if not, he saves resources by killing the connection. Just a guess.

I would normally assume the reneg-sec setting was causing this. This defaults to 3600 (every hour). This causes the session key to be rekeyed. But obviously this can't be the culprit if the value is 0. As an aside, the VPN provider probably suggested this so he could reduce the overhead of having to rekey the session key. Once again, that saves him resources, but at the expense of your security! reneg-sec should be set to something reasonable, say 3600, 1800, etc., NOT 0!
ansym3
DD-WRT Novice


Joined: 28 Mar 2019
Posts: 8

Posted: Fri Apr 19, 2019 4:59
eibgrad wrote:
I recommend keeping an eye on the syslog (or vpn client log) during this time to see if there are any relevant messages. Most likely the VPN is going through a soft-restart, perhaps caused by the OpenVPN server. IOW, your OpenVPN provider may be forcing a restart just to make sure the OpenVPN client is really there, and if not, he saves resources by killing the connection. Just a guess.

I would normally assume the reneg-sec setting was causing this. This defaults to 3600 (every hour). This causes the session key to be rekeyed. But obviously this can't be the culprit if the value is 0. As an aside, the VPN provider probably suggested this so he could reduce the overhead of having to rekey the session key. Once again, that saves him resources, but at the expense of your security! reneg-sec should be set to something reasonable, say 3600, 1800, etc., NOT 0!


Thanks for the help. I thought it might have something to do with the rekey thing, guess not. The weird thing is not being able to access router admin page locally most of the time this happens. I don’t get the same issues using an OpenVPN client on same VPN service on another computer and non-repeated router.

I’ll see if I can see any router logs before I can’t connect to router admin anymore.

Didn't have issue before upgrading from v24 sp2 to this, same vpn provider and settings.

Maybe my killswitch is preventing local router admin access. But that makes no sense.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Fri Apr 19, 2019 5:25
While I don't have an explanation for why it might be restarting (if indeed that's the case), I can explain one possibility why it can't get restarted.

It's sometimes possible for the VPN to get "stuck" because it's using a domain name for the Server/IP Name field in the OpenVPN client GUI. Because of the way the OpenVPN client is configured (specifically, using the persist-tun directive, which I've complained about in the past), on a restart, that directive forces the router to re-resolve the domain name before attempting to reconnect. But sometimes that can be problematic. If the router's default gateway is still pointing to the VPN, or the DNS servers have been pushed to the OpenVPN client and DNSMasq has been reconfigured to use the VPN provider's DNS servers, and those DNS servers are only available over the VPN, you have a classic catch-22. The router can't restart the VPN until it can resolve the domain name across that same VPN!

When this happens, you'll see messages in the syslog that say something to the effect "N RESOLVE: can't resolve <domain-name> ...". And as it keeps retrying, those error messages repeat endlessly. It just gets stuck.

That's a long way of saying, try using explicit IPs for the Server/IP Name field rather than a domain name. See if it helps.
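
The two configuration points raised in the replies above (reneg-sec 0, and persist-tun combined with a server given by name) can be checked mechanically. This is an added example, not part of the original thread; the `audit_ovpn` function, its finding labels and the `remote vpn.example.net` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the OpenVPN client settings discussed in this thread.
# Reads a client config on stdin and prints one finding per line.
audit_ovpn() {
    awk '
    { sub(/[#;].*/, "") }                        # drop comments
    $1 == "reneg-sec" && $2 == "0" { reneg0 = 1 }
    $1 == "persist-tun"            { ptun = 1 }
    $1 == "remote" && NF >= 2 {
        # A dotted quad, or anything containing ":" (IPv6), is a literal address.
        if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 !~ /:/)
            names = names " " $2
    }
    END {
        if (reneg0)
            print "RENEG_DISABLED: reneg-sec 0 turns off periodic session-key renegotiation"
        if (names != "")
            print "REMOTE_BY_NAME:" names
        if (names != "" && ptun)
            print "RESTART_NEEDS_DNS: persist-tun plus a named remote; a restart depends on DNS"
    }'
}

# Constructed sample: directives posted in the thread plus a hypothetical
# remote line (the thread does not show the server entry).
sample_config() {
    cat <<'EOF'
tls-client
remote-cert-tls server
remote vpn.example.net 1194   # hypothetical server name
persist-key
persist-tun
reneg-sec 0
EOF
}

sample_config | audit_ovpn
```

A config that uses a literal server address and a non-zero reneg-sec produces no output.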
ansym3
DD-WRT Novice


Joined: 28 Mar 2019
Posts: 8

Posted: Sun Apr 28, 2019 0:24
eibgrad wrote:

That's a long way of saying, try using explicit IPs for the Server/IP Name field rather than a domain name. See if it helps.


Thanks for the help. I tried this but still get the issue.

It is not precisely every 30 minutes as I thought, though usually it is very close. Rarely it can be longer, like an hour.

I cannot check my OpenVPN client log by the time this happens. If anyone can give me a single clue as to why I would lose access to the local admin panel, I’d be grateful.

Had to disable DNSMasq because as a separate issue, it causes DNS leaks. Still occurs.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3667
Location: Netherlands

Posted: Sun Apr 28, 2019 8:01
Well maybe that is the issue, that you disabled DNSMasq?

DNSMasq is not causing DNS leaks, it is the way you use or set it up (sometimes a bug can also play a role).

In my signature there is a thread for a simple-PBR script, in that thread there is also a note on DNS leakage, maybe that is helpful in plugging the leak?

Furthermore you can write syslog to a remote client to see what is going on: https://wiki.dd-wrt.com/wiki/index.php/Logging_with_DD-WRT

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
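
With syslog collected on another machine as suggested above, the restart interval and the RESOLVE loop described earlier in the thread can be read off the capture. This is an added example, not part of the original thread; the function name and the log lines are constructed (modelled on OpenVPN's usual wording), and timestamps are assumed to stay within one month.

```shell
#!/bin/sh
# Added example: summarise OpenVPN client restarts in a syslog capture (stdin).
# Assumes classic "Mon DD HH:MM:SS" timestamps that stay within one month.
vpn_log_summary() {
    awk '
    function secs(day, hms,   t) {
        split(hms, t, ":")
        return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /process restarting/ {                     # soft restart of the client
        now = secs($2, $3)
        if (n++) { gaps = gaps sep int((now - last) / 60); sep = "," }
        last = now; up = 0; fails = 0
    }
    /RESOLVE:/ { fails++; total++ }            # name lookup failed on reconnect
    /Initialization Sequence Completed/ { up = 1 }
    END {
        # "stuck": the last restart never completed and lookups were failing
        stuck = (n && !up && fails) ? "yes" : "no"
        printf "restarts=%d gaps_min=%s resolve_failures=%d stuck=%s\n",
               n, (gaps == "" ? "-" : gaps), total, stuck
    }'
}

# Constructed sample lines, not taken from the poster's router.
sample_log() {
    cat <<'EOF'
Apr 28 13:00:02 DD-WRT daemon.notice openvpn[1402]: Initialization Sequence Completed
Apr 28 13:30:05 DD-WRT daemon.notice openvpn[1402]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 28 13:30:12 DD-WRT daemon.notice openvpn[1402]: Initialization Sequence Completed
Apr 28 14:00:09 DD-WRT daemon.notice openvpn[1402]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 28 14:00:14 DD-WRT daemon.err openvpn[1402]: RESOLVE: Cannot resolve host address: vpn.example.net:1194
Apr 28 14:00:19 DD-WRT daemon.err openvpn[1402]: RESOLVE: Cannot resolve host address: vpn.example.net:1194
EOF
}

sample_log | vpn_log_summary
```

`gaps_min` lists the minutes between consecutive restarts, which shows whether the outage really follows a fixed period.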
ansym3
DD-WRT Novice


Joined: 28 Mar 2019
Posts: 8

Posted: Sun Apr 28, 2019 13:39
egc wrote:
Well maybe that is the issue, that you disabled DNSMasq?

DNSMasq is not causing DNS leaks, it is the way you use or set it up (sometimes a bug can also play a role).

In my signature there is a thread for a simple-PBR script, in that thread there is also a note on DNS leakage, maybe that is helpful in plugging the leak?

Furthermore you can write syslog to a remote client to see what is going on: https://wiki.dd-wrt.com/wiki/index.php/Logging_with_DD-WRT


It also was occurring with DNSMasq enabled. I wouldn’t guess that DNS issues could prevent local admin access, but you two would know better than me. Thanks for advice on the separate leakage issue, I’m going to check that out.

I will follow the logging tutorial and report back. The work you guys do helping people on this forum is really great.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Apr 28, 2019 15:08
Btw, I don't recall you mentioning the hardware. There are known issues w/ specific hardware, and that's why sometimes it's better to address this type of problem in the forum for that router's chipset.

What got me thinking about this was the following thread over at Merlin's forum on SNB.

https://www.snbforums.com/threads/help-please-rt-ac86u-troubles.56347/

That's why I tend to stick w/ older, totally proven hardware (e.g., ASUS RT-AC68U). Sometimes it takes a few years before issues become well-known and develop a reputation of being problematic.
ansym3
DD-WRT Novice


Joined: 28 Mar 2019
Posts: 8

Posted: Mon Apr 29, 2019 14:59
eibgrad wrote:
Btw, I don't recall you mentioning the hardware. There are known issues w/ specific hardware, and that's why sometimes it's better to address this type of problem in the forum for that router's chipset.

What got me thinking about this was the following thread over at Merlin's forum on SNB.

https://www.snbforums.com/threads/help-please-rt-ac86u-troubles.56347/

That's why I tend to stick w/ older, totally proven hardware (e.g., ASUS RT-AC68U). Sometimes it takes a few years before issues become well-known and develop a reputation of being problematic.


I am using a TRENDNET TEW-818DRU. Chipset Broadcom BCM4708A0. I had an Asus router, but no ddwrt version was available for it, so I got this cheap thing a while ago. I may need to upgrade.

My ddwrt version is v3.0-r37305. This is apparently a beta, but I am fearful that if I downgrade I’ll be back to the 10 kilobyte per second Internet download problem I had.

I’d guess repeater mode is culprit, but I can’t connect my router any other way to test.

Having troubles logging. Of course, when the issue starts I lose access to both the Internet and local router admin, so I need log persistence locally.

I used this as a startup command:
killall syslogd
syslogd -L -s 8192 -O /var/log/messages

But unfortunately, after using cat on /var/log/messages, it just shows some logs from January 1st (have reset router plenty this month, must be Unix timestamp or something), then current session logs, but they do not persist after restart.

Since remote logging is not an option, how can I persist them? Filesystem readonly if any help.

Kill switch is this for reference, probably irrelevant:
iptables -I FORWARD ! -o tun1 -j DROP

EDIT: Just tried upgrading to a build from last week. Sure enough, 200 Kbps download bug returns.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 302
Location: California

Posted: Tue Apr 30, 2019 23:59    Post subject: Config Issues
Does it lose internet when the VPN isn't enabled?
Remove the kill switch and use it without the VPN and see if it drops your connection.

Also, I have seen this issue on various routers when the Wifi channels are manually set but the channels selected don't work right with the hardware.

What channels are you using for your 2.4 and 5G?

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
All times are GMT