Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Fri May 19, 2023 22:24 Post subject:
as we dont know much about your wifi settings post a pic of your R7000
wifi settings and advanced 2.4ghz settings..
for your wifi security (make sure you use wpa2 128aes only and no tkip)
de-auth could be also caused by sending a null (malicious wifi de-auth) if you have a suspicious skinny, pale skin, greasy hair with spectacles, (chips and cola diet) neighbour... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
as we dont know much about your wifi settings post a pic of your R7000
wifi settings and advanced 2.4ghz settings..
for your wifi security (make sure you use wpa2 128aes only and no tkip)
de-auth could be also caused by sending a null (malicious wifi de-auth) if you have a suspicious skinny, pale skin, greasy hair with spectacles, (chips and cola diet) neighbour...
Ok, but keep in mind, you mentioned the deauthentication is happening to you too.. plus the only change is the dd-wrt build. I have not changed wifi settings in years.
Btw, most devices are using 5GHz, so that is where I noticed the deauthentication, but I have no reason to believe it doesn't also happen on 2.4GHz. I suppose I could test that.
I'm just hoping my observation about the rekeying time drift, and correlation of de-authentication when it reaches ~2 minutes total drift might be a clue in solving this issue. Again, as noted, this did not used to happen on older builds with the same wifi settings.
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Fri May 19, 2023 23:13 Post subject:
im not using 5Ghz anywhere (its in my signature )
also since i sat key retaking to 14400 no drops at all..
ok i can spot few things around..
-i dont fiddle with bacon interval on broadcoms so i left mine to default same for DTIM
-i also use IP isolation, so clients dont see each other (whatever this option works) as with some apps this is not a problem..
-TX power i set to max...999 (just not happy with auto)
-on 2,4Ghz i dont use NG mixed on (broadcom) routers, use mixed instead...
-i dont use explicit or implicit beamforming...not sure this future is working well with all clients..
-same for TurboQ...clients must support it on driver level...so those are disabled..
to be honest i tested those for long time on/off and didn't see any advantage, running mixed vendor clients..
-ACK timing set to 90 is very incorrect...the lowest i used is 450, but its ok to 900 or even 3150...
-same for 5Ghz..beamforming and TurboQ along with ACK time...set it to 900
and make sure you use valid 5Ghz channels...your channels are lower lower, where it should be
52+UU upper upper
for the 5ghz radio, proper vht80 extension channel configs are:
There are only 6 possible 80Mhz blocks, so you can limit yourself to the following channels for testing purposes
36-48 36+UU
52-64 52+UU
100-112 100+UU
116-128 116+UU
132-144 132+UU
149-161 149+UU
The following should be noted:
36+UU
52+UU DFS
100+UU DFS
116+UU DFS RADAR Detection
132+UU DFS
149+UU in Europe for low range
try those setting i use, along with key 14400 and see how it goes... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
-ACK timing set to 90 is very incorrect...the lowest i used is 450, but its ok to 900 or even 3150...
Sir twindragon6 introduced this anomaly into the wiki by recommending this setting be 90, which is based on IEEE specs. This has been tested extensively in-house with mixed results. Quite honestly, 450, 900, or 1350 is more than enough. 3150 causes degradation in my opinion, but that's something some would argue over, I'm sure. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
im not using 5Ghz anywhere (its in my signature )
also since i sat key retaking to 14400 no drops at all..
ok i can spot few things around..
-i dont fiddle with bacon interval on broadcoms so i left mine to default same for DTIM
-i also use IP isolation, so clients dont see each other (whatever this option works) as with some apps this is not a problem..
-TX power i set to max...999 (just not happy with auto)
-on 2,4Ghz i dont use NG mixed on (broadcom) routers, use mixed instead...
-i dont use explicit or implicit beamforming...not sure this future is working well with all clients..
-same for TurboQ...clients must support it on driver level...so those are disabled..
to be honest i tested those for long time on/off and didn't see any advantage, running mixed vendor clients..
-ACK timing set to 90 is very incorrect...the lowest i used is 450, but its ok to 900 or even 3150...
-same for 5Ghz..beamforming and TurboQ along with ACK time...set it to 900
and make sure you use valid 5Ghz channels...your channels are lower lower, where it should be
52+UU upper upper
for the 5ghz radio, proper vht80 extension channel configs are:
There are only 6 possible 80Mhz blocks, so you can limit yourself to the following channels for testing purposes
36-48 36+UU
52-64 52+UU
100-112 100+UU
116-128 116+UU
132-144 132+UU
149-161 149+UU
The following should be noted:
36+UU
52+UU DFS
100+UU DFS
116+UU DFS RADAR Detection
132+UU DFS
149+UU in Europe for low range
try those setting i use, along with key 14400 and see how it goes...
Ok, changes made:
Advanced settings for wl0 and also wl1:
- Beacon interval: 100ms (default)
- DTIM: 1 (default)
- AP isolation still disabled for now
- TX Power: 999 (not 1000? ok.. although status page reports 1000mW )
Key renewal interval remains at 14400 for now for both wl0 and wl1. (takes longer to test vs shorter intervals)
5GHz channel is 52 + 58 (upper upper) as confirmed by the status page. Broadcom flips UU to LL, hence my setting.
---
Initial tests with iperf3 show no worse, and perhaps better, throughput with the new settings: 250-450 Mbps, say 300 Mbps typical. Very jumpy, but that is 5 GHz from the mighty R7000 AP in the basement going to a computer two floors up!
Now to check over time what happens with the rekeying and de-authentication.. stand by.
as this is Broadcom router and those run propriety drivers, not much you can do..try with different bacon times or longer key use i ve no problem with 14400..but...Broadcom WiFi is not the most compatible with various radio vendors and this is fact...one reason i stopped to use R7000 as an edge router..currently it serves various clients, intel, QCA, other broadcom and mediatek...i ve no issues but it seams your client is not very compatible...try to change country domain im on CANADA if this will help...also 5Ghz you must use the correct channels those are also very picky...among various clients...
give this client static IP from both sides router and client..if it helps...
or check if you have a odd character in your wifi password..no idea what else to try.. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Did the proprietary Broadcom drivers change since r47925? I didn't have this issue with that build, so I doubt it has to do purely with my old or new settings or the same client devices.
The client from which those logs are obtained already has a static DHCP IP. And the client wifi devices affected include a variety of brands: Realtek, Intel, LG, and I haven't confirmed yet if it happens with Samsung and Motorola/Lenovo devices.
I upgraded to r52596 and reason 16 deauthentications are still happening.
Just thinking about the stated reason of group key handshake timeout, it seems sensible to look for time-related issues or anything that could cause delays. I already use NTP on the router/AP and clients, and the update deltas in the router logs are usually very small, 0 or 1.
ChatGPT has these suggestions
Quote:
If multiple users have reported the same issue with the DD-WRT firmware, and you have observed that the timestamp for the group key handshake shortens each time until a deauthentication occurs, it could potentially indicate a clock or timing issue within the router or the firmware.
A clock or timing issue can lead to synchronization problems between the client and the access point, causing the group key handshake to fail consistently and eventually result in a deauthentication. This type of issue could occur due to various reasons, such as:
Clock drift: The clock on the router or client device may not be accurate or may drift over time, leading to timing discrepancies during the handshake process.
Time synchronization: The router and client may not be properly synchronized with a reliable time source. If there is a significant time difference between them, it can cause issues during the handshake.
Firmware bug: There could be a bug within the DD-WRT firmware that affects the timing or clock synchronization during the group key handshake process.
Are your group rekeying timestamps consistent or do they drift too?
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sun May 21, 2023 19:24 Post subject:
ChatGPT is bollocks, try to ask him to wright you a snort script for Intrusion detection and prevention, than run it on your compliance...
If time was a factor all other platforms would be affected as NTP time is the same on all devices..vendors..its more likely either router wifi drivers or your clients..
You can try to set your NTP time, like i do ..i choose a time zone in my case London...and in
NTP time box i put those 2 IP 216.239.35.8 162.159.200.123 (google NTP time and clouflare )
just copy paste those,must be a interval between them as it is...save and apply..reboot..
I dont know any clients that will try to synch time from the router NTP time...usually they make their own requests via their NTP time servers...and NTP time on the router side its only for its own demands..no idea how those 2 will be connected...
To be honest, i dont know if Broadcom wifi drivers ware updated recently and dont follow their update...very likely those to run the last available binary..and those could be the reason...if so..
The thing is my R7000 (i use only 2,4Ghz) is ok and dont see any drops or those happen very quick and cant notice... nope i just checked my log's nothing for 2 days, so far...no idea where else to look at..
-check your static devices names doesn't contain any spaces or unhallowed characters
-try to reset and manually recompile (press reset button for 8-10 sec) _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
NTP is already working fine on the router, AP, and clients. To be clear, the clients have their own NTP setup, I don't mean they sync with the router/AP...
Instead of playing with dozens of variables blindly, I kept them as-is and changed the one variable which was observed to make a difference: the dd-wrt version. Testing back on r47925, the client uptime is as long as the AP uptime, no reason 16 deauthentications in over 2 days so far:
Quote:
May 21 20:38:47 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 21 21:38:45 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 21 22:38:40 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 21 23:38:39 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 00:38:34 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 01:38:30 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 02:38:28 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 03:38:25 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 04:38:24 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 05:38:21 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 06:38:19 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 07:38:18 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 08:38:16 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 09:38:14 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 10:38:13 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 11:38:11 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 12:38:10 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 13:38:08 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 14:38:07 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 15:38:04 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 16:38:00 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 17:37:51 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 18:37:31 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 19:37:27 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 20:37:18 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 21:37:14 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 22:37:13 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 22 23:37:09 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 00:37:05 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 01:37:04 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 02:37:01 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 03:36:55 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 04:36:53 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 05:36:52 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 06:36:50 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 07:36:45 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 08:36:38 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 09:36:33 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 10:36:31 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 11:36:29 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 12:36:27 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 13:36:24 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 14:36:21 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 15:36:19 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 16:36:16 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 17:36:07 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 18:36:04 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
May 23 19:35:56 [hostname] wpa_supplicant[2294]: wlp6s0: WPA: Group rekeying completed with [AP MAC] [GTK=CCMP]
Other clients also have long uptimes. So this mostly rules out settings and clients as the culprits.
That's not a de-authentication, that is a group rekey.
fizikz wrote:
Did the proprietary Broadcom drivers change since r47925?
https://svn.dd-wrt.com/changeset/49789 _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
The last time the proprietary Broadcom binary object files were updated and uploaded to the public repository. Outside of that, you'd have to look through the "automatic commit of driver changelogs" entries. Have fun. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Ok, thanks for digging up that info. The released versions that straddle r49789 are r49741 (08-15-2022) and r49792 (08-20-2022).
To test the Broadcom drivers angle, I've upgraded to r49792 to see if the issue reoccurs, and if it does, I'll downgrade to r49741 to see if it goes away.
Both r49792 and r49741 have had reason 16 de-authentications.
Not sure what else to try. I could either stay on known working old version like r47925 and risk security vulnerabilities, or upgrade to the latest and hope the issue gets fixed eventually.
The de-authentication events are fortunately very brief and the clients re-establish connection almost seamlessly, but I'm not sure if it could create issues for time-sensitive applications like voip or video calls.