MT3000: Beryl AX Wi-Fi 5G Wireguard DNS OPNsense

I recently bought an Opal as part of some testing I was doing. They went well enough that I then bought a Beryl AX to run the same tests.

The primary goal was to test VPN connectivity back to an OPNsense firewall. In doing so I configured Wireguard and OpenVPN VPNs. On the Opal these all work as expected with no issues.

On the Beryl there are a number of issues (with the firmware as shipped, with 4.6.9 and 4.7 beta).

When scanning for Wi-Fi networks the Beryl reports 2.4G for a number of networks I have running in the office (Unifi 6E WAPs) or from Android hot-spots (both OnePlus Wi-Fi 6 Android 14 devices) which are running 2.4G & 5G.

Where it does not report a mixed network I am unable to connect to the 5G Wi-Fi, and if I set an Android hot-spot to 5G only the Beryl does not see the network.

While both Wireguard and OpenVPN VPNs run on the Beryl there is a DNS issue with Wireguard. It looks similar to Wireguard DNS issues reported for earlier versions of firmware. I have iterated through the various Network/DNS options and not found a working combination.

If I run the OpenVPN connection DNS resolves correctly, after which any cached DNS entries are available to a subsequent Wireguard connection (as expected).

Any help appreciated.

Hi,

Please assist to check the Wi-Fi (repeater) scanning:
iwinfo
iwpriv ra0 get_site_survey

  1. Does the OnePlus hotspot 5G SSID display in the list?
  2. If not, what is the hotspot channel? Can you change the hotspot channel to CH36?
  3. Regarding the DNS issue, is it your self-hosted DNS server, a public one, or one in the VPN network?
  4. Please export the syslog and PM me.

Does the oneplus hotspot 5G SSID display in the list?

ra0 reports as 2.4g so none of the 5G networks are listed.

Looking at rax0 I can see a list of 7 networks on channels between 36 and 60 some of which are hidden.

If not, what is the hotspot channel? Can you change the hotspot channel to CH36?

From my UniFi console I can currently see 19 5G (103 2.4G) networks.
All of the 5G networks are on channels between 153 and 161 (including my office networks).
What are not listed on the console are the networks on channels 36 to 60.

I.e. the Beryl reports the low channels and my console the high ones.

As for Android it will allow selection of any of the supported bands but no longer allows channel configuration. IIRC it used to.

I could force channel selection, but that won't be an option when out in the wild, so it will be interesting to know what the restrictions on 5G are and why the Opal works OK (I might look at that later).

Regarding the DNS issue, is it your self-hosted DNS server, a public one, or one in the VPN network?

The DNS is provided by the OPNsense firewall for the road warrior clients. This WG server has been running since 2020 and is in 24/7 use by all WG clients away from the office. The firewall's DNS uses local resources for the internal network lookups and resolves to well known public servers for external lookups.

The Opal is seeing channels from 36 to 161

Beryl -5G

On the Beryl I ran iwpriv apclix0 get_site_survey on a one minute loop.

After lunch I noticed it started to pick up a network on channel 108

apclix0   get_site_survey:  
Total=8     
No  Ch  SSID                             BSSID               Security               Rssi    Siganl(%)W-Mode      ExtCH  NT SSID_Len WPS DPID BcnRept   MWDSCap MDId FToverDS RsrReqCap  
0   36  XXXXXXXX                         80:72:15:37:bc:1d   WPA2PSK/AES            -87     7        11a/n/ac    ABOVE  In 8        YES      NO     NO   
1   36  XXXXXXXX                         90:02:18:4d:2f:02   WPA2PSK/AES            -93     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
2   36  XXXXXXXX                         80:75:1f:dd:3d:95   WPA2PSK/AES            -98     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
3   48                                   82:d6:d0:85:a5:27   WPA2PSK/AES            -85     13       11a/n       NONE   In 0        YES      NO     NO   
4   52                                   e8:76:40:53:45:b3   WPA2PSK/AES            -98     0        11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
5   52  XXXXXXXX                         e8:76:40:53:45:b5   WPA2PSKWPA3PSK/AES     -98     0        11a/n/ac/ax ABOVE  In 8        YES      NO     NO   
6   60  XXXXXXXXXXX                      a6:91:b1:f7:70:cb   WPA2PSK/AES            -96     0        11a/n/ac    ABOVE  In 11       YES      NO     NO   
7   108 XXXXXXXXXXXXXX                   d6:35:1d:06:9c:f5   WPA2PSK/AES            -99     0        11a/n/ac    ABOVE  In 14       YES      NO     NO

I then ran bandwidth optimisation on my UniFi network which reassigned some of the WAPs to channels <100.

apclix0   get_site_survey:  
Total=14    
No  Ch  SSID                             BSSID               Security               Rssi    Siganl(%)W-Mode      ExtCH  NT SSID_Len WPS DPID BcnRept   MWDSCap MDId FToverDS RsrReqCap  
0   36  XXXXXXXX                         90:02:18:4d:2f:02   WPA2PSK/AES            -92     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
1   36  XXXXXXXX                         80:75:1f:dd:3d:95   WPA2PSK/AES            -98     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
2   36  XXXXXXXX                         80:72:15:37:bc:1d   WPA2PSK/AES            -86     10       11a/n/ac    ABOVE  In 8        YES      NO     NO   
3   44                                   12:59:32:0e:4f:15   WPA2PSK/AES            -89     2        11a/n       NONE   In 0        YES      NO     NO   
4   44                                   be:d7:d4:59:12:0e   WPA2PSK/AES            -81     23       11a/n       NONE   In 0        YES      NO     NO   
5   44  MYNET3                           ea:38:83:25:6c:62   WPA2PSK/AES            -36     100      11a/n/ac/ax ABOVE  In 10        NO      NO     NO   
6   44  MYNET1                           ee:38:83:25:6c:62   WPA2PSK/AES            -36     100      11a/n/ac/ax ABOVE  In 4         NO      NO     NO   
7   44  MYNET2                           f2:38:83:25:6c:62   WPA2PSK/AES            -36     100      11a/n/ac/ax ABOVE  In 4         NO      NO     NO   
8   44                                   f6:38:83:25:6c:62   WPA2PSK/AES            -36     100      11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
9   44                                   fa:38:83:25:6c:62   WPA2PSK/AES            -36     100      11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
10  48                                   82:d6:d0:85:a5:27   WPA2PSK/AES            -86     10       11a/n       NONE   In 0        YES      NO     NO   
11  52  XXXXXXXX                         e8:76:40:53:45:b5   WPA2PSKWPA3PSK/AES     -99     0        11a/n/ac/ax ABOVE  In 8        YES      NO     NO   
12  52                                   e8:76:40:53:45:b3   WPA2PSK/AES            -98     0        11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
13  60  XXXXXXXXXXX                      a6:91:b1:f7:70:cb   WPA2PSK/AES            -96     0        11a/n/ac    ABOVE  In 11       YES      NO     NO

These could be seen within the GUI so I connected to one of my networks.

Having done this I rebooted the Beryl and re-scanned. I could still see the same networks. However via ssh the Beryl was now reporting WiFi networks with channels ranging from 36 to 161.

apclix0   get_site_survey:  
Total=26    
No  Ch  SSID                             BSSID               Security               Rssi    Siganl(%)W-Mode      ExtCH  NT SSID_Len WPS DPID BcnRept   MWDSCap MDId FToverDS RsrReqCap  
0   36  XXXXXXXX                         90:02:18:4d:2f:02   WPA2PSK/AES            -95     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
1   36  SKYABB7A                         90:02:18:c3:f2:4b   WPA2PSK/AES            -101    0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
2   36  XXXXXXXX                         80:75:1f:dd:3d:95   WPA2PSK/AES            -99     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
3   36  XXXXXXXX                         80:72:15:37:bc:1d   WPA2PSK/AES            -90     0        11a/n/ac    ABOVE  In 8        YES      NO     NO   
4   44                                   12:59:32:0e:4f:15   WPA2PSK/AES            -87     7        11a/n       NONE   In 0        YES      NO     NO   
5   44                                   be:d7:d4:59:12:0e   WPA2PSK/AES            -81     23       11a/n       NONE   In 0        YES      NO     NO   
6   44  MYNET3                           ea:38:83:25:6c:62   WPA2PSK/AES            -35     100      11a/n/ac/ax ABOVE  In 10        NO      NO     NO   
7   44  MYNET1                           ee:38:83:25:6c:62   WPA2PSK/AES            -35     100      11a/n/ac/ax ABOVE  In 4         NO      NO     NO
8   44  MYNET2                           f2:38:83:25:6c:62   WPA2PSK/AES            -35     100      11a/n/ac/ax ABOVE  In 4         NO      NO     NO   
9   44                                   f6:38:83:25:6c:62   WPA2PSK/AES            -35     100      11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
10  44                                   fa:38:83:25:6c:62   WPA2PSK/AES            -35     100      11a/n/ac/ax ABOVE  In 0         NO      NO     NO   
11  48                                   82:d6:d0:85:a5:27   WPA2PSK/AES            -86     10       11a/n       NONE   In 0        YES      NO     NO   
12  60  XXXXXXXXXXX                      a6:91:b1:f7:70:cb   WPA2PSK/AES            -95     0        11a/n/ac    ABOVE  In 11       YES      NO     NO   
13  108 XXXXXXXXXXXXXX                   d6:35:1d:06:9c:f5   WPA2PSK/AES            -100    0        11a/n/ac    ABOVE  In 14       YES      NO     NO   
14  153 AndroidNet                       b2:0c:09:c0:19:e8   WPA2PSK/AES            -51     99       11a/n/ac/ax BELOW  In 9         NO      NO     NO   
15  161 MYNET3                           ea:38:83:26:1f:93   WPA2PSK/AES            -74     39       11a/n/ac/ax BELOW  In 10        NO      NO     NO   
16  161 MYNET1                           ee:38:83:26:1f:93   WPA2PSK/AES            -74     39       11a/n/ac/ax BELOW  In 4         NO      NO     NO   
17  161 MYNET2                           f2:38:83:26:1f:93   WPA2PSK/AES            -74     39       11a/n/ac/ax BELOW  In 4         NO      NO     NO   
18  161                                  f6:38:83:26:1f:93   WPA2PSK/AES            -74     39       11a/n/ac/ax BELOW  In 0         NO      NO     NO   
19  161                                  fa:38:83:26:1f:93   WPA2PSK/AES            -74     39       11a/n/ac/ax BELOW  In 0         NO      NO     NO   
20  161 MYNET3                           ea:38:83:25:d7:29   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 10        NO      NO     NO   
21  161 MYNET1                           ee:38:83:25:d7:29   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 4         NO      NO     NO   
22  161 MYNET2                           f2:38:83:25:d7:29   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 4         NO      NO     NO   
23  161                                  f6:38:83:25:d7:29   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 0         NO      NO     NO   
24  161                                  fa:38:83:25:d7:29   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 0         NO      NO     NO   
25  161                                  aa:b5:7c:e7:c8:d0   WPA2PSK/AES            -99     0        11a/n       NONE   In 0        YES      NO     NO

I still only see a single mode reported for my mixed networks. But it looks like a step in the right direction.

Just to note the enhanced network scanning does not survive after powering off.
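The site survey dumps above are easier to compare when they are parsed rather than read by eye. The following is an added example (my own code, not anything from GL.iNet or the firmware) that parses text in the layout of the `iwpriv apclix0 get_site_survey` output, summarises which 5 GHz sub-bands a scan covers, reports which BSSIDs appeared between two scans, and lists BSSIDs still offering only WPA2. The two scans embedded in it are constructed samples with locally administered MAC addresses and made-up SSIDs, not rows copied from the thread.

```python
import re
from typing import Dict, List

# Constructed sample scans in the layout of the get_site_survey output quoted in
# the thread (header typo "Siganl" reproduced as the driver prints it).
SCAN_EARLY = """apclix0   get_site_survey:
Total=3
No  Ch  SSID                             BSSID               Security               Rssi    Siganl(%)W-Mode      ExtCH  NT SSID_Len WPS DPID BcnRept   MWDSCap MDId FToverDS RsrReqCap
0   36  OfficeNet                        02:00:00:00:00:01   WPA2PSK/AES            -87     7        11a/n/ac    ABOVE  In 9        YES      NO     NO
1   48                                   02:00:00:00:00:02   WPA2PSK/AES            -85     13       11a/n       NONE   In 0        YES      NO     NO
2   52  OfficeNet                        02:00:00:00:00:03   WPA2PSKWPA3PSK/AES     -98     0        11a/n/ac/ax ABOVE  In 9        YES      NO     NO
"""

# Same scan later, after the radio also started reporting the high (UNII-3) channels.
SCAN_LATER = SCAN_EARLY.replace("Total=3", "Total=5") + """\
3   153 PhoneHotspot                     02:00:00:00:00:04   WPA2PSK/AES            -51     99       11a/n/ac/ax BELOW  In 12        NO      NO     NO
4   161 OfficeNet                        02:00:00:00:00:05   WPA2PSK/AES            -59     78       11a/n/ac/ax BELOW  In 9         NO      NO     NO
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


def parse_site_survey(text: str) -> List[Dict]:
    """Parse survey rows. Header, 'Total=' and interface lines carry no BSSID and are skipped.
    The BSSID is used as the column anchor because the SSID column may be empty (hidden SSID)."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        head = line[: m.start()].split(None, 2)            # No, Ch, optional SSID
        if len(head) < 2 or not head[0].isdigit() or not head[1].isdigit():
            continue
        tail = line[m.end():].split()                      # Security, Rssi, Signal, W-Mode, ExtCH, ...
        if len(tail) < 5:
            continue
        rows.append({
            "ch": int(head[1]),
            "ssid": head[2].strip() if len(head) == 3 else "",   # "" means hidden SSID
            "bssid": m.group(0).lower(),
            "security": tail[0],
            "rssi": int(tail[1]),
            "signal": int(tail[2]),
            "mode": tail[3],
            "extch": tail[4],
        })
    return rows


def band_of(ch: int) -> str:
    """Map a channel number to its band / 5 GHz sub-band (usual UNII boundaries)."""
    if ch <= 14:
        return "2.4GHz"
    if 36 <= ch <= 48:
        return "5GHz UNII-1"
    if 52 <= ch <= 64:
        return "5GHz UNII-2A (DFS)"
    if 100 <= ch <= 144:
        return "5GHz UNII-2C (DFS)"
    if 149 <= ch <= 165:
        return "5GHz UNII-3"
    return "other"


def channels_seen(rows: List[Dict]) -> List[int]:
    return sorted({r["ch"] for r in rows})


def bands_seen(rows: List[Dict]) -> List[str]:
    return sorted({band_of(r["ch"]) for r in rows})


def missing_bands(reference: List[Dict], observed: List[Dict]) -> List[str]:
    """Sub-bands present in the reference scan (e.g. another device) but absent from the observed one."""
    seen = set(bands_seen(observed))
    return [b for b in bands_seen(reference) if b not in seen]


def new_bssids(before: List[Dict], after: List[Dict]) -> set:
    """BSSIDs that appeared between two scans (what a channel change or a rescan revealed)."""
    return {r["bssid"] for r in after} - {r["bssid"] for r in before}


def wpa2_only_bssids(rows: List[Dict]) -> List[str]:
    """BSSIDs whose advertised security offers no WPA3 transition mode; worth knowing before joining one as a repeater."""
    return sorted(r["bssid"] for r in rows if "WPA3" not in r["security"])


if __name__ == "__main__":
    early, later = parse_site_survey(SCAN_EARLY), parse_site_survey(SCAN_LATER)
    print("channels early:", channels_seen(early), "later:", channels_seen(later))
    print("bands missing from the early scan:", missing_bands(later, early))
    print("BSSIDs that appeared later:", sorted(new_bssids(early, later)))
    print("WPA2-only BSSIDs in the later scan:", wpa2_only_bssids(later))
```

On the router itself the scan text would come from something like `iwpriv apclix0 get_site_survey` captured into a file and read in place of the embedded samples; running two captures a minute apart, as described above, and feeding them to `new_bssids` and `missing_bands` makes the "only channels below 100" symptom visible as a missing `5GHz UNII-3` entry rather than something to spot in a 26-row table.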

Hi,

Regarding the repeater issue,

  1. Did you modify the scan band setting to 2.4GHz only?
  2. Do these two Wi-Fi networks have 2.4GHz and 5GHz dual-band in one, with the same SSID for 2.4GHz and 5GHz?
  3. Could you please test the repeater in the op24 firmware? Upgrade the firmware without 'keep settings'.
    GL.iNet download center

To clarify:
Does it mean that there is your office WiFi in the SSH scan but not in the GL GUI repeater?

I won't be able to do any testing until I get back to my office. Currently at sea.

IIRC for the UK I would expect to see 5GHz channels ranging from 32 to 173.

The Beryl regularly detects networks running on channels below 96. It occasionally detects networks on channel 100 and has only once detected channels above 100.

This would be in contrast to the Opal which shows all active channels.

As noted I'm currently at sea and have spent a couple of days looking at the Wireguard DNS issue.

One of the notable diagnostics is that a dig @dns.se.rv.er www.domain.com resolves over the OpenVPN link, while it reports ;; communications error to dns.se.rv.er#53: connection refused when running over the Wireguard VPN.

At the far-end firewall I'm logging all traffic for this VPN instance and DNS lookups are not seen.

Also this is not a routing issue as when I use a local hosts file on my PC the remote addresses are reachable.

In the current network topology, is a WG client (with the same VPN profile as the Beryl AX) available on the PC?

Please export the syslog when the router has the VPN client enabled, and share it with me.

Try changing the Wi-Fi country code to US and see how the repeater scan list looks.

I can reproduce this in my office, which I'll do next week.

Which one issue? VPN or Repeater?

Wi-Fi issue split to separate thread.

I've now tested the Wireguard config with 4.6.6-op24 and DNS works as expected once the VPN is established.


I'm currently in Barcelona on a guest internet connection.

What I have found is that while DNS resolves over the Wireguard connection it does not continue to do so. Looking into this further this is not so much an issue with DNS but with search domains.

Initially DNS was resolving correctly for those lookups that would normally resolve when the search domains are referenced. The Beryl has been left on continuously since I arrived at the apartment and restarting it has not resolved the issue. Though I've deliberately not powered it down at the moment.

To test if this is a near-end or a far-end issue I connected my laptop (a new-build Linux system with no added entries in the hosts file) to the same Wi-Fi and used a WG profile with the same DNS configuration. This worked. I also checked against my mobile hot-spot, remembering to clear the local DNS cache between each connection.

Hello, may I know if DNS with VPN is now working normally on the GL router?

Still running 4.6.6-op24 and I am still seeing the same behaviour.

FQDN queries resolve.

Non-FQDN queries fail, when they would be expected to resolve thanks to the Wireguard search-domain settings.

I'll try with 4.7.0-op24 later.
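The symptom in the two posts above (FQDNs resolve, short names do not) is exactly what happens when a client installs the nameserver from a WireGuard profile but not its search domains. As an added example, not code from the thread, GL.iNet or wg-quick, the script below splits a wg-quick style `DNS =` value into nameservers and search domains (wg-quick treats non-IP entries in that list as search domains), builds the candidate query list the way a glibc-style stub resolver does with `search` and `ndots`, and resolves against a constructed in-memory zone standing in for what the OPNsense resolver would answer. The zone contents, the `corp.example` domain and the `10.10.0.0/16` addresses are all assumptions made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the firewall's internal DNS (assumption, not real records).
ZONE: Dict[str, str] = {
    "fileserver.corp.example.": "10.10.0.5",
    "www.corp.example.": "10.10.0.80",
}


def parse_wg_dns(dns_value: str) -> Tuple[List[str], List[str]]:
    """Split a wg-quick 'DNS =' value: IP literals are nameservers, anything else is a search domain."""
    servers, search = [], []
    for item in (s.strip() for s in dns_value.split(",")):
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
            servers.append(item)
        except ValueError:
            search.append(item.rstrip(".").lower())
    return servers, search


def candidate_queries(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Order in which a glibc-style stub resolver tries a name given a search list and ndots.
    A trailing dot makes the name absolute; otherwise names with fewer than ndots dots try
    the search suffixes first, names with at least ndots dots try the absolute form first."""
    name = name.lower()
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{d}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def resolve(name: str, search: List[str], zone: Dict[str, str] = ZONE,
            ndots: int = 1) -> Tuple[Optional[str], List[str]]:
    """Simulate the stub resolver: return (answer or None, list of names tried in order)."""
    tried = []
    for q in candidate_queries(name, search, ndots):
        tried.append(q)
        if q in zone:
            return zone[q], tried
    return None, tried


def diagnose(name: str, dns_value: str, zone: Dict[str, str] = ZONE) -> str:
    """Classify a lookup by comparing resolution with and without the profile's search domains.
    'search-list dependent' is the class of name that breaks when only the nameserver is installed."""
    _servers, search = parse_wg_dns(dns_value)
    with_search, _ = resolve(name, search, zone)
    without_search, _ = resolve(name, [], zone)
    if with_search and not without_search:
        return "search-list dependent"
    if with_search:
        return "resolves as FQDN"
    return "not resolvable"


if __name__ == "__main__":
    profile_dns = "10.10.0.1, corp.example"        # hypothetical [Interface] DNS line
    for host in ("fileserver", "fileserver.corp.example", "www.corp.example.", "nosuch"):
        answer, tried = resolve(host, parse_wg_dns(profile_dns)[1])
        print(f"{host:28} -> {answer!s:10} tried={tried}  [{diagnose(host, profile_dns)}]")
```

The practical use is as a checklist generator: for a short name that fails on the router, `candidate_queries` gives the exact absolute names to test with `dig @<vpn-dns> <name>`; if the suffixed form answers and the bare form does not, the server side is fine and the problem is the search list on the client, which is the far-end versus near-end split the laptop test above was designed to separate.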

Shows the same behaviour.

Sorry for the late reply.

Please upgrade to the latest beta firmware v4.7.4 and test it once more.
If the WG still has the DNS issue, please export an issue syslog and send it to me through PM.