No internet on `br-guest` after reboot

After rebooting my Beryl AX, the br-lan interface (WIFI-5G-VPN and LAN port) continues to route traffic correctly through the Tailscale exit node. However, standard internet access via the br-guest interface (WIFI-2.4G / WIFI-5G) now consistently fails to route traffic after the reboot. If I wait a while (roughly a few hours), br-guest starts working properly again without any intervention.

Key Observations:

  1. Expected Behavior:
    • br-lan: Isolated to Tailscale exit node (no direct WAN access).
    • br-guest: Direct WAN routing for standard internet.
  2. Current Behavior:
    • br-lan works as intended (Tailscale-only).
    • br-guest loses all WAN/internet connectivity sometimes after reboot.
  3. Regression:
    • Stable for ~1 year (survived prior reboots).
    • Issue began occurring recently after reboots, despite no manual configuration changes.

Any advice or hint is highly appreciated. I can provide more logs or do some other tests.

$ uname -a
Linux beryl-ax 5.4.211 #0 SMP Thu Dec 5 01:20:09 2024 aarch64 GNU/Linux
$ ip route 
default via 192.168.1.1 dev eth0 proto static src 192.168.1.13 metric 10 
100.64.0.0/10 dev tailscale0 scope link 
192.168.1.0/24 dev eth0 proto static scope link metric 10 
192.168.7.0/24 dev br-lan proto kernel scope link src 192.168.7.1 
192.168.9.0/24 dev br-guest proto kernel scope link src 192.168.9.1 

/etc/firewall

# UCI firewall configuration as pasted by the reporter (GL.iNet Beryl AX).
# fw3/fw4 install sections in file order, so the order of the rule sections
# below is significant. Comments are review annotations, not part of the dump.

# Zone-less defaults: router input/output open; forwarding between zones is
# rejected unless an explicit 'forwarding' section below allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option log_level '1'

# 'lan' zone = the br-lan network (192.168.7.0/24 in /etc/network). Per the
# report this is the network steered through the Tailscale exit node.
# forward 'ACCEPT' here only governs traffic between networks inside this zone.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone: unsolicited input dropped, NAT (masq) and MSS clamping on the
# way out. Covers the wired uplink plus the (currently disabled) alternates.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'tethering'

# Stock OpenWrt wan input exceptions: DHCP renew, IGMP, DHCPv6, MLD, ICMPv6.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded ICMPv6 from wan to any zone (dest '*'), rate limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt: ESP and IKE (UDP/500) arriving on wan may be forwarded into lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled (enabled 'false').
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Legacy include. Its contents are not in this dump, so any rules it adds
# (marking, bypasses, extra accepts) cannot be reviewed here.
config include
	option path '/etc/firewall.user'

# Guest zone (br-guest, 192.168.9.0/24). NOTE(review): input 'ACCEPT' lets
# guest clients reach every service the router itself listens on (admin UI,
# SSH, etc.), and it makes the Allow-DHCP / Allow-DNS rules below redundant.
# The usual guest pattern is input 'REJECT' plus exactly those two rules —
# confirm this is intended.
config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'ACCEPT'

# The guest zone's only forward target in this file is wan: there is no
# guest->lan or guest->tailscale forwarding, so guest traffic cannot cross into
# the VPN-side networks through the firewall (the include scripts could still
# add rules). Whether guest traffic actually leaves via eth0 is decided by the
# policy-routing rules in /etc/network, not by this section.
config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

# Router-side DHCP and DNS for guests. Only meaningful once the guest zone's
# input policy is tightened; with input 'ACCEPT' they are a no-op.
config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

# GL.iNet VPN-policy marks on router-originated traffic, keyed by the owning
# group id: gids 65533 / 453 / 410 get 0x8000 in mask 0xc000, gid 20000 gets
# 0x20000. Per the /etc/network policy rules, traffic carrying 0x8000/0xc000
# is NOT sent to routing table 8000 (presumably the VPN table). Which
# processes run under these gids is not visible here.
config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
	option name 'process_mark_dns'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 453'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_mark_stubby'
	option name 'process_mark_stubby'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 410'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
	option name 'process_explict_vpn'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 20000'
	option target 'MARK'
	option set_xmark '0x20000/0x20000'

# The three CONNMARK save/restore rules below are all disabled (enabled '0').
config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option src 'lan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
	option enabled '0'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
	option enabled '0'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

# Script includes that run on every firewall reload (reload '1'). Their
# contents are not in this dump; the rules that decide which networks bypass
# the VPN (e.g. per-interface marking) presumably live in these scripts and
# cannot be reviewed from this file alone.
config include 'vpn_client_deal_leak'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.vpn_client_deal_leak.sh'
	option enabled '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

# Tailscale zone: NAT on, router services reachable from it. NOTE(review): no
# 'network' or 'device' option is listed, so this file alone binds nothing to
# the zone — membership (tailscale0) is presumably added elsewhere (script or
# package); confirm against the generated ruleset.
config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Only lan is forwarded to/from tailscale; guest is deliberately not.
config forwarding
	option src 'tailscale'
	option dest 'lan'
	option enabled '1'

config forwarding
	option src 'lan'
	option dest 'tailscale'

# DNS interception to port 1653 for unmarked traffic — disabled for both zones.
config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

# WireGuard client zone and its forwardings: all disabled (enabled '0').
config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	option enabled '0'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '0'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '0'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '0'

# IPv6 housekeeping for guests (DHCPv6 on 546:547, ICMPv6).
config rule 'glipv6_guest_dhcp'
	option name 'Allow-DHCP-IPV6'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '546:547'
	option family 'ipv6'

# NOTE(review): 'dest_port' has no meaning for proto 'icmp'; 58 looks like the
# ICMPv6 protocol number rather than a port — confirm what this rule is meant
# to match (it is moot while guest input is 'ACCEPT').
config rule 'glipv6_guest_icmp'
	option name 'Allow-ICMP-IPV6'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'icmp'
	option dest_port '58'
	option family 'ipv6'

config include 'portal_ttl'
	option path '/etc/firewall-portal.user'
	option reload '1'

/etc/network

# UCI network configuration as pasted by the reporter. Besides the interfaces
# and bridges, the 'rule'/'rule6' sections set up the policy routing that
# decides whether a packet uses the main table (eth0 uplink) or table 8000.
# MAC addresses were redacted by the reporter. Comments are review annotations.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ULA prefix shared with the guest interface's ip6prefix below.
config globals 'globals'
	option ula_prefix 'fd4f:fb01:7dd6::/48'
	option packet_steering '0'

# br-lan bridges only the wired LAN port (eth1); the 'lan' wifi APs join this
# bridge through 'option network lan' in /etc/wireless.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option macaddr '9....90'

config device
	option name 'eth1'
	option macaddr '94....:90'

# VPN-routed LAN: static 192.168.7.1/24, IPv6 /60 delegated from whichever of
# the listed upstream classes is active (none of them is enabled in this dump).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option isolate '0'
	option ipaddr '192.168.7.1'
	option ip6hint '0000'
	option ip6ifaceid '::1'
	option ip6assign '60'
	list ip6class 'wan6'
	list ip6class 'wwan6'
	list ip6class 'tethering6'
	list ip6class 'modem_2_1_6'
	list ip6class 'modem_1_1_6'

config device
	option name 'eth0'
	option macaddr '9...a:8f'

# Wired uplink: DHCP on eth0 with metric 10 (matches the 'ip route' output in
# the report), IPv6 off, DHCPv6 companion disabled.
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option force_link '0'
	option classlessroute '0'
	option metric '10'
	option ipv6 '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

# Guest network: legacy-style bridge declared on the interface with no wired
# ports (bridge_empty '1' keeps br-guest up with no members; ra1/rax1 from
# /etc/wireless attach via 'option network guest'). Static 192.168.9.1/24 plus
# a /64 carved from the ULA prefix.
config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'
	option ip6prefix 'fd4f:fb01:7dd6::/48'
	option ip6assign '64'
	option ip6hint '0001'
	option ip6ifaceid '::1'
	option ip6class 'guest'

# Traffic entering on loopback consults table 16800 first (priority 1).
config rule 'policy_relay_lo_rt_lan'
	option lookup '16800'
	option in 'loopback'
	option priority '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

# Policy routing, evaluated by priority (lower first):
#   1099 policy_default_rt_vpn_ts : mark 0x80000/0xc0000 set -> main table
#   1100 policy_direct_rt         : main table with its default route
#                                   suppressed (suppress_prefixlength 0), i.e.
#                                   only connected/static routes are honoured
#   1101 policy_default_rt_vpn    : invert '1' => packets WITHOUT mark
#                                   0x8000/0xc000 -> table 8000
# So any packet still unmarked after 1101 is handed to table 8000 (presumably
# the VPN table) instead of the eth0 default route. br-guest (192.168.9.0/24)
# has no rule of its own here; its WAN access therefore depends on something
# else marking guest traffic 0x8000/0xc000 — most likely one of the firewall
# include scripts, which are not in this dump. NOTE(review): if that marking
# is only installed by a firewall reload that runs before br-guest / its wifi
# interfaces exist, guest traffic would sit in table 8000 (where the firewall
# does not forward guest->tailscale) until a later reload re-adds the mark —
# consistent with the "works again after a few hours" symptom. Comparing
# `ip rule` and `ip route show table 8000` while broken vs. working would
# confirm or rule this out.
config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

# Same two rules for IPv6.
config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

# Evaluated before the two rules above (1099): traffic carrying
# 0x80000/0xc0000 always uses the main table.
config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

# Alternate uplinks: USB tethering (disabled), WireGuard client (disabled),
# wireless WAN (no 'disabled' option; metric 20, so it would lose to eth0's 10).
config interface 'tethering'
	option proto 'dhcp'
	option metric '30'
	option device 'usb0'
	option disabled '1'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_2001'
	option disabled '1'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'
	option hostname '*'
	option mtu '1500'

/etc/wireless


# UCI wireless configuration as pasted by the reporter: two MediaTek radios,
# each carrying one AP on the VPN-routed 'lan' network and one on 'guest'.
# Passphrases were redacted by the reporter ('XXX' / 'xxx'). Comments are
# review annotations.

# 2.4 GHz radio, auto channel, 40 MHz HE, randomised BSSIDs.
config wifi-device 'mt798111'
	option type 'mtk'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option txpower '100'
	option country 'DE'
	option random_bssid '1'
	option disabled '0'
	option legacy_rates '0'
	option hwmode '11g'

# 2.4 GHz AP 'WIFI-IOT' on network 'lan', i.e. the same L2 segment (br-lan) and
# Tailscale-routed path as WIFI-5G-VPN. If the intent is to keep IoT devices
# away from the VPN LAN, they would need their own network/zone.
# NOTE(review): key is '' here while the other SSIDs show a redaction
# placeholder — if this is not a redaction, SAE (WPA3) requires a passphrase.
config wifi-iface 'wifi2g'
	option device 'mt798111'
	option mode 'ap'
	option network 'lan'
	option ifname 'ra0'
	option key ''
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WIFI-IOT'
	option hidden '0'
	option encryption 'sae'
	option macaddr ''

# 5 GHz radio, auto channel, 80 MHz HE.
config wifi-device 'mt798112'
	option type 'mtk'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '100'
	option country 'DE'
	option random_bssid '1'
	option disabled '0'
	option legacy_rates '0'
	option hwmode '11a'

# 5 GHz AP 'WIFI-5G-VPN' on network 'lan' (br-lan), WPA3-SAE.
config wifi-iface 'wifi5g'
	option device 'mt798112'
	option mode 'ap'
	option network 'lan'
	option ifname 'rax0'
	option key 'XXX'
	option wds '1'
	option isolate '0'
	option ieee80211k '1'
	option bss_transition '1'
	option ssid 'WIFI-5G-VPN'
	option hidden '0'
	option encryption 'sae'
	option macaddr ''

# Guest APs (attach to br-guest via 'option network guest'). Both have
# isolate '0', so guest clients can reach each other over the AP; guest
# networks are usually run with isolate '1'. The 2.4 GHz guest SSID uses
# WPA2-PSK while the 5 GHz one uses WPA3-SAE. 'guest' is a GL.iNet-specific
# flag whose effect is not visible from this file.
config wifi-iface 'guest2g'
	option device 'mt798111'
	option network 'guest'
	option mode 'ap'
	option ifname 'ra1'
	option guest '1'
	option wds '1'
	option disabled '0'
	option hidden '0'
	option isolate '0'
	option ssid 'WIFI-2.4G'
	option key 'xxx'
	option encryption 'psk2'
	option macaddr ''

config wifi-iface 'guest5g'
	option device 'mt798112'
	option network 'guest'
	option mode 'ap'
	option ifname 'rax1'
	option guest '1'
	option wds '1'
	option disabled '0'
	option hidden '0'
	option encryption 'sae'
	option isolate '0'
	option ssid 'WIFI-5G'
	option key 'xxx'
	option macaddr ''