I’m one of a surprisingly large amount of people that have loaded third-party firmware onto their wireless network router at home. One long standing flaw of the DD-WRT flavour of firmware has been a pair of issues that lead to a momentary loss of connectivity when one’s DHCP server provided IP lease requires renewal.
There are three causes of this issue, and most people will need to address both to solve their connectivity problems:
- A popular and recommended version of the DD-WRT firmware – v24-sp2 (10/10/09) micro – build 13064, to be specific – has a flaw in it that leads to a dump of the UPnP mapping list when a DHCP lease renewal ACK is received.
- The SPI Firewall, if enabled, blocks DHCP renewal responses by default.
- If the DMZ is enabled, DHCP renewals are mistakenly sent there instead of to the router.
Let’s address these issues in order. First up: The firmware.
While the official DD-WRT website lists the 2009-10-10 firmware as its recommendation for my Linksys WRT54G v5 router, the forum dedicated to Linksys (Broadcom) routers surprisingly lists this as a build to explicitly avoid. Their alternative solution: Build 14929. (Make sure to take a quick glance at the upgrade procedure before attempting the update.)
Once you’ve logged back into the interface of your freshly flashed router (you should now be running v24-sp2 (08/12/10) micro – build 14929), we can tackle the issue number two. To allow the DHCP renewal messages to be received by your router, you have one of two options: You can disable the SPI Firewall feature completely (Security > Firewall > SPI Firewall), or you can add a rule to specifically allow those messages. Do this by navigating within your router’s interface to Administration > Commands, and entering the following into the Commands fields:
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
Press the Save Firewall button to save the rule to be executed whenever the router is restarted.
Finally, you’ll need to disable the DMZ option in DD-WRT by going to NAT / QoS > Demilitarized Zone (DMZ) > Use DMZ and setting it to Disable.
For me, the combination of these three items led to my first uneventful DHCP lease renewal in months. Some of the members of the DD-WRT forums have reported that the second issue was only solved by completely disabling their SPI firewall, so give that a try if the preferred option of adding a rule doesn’t work out.
References:
The iptables command actually seems to have worked.
Thanks for the fix!
I’m having the same issue, but to me the DHCP server is responding with DHCPNAK. See:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=664855
Dunno what’s correct according to the DHCP RFC, but DD-WRT immediately drops the IP address and searches for a new one, leading to short network outages. My Fedora box is smart and keeps the IP although a NAK was received :(
Thanks for this!
This problem is seen by people using Sonic.net because they renew their leases every 5 minutes (!).
This fixes it.
Looks like the 13491 VINT build is plagued by this as well. After putting that line into the firewall the connection appears to be stable. Before I was getting disconnects every 3 to 10 minutes.
First off, just want to say thanks for sleuthing and making a post about this. Even though this is years down the line, I just gave it a go and will see if it improves because I am running a relatively old (ancient) router and new builds are not an option (build 21061).
Secondly, would you mind giving a breakdown about the firewall rule and what is happening, or perhaps a good reference to easily digest info on the basics for a relative networking noob? Just looking to get more insight on the technical side.
Thanks!
Amazing this looks to have fixed my issue turning off SPI firewall alltogether, and I was tempted to ebay the router and get a new one due to it.
I was thinking Draytek Vigor 2862ac (WAN2) to replace my Linksys WRT3200ACM