Can only access LUCI when connected to bridged WIFI on RPi-400

So I have a Pi-400 set up as a bridged LAN WAP and plugged in to one of the LAN ports in my home fiber router.

To access and admin on the fiber router I access 192.168.254.254.
The IP pool for that router is 192.168.254.100 - 192.168.254.200

I have allocated a static IP address of 192.168.254.2/24 to the Pi-400.
The gateway is 192.168.254.254. I have turned DHCP off and I have set up 8.8.8.8 and 8.8.4.4 for my DNS.

With my PC's wired connection set to 192.168.254.3 and connected to the Pi-400 via and Ethernet cable I can ping it and administer it via LUCI at 192.168.254.2 as expected. Mask is 255.255.255.0 so same subnet.

If I plug the Pi-400 in to the back of the fiber router I can no longer ping it or admin it at 192.168.254.3 unless I connect to the WIFI of the bridged LAN on the Pi-400.

I would have thought I would be able to both ping and administer it from my home PC with a Wireless IP address of 192.168.254.200 to the Pi-400 at 192.168.254.2.

Any ideas?

Set the fiber router as bridge, and set the Pi-400 as main router.

If you have a true bridged AP config, you should be able to reach the device anytime your computer is connected to the same subnet.

What is the purpose of the pi400 on your network?

And let’s see the config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here the are entries you require. Thanks.

root@JDTRouter:~# ubus call system board
{
	"kernel": "6.12.74",
	"hostname": "JDTRouter",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 400 Rev 1.0",
	"board_name": "raspberrypi,400",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.1",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32768-b21cfa8f8c",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 25.12.1 r32768-b21cfa8f8c",
		"builddate": "1773711117"
	}
}

root@JDTRouter:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004a339311858d74726bb57a07068b83807'
	option ula_prefix 'fd47:8905:cd9a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.254.2/24'
	option gateway '192.168.254.254'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option multipath 'off'

root@JDTRouter:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option band '5g'
	option channel '36'
	option country 'PH'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FujiPisoWifi'
	option encryption 'psk2'
	option key '********'
root@JDTRouter:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option ra_preference 'medium'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

root@JDTRouter:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
````Preformatted text`

There should be no difference at all connecting to Ethernet vs WiFi.

This option?

Screenshot from 2026-03-26 14-24-05674×862 30.4 KB

I am not familiar with this. Check the LAN boxes? WAN Enable, what VLAN ID and 802.1P settings?

The VLAN ID and 802.1P settings saved by fiber router. PI-400 used PPPoE to fiber router.

You would think with my PC being on 192.168.254.200 (Modem/Router WIFI) and my RPi-400 being on 192.168.254.2 (static IP Modem/Router LAN port via Ethernet same subnet) I would be able to access it, this is not the case. I checked the Subnet Mask (255.255.255.0) it cannot be pinged. If I get on to the WIFI that the RPi-400 exposes though I can ping it. I suspect there is something going on that is isolating the LAN ports of my fiber modem/router from the WIFI.

The fiber modem/router is unaware that there is a wifi AP on the Pi. From the perspective of the router, the Pi is just another (ethernet) device on the network, and even the wifi device appear as ethernet from the router's view point (that's how they're ultimately connected to the router).

It is certainly possible (although very unusual) that there is some port isolation on the router's ports, but that would be consistent across any two (or more) ethernet devices directly connected to the ports on the router. That is to say, if you replace the Pi with another ethernet device, try connecting form your PC to that other ethernet device -- if it doesn't connect, the issue is something with your router's configuration, not OpenWrt.

Looking at your OpenWrt config, though, there is literally zero distinction between the wifi and ethernet connectivity in terms of connecting to the Pi itself. That is because both ethernet and wifi are connected to the same network interface (lan) via the bridge (br-lan). In the case of a bridge, it is the equivalent of an unmanaged switch except handled in software.

Meanwhile, it would be great if you could answer this question:

In my opinion (and i’m not the only one who thinks so) is a RaspberryPi the least useful device for a router or even an bridged AP. The wi-fi is mediocre (to express it politely).

But a RPi 400 with its keyboard deems me an unnecessary risk. Just add a screen, and everybody could hack into your network.

If you don’t have any better use for your RPi, sell it and buy some recent used plastic router to use them as an AP.

The purpose of the RPi-400 is a guest access point but I eventually wish to run opennds on it.

I have a laptop plugged into one of the LAN ports on my Modem/Router with an Ethernet Cable. I have internet access on that laptop which has a static ip address of 192.168.254.2

I have another PC on the WIFI who's address is 192.168.254.200. This is the output

youngie@youngie-OptiPlex-7050:~$ ping 192.168.254.2
PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
From 192.168.254.200 icmp_seq=1 Destination Host Unreachable

Maybe the problem is in your fiber modem/router has it reserved the 192.168.254.2 address already for something else?
Or does you RPi need an IP address within the pool (which is unusual but software of ISP routers is usually crap)

I have tried 192.168.254.2, 3, 10, 98,99 (outside the DHCP pool) and 100, 199 inside. No luck. I think there is some king of Port Isolation going on.

This clearly suggests that the problem is not with OpenWrt, but with your upstream device.

However... building on what others have said, the Pi400 (and for that matter, all Raspberry Pi devices) makes a terrible choice for use as an AP. Even a 10 year old cheap "plastic" all-in-one wifi router will outperform the Pi's on-board wifi in essentially every way. The Pi's contain a very low end wifi chipset and antenna that is extremely limited in range, bandwidth, and multi-client connectivity. It also only supports single-band operation (i.e. 2.4G XOR 5G) and cannot support multiple SSIDs (if you wanted to have a guest or iot network, for example). Don't expect that to improve significantly with USB-wifi dongles -- those also don't typically perform well, and you may run into other issues. On top of that, using a Pi400 specifically is just a bit of a strange form factor.

You will be much better served by getting a "plastic" AiO wifi router (that has OpenWrt support) with a built in switch. Then you can connect your upstream via one port and all of your other lan devices (ethernet + wifi) to your OpenWrt AiO device -- this will simultaneously fix your connectivity issue (you won't be dealing with the port isolation that seems to be happening on your fiber modem/router) and you'll get better overall wifi performance.

That said, as stated above, this is not an OpenWrt related problem, so I would suggest that this thread can be resolved while you look into the reason for the port isolation on the upstream device and/or acquire equipment that is better suited to the job.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

SOLVED. This is came down to a GLOBE FIBER modem issue. The HG6245D has highly strangled firmware (RP2786) not letting you do an awful lot. There is a setting called "Port Isolation" or "AP Isolation" which isn't accessible to mere mortals

You cannot access devices connected via Ethernet to the LAN ports if you are on the WIFI even though they are in the same address space. I will be getting rid of this POS.