Cannot access LAN ports from Wifi on dumb AP

as379052 · November 15, 2025, 2:37pm

I set up a dumb AP with OpenWRT 24.10, having a standard wifi, guest wifi and Wireguard VPN. Everthing works fine, but I noticed that I cannot acces my NAS that is wired to the AP when I am connected to the dumb AP wifi. Works fine when using wireless or wired connection from the main router. Wifi

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

The wireless network is linked to lan:

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID'
	option encryption 'psk2'
	option key '***'

Any ideas how to create the missing links appreciated.

AlanDias17 · November 15, 2025, 2:47pm

doesn't look like "Client Isolation" is enabled from your settings. Did you confirm? It needs to be disabled (Default)

as379052 · November 15, 2025, 3:09pm

Client isolation i disabled on both radios (same SSID on the 2.4 ghz band).

AlanDias17 · November 15, 2025, 3:28pm

Show firewall rules. In config zone section for lan option forward must be set to accept

as379052 · November 15, 2025, 4:22pm

It is:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'
	option mtu_fix '1'

AlanDias17 · November 16, 2025, 7:27am

Remove the option masq '1' & option mtu_fix '1' lines. Restart firewall.
Also make sure DHCP Server is disabled for dumb AP

psherman · November 16, 2025, 7:33am

Let's see the complete config (rather than just selected sections):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

as379052 · November 16, 2025, 9:51am

Thanks for all suggestions. After some research on VLAN’s, I decided do configure the dumb AP with VLAN. Lot easier to set up standard, guest and VPN devices and only have to configure the primary router.

I think my earlier problem is related to adding the WAN port to the switch. This seems to constantly give problems on the Nightgear R7800.

egc · November 16, 2025, 11:46am

Exactly!
See:

github.com/openwrt/openwrt

Bridged AP not working on Netgear R7800 (IPQ806X) with wan port added to bridge in release 24.10

opened 11:30AM - 07 Feb 25 UTC

egc112

target/ipq806x bug Self Built Image release/24.10

### Describe the bug Setup as a [Dumb/Bridged AP](https://openwrt.org/docs/gui…de-user/network/wifi/wifiextenders/bridgedap) WAN port added to the br-lan bridge. No access from LAN ports to the router only from the WAN port ### OpenWrt version r28433-8cd50a6aec ### OpenWrt release 24.10-SNAPSHOT ### OpenWrt target/subtarget ipq806x/generic ### Device Netgear Nighthawk X4S R7800 ### Image kind Self-built image ### Steps to reproduce Setup as a [Dumb/Bridged AP](https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap) I did a quick test, my router was on its own subnet 192.168.5.0/24 But I now have made it a Dumb AP, deleted everything from the wan and added the wan port to br-lan, set the IP address in the main lan (192.168.0.1/24) and added gateway and dns and disabled the firewall: ``` config device option name 'br-lan' option type 'bridge' list ports 'lan1' list ports 'lan2' list ports 'lan3' list ports 'lan4' list ports 'wan' option ip6assign '64' option ip6hint '5' config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.0.5' option netmask '255.255.255.0' option ip6assign '63' option gateway '192.168.0.1' list dns '192.168.0.1' ``` ### Actual behaviour Rebooted the router and my workstation which is on LAN port 3 had internet. The WAN port still had the cable to the main router. What is not working is that from the LAN ports I cannot connect/ping the router at 192.168.0.5, but I can from the WAN port https://forum.openwrt.org/t/openwrt-24-10-0-first-stable-release/223845/85?u=egc ### Expected behaviour Both WAN and LAN ports would work as if on the same switch, from LAN ports I can connect to the router ### Additional info Not sure what to make of this, I know this router has a dual CPU port to the switch but not sure how to debug this, I know my way around swconfig but how to do this for DSA? https://forum.openwrt.org/t/openwrt-24-10-0-first-stable-release/223845/85?u=egc ### Diffconfig ```text egc@egc-VirtualBox:/linuxdata/openwrt$ ./scripts/diffconfig.sh CONFIG_TARGET_ipq806x=y CONFIG_TARGET_ipq806x_generic=y CONFIG_TARGET_ipq806x_generic_DEVICE_netgear_r7800=y CONFIG_DEVEL=y CONFIG_BUSYBOX_CUSTOM=y CONFIG_ATH10K_LEDS=y # CONFIG_BPF_TOOLCHAIN_BUILD_LLVM is not set CONFIG_BPF_TOOLCHAIN_NONE=y CONFIG_BUILD_LOG=y CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVEHISTORY=y CONFIG_BUSYBOX_CONFIG_FEATURE_EDITING_SAVE_ON_EXIT=y CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_FLAGS=y CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_REGEXP=y CONFIG_BUSYBOX_CONFIG_FEATURE_LESS_WINCH=y CONFIG_DEBUG=y CONFIG_DROPBEAR_ECC=y CONFIG_DROPBEAR_ECDSA_SK=y CONFIG_HTOP_LMSENSORS=y CONFIG_IMAGEOPT=y CONFIG_INCLUDE_CONFIG=y CONFIG_LIBCURL_COOKIES=y CONFIG_LIBCURL_FILE=y CONFIG_LIBCURL_FTP=y CONFIG_LIBCURL_HTTP=y CONFIG_LIBCURL_NGHTTP2=y CONFIG_LIBCURL_NO_SMB="!" CONFIG_LIBCURL_OPENSSL=y CONFIG_LIBCURL_PROXY=y CONFIG_LIBCURL_UNIX_SOCKETS=y # CONFIG_LUCI_JSMIN is not set CONFIG_OPENSSL_ENGINE=y CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y CONFIG_OPENSSL_WITH_ASM=y CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y CONFIG_OPENSSL_WITH_CMS=y CONFIG_OPENSSL_WITH_DEPRECATED=y CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y CONFIG_OPENSSL_WITH_IDEA=y CONFIG_OPENSSL_WITH_MDC2=y CONFIG_OPENSSL_WITH_PSK=y CONFIG_OPENSSL_WITH_SEED=y CONFIG_OPENSSL_WITH_SRP=y CONFIG_OPENSSL_WITH_TLS13=y CONFIG_OPENSSL_WITH_WHIRLPOOL=y CONFIG_OPENVPN_openssl_ENABLE_FRAGMENT=y CONFIG_OPENVPN_openssl_ENABLE_LZ4=y CONFIG_OPENVPN_openssl_ENABLE_LZO=y CONFIG_OPENVPN_openssl_ENABLE_PORT_SHARE=y CONFIG_OPENVPN_openssl_ENABLE_SMALL=y CONFIG_PACKAGE_6in4=y CONFIG_PACKAGE_6rd=y CONFIG_PACKAGE_6to4=y CONFIG_PACKAGE_adblock=y CONFIG_PACKAGE_ath10k-firmware-qca9984=y # CONFIG_PACKAGE_ath10k-firmware-qca9984-ct is not set CONFIG_PACKAGE_attendedsysupgrade-common=y CONFIG_PACKAGE_banip=y CONFIG_PACKAGE_bcp38=y CONFIG_PACKAGE_block-mount=y CONFIG_PACKAGE_ca-certificates=y CONFIG_PACKAGE_ccrypt=y CONFIG_PACKAGE_cgi-io=y CONFIG_PACKAGE_collectd=y CONFIG_PACKAGE_collectd-mod-conntrack=y CONFIG_PACKAGE_collectd-mod-cpu=y CONFIG_PACKAGE_collectd-mod-cpufreq=y CONFIG_PACKAGE_collectd-mod-dhcpleases=y CONFIG_PACKAGE_collectd-mod-entropy=y CONFIG_PACKAGE_collectd-mod-exec=y CONFIG_PACKAGE_collectd-mod-interface=y CONFIG_PACKAGE_collectd-mod-iwinfo=y CONFIG_PACKAGE_collectd-mod-load=y CONFIG_PACKAGE_collectd-mod-memory=y CONFIG_PACKAGE_collectd-mod-network=y CONFIG_PACKAGE_collectd-mod-ping=y CONFIG_PACKAGE_collectd-mod-rrdtool=y CONFIG_PACKAGE_collectd-mod-sqm=y CONFIG_PACKAGE_collectd-mod-thermal=y CONFIG_PACKAGE_collectd-mod-uptime=y CONFIG_PACKAGE_coreutils=y CONFIG_PACKAGE_coreutils-sort=y CONFIG_PACKAGE_curl=y CONFIG_PACKAGE_ddns-scripts=y CONFIG_PACKAGE_ddns-scripts-services=y CONFIG_PACKAGE_diffutils=y # CONFIG_PACKAGE_dnsmasq is not set CONFIG_PACKAGE_dnsmasq-full=y CONFIG_PACKAGE_dnsmasq_full_auth=y CONFIG_PACKAGE_dnsmasq_full_conntrack=y CONFIG_PACKAGE_dnsmasq_full_dhcp=y CONFIG_PACKAGE_dnsmasq_full_dhcpv6=y CONFIG_PACKAGE_dnsmasq_full_dnssec=y CONFIG_PACKAGE_dnsmasq_full_nftset=y CONFIG_PACKAGE_dnsmasq_full_noid=y CONFIG_PACKAGE_dnsmasq_full_tftp=y CONFIG_PACKAGE_etherwake=y CONFIG_PACKAGE_ethtool-full=y CONFIG_PACKAGE_gawk=y CONFIG_PACKAGE_gdbserver=y CONFIG_PACKAGE_gre=y CONFIG_PACKAGE_hostapd-utils=y CONFIG_PACKAGE_htop=y CONFIG_PACKAGE_https-dns-proxy=y CONFIG_PACKAGE_ip-bridge=y CONFIG_PACKAGE_ip-full=y CONFIG_PACKAGE_ip6tables-nft=y CONFIG_PACKAGE_ipset=y CONFIG_PACKAGE_iptables-mod-ipopt=y CONFIG_PACKAGE_iptables-mod-ipsec=y CONFIG_PACKAGE_iptables-nft=y CONFIG_PACKAGE_irqbalance=y CONFIG_PACKAGE_kmod-asn1-decoder=y CONFIG_PACKAGE_kmod-ath10k=y # CONFIG_PACKAGE_kmod-ath10k-ct is not set CONFIG_PACKAGE_kmod-cdrom=y CONFIG_PACKAGE_kmod-crypto-arc4=y CONFIG_PACKAGE_kmod-crypto-des=y CONFIG_PACKAGE_kmod-crypto-ecb=y CONFIG_PACKAGE_kmod-crypto-kpp=y CONFIG_PACKAGE_kmod-crypto-lib-chacha20=y CONFIG_PACKAGE_kmod-crypto-lib-chacha20poly1305=y CONFIG_PACKAGE_kmod-crypto-lib-curve25519=y CONFIG_PACKAGE_kmod-crypto-lib-poly1305=y CONFIG_PACKAGE_kmod-crypto-md4=y CONFIG_PACKAGE_kmod-crypto-md5=y CONFIG_PACKAGE_kmod-crypto-sha1=y CONFIG_PACKAGE_kmod-crypto-sha256=y CONFIG_PACKAGE_kmod-crypto-user=y CONFIG_PACKAGE_kmod-dnsresolver=y CONFIG_PACKAGE_kmod-fs-cifs=y CONFIG_PACKAGE_kmod-fs-exfat=y CONFIG_PACKAGE_kmod-fs-ext4=y CONFIG_PACKAGE_kmod-fs-hfsplus=y CONFIG_PACKAGE_kmod-fs-ksmbd=y CONFIG_PACKAGE_kmod-fs-msdos=y CONFIG_PACKAGE_kmod-fs-netfs=y CONFIG_PACKAGE_kmod-fs-ntfs3=y CONFIG_PACKAGE_kmod-fs-smbfs-common=y CONFIG_PACKAGE_kmod-fs-vfat=y CONFIG_PACKAGE_kmod-gre=y CONFIG_PACKAGE_kmod-gre6=y # CONFIG_PACKAGE_kmod-hwmon-core is not set CONFIG_PACKAGE_kmod-ifb=y CONFIG_PACKAGE_kmod-ip6-tunnel=y CONFIG_PACKAGE_kmod-ip6tables=y CONFIG_PACKAGE_kmod-ipt-core=y CONFIG_PACKAGE_kmod-ipt-ipopt=y CONFIG_PACKAGE_kmod-ipt-ipsec=y CONFIG_PACKAGE_kmod-ipt-ipset=y CONFIG_PACKAGE_kmod-iptunnel=y CONFIG_PACKAGE_kmod-iptunnel4=y CONFIG_PACKAGE_kmod-iptunnel6=y CONFIG_PACKAGE_kmod-lib-crc16=y CONFIG_PACKAGE_kmod-mppe=y CONFIG_PACKAGE_kmod-nf-conntrack-netlink=y CONFIG_PACKAGE_kmod-nf-ipt=y CONFIG_PACKAGE_kmod-nf-ipt6=y CONFIG_PACKAGE_kmod-nft-compat=y CONFIG_PACKAGE_kmod-nls-cp1250=y CONFIG_PACKAGE_kmod-nls-cp437=y CONFIG_PACKAGE_kmod-nls-cp850=y CONFIG_PACKAGE_kmod-nls-iso8859-1=y CONFIG_PACKAGE_kmod-nls-iso8859-15=y CONFIG_PACKAGE_kmod-nls-ucs2-utils=y CONFIG_PACKAGE_kmod-nls-utf8=y CONFIG_PACKAGE_kmod-oid-registry=y CONFIG_PACKAGE_kmod-pptp=y CONFIG_PACKAGE_kmod-sched-bpf=y CONFIG_PACKAGE_kmod-sched-cake=y CONFIG_PACKAGE_kmod-sched-core=y CONFIG_PACKAGE_kmod-sit=y CONFIG_PACKAGE_kmod-tun=y CONFIG_PACKAGE_kmod-udptunnel4=y CONFIG_PACKAGE_kmod-udptunnel6=y CONFIG_PACKAGE_kmod-usb-storage=y CONFIG_PACKAGE_kmod-vxlan=y CONFIG_PACKAGE_kmod-wireguard=y CONFIG_PACKAGE_ksmbd-server=y CONFIG_PACKAGE_libatomic=y CONFIG_PACKAGE_libblkid=y CONFIG_PACKAGE_libbpf=y CONFIG_PACKAGE_libcap-ng=y CONFIG_PACKAGE_libcares=y CONFIG_PACKAGE_libcurl=y CONFIG_PACKAGE_libelf=y CONFIG_PACKAGE_libev=y CONFIG_PACKAGE_libgmp=y CONFIG_PACKAGE_libipset=y CONFIG_PACKAGE_libiptext=y CONFIG_PACKAGE_libiptext-nft=y CONFIG_PACKAGE_libiptext6=y CONFIG_PACKAGE_libltdl=y CONFIG_PACKAGE_liblua=y CONFIG_PACKAGE_liblucihttp=y CONFIG_PACKAGE_liblucihttp-lua=y CONFIG_PACKAGE_liblucihttp-ucode=y CONFIG_PACKAGE_liblz4=y CONFIG_PACKAGE_liblzo=y # CONFIG_PACKAGE_libmbedtls is not set CONFIG_PACKAGE_libncurses=y CONFIG_PACKAGE_libnetfilter-conntrack=y CONFIG_PACKAGE_libnettle=y CONFIG_PACKAGE_libnfnetlink=y CONFIG_PACKAGE_libnghttp2=y CONFIG_PACKAGE_libnl-core=y CONFIG_PACKAGE_libnl-genl=y CONFIG_PACKAGE_libopenssl=y CONFIG_PACKAGE_libopenssl-conf=y CONFIG_PACKAGE_libopenssl-legacy=y CONFIG_PACKAGE_liboping=y CONFIG_PACKAGE_libowipcalc=y CONFIG_PACKAGE_libpcap=y CONFIG_PACKAGE_libpcre2=y CONFIG_PACKAGE_libreadline=y CONFIG_PACKAGE_librrd1=y CONFIG_PACKAGE_librt=y CONFIG_PACKAGE_libubus-lua=y # CONFIG_PACKAGE_libustream-mbedtls is not set CONFIG_PACKAGE_libustream-openssl=y CONFIG_PACKAGE_libuuid=y CONFIG_PACKAGE_libxtables=y CONFIG_PACKAGE_lua=y CONFIG_PACKAGE_luci=y CONFIG_PACKAGE_luci-app-adblock=y CONFIG_PACKAGE_luci-app-attendedsysupgrade=y CONFIG_PACKAGE_luci-app-banip=y CONFIG_PACKAGE_luci-app-bcp38=y CONFIG_PACKAGE_luci-app-commands=y CONFIG_PACKAGE_luci-app-ddns=y CONFIG_PACKAGE_luci-app-firewall=y CONFIG_PACKAGE_luci-app-https-dns-proxy=y CONFIG_PACKAGE_luci-app-ksmbd=y CONFIG_PACKAGE_luci-app-openvpn=y CONFIG_PACKAGE_luci-app-package-manager=y CONFIG_PACKAGE_luci-app-pbr=y CONFIG_PACKAGE_luci-app-smartdns=y CONFIG_PACKAGE_luci-app-sqm=y CONFIG_PACKAGE_luci-app-statistics=y CONFIG_PACKAGE_luci-app-uhttpd=y CONFIG_PACKAGE_luci-app-upnp=y CONFIG_PACKAGE_luci-app-wol=y CONFIG_PACKAGE_luci-base=y CONFIG_PACKAGE_luci-compat=y CONFIG_PACKAGE_luci-lib-base=y CONFIG_PACKAGE_luci-lib-ip=y CONFIG_PACKAGE_luci-lib-jsonc=y CONFIG_PACKAGE_luci-lib-nixio=y CONFIG_PACKAGE_luci-lib-uqr=y CONFIG_PACKAGE_luci-light=y CONFIG_PACKAGE_luci-lua-runtime=y CONFIG_PACKAGE_luci-mod-admin-full=y CONFIG_PACKAGE_luci-mod-network=y CONFIG_PACKAGE_luci-mod-status=y CONFIG_PACKAGE_luci-mod-system=y CONFIG_PACKAGE_luci-proto-ipv6=y CONFIG_PACKAGE_luci-proto-ppp=y CONFIG_PACKAGE_luci-proto-unet=y CONFIG_PACKAGE_luci-proto-vxlan=y CONFIG_PACKAGE_luci-proto-wireguard=y CONFIG_PACKAGE_luci-ssl-openssl=y CONFIG_PACKAGE_luci-theme-bootstrap=y CONFIG_PACKAGE_luci-theme-openwrt-2020=y CONFIG_PACKAGE_miniupnpd-nftables=y CONFIG_PACKAGE_mtr-nojson=y CONFIG_PACKAGE_nano-full=y CONFIG_PACKAGE_openssh-sftp-server=y CONFIG_PACKAGE_openssl-util=y CONFIG_PACKAGE_openvpn-openssl=y CONFIG_PACKAGE_owipcalc=y CONFIG_PACKAGE_patch=y CONFIG_PACKAGE_pbr=y CONFIG_PACKAGE_ppp-mod-pptp=y CONFIG_PACKAGE_resolveip=y CONFIG_PACKAGE_rpcd=y CONFIG_PACKAGE_rpcd-mod-file=y CONFIG_PACKAGE_rpcd-mod-iwinfo=y CONFIG_PACKAGE_rpcd-mod-luci=y CONFIG_PACKAGE_rpcd-mod-rpcsys=y CONFIG_PACKAGE_rpcd-mod-rrdns=y CONFIG_PACKAGE_rpcd-mod-ucode=y CONFIG_PACKAGE_rrdtool1=y CONFIG_PACKAGE_smartdns=y CONFIG_PACKAGE_sqm-scripts=y CONFIG_PACKAGE_tc-tiny=y CONFIG_PACKAGE_tcpdump-mini=y CONFIG_PACKAGE_terminfo=y CONFIG_PACKAGE_tree=y CONFIG_PACKAGE_ucode-mod-html=y CONFIG_PACKAGE_ucode-mod-lua=y CONFIG_PACKAGE_ucode-mod-math=y CONFIG_PACKAGE_uhttpd=y CONFIG_PACKAGE_uhttpd-mod-ubus=y CONFIG_PACKAGE_unet-cli=y CONFIG_PACKAGE_unetd=y CONFIG_PACKAGE_vxlan=y CONFIG_PACKAGE_wg-installer-client=y CONFIG_PACKAGE_wget-ssl=y CONFIG_PACKAGE_wireguard-companion=y CONFIG_PACKAGE_wireguard-tools=y CONFIG_PACKAGE_wireguard-watchdog=y # CONFIG_PACKAGE_wpad-basic-mbedtls is not set CONFIG_PACKAGE_wpad-openssl=y CONFIG_PACKAGE_wsdd2=y CONFIG_PACKAGE_xtables-nft=y CONFIG_PACKAGE_zlib=y CONFIG_PCRE2_JIT_ENABLED=y CONFIG_PREINITOPT=y CONFIG_TARGET_PREINIT_TIMEOUT=5 egc@egc-VirtualBox:/linuxdata/openwrt$ ``` ### Terms - [x] I am reporting an issue for OpenWrt, not an unsupported fork.