Can't ping wireless clients on the network!

So I have this openwrt machine with only one lan port that's being "extended" using a spare router that's used in "bridge mode" (no dhcp is running there).

From the OpenWrt router I can ping the LAN clients and the bridge router, but I can't ping the wireless clients connected to that bridge router, either from OpenWrt or from my LAN clients.

In netdata graphs, I can see the clients just fine, as well as in the adguardhome's query logs.

Is this an issue with how the LAN port is set up by default? I haven't changed it, apart from the IP address, and the bridge router also uses the same subnet.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.201",
	"hostname": "OpenWrt",
	"system": "Intel(R) Core(TM)2 Duo CPU     E7500  @ 2.93GHz",
	"model": "Hewlett-Packard HP Compaq dc7900 Convertible Minitower",
	"board_name": "hewlett-packard-hp-compaq-dc7900-convertible-minitower",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.6",
		"revision": "r20265-f85a79bcb4",
		"target": "x86/64",
		"description": "OpenWrt 22.03.6 r20265-f85a79bcb4"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9a:16d1:f5d3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '0'
	option cachesize '1000'
	option rebind_protection '0'
	option port '54'
	list server '10.10.10.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,10.10.10.1'
	list dhcp_option '3,10.10.10.1'
	list dns 'fd9a:16d1:f5d3::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

OpenWrt 22.03 is already EOL and unsupported, so it no longer receives security fixes. Please upgrade to 23.05.

There is nothing in this configuration that would be responsible for the ping issues you're describing.

What is the AP, what firmware is it running, and what is the topology of your network (a diagram would be great).

Also, can you please clarify the ping success/failures. This could be indicated on the diagram showing how the devices are connected and which two devices are involved in each ping test.


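Just noticing this... the input rule for the wan zone should be REJECT on any device that is connected to the internet. The zone's input policy governs traffic addressed to the router itself, so with ACCEPT every service listening on the router (such as SSH) is reachable from the wan side. Please change this immediately for your safety (unless this device's wan is connected to a trusted network and not the internet).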


I was on the latest version, but it has some quirks with the ethernet adapter I'm using, so I downgraded.

The AP is part of a DLINK router, nothing special. There are just two components, OpenWrt and the DLINK router; the LAN client is connected through the DLINK router's LAN ports.

I might be wrong, but I think OpenWrt is already capable of talking to the wireless clients. Is it just the ping requests that are faulty?

Yeah, it's a trusted network. I only did that so that I don't have to be in the OpenWrt subnet to configure the DLINK router.

Please provide concrete illustrations of the pings that are and are not working. It's not entirely clear, and that is important for us to be able to help.

That said, it's almost certainly not an issue with OpenWrt (at least not the x86 device for which we saw the config).


There are multiple subnets? Let's see a diagram. This is pretty important.


I just ping the clients from openwrt itself.

root@OpenWrt:~# ping 10.10.10.206
PING 10.10.10.206 (10.10.10.206): 56 data bytes
64 bytes from 10.10.10.206: seq=0 ttl=64 time=0.557 ms
64 bytes from 10.10.10.206: seq=1 ttl=64 time=0.645 ms
^C
--- 10.10.10.206 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.557/0.601/0.645 ms
root@OpenWrt:~# ping 10.10.10.197
PING 10.10.10.197 (10.10.10.197): 56 data bytes
^C
--- 10.10.10.197 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#

The 1st (10.10.10.206) is a LAN client, the 2nd is wireless.

Have you tried a ping test from 10.10.10.206 to 10.10.10.197? What about the other way?


I'll try to draw something, I'm not that good of a networking guy.

I tried from lan to wireless, but haven't tried from wireless to lan.

You may be dealing with a specific device that doesn't return pings. It would be good to prove or disprove it.

That said, a diagram is going to be essential. You can draw it with a pencil and paper and take a photo with your phone... simple is fine.



I hope this is not missing lots of info!

I'll try to move my lan client to wireless and ping it from openwrt.


My PC as a wireless device is pingable from openwrt. So the other android phones must just be refusing to respond?

Now I can ping the phone as well from openwrt, but not from the other wireless client PC.
Is it possible that the client is refusing pings only from other clients?

I'm not really sure what we're looking at here. I thought 10.10.10.197 was the PC when it was plugged in via ethernet. Is that plugged in or not?

What is the left pane?


197 is a phone, and the left pane is a PC connected through wireless (now). It was wired before; I switched so I can test both scenarios.

I couldn't arp-scan from openwrt using the LAN interface. (some skill issue here)

root@OpenWrt:~# arp-scan --interface=eth1 --localnet --macfile=/etc/arp-scan/mac-vendor.txt --ouifile=/usr/share/arp-scan/ieee-oui.txt
WARNING: Could not obtain IP address for interface eth1. Using 0.0.0.0 for
the source address, which may not be what you want.
Either configure eth1 with an IP address, or manually specify the address
with the --arpspa option.
Interface: eth1, type: EN10MB, MAC: 00:e0:4c:36:5f:3a, IPv4: (none)
ERROR: Could not obtain interface IP address and netmask
ERROR: pcap_lookupnet: eth1: no IPv4 address assigned

Also nmap couldn't list hosts on network.