Devices can't ping each other on wifi, firewall issue?

Hi, I'm trying to figure out why devices on wifi cannot ping each other when connected to the main access point on the router, but can ping each other when connected to a different access point or via a wired connection.

I thought this was a wifi problem, but disabling the firewall allows the devices to communicate. So I'm guessing it's a firewall issue, but I can't spot anything that would block them from communicating... Can someone take a look please? Thanks.

The desired setup is:
An SSID "_MEDIA" connecting to the IoT network on VLAN 13. Devices should be able to communicate within the IoT network (i.e. no client isolation) but not with the router/internet/LAN (unless specifically allowed).
There are other access points/switches trunked in via eth3/4 (VLAN 12 is my regular LAN); those work as expected.

ubus call system board:

{
        "kernel": "5.15.150",
        "hostname": "3965U",
        "system": "Intel(R) Celeron(R) CPU 3965U @ 2.20GHz",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd20:0f96:1a4b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan.12'
        option proto 'static'
        option ipaddr '10.0.12.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth5'
        option proto 'static'
        option ipaddr '10.0.0.10'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'
        list dns '8.8.8.8'
        list dns '9.9.9.9'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3:t'
        list ports 'eth4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '13'
        list ports 'eth3:t'
        list ports 'eth4:t'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.13'
        option ipaddr '10.0.13.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'br-lan.12'
        option type '8021q'
        option ifname 'br-lan'
        option vid '12'
        option ipv6 '0'

config device
        option name 'br-lan.13'
        option type '8021q'
        option ifname 'br-lan'
        option vid '13'
        option ipv6 '0'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option delegate '0'

config device
        option type 'bridge'
        option name 'docker0'
        option ipv6 '0'
        list ports 'veth1de0d5d'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'BE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'iot'
        option mode 'ap'
        option ssid '_MEDIA'
        option encryption 'psk2'
        option disassoc_low_ack '0'
        option key '132456789'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config rule
        option name 'DHCP-IOT'
        option family 'ipv4'
        list proto 'udp'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

thanks!

I can't figure this out. So for now I've butchered /lib/netifd/netifd-wireless.sh to force ap_isolate to '0' (ap_isolate not set in /var/run/hostapd-phy0.conf).

It's ugly and bypasses the whole bridging/firewall logic if I understand correctly, but at least the devices can communicate. (FWIW, hairpin_mode was correctly set to '1'.)
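Added example (not from the original poster and not OpenWrt's own code): a small Python checker that traces each AP SSID in /etc/config/wireless to the interface it is attached to, then to that interface's device in /etc/config/network, and classifies the device as a bridge, a bridge-VLAN alias (br-lan.N backed by a bridge-vlan stanza and no explicit device stanza), or an explicitly defined 8021q device, and pairs that with the wifi-iface isolate option and the ap_isolate value found in the generated hostapd config. The inputs are constructed, shortened copies of the network and wireless files posted in this thread; the hostapd fragment is a stand-in for /var/run/hostapd-phy0.conf, which is not on the page, with ap_isolate=1 as the poster reports. The classification is the checker's own heuristic, an assumption to confirm on the box rather than something this thread establishes.

```python
import re

# Constructed, shortened excerpts of the network and wireless files posted in this thread, plus
# a stand-in for /var/run/hostapd-phy0.conf (not on the page; ap_isolate=1 is what the poster reports).
NETWORK_CFG = """
config device
        option name 'br-lan'
        option type 'bridge'
config bridge-vlan
        option device 'br-lan'
        option vlan '12'
config bridge-vlan
        option device 'br-lan'
        option vlan '13'
config interface 'lan'
        option device 'br-lan.12'
config interface 'iot'
        option device 'br-lan.13'
config device
        option name 'br-lan.13'
        option type '8021q'
"""
WIRELESS_CFG = """
config wifi-iface 'default_radio0'
        option network 'iot'
        option mode 'ap'
        option ssid '_MEDIA'
"""
HOSTAPD_CONF = """
interface=phy0-ap0
ssid=_MEDIA
ap_isolate=1
"""
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")

def parse_uci(text):
    """UCI text -> list of {'type', 'name', 'opts'}; 'list' values collect into Python lists."""
    sections, cur = [], None
    for line in text.splitlines():
        tok = [a or b or c for a, b, c in _TOKEN.findall(line)]
        if not tok or tok[0].startswith('#'):
            continue
        if tok[0] == 'config':
            cur = {'type': tok[1], 'name': tok[2] if len(tok) > 2 else None, 'opts': {}}
            sections.append(cur)
        elif tok[0] == 'option' and cur is not None:
            cur['opts'][tok[1]] = tok[2]
        elif tok[0] == 'list' and cur is not None:
            cur['opts'].setdefault(tok[1], []).append(tok[2])
    return sections

def parse_hostapd(text):
    """hostapd.conf -> {bss ifname: {key: value}}; 'interface=' opens the first BSS, 'bss=' the rest."""
    bss, cur = {}, None
    for key, sep, val in (l.strip().partition('=') for l in text.splitlines()):
        if sep and key in ('interface', 'bss'):
            cur, bss[val] = val, {}
        elif sep and cur is not None and not key.startswith('#'):
            bss[cur][key] = val
    return bss

def classify_device(name, net):
    """Type from an explicit 'config device' stanza; else 'bridge-vlan' if 'br.N' matches a bridge-vlan stanza; else 'other'."""
    for s in net:
        if s['type'] == 'device' and s['opts'].get('name') == name:
            return s['opts'].get('type', 'other')
    m = re.fullmatch(r'(.+)\.(\d+)', name)
    if m and any(s['type'] == 'bridge-vlan' and s['opts'].get('device') == m[1]
                 and s['opts'].get('vlan') == m[2] for s in net):
        return 'bridge-vlan'
    return 'other'

def _names(v):  # UCI "option x 'a b'" and "list x 'a'" both denote a list of names
    return v if isinstance(v, list) else v.split()

def audit_aps(network_cfg, wireless_cfg, hostapd_conf):
    """One row per (SSID, network): the device the AP lands on, whether it is a bridge, and the
    isolation flags from UCI and from the generated hostapd config."""
    net = parse_uci(network_cfg)
    ifaces = {s['name']: s['opts'] for s in net if s['type'] == 'interface'}
    by_ssid = {v.get('ssid'): v for v in parse_hostapd(hostapd_conf).values()}
    rows = []
    for s in parse_uci(wireless_cfg):
        o = s['opts']
        if s['type'] != 'wifi-iface' or o.get('mode') != 'ap':
            continue
        for network in _names(o.get('network', [])):
            dev = ifaces.get(network, {}).get('device')
            kind = classify_device(dev, net) if dev else 'missing'
            rows.append({'ssid': o.get('ssid'), 'network': network, 'device': dev,
                         'device_kind': kind, 'bridged': kind in ('bridge', 'bridge-vlan'),
                         'uci_isolate': o.get('isolate', '0'),
                         'ap_isolate': by_ssid.get(o.get('ssid'), {}).get('ap_isolate', '0')})
    return rows

if __name__ == '__main__':
    for r in audit_aps(NETWORK_CFG, WIRELESS_CFG, HOSTAPD_CONF):
        print(('OK   ' if r['bridged'] and r['ap_isolate'] == '0' else 'CHECK'), r)
```

On a real router, feed it the actual /etc/config/network, /etc/config/wireless and /var/run/hostapd-phy0.conf, and compare the "bridged" column against what `brctl show` (or `bridge link show`, if ip-bridge is installed) reports for the phy0-ap0 interface; a row marked CHECK is one where client-to-client traffic cannot be switched inside the bridge and therefore depends on mac80211 forwarding (ap_isolate=0) or on the router forwarding it between interfaces, which is where the iot zone's forward policy applies.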

Let’s see a topology diagram that shows where things can connect and where they cannot. Be sure to label the brand/model of each device, the address in the network, the ports being used, and the firmware on each device.


AP4:

{
        "kernel": "5.15.150",
        "hostname": "AP4",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AC85P",
        "board_name": "asus,rt-ac85p",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

AP3:

{
        "kernel": "5.15.150",
        "hostname": "AP3",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "ZyXEL NBG6716",
        "board_name": "zyxel,nbg6716",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/nand",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

Both the TV and Android/BubbleUPnP can communicate with the minidlna instances on the router and AP4. The router and AP4 can ping any device connected via "_MEDIA". Connectivity from the speaker is a bit harder to test, but its web interface is accessible from the testing laptop.

Thanks for looking into this.