Devices connected to Wi-Fi via Dumb Access Point can't ping each other

I have a primary router downstairs, and an access point upstairs. The access point is connected with a network cable to the primary router. Both devices run OpenWrt 22.03.5 and the access point has been configured following the wiki article here.

Devices that are connected to Wi-Fi via the access point cannot communicate with each other but can access the internet. I do not have Client Isolation enabled. These same devices can however communicate with any device connected to Wi-Fi via the downstairs primary router.

I'm not sure what is going on. I've configured everything using LuCI, but can provide configuration file contents if you tell me which files I need to provide.

Thanks in advance for any help.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

# Print the four UCI files covering this device's network, Wi-Fi, DHCP/DNS and firewall setup.
# /etc/config/wireless stores the Wi-Fi passphrase in plain text ('option key'); redact it before posting.
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks @frollic I've pasted these below.

/etc/config/network

# UCI network configuration as posted from the access point (not the primary router).
# Only the 'loopback' and 'lan' interfaces appear in this listing; no 'wan' or 'wan6' interface is defined.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        # Value redacted by the poster before publishing.
        option ula_prefix 'REDACTED'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        # The four wired ports are the only bridge members listed in this file; the Wi-Fi
        # interface is attached through "option network 'lan'" in /etc/config/wireless.
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # Static address of this AP inside the 10.19.90.0/24 LAN.
        option ipaddr '10.19.90.10'
        option delegate '0'
        # Gateway and DNS both point at 10.19.90.1.
        # NOTE(review): presumably the primary router; confirm against its config.
        option gateway '10.19.90.1'
        list dns '10.19.90.1'

/etc/config/wireless

# UCI wireless configuration as posted from the access point.
# Two radios are defined (2.4 GHz 'radio0', 5 GHz 'radio1'); only 'radio1' carries a wifi-iface in this listing.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option country 'GB'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'GB'
        option channel 'auto'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'PPN-Main'
        # 'psk2' selects WPA2-Personal (pre-shared key).
        option encryption 'psk2'
        # The passphrase is kept in this file in plain text; redacted by the poster.
        option key 'REDACTED'
        # Attaches this SSID to the 'lan' interface, which uses the br-lan bridge.
        option network 'lan'
        # No 'option isolate' line is present, which matches the poster's statement
        # that client isolation is not enabled.

/etc/config/dhcp

# UCI dnsmasq/odhcpd configuration as posted from the access point.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS-rebinding protection is switched on here.
        # NOTE(review): with 'option port' set to '0' below, dnsmasq's DNS service is off,
        # so this presumably has no effect on this device; confirm.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # Port 0 turns off dnsmasq's DNS function on this device.
        option port '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # 'ignore 1' means no DHCP is served on 'lan' from this device, so the
        # start/limit/leasetime values above are not in use.
        # NOTE(review): clients presumably get their leases from the primary router; confirm.
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall

# UCI firewall configuration as posted from the access point.
# Every 'config rule' below has src 'wan', and the 'wan' zone binds the networks 'wan' and 'wan6'.
# NOTE(review): neither network is defined in the /etc/config/network listing posted in this
# thread, so these wan rules presumably match no traffic on this AP; confirm.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Forwarding is rejected by default unless a zone or a 'config forwarding' section allows it.
        option forward 'REJECT'
        option synflood_protect '1'

# The 'lan' zone accepts input, output and forwarding.
# NOTE(review): frames between two clients on the same bridge are switched at layer 2 and
# are normally not evaluated against these zone policies; confirm before suspecting the firewall.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# The 'wan' zone rejects input and forwarding and masquerades outgoing traffic.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Allows traffic from the 'lan' zone to be forwarded to the 'wan' zone.
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# No 'dest' option, so this accepts IPv4 echo-requests from the wan zone addressed to the device itself.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Restricted to link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the device itself, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# dest '*' makes this a forward rule towards any zone, with the same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwards ESP from the wan zone to hosts in the lan zone.
# NOTE(review): only useful if an IPsec endpoint sits behind this device; confirm whether to keep it.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forwards UDP port 500 (IKE) from the wan zone to hosts in the lan zone.
# NOTE(review): same consideration as the ESP rule above it in this file; confirm whether to keep it.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Is this from the AP or the router?

This is from the access point. Haven't included the router config. I can do if required.

Please run the following on AP and post the result:

# Show the hairpin_mode flag (0 or 1) of every port of every br* bridge; -v prints each file name as a header.
head -v /sys/devices/virtual/net/br*/lower*/brport/hairpin_mode

Here you go:

==> /sys/devices/virtual/net/br-lan/lower_lan1/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan2/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan3/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan4/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_wlan1/brport/hairpin_mode <==
1

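Looks fine: hairpin mode is off on the wired ports and on for wlan1, which lets the bridge send a frame back out of the wireless port it arrived on. Sorry, no other ideas...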


All your config on the AP looks ok to me.
I additionally disabled the dnsmasq, odhcpd and firewall services.

Thanks for looking @pavelgl and @F4FXL.

Yeah I have those services disabled.


if you reset the settings and run it double-NATed for a while, can the clients on the "ex-AP" communicate with each other?

just make sure the LAN subnets of the two openwrt devices don't overlap.

I'm not all that deep with networking I'm afraid @frollic, so not quite sure I understand what you mean by double NAT in this context? I can reset the AP though, I was thinking it might be worth doing that but wanted to hold off in case it was an easy mistake I'd made somewhere, but seems like it's potentially a bit more complex.

resetting it would only be to check if it's a config error, or a sw error.

double NAT (the reset device doing its own NAT behind the primary router's NAT) makes things slower, but it's the default mode for a router, so we've got no choice.

you can always export your config before you perform the reset.


So, I reset the access point, performed the steps in the Dumb Access Point article again, then added my Wi-Fi network back, and it's all working now. So not sure what the issue was, but I presume I must have misconfigured something when I initially set things up in the summer and it's just taken me this long to realise. :man_facepalming:

I backed up the access point before I reset it to compare it to the configuration I have now. There's a fair few differences, but nothing that stands out as fundamentally different to how I had it configured before.

I would have liked to have posted a solution with a little more on what actually happened, but "reset your access point" isn't that bad an option, and has worked in this case!

