Help troubleshoot WiFi/VLAN issue

I have a weird issue I can't figure out, and I'm sure it's something trivial, but I'm at the end of my ability to troubleshoot.

I have a WRX36 as my main router, managing 2 lans (vlan 1=lan, vlan101=iot and vlan102=camera). I have an additional 2 routers set as dumb access points, passing the vlans to the main router.

The main lan can reach devices on iot and camera, iot (vlan101) devices cannot access devices on the main network but have full internet access, camera devices (vlan102) cannot access main lan nor internet. It all works as expected in most cases.

When I connect a camera via wifi to the WRX36 on an SSID called Escam (2.4GHz), on vlan102, though, devices on the main lan cannot communicate with it. The weird thing is that the router itself can ping the camera, and if I use Wireguard to connect to the router (from outside my lan), I can use the camera just fine.

It's only when a device is connected to one of the SSIDs on the main lan that I cannot connect.

For what it's worth, the camera has a static DHCP lease (but it doesn't seem to make a difference), at 192.168.20.161.

Here are my config files, hoping someone can see what's wrong:

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '(removed)'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan4:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'iot'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'camera'
	option device 'br-lan.102'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '(removed)'
	option listen_port '51820'
	list addresses '192.168.99.1/24'

config wireguard_vpn 'wgclient'
	option public_key '(removed)'
	option preshared_key '(removed)'
	list allowed_ips '192.168.99.2/32'
	option route_allowed_ips '1'
	option private_key '(removed)'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option band '5g'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'
	option channel '112'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID51'
	option encryption 'sae-mixed'
	option key '(removed)'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel 'auto'
	option band '2g'
	option htmode 'HE20'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID24'
	option encryption 'sae-mixed'
	option key '(removed)'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SSID52'
	option encryption 'sae-mixed'
	option key '(removed)'
	option network 'iot'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SSID53'
	option encryption 'sae-mixed'
	option key '(removed)'
	option network 'camera'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Escam'
	option encryption 'sae-mixed'
	option key '(removed)'
	option network 'camera'

firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'camera'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-mDNS'
	list proto 'udp'
	option src 'iot'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Camera_DHCP'
	list proto 'udp'
	option src 'camera'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Camera_DNS'
	option src 'camera'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'camera'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option serversfile '/var/run/adblock-fast/dnsmasq.servers'
	option logfacility '/tmp/log/dnsmasq.log'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'iot'
	option interface 'iot'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'camera'
	option interface 'camera'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Besder_WiFi'
	list mac '(removed)'
	option ip '192.168.20.161'
	option leasetime '12h'

Can you clarify this... when you say "when a device is connected..." do you mean any device or a specific device?

I do see that you're using sae-mixed for your encryption mode... I would highly recommend using either WPA2 or WPA3, and avoiding mixed mode. WPA2/WPA3 mixed mode causes problems with some client devices, and it's best to not use it at all.


Sorry, I meant to say "any device": Windows laptop, Android phone, etc. I can reach that camera only from the router (or via the Wireguard tunnel, using those same devices connected to a public network).

EDIT: I changed the encryption mode to psk2, thanks for the suggestion, but it doesn't make any difference with respect to the original problem.

Can you draw a system topology diagram?

One thing I'd like to know -- if this is physically possible...

  • If you unplug both dumb APs (from power, so they aren't active at all) and connect your camera to the main router via either ethernet port lan4 or the Escam SSID, and then connect your computer or phone to the lan (via port lan1 or the SSID51 network), are you able to reach the camera?

I'll find a way to draw a diagram, but in your scenario (camera connected to Escam wirelessly and PC connected to SSID51, with nothing else connected; I disconnected the APs from port 4 of the WRX36), I can ping the camera from the router, but cannot ping it from the Windows client or an Android client.

Actually, while testing I discovered that the Android and Windows clients connected to SSID51 cannot ping each other, but the router can. Both devices can ping the router, though.

Interesting.

I am going to guess that Windows is treating this network as an untrusted/public network. Check the Windows firewall -- it may be blocking the connections.

If you connect either the phone or the laptop to the camera network, are you able to ping the camera successfully?

You can do this with a photo of a sketch on paper... just upload the image to the forum directly (there's an 'upload' button in the toolbar at the top of the text entry box).

Yes. I can ping the camera from the router, from Wireguard, or from any device on the Escam network. I cannot ping it when the PC or Android phone is connected to a wireless SSID on "lan" or even from a PC connected via ethernet to the WRX36.

Even weirder: I can ping the Android phone while on Escam from the PC on SSID51. So it looks as if there's something super-weird with that camera, where it responds to a ping from the router or from the same vlan, but not from across vlans. And it's not just ping, the camera has a web UI that I can access only when using Wireguard or the browser and camera are on the same SSID/network.

Is it possible that the camera is using additional protocols not routed across networks? mDNS is enabled (for another set of devices on iot; I tried adding camera as well, but it makes no difference).

I removed all other APs, so at this point the topology is a single WRX36 router with various SSIDs and vlans.

And, yes, the Windows/Android devices not pinging each other was just a random problem; not sure what caused it, but it's gone now.

This had occurred to me as a possible limitation of the camera -- some devices do not respond to, or do not know how to respond to requests from different networks. However, the reason why this doesn't seem to fully describe the situation is that the Wireguard VPN connection works, and this is necessarily a different network than the camera VLAN.

And what is even more puzzling is that the lan and wireguard networks are both in the same firewall zone (lan) which means they are subject to the same firewall rules -- I'm at a bit of a loss as to why the wireguard network is fine but the lan is not.

You could try changing the lan subnet to see if that resolves the issue... Maybe 192.168.5.1 for the lan address (make sure you force-renew dhcp leases to get onto the new network)... Again, not sure that this would be a solution unless maybe the camera has a firewall and is blocking 192.168.1.0/24, but could be worth trying.
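To check the reasoning above (lan and vpn sit in one zone, lan->camera is explicitly forwarded, camera->lan and camera->wan are not), here is an added example, not from this thread or from OpenWrt itself: a minimal UCI parser and a forward-policy check run over the relevant subset of the firewall config posted earlier. It assumes a zone's own `forward` policy defaults to REJECT when unset, and that replies to an allowed connection return through conntrack, so only the initiating direction matters.

```python
# Added example (not from the thread): minimal UCI parser plus a forward-policy
# check over the relevant zones/forwardings of the posted firewall config.
FIREWALL_CFG = """
config zone 'lan'
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'camera'
	list network 'camera'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'camera'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (section_type, {key: value or [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2].strip("'")
        elif parts and parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def zone_of(sections, network):
    """Name of the zone whose 'network' list contains this interface (None if unzoned)."""
    for typ, sec in sections:
        if typ == "zone" and network in sec.get("network", []):
            return sec["name"]
    return None

def forward_allowed(sections, src_net, dst_net):
    """True if a NEW connection from src_net may be forwarded to dst_net.
    Replies return through conntrack, so only the initiating direction matters."""
    src, dst = zone_of(sections, src_net), zone_of(sections, dst_net)
    if src == dst:  # same zone: the zone's own 'forward' policy (assumed REJECT if unset)
        zone = next(s for t, s in sections if t == "zone" and s["name"] == src)
        return zone.get("forward", "REJECT") == "ACCEPT"
    return any(t == "forwarding" and s["src"] == src and s["dest"] == dst
               for t, s in sections)
```

Running `forward_allowed(parse_uci(FIREWALL_CFG), "lan", "camera")` and `("vpn", "camera")` both come back allowed while `("camera", "lan")` does not, which is why the firewall alone cannot explain lan and Wireguard behaving differently.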

I'm marking your reply as "solution", even if I'm still puzzled. I'll try to do some more tests when I have time, but for now I'll use Wireguard or connect on the same SSID.

If I have time I might want to use Wireshark and see if there's some weirdness when connecting to the camera from different networks. Appreciate your time!

Does this mean it is actually solved, or just 'stuff to look at' when you get some time?

Well, it means it clearly is not an OpenWRT issue, my router seems to be configured properly and the issue is due to the non-standard camera behavior. So I'm not sure that the OpenWRT forum can help with the next steps. Also, this is not the highest priority for me now, so I'll put it on the back burner for now.
If/when I have time to figure this out, I'll post a follow-up if I find anything of interest for the community here.

After a lot more tests, it turns out it's a problem with the camera settings. These cameras can use a (super-unsafe) cloud service by punching a hole in the NAT. Since I have the cameras on a vlan with no internet access, I assumed that turning off the service in the camera UI makes no difference. Well, for some reason, when the camera is connected via ethernet cable, it works just fine with the cloud service disabled. On wifi, if the cloud service is disabled, after a while it stops responding to network access.

If I re-enable the cloud service, even if that is prevented from reaching the servers, the camera still works.

Anyway, as I suspected (and thanks to @psherman for the troubleshooting help), nothing to do with OpenWRT which works well for everything. I even managed to enable NTP for those cameras using the built-in OpenWRT NTP server and a firewall rule for port 123/UDP.
