New OpenWRT install, can't connect from wifi to wired PC

Hi All,

I'm new to OpenWRT so pretty vanilla config. The device is an Archer AX23, and I'm running the latest OpenWRT version.

I have the router setup with DHCP, and I have a wired and wireless device each with a valid address (192.168.2.100 wired, 192.168.2.219 wireless -- samsung Phone if it matters).

Both devices can access the internet just fine, and the PC can ping the phone, but the phone cannot ping nor access anything on the PC. I connected another windows PC on the same wifi, same symptoms -- it can access the internet, but cannot access the wired PC (I'm just trying to access a service running on port 8100).

The two wifi devices can ping each other, so I thought maybe AP/client isolation, so I confirmed that is turned off. I have interfaces for lan/wan/wan6 (I assume that's default) and far as I can tell the wireless radios are in the lan group, so should be bridged? (new to this stuff, so I think it's bridged, but not sure how to confirm that).

I've setup a wireless network on both radios (2.4 and 5ghz), both have the same symptoms.

Any ideas? Where do I start to figure this one out? Any sort of logging I can activate to see what's going on?

Any help is appreciated. I'm sure I missed something stupid, but I can't think of anything.

Thx

Generally speaking, this is not a function of the router itself unless you have setup multiple subnets. It may be your windows firewall -- check that (disable it as a test).

But if that doesn't solve the problem, do you have any other devices on your network that you can try? Ideally a linux or mac device, even a rapsberry pi. Even better if the device has wifi and ethernet connectivity (a USB-ethernet dongle is fine).

Let's see the complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for helping me with this.

I've pasted those all below. I do happen to have a Rpi (I think v3, it's wired and wireless).

Windows firewall is disabled on the PC, and just prior to putting in this router (it replaces another Archer that doesn't support OpenWRT, which is why I replaced it -- the ultimate goal is to add OpenVPN support for when I'm traveling), all was working fine -- same SSIDs and passwords, same devices on the LAN and WLAN, able to connect to the service on the desktop PC no problem. I only have 4 ethernet devices so they're all plugged into the 4 ports on the Archer, and then the 5th (WAN) port goes to my cable modem which is bridged, in case that makes any difference.

The only thing that's changed in the setup that was working is the new router -- everything else far as I can tell is identical.

Here's the setup -- for reference the devices with static leases are the Desktop PC (Wired, trying to connect TO), my phone (Wireless, one client), my laptop (wireless, another client) and the RPi (wired and wireless).

Let me know what else I can provide/try.

Thx again -- really appreciate any insight.
`

``
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer AX23 v1",
        "board_name": "tplink,archer-ax23-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix <snipped>
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<snip>'
        option encryption 'sae-mixed'
        option key '<snip>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'wan'
        option mode 'ap'
        option ssid '<snip>'
        option encryption 'sae-mixed'
        option key '<snip>'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<snip>'
        option encryption 'sae-mixed'
        option key '<snip>'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '<snip>'
        option encryption 'sae-mixed'
        option key '<snip>'
        option network 'lan'
        option ieee80211w '0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option ip '192.168.2.100'
        list mac '<snip>'
        list tag '<my desktop PC>'

config host
        option ip '192.168.2.108'
        list mac '<snip>'
        list tag '<My Rpi>'

config host
        option ip '192.168.2.101'
        list mac '<snip>'
        list tag '<my laptop>'

config host
        option ip '192.168.2.102'
        list mac '<snip>'
        list tag '<my phone>'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'ovpn_1194_rule'
        option name 'Allow-OpenVPN-1194'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config include 'ovpn_1194'
        option path '/etc/openvpn/firewall.ovpn_1194'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'


type or paste code here

Remove the bridge line from below:

Avoid using sae-mixed. Use either WPA2 or WPA3, but not mixed mode operation. There are many devices that don't work well with mixed mode.

Aside from that, I don't see anything that would impact local connectivity. Restart and test again after making those changes.

Try all permutations of the connectivity testing between these devices and then make a matrix of what you find.

Thanks for the suggestions. I'll give them a shot and see if that fixes my issue.

Really appreciate the help!

Restarted and seems it's working now. Thanks again for the help.