No reply to ping from attached devices

Hello team, struggling to understand why I cannot reach some IP addresses from my PC.
Here is a schematic of my setup.

Main router is my ASUS running 24.10.5 (192.168.10.1), connected via LAN to my PC (192.168.10.100), other devices like a dumb AP (192.168.10.5) and a TPlink router with proprietary firmware (192.168.10.2).

From my PC I can ping the ASUS, the AP, any host on Internet but cannot ping the TP-link.
From TP-link I can ping any host on Internet, the ASUS but cannot ping my PC and the AP.
From ASUS, I can ping AP, any host on Internet but not my PC (very strange) and not the TP-link, although the ARP table shows the corresponding MAC addresses.

Tried all I could with no joy. The aim is to reach the TP-link from the PC at 192.168.10.2.
Firewall does not show any message in the log of ASUS.
Any idea or suggestion what to look for next?

This is the network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:9f6a:ecc7::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option bridge_empty '1'
        option priority '1000'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option defaultroute '0'
        option delegate '0'
        option force_link '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'phy0-ap0'

config device
        option name 'phy1-ap0'

config device
        option name 'wan'
        option ipv6 '0'
        option macaddr '50:EB:F6:83:1C:A7'

(...)
config device
        option type '8021q'
        option ifname 'wan'
        option vid '10'
        option name 'wan.10'
        option ipv6 '0'
        option macaddr '50:EB:F6:83:1C:A6'

config interface 'Internet'
        option proto 'dhcp'
        option device 'wan.10'
        option hostname 'Internet'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option delegate '0'

config interface 'Gestione'
        option proto 'dhcp'
        option device 'wan'
        option hostname 'Gestione'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-VoIP'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'lan3.20'
        list ports 'wan.20'

config device
        option type '8021q'
        option ifname 'lan3'
        option vid '20'
        option name 'lan3.20'
        option ipv6 '0'
        option isolate '1'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '20'
        option name 'wan.20'
        option ipv6 '0'

config interface 'VoiPtunnel'
        option proto 'none'
        option device 'br-VoIP'
        option defaultroute '0'
        option delegate '0'

config route
        option interface 'lan'
        option target '192.168.11.0/24'
        option gateway '192.168.10.2'

This is the firewall config:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        option mtu_fix '1'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'Gestione'
        list network 'Internet'

config forwarding
        option src 'lan'
        option dest 'wan'

(...)
config rule  <<<<< this was an attempt to solve the problem, but no joy
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config zone  <<< This is to forward voice traffic
        option name 'VoIP'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option family 'ipv4'
        list network 'VoiPtunnel'

config forwarding
        option src 'lan'
        option dest 'VoIP'

Any further info, just let me know.
Thanks for any idea / suggestion.

This is expected behavior since the TP-Link device is connected via its wan port. The firewall (and possibly NAT) will prevent access to the TP-Link router itself and the devices behind it.

This may depend on the configuration of the TP-Link device and/or the PC (and maybe also the AP).

The TP-Link issue, as I said earlier, is expected.

The PC is not, but that might be a function of the local PC configuration (i.e. the host level firewall).

Your configuration has many errors as well.

Let's start simple... what is the purpose of the TP-Link device? And what firmware is it running?


TPlink is the box implementing voice (a single POTS line). It's running proprietary firmware by my ISP. Voice is using VLAN 20 on TPlink, so I used the same VLAN on LAN3 and WAN of the ASUS (in a bridge named br-VoIP) -- it works :slight_smile:
TPlink has no other function, though I configured its DHCP in case I need to connect my PC directly. Its LAN subnet is 192.168.11.0/24. TPlink reaches ASUS via ipoe_0_0_d (no VLAN, see figure below) and, from there, Internet -- this is used mainly for NTP access.
Firewall on TPlink is disabled, and no NAT is configured on the WAN interface.


I know for sure the TPlink cannot be reached on its LAN from an IP outside its LAN network (this is a security rule implemented in the special firmware), but you might be right.. even ping to the WAN interface may be blocked somehow, though not visible in the config.
Eventually I will reach the TPlink connecting the PC to its LAN or WiFi.

The dumb AP is OpenWRT 24.10.5 as well, and 192.168.10.5 is the IP address of its LAN.
I cannot ping my PC from that AP either, so I will look into the Windows firewall.

I'd be more than happy to work on my config if you would be so kind as to point out the errors.

Access from the wan is almost always prohibited in essentially every router firmware. Some routers allow you to enable such access, others do not. But I have never seen a single device that, by default, allows access on the wan because that would be a massive security vulnerability.

There are many major issues -- starting with the entire VLAN configuration which is entirely invalid.

You should consider resetting to defaults and then building from a clean slate. We can help you do that if you provide a description of your goals.


So the OP is aware, ping is allowed [to the WAN interface] by default on WAN in OpenWrt firewalls. They would have been able to ping 192.168.10.2.

I was gonna suggest just fixing the firewall, until I noticed the network config has a lot of fixes to be made as well.
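The point made above (ping to the WAN interface is accepted by the stock OpenWrt firewall) and the OP's own "Allow-Ping" attempt differ in one detail that is easy to miss. As an added example, not the thread author's or OpenWrt's code, the script below parses a UCI firewall config the way fw4 reads it and reports, per zone, whether an ICMP echo-request addressed to the router itself is accepted. It embeds an abbreviated copy of the firewall config posted earlier in this thread plus a constructed copy of the stock OpenWrt `Allow-Ping` rule. The one assumption it relies on is fw4's documented rule semantics: a rule without `dest` applies to traffic destined for the router (input), while a rule with `dest` set (including `'*'`) applies only to forwarded traffic.

```python
"""Report whether ICMP echo-request to the router itself is accepted per zone.

Added example for this thread, not OpenWrt's own tooling.  Assumes fw4
semantics: a 'rule' section without 'dest' is an input rule, with 'dest' a
forward rule; zone 'input' policy falls back to the 'defaults' section.
"""
import shlex

# Abbreviated copy of the firewall config posted in the thread.
FIREWALL_UCI = """
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Gestione'
        list network 'Internet'

config rule
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'
"""

# Constructed copy of the stock OpenWrt Allow-Ping rule (no 'dest' option).
STOCK_ALLOW_PING = """
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options).

    'option' values are strings, 'list' values are lists of strings.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)          # handles the quoted values
        keyword = parts[0]
        if keyword == 'config':
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif keyword == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif keyword == 'list' and sections:
            value = parts[2] if len(parts) > 2 else ''
            sections[-1][2].setdefault(parts[1], []).append(value)
    return sections


def ping_to_router_allowed(sections, zone_name):
    """True if an echo-request arriving from zone_name and addressed to the
    router is accepted, either by the zone's input policy or by a rule."""
    defaults = next((o for t, _, o in sections if t == 'defaults'), {})
    zone = next((o for t, _, o in sections
                 if t == 'zone' and o.get('name') == zone_name), None)
    if zone is None:
        return False
    if zone.get('input', defaults.get('input', 'REJECT')) == 'ACCEPT':
        return True
    for sec_type, _, opts in sections:
        if sec_type != 'rule' or opts.get('enabled', '1') == '0':
            continue
        if 'dest' in opts:                 # forward rule, never input
            continue
        if opts.get('src') not in (zone_name, '*'):
            continue
        if opts.get('proto', 'tcpudp') != 'icmp':
            continue
        types = opts.get('icmp_type', [])
        if isinstance(types, str):         # 'option icmp_type' vs 'list'
            types = [types]
        if types and 'echo-request' not in types:
            continue
        if opts.get('target') == 'ACCEPT':
            return True
    return False


def report(text):
    """Map every zone name in the config to whether ping to the router works."""
    sections = parse_uci(text)
    zones = [o['name'] for t, _, o in sections if t == 'zone' and 'name' in o]
    return {z: ping_to_router_allowed(sections, z) for z in zones}


if __name__ == '__main__':
    print("posted config:      ", report(FIREWALL_UCI))
    print("plus stock rule:    ", report(FIREWALL_UCI + STOCK_ALLOW_PING))
```

Run against the posted config, the `wan` zone comes out as not accepting echo-request: the `Allow-Ping` rule there carries `option dest '*'`, so fw4 places it in the forward chain and it never affects traffic aimed at the router itself. Appending the stock rule (same match, no `dest`) flips `wan` to accepted, which is the default behaviour the reply above describes.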

Good clarification. I was referring to administrative UI access (web, ssh, etc.).

Yeah, too many fixes, IMO, to be practical. Easiest to start over.


I found the way to enable ping on the WAN interface of the TPlink, so now it works either from ASUS or from PC. So at least I know it is up & running :slight_smile: Thanks!
EDIT:

https access to the WAN can be enabled as well, specifying source address -- did some testing, just to prove routing is OK, but I will leave it disabled.
So the TPlink will only be managed via local ethernet connection of my PC.

EDIT: TPlink firewall has been re-enabled of course.

As for my Windows PC: onboard firewall is the culprit -- disabling it for a second makes the ping from ASUS to PC work ok, so again you did hit the point!

DSA is not my favorite playground indeed, so I configured it "the Cisco way" :frowning:
But the offer is very kind, so tomorrow I should be able to better specify my goals and see what a correct config will be (VLAN filtering for a bridged LAN is something I could not figure out given my goals.. but never too late to learn OpenWRT!! :slight_smile: )

Good night and thanks again!

Glad that most of the issues are resolved.

Yeah, unfortunately that is not the way to do DSA.

Sounds good.

Changed the OP title to better reflect the issue, now solved.
Will post the goals and ask for support in the configuration in another thread, since it would be OT in this one.
Thanks all!

This is the post with goal description.
