No traffic in AP mode on Raspberry Pi4

I'm setting up an access point using an external LTE modem (Huawei E3372h-320) and an external WiFi adapter (COMFAST CF-WU782AC)

Both devices work independently:

  • LTE modem in cdc_ether mode connects to the internet and curl works from CLI just fine
  • WiFi scans the network and is discoverable/connectable when in AP mode

The problem is that no traffic flows between them, and the AP has no working DHCP even though the LTE modem provides it (well, even with static IPs on the WiFi clients it didn't work).
I'm puzzled as to why.

cat /etc/config/network
........

# NOTE(review): a 'config rule' stanza with src/dest/target options is firewall-rule
# syntax, yet it appears here in the /etc/config/network listing.
# NOTE(review): dest_ip is 192.168.8.8, while the 'lte' interface below uses
# 192.168.8.1 as gateway and DNS -- confirm which address the modem actually answers on.
config rule
        option name 'Allow-HiLink'
        option src 'lan'
        option proto 'tcp'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest 'wan'
        list dest_ip '192.168.8.8'

config interface 'lte'
        option proto 'static'
        option device 'eth1'
        option type 'bridge'
        list ipaddr '192.168.8.10/24'
        option gateway '192.168.8.1'
        list dns '192.168.8.1'

WiFi setup:

cat /etc/config/wireless
........

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'scb/fd500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/usb1/1-1/1-1.3/1-1.3:1.0'
        option cell_density '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-demo'
        option encryption 'psk2'
        option key 'xxxxxxxxx'
        option network 'lte'

post rest of /etc/config/network, include /etc/config/firewall

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4e:1650:d0c0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'

config interface 'mywwan'
        option proto 'dhcp'

config rule
        option name 'Allow-HiLink'
        option src 'lan'
        option proto 'tcp'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest 'wan'
        list dest_ip '192.168.8.8'

config interface 'lte'
        option proto 'static'
        option device 'eth1'
        option type 'bridge'
        list ipaddr '192.168.8.10/24'
        option gateway '192.168.8.1'
        list dns '192.168.8.1'

Firewall:

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# wan zone: input and forward policy REJECT, output ACCEPT, with masquerading
# (masq) and MSS clamping (mtu_fix) enabled.
# NOTE(review): the member networks are wan, wan6 and mywwan only. The 'lte'
# interface (eth1) is not listed in any zone in this file, so neither this zone's
# masquerading nor the lan->wan forwarding covers traffic leaving via eth1.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'mywwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I don't see anything suspicious

I tried disabling firewall service altogether but it had no effect

The LTE modem interface doesn't appear to be in the wan firewall zone; is that how you want it?

This doesn't belong in the network file (presumably the 'Allow-HiLink' config rule stanza, which uses firewall-rule syntax) -- delete it:

In your lte interface, there are two things:

The option type bridge line should not be in a network interface stanza. Remove that line.
And do you have a USB ethernet adapter? Have you installed the driver packages for it? Is it safe to assume that the LTE modem is connected by ethernet to that USB ethernet adapter?

LTE modem is dongle plugged via USB

Screenshot 2024-02-20 at 00-35-03 huawei e3372h-320 at DuckDuckGo

As mentioned, it works from within the router's prompt, but there seems to be no routing between the modem/USB adapter and the rest of the network, despite routes being defined:

root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=29.897 ms
64 bytes from 8.8.8.8: seq=1 ttl=117 time=24.687 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 24.687/27.292/29.897 ms



root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

Additionally, when my laptop is plugged into the Raspberry's eth0 interface via cable to run the shell, I can also open the WRT admin panel in the browser on the eth1 interface's IP, 192.168.8.10, but at the same time I can't open the LTE modem's admin page from the laptop browser on 192.168.8.1, despite it being accessible from the router's shell via curl

let's see the full configuration as it is right now:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

If I may ask:
Why does it look like the Pi case is covered, inside, with aluminum foil?

Even before we get the cat calls: the LTE modem should either be on top of the ethernet (eth1) dongle or (and best) on a 3' USB-A male-to-female extension cord for much better reception.

Since the Pi has already given USB addresses the cord would be best as it does not change the port.

But:
The aluminum???

Why does it look like the Pi case is covered, inside, with aluminum foil?

It's been in storage in dusty place so that foil works as a kinda temporary barrier. It'll be removed once device is configured.

Dongle is on extension already, what you see is the cord you've mentioned.

LTE modem is in HiLink mode and OS sees it as eth1 device (driver cdc_ether), not as PPP device (driver huawei_cdc_ncm)

are you using the modem as DHCP and router, or is the RPi ?

Well, it is affecting the internal radio.

OP is using an external USB radio.


So I now see.

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

This is the output:

Uploaded to pastebin to make this thread more readable

config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'sta'
option network 'mywwan'
option ssid 'My_other_home_WiFi'
option encryption 'psk2'
option key 'xxxxxxxxxxxxxx'

This is set up as an AP. Why is it a client?

config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt-demo'
option encryption 'psk2'
option key 'yyyyyyyyyy'
option network 'lte'

This is the proper mode for AP

I get that it is the lte modem but does the modem need a password?

External radio which is used as AP is radio1, while radio0 is internal Raspberry's WiFi card that was used initially to connect to home WiFi and download necessary kernel modules and other packages.
It will be disabled completely, but just to make things clear, no internet traffic flows through radio0 anyways because My_other_home_WiFi is turned off.
All the internet connectivity is happening via LTE

I get that it is the lte modem but does the modem need a password?

No, the password/APN was configured inside the modem itself via its web interface and it's stored there permanently. In HiLink mode the modem acts as a router and doesn't require extra configuration

it's going to be hard to assist you, when you're not answering the questions asked.

Which one did I miss?

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'

config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'sta'
option network 'mywwan'
option ssid 'My_other_home_WiFi'
option encryption 'psk2'
option key 'xxxxxxxxxxxxxx'

Something is crossed: as you say, radio0 is the internal Pi radio (and it is), but how are you getting another device on radio0?

You missed this from @frollic

and.......
