farfade
November 13, 2023, 8:14pm
1
Hello,
I'm stuck.
I have a "main router + AP" and a "dumb wifi AP".
Since I've updated to 23.05 (from the latest 22 stable), one of my wifi clients :
can access the local network from the "main router + AP"
can NOT access the local network ('network unreachable') from the "dumb wifi AP", but can access internet, and gets a correct IP on the local network
From all of my other wifi clients, everything is fine (meaning they can access the local network when they are connected to the dumb AP). I haven't set up any IP-based firewall rules for managing network access.
I don't know how to troubleshoot this... logread does not show anything on either the router or the dumb AP.
Pico
November 13, 2023, 8:18pm
2
farfade:
main router + AP
dumb wifi AP
wifi client
could you list the device names?
farfade
November 13, 2023, 8:23pm
3
Thanks @Pico for your interest.
The main router is "newifi D2" and the dumb AP is "Cudy WR2100".
The client that cannot access the local network is an Android device with MIUI 14.0.2.
The clients that can access the local network are an Android device with MIUI 14.0.5, and a debian bookworm device.
Pico
November 13, 2023, 8:26pm
4
(bullsh.. deleted)
do you have any customized networks, firewall zones, firewall rules that may affect that one device?
farfade
November 13, 2023, 8:36pm
5
I have a lot of customized things :
3 vLANs between the main router and the dumb AP (merged on bridges with wired client devices)
with firewall zones and rules set accordingly (only on the main router, obviously)
but I have no IP-based rules involving the addresses of the client devices (192.168.2.x). And, as a test, when I manually set the IP of a device that can connect on the device that can't, it doesn't work either.
I have no MAC-based rules, and anyway the devices use random MAC addresses.
Please connect to your OpenWrt devices ("main router + AP" and "dumb wifi AP") using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
farfade
November 13, 2023, 9:05pm
7
Main router :
{
"kernel": "5.15.134",
"hostname": "cerbere",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Cudy WR2100",
"board_name": "cudy,wr2100",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fde0:b941:d24e::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
config interface 'BR_HOME'
option proto 'static'
option netmask '255.255.255.0'
option device 'br-lan.1'
option ipaddr '192.168.2.1'
config interface 'BR_GUEST'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
config interface 'WAN'
option proto 'static'
option device 'wan'
option netmask '255.255.255.0'
list dns '192.168.2.4'
list dns '192.168.2.6'
option ipaddr '192.168.1.10'
option gateway '192.168.1.254'
config interface 'BR_IOT'
option proto 'static'
option device 'br-lan.2'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '4'
option name 'br-lan.4'
config interface 'BR_ENTERTAIN'
option device 'br-lan.4'
option proto 'static'
option ipaddr '192.168.200.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan4:t'
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'HT20'
option channel 'auto'
option cell_density '0'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option cell_density '0'
option htmode 'VHT80'
option channel '40'
option log_level '0'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'RM'
option encryption 'psk2+ccmp'
option key 'LALA'
option network 'BR_HOME'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Nous'
option encryption 'psk2+ccmp'
option key 'LALA'
option network 'BR_GUEST'
option wpa_disable_eapol_key_retries '1'
option ieee80211w '1'
option disabled '1'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'RM-5G'
option encryption 'wpa2+ccmp'
option auth_server '192.168.2.4'
option network 'BR_HOME'
option auth_secret 'LALA'
option nasid 'F4A454810FAA'
option ieee80211w '1'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'Nous-5G'
option encryption 'psk2+ccmp'
option key 'LALA'
option network 'BR_GUEST'
option isolate '1'
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '192.168.2.4'
list server '192.168.2.6'
option authoritative '1'
option domain 'MYDOMAIN'
option rebind_protection '0'
option boguspriv '0'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'BR_GUEST'
option interface 'BR_GUEST'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'BR_ENTERTAIN'
option interface 'BR_ENTERTAIN'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,9.9.9.9,149.112.112.112'
config dhcp 'BR_IOT'
option interface 'BR_IOT'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,9.9.9.9,149.112.112.112'
config host
option name 'Karpett'
option dns '1'
option mac '34:CE:00:E7:24:1D'
option ip '192.168.100.10'
config host
option mac 'D0:C5:D3:9C:C5:5F'
option ip '192.168.100.20'
option name 'ClimSalon'
option dns '1'
config host
option name 'ClimChambre'
option dns '1'
option mac 'D0:C5:D3:9C:C5:4C'
option ip '192.168.100.21'
config host
option name 'BoilerEbusd'
option dns '1'
option mac '64:E8:33:09:91:7C'
option ip '192.168.100.30'
config dhcp 'BR_HOME'
option interface 'BR_HOME'
option limit '150'
option leasetime '12h'
option start '100'
config host
option name 'sok'
option dns '1'
option mac '00:00:24:C9:2A:48'
option ip '192.168.2.2'
config host
option name 'delroro'
option dns '1'
option ip '192.168.2.10'
option mac 'D4:BE:D9:8F:9A:68'
config host
option name 'heyroger'
option dns '1'
option mac '2C:4D:54:BE:8F:9B'
option ip '192.168.2.11'
config host
option name 'phaeton'
option dns '1'
option mac '44:8A:5B:C9:20:42'
option ip '192.168.2.12'
config host
option name 'muh'
option dns '1'
option mac '00:E0:4C:68:30:1A'
option ip '192.168.2.4'
config host
option name 'chimaera'
option dns '1'
option mac 'E8:FC:AF:E5:FC:55'
option ip '192.168.2.3'
config host
option name 'seshat'
option dns '1'
option mac '00:21:B7:0D:83:F8'
option ip '192.168.2.8'
config host
option name 'sniberryWifi'
option dns '1'
option mac 'B8:27:EB:C7:53:D7'
option ip '192.168.2.6'
config host
option name 'sniberryEth'
option dns '1'
option mac 'b8:27:eb:92:06:82'
option ip '192.168.2.7'
config host
option name 'Gestapo'
option dns '1'
option mac '00:24:e4:3b:23:16'
option ip '192.168.100.11'
config defaults
option output 'ACCEPT'
option synflood_protect '1'
option input 'REJECT'
option forward 'REJECT'
option drop_invalid '1'
config zone
option output 'ACCEPT'
option input 'ACCEPT'
option name 'BR_HOME_FW'
option forward 'REJECT'
list network 'BR_HOME'
config zone
option name 'BR_GUEST_FW'
option output 'ACCEPT'
list network 'BR_GUEST'
option input 'REJECT'
option forward 'REJECT'
config zone
option output 'ACCEPT'
option mtu_fix '1'
list network 'WAN'
option name 'WAN_FW'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
config forwarding
option src 'BR_HOME_FW'
option dest 'WAN_FW'
config rule
option src '*'
option dest_port '53'
option target 'ACCEPT'
option name '[Cerbere] Allow DNS queries'
config rule
option src 'BR_HOME_FW'
option dest 'BR_IOT_FW'
list dest_ip '192.168.100.30'
option target 'ACCEPT'
list src_ip '192.168.2.4'
option name '[Boiler] Allow muh traffic'
list proto 'all'
config rule
list dest_ip '192.168.100.30'
option target 'REJECT'
option dest 'BR_IOT_FW'
option src 'BR_HOME_FW'
option name '[Boiler] Reject traffic (not secured device - not any zone else allow from muh does not work)'
list proto 'all'
config rule
option src 'BR_IOT_FW'
list src_ip '192.168.100.10'
option dest 'WAN_FW'
option target 'ACCEPT'
list proto 'udp'
option dest_port '123'
option name '[Karpett] Allow NTP over UDP'
config rule
option src 'BR_IOT_FW'
list src_ip '192.168.100.10'
option dest 'WAN_FW'
option dest_port '53'
option target 'ACCEPT'
option name '[Karpett] Allow internet DNS queries'
config rule
option name '[Gestapo] Allow Internet traffic'
option src 'BR_IOT_FW'
list src_ip '192.168.100.11'
option target 'ACCEPT'
option dest 'WAN_FW'
config rule
option name '[Cerbere] Open_DHCP_Server_Home'
list proto 'udp'
option src 'BR_HOME_FW'
option dest_port '67'
option target 'ACCEPT'
config rule
list proto 'udp'
option src 'BR_IOT_FW'
option dest_port '67'
option target 'ACCEPT'
option name '[Cerbere] Open_DHCP_Server_IoT'
config rule
list proto 'udp'
option src 'BR_ENTAI_FW'
option dest_port '67'
option target 'ACCEPT'
option name '[Cerbere] Open_DHCP_Server_ENTAI'
config rule
list proto 'udp'
option src 'BR_GUEST_FW'
option target 'ACCEPT'
option dest_port '67'
option name '[Cerbere] Open_DHCP_Server_Guest'
config rule
option name 'Allow-DHCP-Renew'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src 'WAN_FW'
config rule
option name 'Allow-Ping'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-IGMP'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option src 'WAN_FW'
config rule
option name 'Allow-IPSec-ESP'
option proto 'esp'
option target 'ACCEPT'
option dest 'BR_HOME_FW'
option src 'WAN_FW'
config rule
option name 'Allow-ISAKMP'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'BR_HOME_FW'
option src 'WAN_FW'
config rule
option name 'Support-UDP-Traceroute'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option src 'WAN_FW'
option enabled '0'
config include
option path '/etc/firewall.user'
config forwarding
option src 'BR_GUEST_FW'
option dest 'WAN_FW'
config redirect
option target 'DNAT'
list proto 'udp'
option src 'WAN_FW'
option src_dport '4500'
option dest_ip '192.168.2.4'
option dest_port '4500'
option name 'VPN_to_muh'
config redirect
option target 'DNAT'
list proto 'udp'
option src 'WAN_FW'
option src_dport '500'
option dest_ip '192.168.2.4'
option dest_port '500'
option name 'VPN_DATA_to_muh'
config redirect
option target 'DNAT'
option name 'HTTPS_to_muh'
list proto 'tcp'
option src 'WAN_FW'
option src_dport '443'
option dest_ip '192.168.2.4'
option dest_port '443'
config redirect
option target 'DNAT'
option name 'SSH_to_muh'
list proto 'tcp'
option src 'WAN_FW'
option src_dport '22'
option dest_ip '192.168.2.4'
option dest_port '22'
config redirect
option target 'DNAT'
option name 'SSH_to_chimaera'
list proto 'tcp'
option src 'WAN_FW'
option src_dport '2222'
option dest_ip '192.168.2.3'
option dest_port '22'
config zone
option name 'BR_IOT_FW'
option input 'REJECT'
option output 'ACCEPT'
option mtu_fix '1'
list network 'BR_IOT'
option forward 'REJECT'
config zone
option name 'BR_ENTAI_FW'
option output 'ACCEPT'
list network 'BR_ENTERTAIN'
option forward 'REJECT'
option input 'REJECT'
config forwarding
option src 'BR_ENTAI_FW'
option dest 'WAN_FW'
config rule
config forwarding
option src 'BR_HOME_FW'
option dest 'BR_IOT_FW'
config nat
option name 'Masquerade muh to karpett'
option dest_ip '192.168.100.10'
option target 'MASQUERADE'
list proto 'all'
option src '*'
farfade
November 13, 2023, 9:08pm
8
Dumb AP
{
"kernel": "5.15.134",
"hostname": "neuneu",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "D-Team Newifi D2",
"board_name": "d-team,newifi-d2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdf5:d699:9542::/48'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
config interface 'BR_GUEST'
option proto 'none'
option device 'br-lan.3'
config interface 'BR_HOME'
option proto 'static'
option device 'br-lan.1'
option ipaddr '192.168.2.5'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
list dns '192.168.2.4'
list dns '192.168.2.6'
config interface 'BR_IOT'
option proto 'none'
option device 'br-lan.2'
config device
option type '8021q'
option ifname 'br-lan'
option vid '4'
option name 'br-lan.4'
config interface 'BR_ENTERTAIN'
option proto 'none'
option device 'br-lan.4'
config bridge-vlan
option device 'br-lan'
option vlan '4'
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option cell_density '0'
option htmode 'HT20'
option channel 'auto'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option cell_density '0'
option channel '48'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option encryption 'psk2+ccmp'
option network 'BR_IOT'
option ssid 'iot'
option isolate '1'
option wpa_psk_file '/etc/config/wireless.iot.wpa_psk'
option key 'LALA'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'infra5G-2'
option encryption 'psk2+ccmp'
option key 'LALA'
option network 'BR_HOME'
option disabled '1'
config wifi-iface 'home_net_radius'
option device 'radio1'
option mode 'ap'
option auth_secret 'LALA'
option auth_server '192.168.2.4'
option ssid 'RM-5G'
option network 'BR_HOME'
option encryption 'wpa2+ccmp'
option nasid '2276934FAF18'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Nous-5G'
option network 'BR_GUEST'
option encryption 'psk2+ccmp'
option key 'LALA'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'Nous'
option key 'LALA'
option ieee80211w '2'
option wpa_disable_eapol_key_retries '1'
option network 'BR_GUEST'
option disabled '1'
option encryption 'psk2+ccmp'
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'MYDOMAIN'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'BR_IOT'
option interface 'BR_IOT'
option ignore '1'
config defaults
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option input 'REJECT'
option drop_invalid '1'
config include
option path '/etc/firewall.user'
config zone
option name 'BR_HOME_FW'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'BR_HOME'
farfade
November 13, 2023, 9:10pm
9
The SSID involved is RM-5G
on the network BR_HOME
network diagram with indication of your trunk ports
farfade
November 13, 2023, 9:19pm
11
The router and the dumb AP are wired on LAN1
The firewall file and the DHCP/DNS file of your "dumb AP" should be empty, since firewall and DNS management should be handled by your "main router".
please exec:
cp /etc/config/firewall /root
cp /etc/config/dhcp /root
echo " " > /etc/config/firewall
echo " " > /etc/config/dhcp
/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop
/etc/init.d/firewall disable
/etc/init.d/firewall stop
What is "lan4" doing on the MAIN ROUTER?
farfade
November 13, 2023, 9:22pm
14
You are perfectly right, it's always good to clean up. Done, but nothing changes.
farfade
November 13, 2023, 9:25pm
15
Another branch of the network, to a VLAN-aware wired switch only.
Is the client on this switch?
I correct myself: the client is connected to your "dumb AP". However, if it is a VLAN-capable switch, you should map all the VLANs to this switch.
farfade
November 13, 2023, 9:33pm
17
Even if I don't want to distribute some VLANs on this branch of the network?
These are choices; I prefer to have all the VLANs available, but if you don't want that, you don't have to...
farfade:
one of my wifi clients :
can NOT access the local network ('network unreachable') from the "dumb wifi AP", but can access internet, and gets a correct IP on the local network
Could you post the current configuration (IP, netmask, DNS) and operating system of the client that has problems,
and some tests with ping/traceroute towards your dumb AP, main router and a Google IP?
farfade
November 14, 2023, 8:08pm
20
IP (from DHCP: 192.168.2.207, but it behaves the same with whatever IP I assign, including that of other devices that can correctly reach the local network), netmask (24) and DNS (192.168.2.1, which is the main router) are the same regardless of where the device is connected.
There are also IPv6 addresses but I don't know why it would work from the main router and not from the dumb AP.
The client device can reach the router through the dumb AP, because I can query the DNS server on it. It can also reach the internet, but trying to reach any 192.168.2.x address except the router gives "network unreachable".