OpenWRT dumb AP: devices on the same subnet cannot ping

Hi everyone!

I'm experiencing a weird issue I've never had before. I recently moved to a new place and recreated the setup I used for years without any problems, but this time I'm facing a networking issue.

My setup is the following: pfSense router (VLANs enabled) + OpenWRT dumb access point (VLANs enabled). The devices are connected LAN-to-LAN and DHCP provides the correct addresses from the defined scope. Internet access is working.

VLANs: IOT, LAN, GUEST, DMZ, with a Wi-Fi network for each VLAN. The issue is that the clients on LAN (192.168.20.0/24) have Internet access but cannot discover each other, so my MacBook Pro (192.168.20.20) can ping neither my Mac Pro (192.168.20.10) nor my Android phone (192.168.20.21)... and vice versa...

They seem to be isolated, but the "Isolate Clients" checkbox is not ticked.

The Firewall is disabled on the OpenWRT.

The pfSense firewall at this point should not even matter, as traffic within the same subnet should not even touch the router, but in case you ask: it has an "Allow all traffic" rule on the LAN VLAN.

The firewall on the macOS clients is disabled too.

❯ sudo pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf not enabled

Routing table on my laptop:

❯ ip r
default via 192.168.20.254 dev en0
127.0.0.0/8 via 127.0.0.1 dev lo0
127.0.0.1/32 via 127.0.0.1 dev lo0
169.254.0.0/16 dev en0  scope link
192.168.20.0/24 dev en0  scope link
192.168.20.20/32 dev en0  scope link
192.168.20.254/32 dev en0  scope link
224.0.0.0/4 dev en0  scope link
255.255.255.255/32 dev en0  scope link

So I guess 192.168.20.0/24 dev en0 scope link is the route that should be handling the current inter-subnet communication.

Again, ICMP is not blocked, as the client firewalls are disabled. I'm not a networking guy, so I thought maybe it's some weird ICMP issue and tried to check TCP instead... I enabled VNC and SSH on my Desktop (192.168.20.10) and scanned the ports from this same machine on its LAN interface, and all seems good:

❯ nmap -Pn -p5900,22 192.168.20.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-25 17:22 PST
Nmap scan report for desktop.home.lan (192.168.20.10)
Host is up (0.00040s latency).

PORT     STATE    SERVICE
22/tcp   open ssh
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

But when scanning the same Desktop's ports from my Laptop (192.168.20.20):

❯ nmap -Pn -p5900,22 192.168.20.10
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 17:53 PST
Nmap scan report for desktop.home.lan (192.168.20.10)
Host is up.

PORT     STATE    SERVICE
22/tcp   filtered ssh
5900/tcp filtered vnc

Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

And my Android device (192.168.20.21) cannot ping either 192.168.20.20 or 192.168.20.10... At this point I am out of ideas, but I am almost sure it has something to do with the wireless connection on my OpenWRT AP... I just have no clue how to troubleshoot this... Please help. Thank you.

Do you have multiple APs, or just one? If you have more than one, you need to check the other(s) for client isolation -- best to only have one connected while debugging this, so you might unplug the others (from power/PoE) to force that situation.

Meanwhile, let's look at the following files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@psherman, thank you very much for the quick response. I have only one Access Point.

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<IPv6>::/48'

config rule 'policy_bypass_vpn'
        option mark '0x60000/0x60000'
        option lookup '53'
        option priority '53'

config rule 'policy_via_vpn'
        option mark '0x80000/0x80000'
        option lookup '52'
        option priority '52'

config rule 'policy_dns'
        option mark '0x100000/0x100000'
        option lookup '51'
        option priority '51'

config device
        option name 'eth0'
        option macaddr '<ETH0_MAC_ADDRESS>'
        list ports 'eth1'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr '<ETH1_MAC_ADDRESS>'

config device
        option name 'eth2'
        option macaddr '<ETH1_MAC_ADDRESS>'

config device
        option name 'wlan0'

config device
        option name 'wlan0-1'

config device
        option name 'wlan1'

config device
        option name 'wlan1-1'

config device
        option name 'eth0_2-99'
        option type '8021q'
        option ifname 'eth0'
        option vid '99'

config device
        option name 'eth1_2-30'
        option type '8021q'
        option ifname 'eth1'
        option vid '30'

config device
        option name 'eth2-10'
        option type '8021q'
        option ifname 'eth2'
        option vid '10'

config device
        option name 'eth2-20'
        option type '8021q'
        option ifname 'eth2'
        option vid '20'

config device
        option name 'eth1_2-30'
        option type '8021q'
        option ifname 'eth2'
        option vid '30'

config device
        option name 'eth2-90'
        option type '8021q'
        option ifname 'eth2'
        option vid '90'

config device
        option name 'eth0_2-99'
        option type '8021q'
        option ifname 'eth2'
        option vid '99'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '0'
        option vid '99'
        option description 'vlan 99 - MGMT'
        option ports '1 3t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '10'
        option description 'vlan 10 - IOT'
        option ports '3t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option description 'vlan 20 - LAN'
        option ports '3t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '30'
        option description 'vlan 30 - DMZ'
        option ports '2 3t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '90'
        option description 'vlan 90 - GUEST'
        option ports '3t 5t'

config device
        option name 'br-dmz'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth1_2-30'
        list ports 'wlan1-1'

config interface 'dmz'
        option device 'br-dmz'
        option proto 'static'
        option netmask '255.255.255.0'
        option broadcast '192.168.30.255'
        option ipaddr '192.168.30.1'
        option gateway '192.168.30.254'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth2-90'
        list ports 'wlan0-1'
        option igmp_snooping '0'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'
        option multicast_querier '0'
        option isolate '0'
        option bridge_empty '1'

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth2-10'
        list ports 'wlan1'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth2-20'
        list ports 'wlan0'

config interface 'lan'
        option device 'br-lan'
        option proto 'none'

config device
        option name 'br-mgmt'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth0_2-99'

config interface 'mgmt'
        option device 'br-mgmt'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.99.1'
        option gateway '192.168.99.254'
        option broadcast '192.168.99.255'
        option ip6assign '60'
        list dns '192.168.99.254'
        list dns_search 'home.lan'

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option band '5g'
        option htmode 'HE80'
        option country 'US'
        option channel 'auto'
        option channels '36 40 44 48 149 153 157 161 165'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option wds '1'
        option ssid 'home_5G'
        option encryption 'sae'
        option key '<LAN_KEY>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option band '2g'
        option country 'US'
        option channel 'auto'
        option htmode 'HE40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option wds '1'
        option key '<IOT_KEY>'
        option ssid 'home_iot'
        option encryption 'sae'
        option network 'IOT iot'

config wifi-iface 'guest5g'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option guest '1'
        option wds '1'
        option isolate '1'
        option key '<GUEST_KEY>'
        option encryption 'sae'
        option ssid 'home_guest_5G'

config wifi-iface 'guest2g'
        option device 'radio1'
        option mode 'ap'
        option guest '1'
        option wds '1'
        option isolate '1'
        option ssid 'home_dmz'
        option key '<DMZ_KEY>'
        option encryption 'sae'
        option network 'dmz'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'
        list ra_flags 'none'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
        option dhcpv6 'disabled'
        option ra 'disabled'

config domain
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

But again, it's a dumb AP, so DHCP and firewall are disabled.
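An added example (not from the thread, not OpenWrt's own tooling): a small Python lint that parses UCI syntax and flags two patterns worth a second look when a dumb AP's bridges misbehave, a device name defined more than once and a port that is a member of more than one bridge. In the /etc/config/network posted above, 'eth1_2-30' and 'eth0_2-99' are each defined twice and the untagged 'eth2' is listed in every bridge; the sample below is a constructed, trimmed copy of those sections.

```python
import shlex
from collections import defaultdict

# Constructed sample: a trimmed copy of the bridge and 802.1q sections from
# the /etc/config/network posted above (names and ports kept as posted).
SAMPLE_NETWORK = """config device
        option name 'eth1_2-30'
        option type '8021q'
        option ifname 'eth1'
        option vid '30'
config device
        option name 'eth1_2-30'
        option type '8021q'
        option ifname 'eth2'
        option vid '30'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'eth2-20'
        list ports 'wlan0'
config device
        option name 'br-dmz'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth1_2-30'
        list ports 'wlan1-1'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]; option and list both map to value lists."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles the single-quoted values
        if tok and tok[0] == "config":
            sections.append((tok[1], defaultdict(list)))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1][tok[1]].append(tok[2])
    return sections

def lint_bridges(text):
    """Return (device names defined more than once, {port: bridges} for ports in more than one bridge)."""
    count, members = defaultdict(int), defaultdict(list)
    for stype, opts in parse_uci(text):
        if stype != "device" or "name" not in opts:
            continue
        name = opts["name"][0]
        count[name] += 1
        if opts.get("type") == ["bridge"]:
            for port in opts["ports"]:
                members[port].append(name)
    duplicates = sorted(n for n, c in count.items() if c > 1)
    shared = {p: b for p, b in members.items() if len(b) > 1}
    return duplicates, shared
```

Run lint_bridges() over the full file (for example the text of `cat /etc/config/network`) to get both lists at once; a port listed in several bridges is a finding to explain, not necessarily a fault.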

Are you running the GL-Inet stock firmware? What is the output of the following:

ubus call system board

Yes. But I did all configuration via LuCI (they provide it as a built-in advanced config option).

root@OpenWrt:~# ubus call system board
{
        "kernel": "4.4.60",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "GL Technologies, Inc. AXT1800",
        "board_name": "glinet,axt1800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r16273+114-378769b555",
                "target": "ipq807x/ipq60xx",
                "description": "OpenWrt 21.02-SNAPSHOT r16273+114-378769b555",
                "tip-revision": "OpenWrt 21.02-SNAPSHOT r16273+114-378769b555 / TIP-devel-349ddbc4",
                "tip-version": "devel"
        }
}

So there is a lot that might be wrong with the config, but the problem is that GL-Inet heavily customizes OpenWrt and it does not behave the same way that the official OpenWrt firmware would.

That said, I do not see this device listed as supported by OpenWrt directly. Normally, I'd suggest that you install the pure OpenWrt firmware, but since that isn't an option, the best we can really do is to say that you should ask on the GL-Inet support channels/forums for assistance.

A quick search does reveal that there may be some work happening to support this, but it doesn't appear to have been merged into anything from the official project itself. See this thread:


Ok, I asked the question on https://forum.gl-inet.com/t/access-lan-resource-from-wifi/11777 but nobody answered... Finally I updated the firmware to the new version and it fixed it somehow... So weird.