R7800 bridgedAP: no access to GUI from LAN

I updated the R7800 to 24.10 and I had to reconfigure everything.

I followed the guide https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap except for adding WAN to br-lan, and it worked as expected.

Then I wanted to add WAN to br-lan (as I had on 23.05) so that no CPU is involved in data transfer, hoping for better (full gigabit) performance and, in fact, as a matter of principle, since it seems the WAN is just another port in the internal switch.

Once I did, data traffic works as expected with performance as expected, but I can reach the router (both LuCI and SSH) only from the WAN! I have to move to another part of the house so that the laptop/smartphone reaches the router via the WAN port.

Here is the network configuration:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd86:361c:642f::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.250'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.3.254'
	option dns '192.168.3.254'

config interface 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

And the firewall settings (I thought they might be relevant, but they are all default):

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

To be clear, I didn't modify dropbear or uhttpd. I checked the configs and uhttpd shows

list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'

and dropbear has no useful settings at all.

In 23.05 I followed the instructions and it worked just fine; this time it doesn't. No idea what happened.

Any help is appreciated.
More config settings upon request.
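An added audit script (not from this thread or from OpenWrt) that surfaces the configuration overlap the thread turns on: a switch port that is a member of br-lan while a network of the same name is still bound to a different firewall zone. The SAMPLE_* configs are constructed, trimmed from the network and firewall configs posted above; the script only reports the overlap, it does not reproduce or diagnose the bug itself.

```shell
#!/bin/sh
# Added example: list br-lan bridge ports and the firewall zone each same-named
# network belongs to, then flag any port whose network sits outside br-lan's zone.
# SAMPLE_NETWORK / SAMPLE_FIREWALL are constructed, trimmed from the thread's configs.
SAMPLE_NETWORK=$(cat <<'EOF'
config device
	option name 'br-lan'
	list ports 'lan1'
	list ports 'wan'
config interface 'lan'
	option device 'br-lan'
config interface 'wan'
	option proto 'dhcp'
EOF
)
SAMPLE_FIREWALL=$(cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
EOF
)
# unq() strips the single quotes around UCI values (\047); every helper reads a config on stdin.
UNQ='function unq(s) { gsub("\047", "", s); return s }'
# bridge_ports NAME: print the "list ports" entries of the bridge device NAME.
bridge_ports() {
	awk -v br="$1" "$UNQ"'
		function flush() { if (name == br) for (i = 1; i <= n; i++) print p[i]; n = 0; name = "" }
		$1 == "config" { flush() }
		$1 == "option" && $2 == "name" { name = unq($3) }
		$1 == "list" && $2 == "ports" { p[++n] = unq($3) }
		END { flush() }'
}
# network_zone NET: print the zone whose "list network" contains NET (empty if none).
network_zone() {
	awk -v net="$1" "$UNQ"'
		$1 == "config" { name = "" }; $1 == "option" && $2 == "name" { name = unq($3) }
		$1 == "list" && $2 == "network" && unq($3) == net { print name }'
}
# overlap_report: one line per br-lan port whose same-named network is bound to another zone.
overlap_report() {
	lan_zone=$(printf '%s\n' "$SAMPLE_FIREWALL" | network_zone lan)
	for port in $(printf '%s\n' "$SAMPLE_NETWORK" | bridge_ports br-lan); do
		zone=$(printf '%s\n' "$SAMPLE_FIREWALL" | network_zone "$port")
		[ -n "$zone" ] && [ "$zone" != "$lan_zone" ] && echo "$port: br-lan member, but network '$port' is bound to zone '$zone' (br-lan is in '$lan_zone')" || :
	done
}
```

Run `overlap_report` against the sample to see the single finding for the `wan` port; on a live router, feed `/etc/config/network` and `/etc/config/firewall` to the helpers instead of the samples.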

It is a bug, see: https://github.com/openwrt/openwrt/issues/17891


Unfortunately without a target release for the correction, but luckily it's not breaking anything besides GUI and SSH access.

If I need to set up the router further, I'll switch the WAN/LAN1 cables and use my desktop as I did before.

Actually I was wrong: not only can I not reach the router from the LAN, I also cannot reach the other devices on the wifi.

My desktop is on LAN, and when I tried to reach two devices connected to the wifi of the same router, there was no response.

Reaching the same devices from WAN (from another router in the house) works just fine.

I have to investigate what I would lose by putting WAN back into the zone "wan", instead of joining it. Maybe I have to add a firewall filter "pass everything both ways"?

Maybe there is a possible workaround with bridged VLANs, but I simply do not use the WAN port and leave it in its own zone; then everything connected to the LAN ports works fine.

If you need all 5 ports, then you have a problem.
