[Solved] Can't ping LEDE AP on VLAN3 port but can ping other device

I configured my LEDE Router with 2 VLAN, on VLAN 3 (on port 3) I connect a LEDE AP used as WiFi AP.
Firewall is configured to let VLAN1 talk to VLAN3 (not the opposite).

I can ping any device on VLAN 3 from VLAN 1 but can't ping the LEDE AP configured with a static address.

Router (WDNR3700v2)
WAN - Internet connection
Port 1: Subnet, DHCP server, VLAN1, Firewall ZonePort1
Port 3: Subnet, DHCP server, VLAN3, Firewall ZonePort3
Firewall: ZonePort1 -> WAN, ZonePort3,
ZonePort3 -> WAN

AP (WNDR3700v2) wired to Port 3 of Router
WAN : not used
Port 1: Static IP, no DHCP server, wired to Router on Port 3
Port 2, 3, 4: use as switch port with connected device receiving IP 192.168.3.x

From my computer receiving IP 192.168.1.x I can access Internet and ping any device on 192.168.3.x but I can not ping the AP at (so I can't access the UI either). But if I connect a computer on .3.x subnet then I can ping and access the AP at

What confuse me is the following: when the AP avec running DD-WRT I was able to access it, I then install LEDE and I can't access it anymore.

Could you help, I read so many thing and never figured what is appening.


I have that problem too.
2 Vlans and in one of them I have a dump ap running, which I also can't access from the other vlan. But I worked around this by enabling masquerading on that zone (where the dump ap sits) and restrict the masquerading to routerip/32 (limit destination masquerading)
It works. But I'm also interested in what the real cause is?
The dump ap is an dlink router with stock firmware.

1 Like

Did you set the firewall zone's INPUT rule to ACCEPT on the router?

Hi thanks for your reply.
I am not sure which masquerading you suggest to check ?
And also, how do I restrict the masquerading to routerip/32 (limit destination masquerading) ?
Current setup is below.

As you could see on the image above, yes the zone’s INPUT rule is set to ACCEPT.

1 Like

I only had tho checked the Masquerading as you suggest and it worked.
No need for restriction.
I really don't understand what it does.

But thanks, I spend at least 10 hours trying things and VLAN stuff.
It tooks 10 minutes to describe the problem and voila you suggest something that works.

Thanks shm0

1 Like

With all these private networks...did you all make static routes on each router, to point to the other?

With only masquerading checked.
All packets from your vlan1 to vlan3 will get their ip replaced with the router ip.
So it looks like that all traffic from your vlan1 to vlan3 comes from the router.
With the limitation only packets to the dump ap router will get their ip replaced.

Problem is i can only set routes for the wan interface on that device.
D-Link sucks :frowning:

1 Like