[SOLVED] Client Isolation appears to be happening even though feature is disabled

Installing and Using OpenWrt Network and Wireless Configuration
1

After I recently upgraded my Linksys WRT1900ACS from 21.02.3 to 22.03.2. I noticed that mobile devices could no longer see my Chromecast Device. I factory reset the Chromecast device, and setup completed successfully, but wireless devices still could not see it. I found that I could ping the Chromecast from a wired device, but not from a wireless device. Upon further inspection, it appears that all wireless devices cannot ping other wireless devices, but can ping wired devices.

This behavior sounds like client isolation is enabled, but the feature remains disabled in Wireless -> Interface -> Advanced Settings.

image
image872×633 30.4 KB 

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbe:969c:056f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '208.67.220.220'
        list dns '208.67.222.222'

config device
        option name 'wan'
        option macaddr '{removed}'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.220.220'
        list dns '208.67.222.222'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option country 'US'
        option cell_density '0'
        option channel 'auto'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '{removed}'
        option ssid '{removed}'
        option hidden '1'
        option key '{removed}'
        option wmm '0'
        option encryption 'psk2'
        option ieee80211w '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option country 'US'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '{removed}'
        option ssid '{removed}'
        option hidden '1'
        option key '{removed}'
        option wmm '0'
        option encryption 'psk2'
        option ieee80211w '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option limit '100'
        option leasetime '24h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

root@OpenWrt:~#
2

What is the output of

head -v /sys/devices/virtual/net/br*/lower*/brport/hairpin_mode
3 
head -v /sys/devices/virtual/net/br*/lower*/brport/hairpin_mode
==> /sys/devices/virtual/net/br-lan/lower_lan1/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan2/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan3/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_lan4/brport/hairpin_mode <==
0

==> /sys/devices/virtual/net/br-lan/lower_wlan0/brport/hairpin_mode <==
1

==> /sys/devices/virtual/net/br-lan/lower_wlan1/brport/hairpin_mode <==
1
4

Is there only a single AP in the network? If you have multiple APs, you'll need to verify the settings on the second (+) one.

5

There is a single, dual band AP on the network.

6

Whatever the problem is, it's not caused by client isolation.

1 Like
7

Try turning this off on all of your radios.

1 Like
8

Not sure if you mean this?

option wmm '0'

image
image773×388 9.48 KB

Once I changed this from the default ("Optional") to Disabled, I could then ping other wireless hosts.

Thanks!

1 Like
9

802.11w Management Frame Protection is specifically what I was targeting. WMM is something different (it is supposed to prioritize multimedia packets to reduce issues with streaming media).

10

Weird. I did not see where the GUI change made a change in the CLI

11

My guess is that it removed the line entirely, rather than just setting it to 0.

12

Ahh... At first I didn't see that line in the original output of /etc/config/wireless. Upon further review, I now see where I missed it.

13

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.