The bridge on the LAN ports does not work

I have a Netgear WAX202 router running OpenWrt 22.03.3 r20028-43d71ad93e.
The router has three LAN ports, and tcpdump shows me the interfaces lan1, lan2, lan3 and br_lan.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr '34:98:b5:0f:d2:0f'

config device
	option name 'lan2'
	option macaddr '34:98:b5:0f:d2:0f'

config device
	option name 'lan3'
	option macaddr '34:98:b5:0f:d2:0f'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.192'
	option ipaddr '172.21.163.126'

I have one machine on the LAN2 port and another machine on another LAN port, and I can't ping between them.
When I ping a machine on the Internet, tcpdump captures the packets:

root@www:~# tcpdump -n -i lan2 icmp
listening on lan2, link-type EN10MB (Ethernet), capture size 262144 bytes
21:13:14.554204 IP 172.21.163.80 > 178.238.38.116: ICMP echo request, id 1, seq 325, length 40
21:13:14.556885 IP 178.238.38.116 > 172.21.163.80: ICMP echo reply, id 1, seq 325, length 40
21:13:15.566727 IP 172.21.163.80 > 178.238.38.116: ICMP echo request, id 1, seq 326, length 40

However, when I ping the other machine on the other LAN port, tcpdump does not capture any packet, not even my request.

Where could the problem be?

What do you mean other lan? You only have one network shown in your config.

In the configuration, I have lan1, lan2 and lan3 connected to the br_lan bridge, which then creates a lan interface.

I see that. You mentioned another network? Did you mean another port?

What are the ip addresses of the machines involved in the ping test?

I mentioned that a ping to the Internet via the WAN interface is captured by tcpdump (on the lan2 port), but the ping from 172.21.163.80 (port lan2) to 172.21.163.94 (port lan1) is not captured by tcpdump.

This is expected. The traffic is switched, so it doesn’t reach the cpu.


But the ping does not go from lan2 to lan1, and Windows sharing on port 445 does not go through either.

Can you ping each machine from the router CLI? Note that by default, Windows will not answer pings.

Are you sure they are in the same subnet?


And building on what @mk24 said --

Can you ping the router (172.21.163.126) from each of the Windows machines? Can both reach the internet normally?

Ping from the CLI:

root@www:~# ping mirek-pc
PING mirek-pc (172.21.163.80): 56 data bytes
ping: sendto: Operation not permitted
root@www:~# ping jitka-pc
PING jitka-pc (172.21.163.94): 56 data bytes
ping: sendto: Operation not permitted

Ping from Windows to the internet works; the machines are on the same network, see the LAN configuration above and the IP addresses of the machines above.

Let's see the complete config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@www:~# ubus call system board
{
        "kernel": "5.10.161",
        "hostname": "www",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4a:882a:2f8a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'

config device
	option name 'lan2'

config device
	option name 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.192'
	option ipaddr '172.21.163.126'

config device
	option name 'wan'
	option macaddr 'de:11:3c:55:94:ff'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'I_WIFI2'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '172.21.164.254'
	option netmask '255.255.255.0'

config interface 'I_WIFI5'
	option proto 'static'
	option device 'wlan1'
	option ipaddr '172.21.165.254'
	option netmask '255.255.255.0'

wireless

config wifi-device 'radio0'
	option country 'CZ'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option cell_density '0'
	option htmode 'HE40'
	option txpower '20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'tablet2'
	option encryption 'sae-mixed'
	option key
	option network 'I_WIFI2'
	option macfilter 'allow'

config wifi-device 'radio1'
	option country 'CZ'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option cell_density '0'
	option htmode 'HE80'
	option channel '36'
	option txpower '23'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'tablet5'
	option key 
	option network 'I_WIFI5'
	option macfilter 'allow'
	option encryption 'sae-mixed'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'cvrcci.klfree.czf'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '10.102.0.252'
	list server '10.102.0.253'

config dhcp 'lan'
	option interface 'lan'
	option start '65'
	option limit '14'
	option leasetime '2m'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'I_WIFI2'
	option interface 'I_WIFI2'
	option start '240'
	option leasetime '2m'
	option limit '14'

config dhcp 'I_WIFI5'
	option interface 'I_WIFI5'
	option start '240'
	option leasetime '2m'
	option limit '14'

firewall

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'Z_WIFI2'
	list network 'I_WIFI2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'Z_WIFI2'
	option dest 'wan'

config zone
	option name 'Z_WIFI5'
	list network 'I_WIFI5'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'Z_WIFI5'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'igmp'

config rule
	option enabled '0'
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'esp'

config rule
	option enabled '0'
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'

config rule
	option name 'blokovat z wifi2'
	option src 'Z_WIFI2'
	list src_ip '172.21.164.240/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'blokovat z wifi5'
	option src 'Z_WIFI5'
	list src_ip '172.21.165.240/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'DHCP DNS NTP'
	option src '*'
	option dest_port '67 53 123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'management'
	option src 'lan'
	list src_ip '172.21.163.80'
	option dest_port '22 80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp'

config rule
	option name 'NTP'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'NTP'
	option src '*'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'DHCP DNS NTP'
	option src '*'
	option dest_port '67 53 123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'Ping do wan'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'icmp'

config rule
	option name 'blokovano lan DHCP'
	option src 'lan'
	list src_ip '172.21.163.64/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'vse lan'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '172.21.163.96/28'
	option family 'ipv4'

config rule
	option name 'http https'
	option src 'lan'
	list src_ip '172.21.163.80/28'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'smtps imaps pop3s'
	option src 'lan'
	list src_ip '172.21.163.80/30'
	option dest 'wan'
	option dest_port '465 993 995'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'ftp'
	option src 'lan'
	list src_ip '172.21.163.80/29'
	option dest 'wan'
	option dest_port '21'
	option helper 'ftp'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	option enabled '0'

config rule
	option name 'licence.winduo64.cz'
	option src 'lan'
	list src_ip '172.21.163.94'
	option dest 'wan'
	option dest_port '9000'
	list dest_ip '90.182.56.154'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'sims vyssi porty 1'
	option src 'lan'
	option dest 'wan'
	option dest_port '8995 12020'
	list dest_ip '159.153.74.8'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'sims vyssi porty 2'
	option src 'lan'
	option dest 'wan'
	option dest_port '12000-12028'
	list dest_ip '159.153.79.0/26'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'Sims port 44325'
	option src 'lan'
	option dest 'wan'
	option dest_port '44325'
	list dest_ip '159.153.64.176'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option src 'lan'
	option name 'svrcek.cz'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '93.185.104.14'
	option dest 'wan'
	list proto 'tcp'

config rule
	option src 'lan'
	option dest 'wan'
	list dest_ip '93.185.104.24'
	option target 'ACCEPT'
	list proto 'tcp'
	option family 'ipv4'
	option name 'kreteni.eu'

config rule
	option src 'lan'
	option name 'toniczech.cz'
	option dest 'wan'
	list dest_ip '93.185.104.30'
	option target 'ACCEPT'
	list proto 'tcp'
	option family 'ipv4'

config rule
	option dest_port '25565'
	option src 'lan'
	option name 'Minecraft'
	option dest 'wan'
	list dest_ip '65.21.94.23'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option family 'ipv4'
	option src 'lan'
	option target 'ACCEPT'
	option name 'Ping z LAN'
	list proto 'icmp'

config rule
	option name 'blokovat vse z lan'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'
	list proto 'all'

This is quite unusual, and typically wrong.

Normally the lan has ACCEPT for all three of these. OUTPUT = ACCEPT is required for the LAN to function properly in general. If INPUT is not ACCEPT, the router will not respond to pings from the connected hosts on the respective network.

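As an added example (not code from this thread), the script below parses a UCI firewall config with awk and lists each zone's input/output/forward policy, so a zone whose output policy is not ACCEPT, which is what makes the router's own ping fail with "sendto: Operation not permitted", stands out at a glance. The embedded config is a constructed sample modelled on the one posted above; on a real router pipe /etc/config/firewall into zone_policies instead.

```shell
# Added example, not from the thread: list each zone's input/output/forward
# policy from a UCI firewall config. Needs only sh and awk (BusyBox on OpenWrt
# has both): zone_policies < /etc/config/firewall
sample_firewall() {
	# Constructed sample modelled on the posted config: lan rejects everything,
	# wan is the usual shape, and a third zone leaves 'output' unset.
	cat <<'EOF'
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
config zone 'lan'
	option name 'lan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'Z_WIFI2'
	option input 'REJECT'
	option forward 'REJECT'
EOF
}
# One line per zone: "<name> input=<p> output=<p> forward=<p>"; a policy the
# zone leaves unset is reported as "unset" so it gets reviewed, not overlooked.
zone_policies() {
	awk '
	function unq(s) { gsub(/[^-A-Za-z0-9_]/, "", s); return s }   # strip quotes
	/^config zone/ { n++; in_zone = 1; next }
	/^config /     { in_zone = 0; next }
	in_zone && $1 == "option" && $2 == "name" { name[n] = unq($3) }
	in_zone && $1 == "option" && $2 ~ /^(input|output|forward)$/ { pol[n, $2] = unq($3) }
	END {
		split("input output forward", keys, " ")
		for (i = 1; i <= n; i++) {
			printf "%s", name[i]
			for (k = 1; k <= 3; k++)
				printf " %s=%s", keys[k], (((i, keys[k]) in pol) ? pol[i, keys[k]] : "unset")
			printf "\n"
		}
	}'
}
# Zones the router itself may not send into: a non-ACCEPT output policy is what
# the kernel reports back to ping as "sendto: Operation not permitted".
zones_blocking_router_output() {
	zone_policies | awk '$3 != "output=ACCEPT" { print $1 }'
}
```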

Even if I set all three settings to ACCEPT, the ping does not go through.

root@www:~# ping mirek-pc
PING mirek-pc (172.21.163.80): 56 data bytes
ping: sendto: Operation not permitted

What about pings to and from the router (from/to the computers)?

Also, remember that, as @mk24 stated, Windows may not respond to pings unless you specifically allow it in the Windows firewall.

Ping from the machine to the router is OK; ping from the router to my machine is bad:

root@www:~# ping mirek-pc
PING mirek-pc (172.21.163.80): 56 data bytes
ping: sendto: Operation not permitted

From the router, ping 8.8.8.8 -- what happens?

root@www:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=116 time=3.039 ms
64 bytes from 8.8.8.8: seq=1 ttl=116 time=2.577 ms
64 bytes from 8.8.8.8: seq=2 ttl=116 time=2.675 ms
64 bytes from 8.8.8.8: seq=3 ttl=116 time=2.597 ms

Ping from the internet to the router:

H:\>ping ip2.cvrcci.klfree.net

Pinging ip2.cvrcci.klfree.net [81.201.53.57] with 32 bytes of data:
Reply from 81.201.53.57: bytes=32 time=7ms TTL=50
Reply from 81.201.53.57: bytes=32 time=7ms TTL=50
Reply from 81.201.53.57: bytes=32 time=7ms TTL=50
Reply from 81.201.53.57: bytes=32 time=7ms TTL=50

Ping statistics for 81.201.53.57:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 7ms, Average = 7ms

OK... so that confirms that the router can ping properly, and that the router is operating as expected.
At this point, it is almost certainly an issue with the Windows firewall.

But it might be worth proving that the lan bridge is working properly (I'm fairly certain it is, but verification is good). Do you have another device such as a Raspberry Pi or anything running Linux, Mac OS, or even another OpenWrt device you can put on your LAN?
