Weird Wireless Issues: no IPv6 & unable to ping wireless hosts

I have a TP-Link Archer C7 V7 acting as a 'dumb AP' with LEDE 17.01.2, r3435-65eec8bd5f. In addition, the ethernet ports are configured as a switch, so that connecting a device to the ethernet ports is equivalent to connecting it to the main router directly (which is how wireless should work as well in this dumb AP setup.) The network is also using 802.1X, a.k.a. WPA2 Enterprise.

I am experiencing two weird issues using wireless, that may or may not be related: IPv6 doesn't work, and wireless hosts are isolated from the rest of the network and from each other.

No IPv6

When I connect a device using a wired connection, either to the C7 or to the main router, I am able to obtain IPv6 addresses using IPv6 address autoconfiguration (that is, using ICMPv6 router advertisements.) However, most of the time devices connected using wireless are unable to get IPv6 addresses the same way. I must say most of the time because sometimes, with very low frequency and seemingly at random, devices do get IPv6 addresses.

I must add that, in addition to the 802.1X WPA2 network, I am running an open guest network. In the guest network, devices have no trouble at all getting IPv6 addresses, but if I were to connect to this exact same VLAN using the 802.1X WPA2 network, then the problem re-appears.

Isolated Wireless Stations

I have some mixed feelings about this one, as I consider this a good thing in general. However, I'd like to get to the bottom of this issue to understand why it happens and how to prevent it if I need to. As far as I could tell, this only happens with IPv4. If I assign wireless devices an IPv6 address manually, apparently it works (except case 3. below, which I didn't test.)

To explain this issue, let's say A is a wireless station, A' is a second wireless station and B and B' are wired devices, all connected to the same VLAN. A* and B* mean either of A or A', or B or B', respectively. There are no firewall rules in place anywhere preventing communication between hosts.

The following works (using ping as an example):

  1. B* -> B*
  2. A* -> B*

The following doesn't work (using ping as an example):

  1. A* -> A*

The following works only if ping is started during situation 2. above, but not otherwise (using ping as an example):

  1. B* -> A*

So, B can only ping A and get a response if it's already being pinged by A. If B pings A at a time when A is not simultaneously pinging B, B won't get a response from A.

Configuration

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '52'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'wpa2+ccmp'
	option server 'radius.example.com'
	option wds '1'
	option dynamic_vlan '2'
	option vlan_bridge 'br-vlan'
	option vlan_tagged_interface 'eth0'
	option disabled '0'
	option ssid 'Example'
	option key 'test'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '1'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT40'
	option country 'US'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'wpa2+ccmp'
	option server 'radius.example.com'
	option wds '1'
	option dynamic_vlan '2'
	option vlan_bridge 'br-vlan'
	option vlan_tagged_interface 'eth0'
	option ssid 'Example'
	option key 'test'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '6'
	option hwmode '11g'
	option path 'platform/ehci-platform.1/usb2/2-1/2-1:1.0'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface
	option device 'radio2'
	option mode 'ap'
	option encryption 'none'
	option ssid 'openwireless.org'
	option wds '1'
	option network 'vlan4'
	option disabled '0'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd12:3456:79ab::/48'

config interface 'vlan10'
	option proto 'dhcp'
	option ifname 'eth0.10'
	option peerdns '1'

config interface 'vlan610'
	option proto 'dhcpv6'
	option ifname 'eth0.10'
	option peerdns '1'

config interface 'vlan1'
	option proto 'none'
	option stp '1'
	option auto '1'
	option ifname 'eth0.1 eth1.1'
	option type 'bridge'

config interface 'vlan2'
	option proto 'none'
	option stp '1'
	option auto '1'
	option ifname 'eth0.2'
	option type 'bridge'

config interface 'vlan3'
	option proto 'none'
	option stp '1'
	option auto '1'
	option ifname 'eth0.3 eth1.3'
	option type 'bridge'

config interface 'vlan4'
	option proto 'none'
	option stp '1'
	option auto '1'
	option ifname 'eth0.4 eth1.4'
	option type 'bridge'

config interface 'vlan5'
	option proto 'none'
	option stp '1'
	option auto '1'
	option ifname 'eth0.5 eth1.5'
	option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option mirror_source_port '0'
	option mirror_monitor_port '0'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option vid '10'
	option ports '0t 1t 2 6t'

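The switch and VLAN sections above are easy to get subtly wrong, so here is an added example (not from the original post) of a small UCI parser with two checks a reviewer of such a config would want: a section head mistyped as `option X` instead of `config X`, and a switch port listed as an untagged member of more than one VLAN. The `SAMPLE_UCI` text is constructed for the example and deliberately contains both mistakes; it is not the poster's configuration.

```python
"""Minimal parser for OpenWrt/LEDE UCI config text plus two sanity checks
for switch_vlan sections (added example; not from the original post)."""
import shlex
from collections import defaultdict

# Constructed sample in the shape of /etc/config/network. It deliberately
# contains two mistakes: a section head typed as 'option switch_vlan' instead
# of 'config switch_vlan', and port 2 untagged in two VLANs (3 and 10).
SAMPLE_UCI = """\
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '1t 6t'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '0t 2 6t'

option switch_vlan
    option device 'switch0'
    option vlan '10'
    option vid '10'
    option ports '0t 1t 2 6t'
"""


def parse_uci(text):
    """Return (sections, problems). A section is {'type', 'name', 'options'}."""
    sections, problems = [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the single quotes UCI uses
        keyword = parts[0]
        if keyword == "option" and len(parts) == 2:
            # 'option foo' without a value is never valid; it is almost always a
            # mistyped 'config foo'. Report it, then recover it as a section so
            # the options that follow are still attributed somewhere.
            problems.append(f"line {lineno}: {line!r} has no value; "
                            f"did you mean 'config {parts[1]}'?")
            keyword = "config"
        if keyword == "config":
            if len(parts) < 2:
                problems.append(f"line {lineno}: 'config' without a section type")
                current = None
                continue
            current = {"type": parts[1],
                       "name": parts[2] if len(parts) > 2 else None,
                       "options": {}}
            sections.append(current)
        elif keyword in ("option", "list"):
            if current is None:
                problems.append(f"line {lineno}: {line!r} outside any section")
            elif len(parts) != 3:
                problems.append(f"line {lineno}: malformed {keyword} line {line!r}")
            elif keyword == "option":
                current["options"][parts[1]] = parts[2]
            else:
                current["options"].setdefault(parts[1], []).append(parts[2])
        else:
            problems.append(f"line {lineno}: unknown keyword {keyword!r}")
    return sections, problems


def vlan_port_table(sections):
    """Map vid -> {port: 'tagged' | 'untagged'} from the switch_vlan sections.
    In swconfig's 'ports' syntax a trailing 't' marks a tagged member."""
    table = {}
    for sec in sections:
        if sec["type"] != "switch_vlan":
            continue
        vid = sec["options"].get("vid") or sec["options"].get("vlan")
        if vid is None:
            continue
        members = {}
        for token in sec["options"].get("ports", "").split():
            mode = "tagged" if token.endswith("t") else "untagged"
            members[int(token.rstrip("t"))] = mode
        table[int(vid)] = members
    return table


def untagged_conflicts(table):
    """Untagged ingress on a port can only be assigned to one VLAN (its PVID),
    so a port listed untagged in several VLANs is a misconfiguration.
    Returns {port: [vids]} for the offending ports."""
    seen = defaultdict(list)
    for vid, members in table.items():
        for port, mode in members.items():
            if mode == "untagged":
                seen[port].append(vid)
    return {port: sorted(vids) for port, vids in seen.items() if len(vids) > 1}


if __name__ == "__main__":
    secs, probs = parse_uci(SAMPLE_UCI)
    print("problems:", probs)
    table = vlan_port_table(secs)
    print("per-VLAN membership:", table)
    print("untagged conflicts:", untagged_conflicts(table))
```

On the constructed sample the parser reports the mistyped `option switch_vlan` line and recovers it as a section, and `untagged_conflicts` flags port 2 as untagged in both VLAN 3 and VLAN 10. Running it over a real `/etc/config/network` only needs `parse_uci(open(path).read())`.
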
I did some more tests concerning the IPv6 (lack of) connectivity, and I found the following:

  1. Using WPA2-PSK instead of WPA2-Enterprise fixes the issue, just like using an open network does. That is, IPv6 addresses are obtained by stations.
  2. When using WPA2-Enterprise, the issue seems to be that the incoming ICMPv6 packets sent to ff02::1 by the router do not reach the station (i.e., I cannot see them using tcpdump), even though the packets sent to ff02::2 by the station do reach the router.
  3. Interestingly enough, if I run airodump-ng, I see the solicitation by the station (sent to 33:33:00:00:00:02) and the router's response (sent to 33:33:00:00:00:01.) Since the values are encrypted, I cannot see their contents with Wireshark, but I would think I'm onto something here. I'm reckoning that somehow hostapd is not negotiating the WPA2 keys correctly, and so the station cannot 'see' the response (or rather, it is discarded as invalid.)

Apparently, this issue is now solved, or partially so at least (i.e., the issue at hand is resolved but at an unacceptable performance cost). Both SLAAC for IPv6 and pinging between wireless hosts work, and it could have to do with having the wrong group temporal keys (GTKs) set up.
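The GTK hypothesis fits every symptom listed above, and the reason is how 802.11 keys are assigned to frames: in infrastructure mode a station transmits everything to the AP under its pairwise key (PTK), while the AP delivers group-addressed frames (ARP request broadcasts, and IPv6 multicast such as a router advertisement to ff02::1, which maps to 33:33:00:00:00:01 per RFC 2464) under the group key (GTK) and unicast frames under the receiver's PTK. A station holding a GTK that does not match the AP's therefore drops every group-addressed frame as undecryptable while unicast keeps working. The following Python model is an added illustration of that mechanism, not code from the original post; the hosts, MAC addresses and the `gtk_ok` flag are constructed assumptions, and ARP learning is simplified to "whoever hears a request learns the sender".

```python
"""Which 802.11 key protects a frame, and what a station with a stale group key
would see. Added model, not from the original post; hosts, MACs and the gtk_ok
flag are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_addressed(mac):
    """A set low bit in the first octet marks a group (broadcast/multicast) MAC."""
    return int(mac.split(":")[0], 16) & 1 == 1


def ipv6_multicast_mac(addr):
    """RFC 2464 mapping: 33:33 followed by the low 32 bits of the IPv6 group."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[-4:])


@dataclass
class Host:
    name: str
    mac: str
    wireless: bool = False
    gtk_ok: bool = True                    # does the station hold the AP's GTK?
    arp: set = field(default_factory=set)  # names whose MAC this host has learnt


class Bridge:
    """One VLAN: wired hosts plus an AP bridging wireless stations. Stations send
    every frame to the AP under their PTK; the AP delivers group-addressed frames
    under the GTK and unicast under the receiver's PTK, so only receiving a
    group-addressed frame can fail in this model."""

    def __init__(self, hosts):
        self.hosts = list(hosts)

    def can_decrypt(self, receiver, dst_mac):
        if not receiver.wireless:
            return True                    # wired segment is plaintext
        if is_group_addressed(dst_mac):
            return receiver.gtk_ok         # GTK-protected frame
        return True                        # PTK-protected; PTK is fine here

    def send(self, sender, dst_mac, payload):
        """Forward one frame; return the hosts that actually received it."""
        delivered = []
        for host in self.hosts:
            if host is sender:
                continue
            if not (is_group_addressed(dst_mac) or dst_mac == host.mac):
                continue
            if self.can_decrypt(host, dst_mac):
                delivered.append(host)
        return delivered


def resolve(net, src, dst):
    """ARP: whoever hears the broadcast request learns src; dst answers unicast."""
    if dst.name in src.arp:
        return True
    for hearer in net.send(src, BROADCAST, "arp-request"):
        hearer.arp.add(src.name)
        if hearer is dst and net.send(dst, src.mac, "arp-reply"):
            src.arp.add(dst.name)
    return dst.name in src.arp


def ping(net, src, dst):
    """True only if the echo reply makes it back to src."""
    if not resolve(net, src, dst) or not net.send(src, dst.mac, "echo-request"):
        return False
    if not resolve(net, dst, src):
        return False
    return bool(net.send(dst, src.mac, "echo-reply"))


def connectivity(station_gtk_ok):
    """Reproduce the ping matrix from the post for a given GTK state."""
    a = Host("A", "02:00:00:00:00:01", wireless=True, gtk_ok=station_gtk_ok)
    a2 = Host("A'", "02:00:00:00:00:02", wireless=True, gtk_ok=station_gtk_ok)
    b = Host("B", "02:00:00:00:00:03")
    b2 = Host("B'", "02:00:00:00:00:04")
    net = Bridge([a, a2, b, b2])
    return {
        "B -> B'": ping(net, b, b2),
        "A -> B": ping(net, a, b),
        "A -> A'": ping(net, a, a2),
        "B' -> A'": ping(net, b2, a2),   # B' has never heard from A'
        "B -> A": ping(net, b, a),       # B learnt A's MAC when A pinged it
    }


def router_advertisement_reaches(station_gtk_ok):
    """(RS reaches the router, RA reaches the station) for ff02::2 / ff02::1."""
    router = Host("router", "02:00:00:00:00:fe")
    sta = Host("A", "02:00:00:00:00:01", wireless=True, gtk_ok=station_gtk_ok)
    net = Bridge([router, sta])
    rs = net.send(sta, ipv6_multicast_mac("ff02::2"), "router-solicitation")
    ra = net.send(router, ipv6_multicast_mac("ff02::1"), "router-advertisement")
    return router in rs, sta in ra
```

`connectivity(False)` yields exactly the matrix from the post: wired to wired and wireless to wired work, wireless to wireless fails, and a wired host can only reach a station whose MAC it already learnt from that station's own ARP request; `connectivity(True)` makes every pair succeed. `router_advertisement_reaches(False)` returns `(True, False)`, matching the observation that the solicitation to ff02::2 arrives at the router while the advertisement to ff02::1 never decrypts at the station. When debugging this on a real AP, the equivalent check is to compare a unicast and a multicast capture on the station side, as done with tcpdump and airodump-ng above.
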

Because of an ath10k/hostapd issue with dynamic VLANs (*), I was using an older version of hostapd (2015-03-25) that I compiled. It seems like updating to the latest hostapd (2016-12-19-ad02e79d-3) resolved the issue in this thread.

Now, this is the useful bit of information: in order for both this issue and the dynamic VLANs issue to be fixed, I needed to add the option cryptmode=1 to the kernel module ath10k_core (in /etc/modules.d/55-ath10k.) This disables hardware encryption acceleration and enables raw mode (which obviously has negative performance consequences, such as increased CPU usage: my wireless bandwidth is more or less capped to a bit under 35Mbps each way) but allows the dynamic VLANs to work.

Since the wireless performance is now unacceptably poor, I expect to revert to using the old hostapd version while I try to figure out the issue with setting up the GTK. (That is, I'll try to come up with a patched hostapd that fixes both issues without needing to disable hardware acceleration.) Unfortunately, it would seem like the GTK fix is related to the dynamic VLAN issue, so that journey may not be as fruitful as one may hope. I will also try to see if I can fix the dynamic VLAN issue at the ath10k level.


(*) See hostapd discussion & ath10k discussion.