Wi-Fi Devices Can’t Reach Other Wi-Fi Device, But Wired Devices Can

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi all,

I'm running OpenWRT and having an odd connectivity issue I can't figure out.

Setup

  • Router: Dynalink DL-WRX36
  • OpenWRT: OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c

I have a mostly vanilla setup with the exception of having set static leases on most of my devices.

Problem

I have a Fedora Linux PC connected via Wi-Fi (192.168.1.217) running an app on port 32400. The goal is to access this app via browser from other devices on the same network.

  • Devices connected via Ethernet can access it:
    :white_check_mark: http://192.168.1.217:32400 works from a wired PC
  • Devices connected via Wi-Fi cannot reach it:
    :cross_mark: Pings fail
    :cross_mark: Web access to http://192.168.1.217:32400 fails

Something I've also noticed is that devices connected via Ethernet can ping wired OR wireless devices on the network.

However, devices connected to WiFi can only ping wired devices, NOT other wireless devices.

What I've Tried

  • Checked for AP isolation / client isolation settings in the OpenWRT interface — I don't think it's enabled, but maybe I'm missing it? I checked by going to Network > Wireless > Edit for each band > Advanced Settings > Isolate Clients

I'm wondering if OpenWRT could be preventing Wi-Fi to Wi-Fi client communication somehow, or if there’s a firewall rule or setting I’m missing.

Any advice on what to check in uci, LuCI, or logs to debug this?

Thanks in advance!

2

Let's start by looking at your configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
3

Hey, thanks so much for replying. Below are the results of running the above commands on my router:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:d70b:3c6e::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Tbone5'
        option encryption 'psk2'
        option key 'hunter2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Tbone24'
        option encryption 'psk2'
        option key 'huner2'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 't14'
        option ip '192.168.1.119'
        list mac '<REDACTED>'

config host
        option name 'botnet'
        option ip '192.168.1.229'
        list mac '<REDACTED>'

config host
        option name 'pi'
        option ip '192.168.1.165'
        list mac '<REDACTED>'

config host
        option name 'omv'
        option ip '192.168.1.111'
        list mac '<REDACTED>'

config host
        option name 'desktop'
        option ip '192.168.1.217'
        list mac '<REDACTED>'

config host
        option name 't14'
        option ip '192.168.1.144'
        list mac '<REDACTED>'

config host
        option name 'DietPi'
        option ip '192.168.1.189'
        list mac '<REDACTED>'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qbittorent'
        option src 'wan'
        option src_dport '60847'
        option dest_ip '192.168.1.229'
        option dest_port '60847'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pi'
        option family 'ipv4'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.165'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'pi'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.165'
        option dest_port '80'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'omv - plex'
        option src 'wan'
        option src_dport '32401'
        option dest_ip '192.168.1.111'
        option dest_port '32400'
4

There's nothing in this configuration that would differentiate Ethernet vs wifi devices. However, your local (host-level) firewalls may be preventing the connections. Specifically, they may have assumed that this is an untrusted network (over wifi) and thus may block inbound and even outbound connections on the same subnet. Windows tends to do this when it detects what it thinks is an unfamiliar wifi network (even when it is actually known and trusted).

So, check your host-level firewalls.

5

Oh.... and just to make sure... are there any other routers/APs on this network, or is this the only one?

6
7

No, no other routers or APs.

The two wireless devices I was trying with are both running Fedora 42 Linux. One of which is a laptop, which I tried connecting via Ethernet, upon it was immediately reachable by my other WiFi device.

My wife has a Windows laptop which I'll attempt using in the morning.

8

OK, interesting update.

So, I was able to ping my wife's Windows laptop from my Fedora PCs (all of these devices are connected wireless). But my wife's laptop still couldn't ping my Fedora PCs.

This had me thinking "OK, must be Fedora's firewall or something."

But then I remembered my wife's laptop is connected to the 2.4GHz band. So I then switched my wireless Fedora PCs to the 2.4GHz band from the 5GHz, band, and voila, I was able to ping them.

So now I have to figure out what's the difference between the bands.

9

Based on the configs, there shouldn't be any difference... they're both running against the same network, so it shouldn't be a factor, at least in theory. But it is a good find.

1 Like