Wireless clients connected to another dumb AP is not reachable from wired clients in multiple AP setup

UN8899 · November 27, 2025, 2:33am

Hi folks,

I've noticed a strange problem with my network setup, please find the diagram below.

The problem is that all WiFi clients (IoT devices, Laptops and Printer, etc.) are not pingable from wired clients if they are not connected to the same router, but they are reachable from wireless clients even if they are connected to different routers, and it is possible to ping those devices from the routers themselves.

For instance, Wired Client A cannot connect to Laptop B, IoT A and Printer A, it can connect to Laptop A, NAS A, NAS B, all the routers and the Internet.

But Laptop A which is also connected to Router A can ping all wireless clients connected to other routers.

If I connect Printer A or Laptop B to Router A, then they become pingable from Wired Client A.

All the wireless clients are reachable from NAS A and B.

I'm running OpenWRT 24.10.4, all the configs on the 3 routers are almost the same, only IP addresses are different. Please find configs from one of the routers below. DHCP is only enabled on the Internet Gateway and all devices are in the same subnet.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd95:1212:2663::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'
	option bridge_empty '1'
	option igmp_snooping '1'
	option promisc '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.1.0.101'
	option netmask '255.0.0.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	list dns '10.0.0.1'


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'
	option mu_beamformer '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid ''
	option encryption 'sae-mixed'
	option key ''
	option ieee80211r '1'
	option mobility_domain '333f'
	option ft_over_ds '1'
	option wpa_disable_eapol_key_retries '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option ocv '0'
	option reassociation_deadline '20000'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE160'
	option cell_density '0'
	option mu_beamformer '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid ''
	option encryption 'sae-mixed'
	option key ''
	option ieee80211r '1'
	option mobility_domain '333f'
	option ft_over_ds '1'
	option wpa_disable_eapol_key_retries '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option reassociation_deadline '20000'
	option ocv '0'

I've spent several weeks to find an answer on the Internet but still couldn't figure it out, I would appreciate it if someone could help check and advise.

Thank you in advance.

DBAA · November 27, 2025, 3:33am

Some reason there isn’t a lan1 in the br-lan bridge device? Common to see 4 LAN + 1 WAN combined as that is a very standard hardware configuration on low end routers - one Ethernet port (WAN) off the CPU and a four port Ethernet switch chip giving four LAN ports.

UN8899 · November 27, 2025, 4:06am

Network interfaces

The default network configuration is:

Interface Name Description Default configuration

br-lan LAN & WiFi 192.168.1.1/24

lanX (eth0) LAN ports (2 to 4) None

wan (eth0) WAN port DHCP

phy0-ap0 WiFi 2.4G Disabled

phy1-ap0 WiFi 5G Disabled

Switch Ports (for VLANs)

Numbers 2-4 are Ports 1-3 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.

Port Switch port

Internet (WAN) 1

LAN 2 2

LAN 3 3

LAN 4 4

This is from the Wiki https://openwrt.org/inbox/toh/xiaomi/ax3000t, seems for some reason they decided to name the ports from 2 to 4.

psherman · November 27, 2025, 4:13am

Remove this from all of the devices. Reboot and test again.

Other things of note:

802.11r and 802.11k often cause more issues than they solve. Consider removing these from all of your APs.
sae-mixed likewise can cause issues. Stick to wpa2 or wpa3. Not mixed mode.

UN8899 · November 27, 2025, 7:52am

Thank you, Peter. I've tried to remove those two lines but it doesn't work.

I have also tried to capture on Wired Client A, Router A and Router B with IoT A as destination, ARP requests can be seen on all interfaces, ARP replies are not visible to Router A but they are received by Wired Client A possibly because it's done on hardware level, ICMP or HTTP requests are received from lan2 on Router A but it seems the packets have never been forwarded to other interfaces, and all the packets except ARP requests are not received by Router B. If I understand correctly, those packets to IoT A shouldn't be received by Router A's CPU but they should be forwarded to Router B on hardware level. When I tried to ping Router B from Wired Client A, none of the packets was received by Router A's CPU.

egc · November 27, 2025, 6:44pm

If everything else fails remove the wan port from the lan bridge and do not use it, some routers do not play nice with that e.g R7800.
Might be related to wan port on a second cpu port and/or switch configuration and/or dsa drivers.

UN8899 · December 4, 2025, 1:58am

It seems the issue is caused by incorrect FDB entries and can be fixed by enabling vlan_filtering.

github.com/freifunk-berlin/bbb-configs

templates: resolve roaming and FDB entry issues

main ← fix-dsa-roaming-config

opened 10:59PM - 29 Jan 25 UTC

PolynomialDivision

+13 -1

We previously experienced roaming issues where FDB entries would become incorre…ct when a client switched between APs, causing connectivity issues until the erroneous FDB entry expired after 5 minutes [0-3]. Initially, this was thought to be a bug, but after discussions between @spolack and @f00b4r0, it became clear that the configuration was likely incorrect [4]. To fix this, we now explicitly define all ports and set the VLAN filtering to enabled on the bridge device. Additionally, each device's VLAN type is set to '8021q' with the corresponding VID, and the ":u*" syntax is used for untagged ports. This configuration update should eliminate or at least work around the FDB entry errors and fix roaming behavior. Before: ``` config device option type 'bridge' option name 'switch0' config bridge-vlan 'vlan_40' option device 'switch0' option vlan '40' option ports 'internet:t ethernet:t' config bridge-vlan 'vlan_50' option device 'switch0' option vlan '50' option ports 'internet ethernet' ``` After: ``` config device option type 'bridge' option name 'switch0' option vlan_filtering '1' option ports 'internet ethernet' config device option type '8021q' option ifname 'switch0' option vid '40' option name 'switch0.40' config bridge-vlan 'vlan_40' option device 'switch0' option vlan '40' option ports 'internet:t ethernet:t' config device option type '8021q' option ifname 'switch0' option vid '50' option name 'switch0.50' config bridge-vlan 'vlan_50' option device 'switch0' option vlan '50' option ports 'internet:u* ethernet:u*' ``` [0] - https://github.com/openwrt/openwrt/issues/11650 [1] - https://github.com/openwrt/openwrt/issues/11218 [2] - https://github.com/openwrt/openwrt/issues/11277 [3] - https://github.com/openwrt/openwrt/issues/11029 [4] - https://oftc.irclog.whitequark.org/openwrt-devel/2025-01-28

github.com/openwrt/openwrt

Regression: DSA breaks roaming to WLAN bridged to VLAN

opened 06:07PM - 30 Dec 22 UTC

dahopem

bug

### Describe the bug Subject: Regression: DSA breaks roaming to WLAN bridged to… VLAN # Summary When bridging a WLAN with a VLAN on DSA-enabled OpenWRT versions, an erroneous FDB entry creates 100% packet loss for 300 seconds. # Summary analysis When a VLAN-tagged packet is received by the device from the an Ethernet (LAN) port side, 2 FDB entries for the source MAC address of the packet are created in the forwarding database (FDB) of the bridge: 1. one VLAN-tagged FDB entry and 2. one VLAN-untagged FDB entry Both FDB entries tell the switch to forward packets whose destination is that MAC address to that Ethernet port. When then a packet from the same source is received by the device from the WiFi (WLAN) side (e.g. after roaming a client device to that WiFi) and forwarded to the Ethernet (LAN) side (with a VLAN tag), only 1 of these 2 FDB entries are updated (namely the VLAN-tagged FDB entry). The other VLAN-untagged FDB entry remains unchanged, erroneously. When then another VLAN-tagged packet (e.g. an ARP reply packet or a DHCP reply packet) is received by the device from the Ethernet (LAN) side and that packet's destination is the client device's MAC address (=the VLAN-untagged FDB entry's MAC address), then the switch believes that this packet ought to be forwarded to the Ethernet port (even although it is received from exactly this port), while it actually should be forwarded to the CPU of the router (and then further to the WLAN). This packet then gets dropped. This packet loss continues until, after about 300 seconds (5 minutes), the erroneous FDB entry expires. # Impact of this bug This bug affects potentially all DSA-enabled platforms, but at least a sizable subset of all DSA-enabled platforms. It has been verified to exist on: 1. OpenWRT 22.03 on BT HomeHub 5a (hh5a). 2. Turris OS 4.0 on [Turris Omnia](https://forum.turris.cz/t/omnia-vlan-on-dsa-port-breaks-arp-responses-tos-4-0-5/12584/37) already since the year 2020. # How to reproduce ## Steps 1. Ensure that your OpenWRT device A and software supports Distributed Switch Architecture (DSA). 2. Setup your OpenWRT device A to have at least one WiFi interface and at least one ethernet port with VLAN support: 1. Create bridge device "br-switch", with the list of bridge ports only consisting of port "lan2". 2. Enable "VLAN filtering" for that bridge-device and create a VLAN with VLAN ID 31, local enabled and Egress tagged for port "lan2". 3. Create OpenWRT interface "users" with device "br-switch.31". 4. Create a OpenWRT WiFi interface with SSID "test". Ensure (under Interface Configuration/General Setup/Network) that it is connected to network "users". 5. Verify by running "brctl show" on the command line (e.g. using SSH) that there is a bridge called "br-switch" with at least 2 members (one member being "lan2" and the other member being a WiFi interface, for example "wlan1-1"). 6. Reboot the OpenWRT device A. 3. Connect your OpenWRT device A to another WiFi router B 1. Ensure that WiFi router B also support VLANs 2. Connect an Ethernet cable to port "lan2" of OpenWRT device A and a suitable Ethernet port of WiFi router B. 3. Setup WiFi router B such that it has a VLAN with VLAN ID 31 which is available (tagged) at the Ethernet port of WiFi router B. 4. Setup a WiFi interface on WiFi router B with the same SSID "test". Similarly to OpenWRT device A, ensure that that this WiFi interface is bridged to VLAN ID 31. 4. Connect a client device C to OpenWRT device A. 1. Run "ping" from the client device C to the IP address of WiFi router B. 2. Observe that client device C receives ping replies. 5. Roam to WiFi router B. 1. Change the physical position of client device C to be close to WiFi router B and away from OpenWRT device A. (You may need to reduce the output power of OpenWRT device A if the devices are close to each other.) 2. Wait 15 seconds. 3. Verify that client device C is now associated with WiFi router B. (You may verify this looking at the UI of WiFi router B or looking at the output of running "iw dev wlan0 link" on client device C.) 4. Observe that client device C still receives ping replies although its WLAN association has changed. 6. Roam to OpenWRT device A again. 1. Change the physical position of client device C to be close to OpenWRT device A and away from WiFi router B . (You may need to reduce the output power of WiFi router B if the devices are close to each other.) 2. Wait 15 seconds. 3. Verify that client device C is now associated with OpenWRT device A. (You may verify this looking at the UI of WiFi router B or looking at the output of running "iw dev wlan0 link" on client device C.) ## Expected result It is expected that client device C still receives ping replies although its WLAN association has changed again. ## Observed result It can be observed that client device C does not receive ping replies once its WLAN association has changed again. # How to analyze 1. Install OpenWRT packages "ip-bridge" on your OpenWRT device A. 2. Re-run the reproduction steps 4, 5, and 6. Assume that the MAC address of client device C is "02:ff:04:05:06:07". 3. Run "bridge fdb show | grep 02:03:04:05:06:07" after step 3 but before step 4. Observe that the output is empty. 4. Run "bridge fdb show | grep 02:03:04:05:06:07" after step 4 but before step 5. Observe that the output is akin ``` 02:ff:04:05:06:07 dev wlan1-1 vlan 31 master br-switch ``` This shows that there is one FDB entry which says that if there is a packet which is tagged with VLAN 31 and which has the destination MAC address 02:03:04:05:06:07, then it should be forwarded through device "wlan1-1". 5. Run "bridge -statistics fdb show | grep 02:03:04:05:06:07" after step 5 but before step 6. Observe that the output is akin ``` 02:ff:04:05:06:07 dev lan2 vlan 31 master br-switch 02:ff:04:05:06:07 dev lan2 self ``` This shows that there is one FDB entry which says that if there is a packet which is tagged with VLAN 31 and which has the destination MAC address 02:03:04:05:06:07, then it should be forwarded through device "lan2", and another FDB entry which says that if there is a packet which has the destination MAC address 02:03:04:05:06:07, then it should be forwarded through device "lan2". 6. Run "bridge -statistics fdb show | grep 02:03:04:05:06:07" after step 6. Observe that the output is akin ``` 02:ff:04:05:06:07 dev lan2 self 02:ff:04:05:06:07 dev wlan1-1 vlan 31 master br-switch ``` This shows that there is one FDB entry which says that if there is a packet which is tagged with VLAN 31 and which has the destination MAC address 02:03:04:05:06:07, then it should be forwarded through device "wlan1-1", and another FDB entry which says that if there is a packet which has the destination MAC address 02:03:04:05:06:07, then it should be forwarded through device "lan2". # Working workarounds ## Wait 5 minutes After 5 minutes, the erroneous FDB entry expires automatically. ## Delete the erroneous FDB entry explicitly once Run "bridge fdb del 02:ff:04:05:06:07 dev lan2". Once you do this, you will observe immediately that the packets are not dropped anymore. ## Delete the erroneous FDB entry explicitly automatically This bug is so pervasive that [somehone has created a workaround](https://forum.turris.cz/t/omnia-vlan-on-dsa-port-breaks-arp-responses-tos-4-0-5/12584/44) which deletes the erroneous FDB entries automatically. ## Downgrade to swconfig-enabled-OpenWRT versions (instead of DSA-enabled OpenWRT versions) This is possible and works perfectly. However, not upgrading is not viable in the long run. # Non-working workarounds ## Enabling learning_sync Running ``` bridge link set dev lan2 learning_sync on ``` has no effect on the bug, it still occurs. ## Disabling learning Running ``` bridge link set dev lan2 learning off ``` fails with ``` RTNETLINK answers: Not supported ``` # Analysis The root cause seems to be the confusion between whether VLAN-untagged FDB entries should also apply to VLAN-tagged packets. This confusion results in unequal treatment for VLAN-tagged packets incoming through the Ethernet port and forwarded to the CPU on the one hand and VLAN-tagged packets outgoing from the CPU through the Ethernet port on the other hand: 1. When a VLAN-tagged packet is incoming, 2 FDB entries are created (or updated) 2. When a VLAN-tagged packet is outgoing, only 1 FDB entry is created (or updated) ## Solution 1: VLAN-untagged FDB entries should not apply to VLAN-tagged packets In this case, 1. when a VLAN-tagged packet is incoming, only 1 FDB entries should be created (or updated), 2. when a VLAN-tagged packet is outgoing, only 1 FDB entry should be created (or updated). ## Solution 2: VLAN-untagged FDB entries should also apply to VLAN-tagged packets In this case, 1. when a VLAN-tagged packet is incoming, 2 FDB entries should be created (or updated), 2. when a VLAN-tagged packet is outgoing, 2 FDB entry should be created (or updated). This confusion is evidently software-based, as non-DSA versions of OpenWRT do not exhibit this bug. The exact location of this confusion is (currently) unknown. ### OpenWrt version r19803-9a599fee93 ### OpenWrt target/subtarget lantiq/xrx200 ### Device hh5a (BT HomeHub 5a) ### Image kind Official downloaded image ### Steps to reproduce 1. Ensure that your OpenWRT device A and software supports Distributed Switch Architecture (DSA). 2. Setup your OpenWRT device A to have at least one WiFi interface and at least one ethernet port with VLAN support: 1. Create bridge device "br-switch", with the list of bridge ports only consisting of port "lan2". 2. Enable "VLAN filtering" for that bridge-device and create a VLAN with VLAN ID 31, local enabled and Egress tagged for port "lan2". 3. Create OpenWRT interface "users" with device "br-switch.31". 4. Create a OpenWRT WiFi interface with SSID "test". Ensure (under Interface Configuration/General Setup/Network) that it is connected to network "users". 5. Verify by running "brctl show" on the command line (e.g. using SSH) that there is a bridge called "br-switch" with at least 2 members (one member being "lan2" and the other member being a WiFi interface, for example "wlan1-1"). 6. Reboot the OpenWRT device A. 3. Connect your OpenWRT device A to another WiFi router B 1. Ensure that WiFi router B also support VLANs 2. Connect an Ethernet cable to port "lan2" of OpenWRT device A and a suitable Ethernet port of WiFi router B. 3. Setup WiFi router B such that it has a VLAN with VLAN ID 31 which is available (tagged) at the Ethernet port of WiFi router B. 4. Setup a WiFi interface on WiFi router B with the same SSID "test". Similarly to OpenWRT device A, ensure that that this WiFi interface is bridged to VLAN ID 31. 4. Connect a client device C to OpenWRT device A. 1. Run "ping" from the client device C to the IP address of WiFi router B. 2. Observe that client device C receives ping replies. 5. Roam to WiFi router B. 1. Change the physical position of client device C to be close to WiFi router B and away from OpenWRT device A. (You may need to reduce the output power of OpenWRT device A if the devices are close to each other.) 2. Wait 15 seconds. 3. Verify that client device C is now associated with WiFi router B. (You may verify this looking at the UI of WiFi router B or looking at the output of running "iw dev wlan0 link" on client device C.) 4. Observe that client device C still receives ping replies although its WLAN association has changed. 6. Roam to OpenWRT device A again. 1. Change the physical position of client device C to be close to OpenWRT device A and away from WiFi router B . (You may need to reduce the output power of WiFi router B if the devices are close to each other.) 2. Wait 15 seconds. 3. Verify that client device C is now associated with OpenWRT device A. (You may verify this looking at the UI of WiFi router B or looking at the output of running "iw dev wlan0 link" on client device C.) ### Actual behaviour It can be observed that client device C does not receive ping replies once its WLAN association has changed again. ### Expected behaviour It is expected that client device C still receives ping replies although its WLAN association has changed again. ### Additional info _No response_ ### Diffconfig _No response_ ### Terms - [X] I am reporting an issue for OpenWrt, not an unsupported fork.

UN8899 · December 8, 2025, 1:28am

I was still seeing packet loss after enabling vlan_filtering, so I finally moved to snapshot. The issue didn't occur again in last two days. Hope it's really gone.

Interface Name	Description	Default configuration
br-lan	LAN & WiFi	192.168.1.1/24
lanX (eth0)	LAN ports (2 to 4)	None
wan (eth0)	WAN port	DHCP
phy0-ap0	WiFi 2.4G	Disabled
phy1-ap0	WiFi 5G	Disabled