Erich Eckner via arch-general <arch-general@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi fellow-archers,
>
> I'm running a software accesspoint with hostapd for several years now.
> Since some weeks, clients cannot talk to each other directly anymore, also
> IPv6 broke (the latter might be related, but I'm currently trying to solve
> the former issue). Unfortunately, I cannot assure, that both happened at
> the same time. Also, I cannot correlate it to any updates or config
> changes.
>
> The tech stack is:
> + hostapd (spans two wifi: a normal and a guest net)
> + dhcpd (for ipv4)
> + radvd (for ipv6)
> + iptables (for routing)
>
> /etc/hostapd.conf:
> ---8<---8<---8<---
> bssid=bd:fe:0d:7e:80:37
> driver=nl80211
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> ctrl_interface=/run/hostapd
> ctrl_interface_group=0
> ssid=VzEbpU-wwrtw8f
> country_code=DE
> hw_mode=g
> channel=6
> beacon_int=100
> dtim_period=2
> macaddr_acl=1
> accept_mac_file=/etc/hostapd/accept
> auth_algs=3
> ignore_broadcast_ssid=0
> wpa=2
> wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
> wpa_pairwise=CCMP
> bss=wlp0s12_0
> ssid=RmH
> bssid=29:9a:f9:b2:d9:02
> wpa=2
> wpa_passphrase=K6VHcvEy
> wpa_pairwise=CCMP
> macaddr_acl=0
> --->8--->8--->8---
>
> ipv4 works fine in the following directions:
> + from access point to any client and vice versa
> + from any client to any permitted target beyond the access point
>
> but it fails between wifi clients directly.
>
> The only config change, which I did within the last 6 months, is adding
> the second wifi on wlp0s12_0. However, I'm pretty sure, that at least IPv6
> was not immediately broken.
>
> Ipv4-routes and -addresses on the clients look fine, tcpdump shows no
> packages when trying to ping other wifi clients (is it normal to not see
> outgoing packages in case of failure? - seems strange, but was the same,
> when pinging some bogus address from the access point).
>

Is the following quote, copied from
https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?

    they can only see outbound packets the firewall passes through:
    [https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]

Perhaps you should disable the firewall, or loosen it, while debugging.

--
u34

> Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate
> guest wifi clients from each other - and I'm pretty sure, I did test it,
> and it did work (and did not break connectivity between wlp0s12 clients).
> However, during testing now, I even removed that directive without
> success.
>
> Does anyone have an idea, where else I could look?
>
> regards,
> Erich
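
An added example, not part of the thread: a small parser that shows which BSS each hostapd.conf directive lands in, which is the first thing to confirm when ap_isolate is suspected. It assumes hostapd's config format, where a bss= line opens a new BSS and later options apply only to it; the sample config, the interface= line and the function names are constructed for illustration.

```python
# Added example: attribute each hostapd.conf directive to the BSS it lands in.
# Assumption (hostapd's config format): "bss=<ifname>" opens a new BSS, options
# after it apply to that BSS only, and ap_isolate defaults to 0.

# Constructed sample modelled on the posted config; secrets are placeholders.
SAMPLE = """\
interface=wlp0s12
ssid=main-net
wpa_psk=PLACEHOLDER
macaddr_acl=1
#ap_isolate=1
bss=wlp0s12_0
ssid=guest-net
wpa_passphrase=PLACEHOLDER
ap_isolate=1
"""

def parse_bss(text):
    """Return {bss_name: {option: value}} in file order."""
    sections = [["(first BSS)", {}]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a key=value directive
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append([value, {}])      # start of an additional BSS
        elif key == "interface" and len(sections) == 1:
            sections[0][0] = value            # names the first BSS
        else:
            sections[-1][1][key] = value      # belongs to the current BSS
    return {name: opts for name, opts in sections}

def isolation_report(text):
    """Map each BSS to True when ap_isolate=1 is in effect for it."""
    return {name: opts.get("ap_isolate", "0") == "1"
            for name, opts in parse_bss(text).items()}

def client_path(text, bss_a, bss_b):
    """Describe where frames between a client on bss_a and one on bss_b go."""
    isolated = isolation_report(text)
    if bss_a != bss_b:
        return "host network stack"  # separate interfaces: routing/firewall applies
    return "not bridged by the AP" if isolated[bss_a] else "bridged by the AP"

if __name__ == "__main__":
    print(isolation_report(SAMPLE))
```

Moving the ap_isolate=1 line above bss=wlp0s12_0 in the sample flips the report, which is how a misplaced directive would end up isolating the main network instead of the guest one.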