Re: hostapd + ap_isolate




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 22 Oct 2021, u34--- via arch-general wrote:

Erich Eckner via arch-general <arch-general@xxxxxxxxxxxxxxxxxxx> wrote:

Hi fellow-archers,

I'm running a software access point with hostapd for several years now.
For some weeks, clients cannot talk to each other directly anymore, and
IPv6 broke as well (the latter might be related, but I'm currently trying
to solve the former issue). Unfortunately, I cannot be sure that both
happened at the same time. Also, I cannot correlate it to any updates or
config changes.

The tech stack is:
+ hostapd (spans two wifi: a normal and a guest net)
+ dhcpd (for ipv4)
+ radvd (for ipv6)
+ iptables (for routing)

/etc/hostapd.conf:
---8<---8<---8<---
bssid=bd:fe:0d:7e:80:37
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/run/hostapd
ctrl_interface_group=0
ssid=VzEbpU-wwrtw8f
country_code=DE
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
auth_algs=3
ignore_broadcast_ssid=0
wpa=2
wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
wpa_pairwise=CCMP
bss=wlp0s12_0
ssid=RmH
bssid=29:9a:f9:b2:d9:02
wpa=2
wpa_passphrase=K6VHcvEy
wpa_pairwise=CCMP
macaddr_acl=0
--->8--->8--->8---

ipv4 works fine in the following directions:
+ from access point to any client and vice versa
+ from any client to any permitted target beyond the access point

but it fails between wifi clients directly.

The only config change which I did within the last 6 months is adding
the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6
was not immediately broken.

IPv4 routes and addresses on the clients look fine; tcpdump shows no
packets when trying to ping other wifi clients (is it normal to not see
outgoing packets in case of failure? - seems strange, but it was the same
when pinging some bogus address from the access point).


Is the following quote, copied from
https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?

   they can only see outbound packets the firewall passes through:
[https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]

Perhaps you should disable the firewall, or loosen it, while debugging.

Thanks for the hint, but it does not apply: (one of) the clients doesn't even have a firewall enabled, and I still cannot see the packets. To me, it looks like it doesn't even try to send the pings, because it maybe thinks the target is not reachable anyway ...


--
u34

regards,
Erich



Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate
guest wifi clients from each other - and I'm pretty sure I did test it,
and it did work (and did not break connectivity between wlp0s12 clients).
However, during testing now, I even removed that directive without
success.

Does anyone have an idea, where else I could look?

regards,
Erich


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmFzpRMACgkQCu7JB1Xa
e1rFNQ/9Fpa9lRESX9K1H5oGTxwycoDjBDbcK/6XM/ZZLLhSaq7amxItOPwHGFc4
7qc2Xm1gMfkNLKH4eaM1wLy65i3XbYbJrn2zXhLIK31YOxQkIBu4KmRZEdUfWBCq
3vyMLFU+xSY1vobQ6f407QEggdo5gQ+OVToRklvdDk7uDhyEL/Z7KFdXAl3DIvxq
aDsWiFu87tLVYwddeeoa57pw33vLk2nJEcXeerDErCHzbOsCEGsR724BARbGVUlq
WI682aVkdNKn6SSvEKZeSQ4jV7eZ1nn38ShL3gpYgMvX+ZzOYMPSMEGe7UIdFbJG
Wy/v77ZG6luXSD9N+cjVZp2k9iHj0keZWqzldFjDG9UMqPugTVjdvx5F6ghrKcZL
3neZ5cVaiqHNHVIRMy2HvGo1aDglheFkYx5h0YvZ89TrIGdThEkrH5FDUNyCIhIl
izcuUF/RFxfim6dBf3z+U9PgmEFkbl9IlkvFjykPrm8zMX9tfB47Ea+FeNUJ2Iev
4kVTRdnwxb37teG0kydFqKAA1qOlPbFOyV4dEERj3nHNFa6R/0E4FFEcLVLrnaaR
Eh3eqFxdpZCT2ckVmh2Y6eEil5iryWmClwTPBm4/VAuqZiaALniE0eTggtnr/4E+
+4NynsYNo6XvHA8qqwZGEDHAX3ahD4jGwrZR0rHWMkMFncxxmBc=
=1JhH
-----END PGP SIGNATURE-----
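One thing worth verifying in a thread like this is which BSS a given directive actually lands in: hostapd attaches every key that appears before the first `bss=` line to the primary BSS (named by `interface=`) and every key after a `bss=` line to that additional BSS, so a misplaced `ap_isolate=1` silently isolates the wrong network. The script below is an added example, not code from the thread or from the hostapd project. It splits a hostapd.conf into per-BSS sections and reports, for each BSS, whether client isolation is on, which MAC ACL policy applies and whether WPA is configured. The sample config is constructed for the example and modelled on the two-BSS layout above, with an assumed `interface=wlp0s12` line (the quoted config omits it) and placeholder values in place of every secret; the `RADIO_KEYS` set lists only the keys the author of this example is confident are radio-wide rather than per-BSS.

```python
"""Audit a hostapd.conf for per-BSS client-isolation settings (added example)."""
from dataclasses import dataclass, field

# Keys that configure the radio as a whole rather than one BSS.
RADIO_KEYS = {"driver", "hw_mode", "channel", "country_code", "beacon_int"}

# Constructed sample config; every secret and SSID below is a placeholder.
SAMPLE_CONF = """\
interface=wlp0s12
driver=nl80211
ssid=HomeNet-EXAMPLE
hw_mode=g
channel=6
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
wpa=2
wpa_psk=PLACEHOLDER-64-HEX-PSK
wpa_pairwise=CCMP
bss=wlp0s12_0
ssid=GuestNet-EXAMPLE
wpa=2
wpa_passphrase=PLACEHOLDER-PASSPHRASE
wpa_pairwise=CCMP
macaddr_acl=0
ap_isolate=1
"""


@dataclass
class Bss:
    """One BSS section: its interface name and the keys attributed to it."""
    name: str
    keys: dict = field(default_factory=dict)


def parse_hostapd_conf(text):
    """Split hostapd.conf text into radio-wide keys plus BSS sections in file order.

    Keys before the first 'bss=' belong to the primary BSS; each 'bss=' line
    starts a new section that receives every following key.
    """
    primary = Bss(name="")          # name is filled in from 'interface='
    sections = [primary]
    radio = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append(Bss(name=value))
            continue
        if key == "interface" and sections[-1] is primary:
            primary.name = value
        if key in RADIO_KEYS:
            radio[key] = value
            continue
        sections[-1].keys[key] = value
    return radio, sections


def isolation_report(text):
    """Return one summary dict per BSS: name, SSID, ap_isolate, MAC ACL mode, WPA version."""
    _radio, sections = parse_hostapd_conf(text)
    report = []
    for bss in sections:
        report.append({
            "bss": bss.name or "<primary>",
            "ssid": bss.keys.get("ssid", ""),
            # hostapd defaults: ap_isolate=0 (bridging allowed), macaddr_acl=0, wpa=0
            "ap_isolate": bss.keys.get("ap_isolate", "0") == "1",
            "macaddr_acl": int(bss.keys.get("macaddr_acl", "0")),
            "wpa": int(bss.keys.get("wpa", "0")),
        })
    return report


if __name__ == "__main__":
    for entry in isolation_report(SAMPLE_CONF):
        state = "ISOLATED" if entry["ap_isolate"] else "bridged"
        print(f"{entry['bss']:<12} ssid={entry['ssid']:<20} clients={state} "
              f"macaddr_acl={entry['macaddr_acl']} wpa={entry['wpa']}")
```

Run it against a real config with `isolation_report(open("/etc/hostapd.conf").read())`; on the sample it reports the primary BSS as bridged with the MAC allow-list active and the guest BSS as isolated with no ACL. If the main network shows up as isolated, the directive sits above the `bss=` line rather than below it.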


