On Fri, 22 Oct 2021, u34--- via arch-general wrote:

> Erich Eckner via arch-general <arch-general@lists.archlinux.org> wrote:
>
>> Hi fellow-archers,
>>
>> I have been running a software access point with hostapd for several years now. Since some weeks, clients cannot talk to each other directly anymore; IPv6 also broke (the latter might be related, but I'm currently trying to solve the former issue). Unfortunately, I cannot confirm that both happened at the same time. I also cannot correlate it with any updates or config changes.
>>
>> The tech stack is:
>> + hostapd (spans two wifi networks: a normal and a guest net)
>> + dhcpd (for IPv4)
>> + radvd (for IPv6)
>> + iptables (for routing)
>>
>> /etc/hostapd.conf:
>> ---8<---8<---8<---
>> bssid=bd:fe:0d:7e:80:37
>> driver=nl80211
>> logger_syslog=-1
>> logger_syslog_level=2
>> logger_stdout=-1
>> logger_stdout_level=2
>> ctrl_interface=/run/hostapd
>> ctrl_interface_group=0
>> ssid=VzEbpU-wwrtw8f
>> country_code=DE
>> hw_mode=g
>> channel=6
>> beacon_int=100
>> dtim_period=2
>> macaddr_acl=1
>> accept_mac_file=/etc/hostapd/accept
>> auth_algs=3
>> ignore_broadcast_ssid=0
>> wpa=2
>> wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
>> wpa_pairwise=CCMP
>>
>> bss=wlp0s12_0
>> ssid=RmH
>> bssid=29:9a:f9:b2:d9:02
>> wpa=2
>> wpa_passphrase=K6VHcvEy
>> wpa_pairwise=CCMP
>> macaddr_acl=0
>> --->8--->8--->8---
>>
>> IPv4 works fine in the following directions:
>> + from the access point to any client and vice versa
>> + from any client to any permitted target beyond the access point
>>
>> but it fails between wifi clients directly.
>>
>> The only config change which I did within the last 6 months is adding the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6 was not immediately broken.
>>
>> IPv4 routes and addresses on the clients look fine; tcpdump shows no packets when trying to ping other wifi clients (is it normal to not see outgoing packets in case of failure? It seems strange, but it was the same when pinging some bogus address from the access point).
>
> Is the following quote, copied from https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?
>
> "they can only see outbound packets the firewall passes through: [https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]"
>
> Perhaps you should disable the firewall, or loosen it, while debugging.

Thanks for the hint, but it does not apply: (one of) the clients doesn't even have a firewall enabled and I still cannot see the packets. To me it looks like it doesn't even try to send the pings, because it maybe thinks the target is not reachable anyway ...

> --
> u34
>
>> regards, Erich

Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate guest wifi clients from each other - and I'm pretty sure I did test it, and it did work (and did not break connectivity between wlp0s12 clients). However, during testing now, I even removed that directive without success.

Does anyone have an idea where else I could look?

regards, Erich
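An added example, not part of the thread and not hostapd's own code: in a multi-BSS hostapd.conf, everything before the first `bss=` line belongs to the primary BSS (the one named by `interface=`) and each `bss=<ifname>` line starts a new section. `ap_isolate` is a per-BSS setting: it stops frames being bridged between stations of the BSS it is set in, and says nothing about traffic between clients of wlp0s12 and wlp0s12_0, which passes through the host's networking stack (routing or a bridge) and its firewall. The linter below splits a config into its BSS sections and reports, per BSS, whether stations are isolated and whether the key material is sane. The sample config is the one from the post (with the placeholder secrets as printed there) plus an assumed `interface=wlp0s12` line, which the post omits, and `ap_isolate=1` on the guest BSS as originally described; the 16-character passphrase threshold is this example's own choice, stricter than the 8..63 range hostapd enforces.

```python
"""Multi-BSS hostapd.conf linter (example code, not hostapd's).

Splits the file into BSS sections the way hostapd reads it: keys before the
first ``bss=`` line belong to the primary BSS named by ``interface=``, and
every ``bss=<ifname>`` line starts a new section. Radio-level keys (hw_mode,
channel, country_code, ...) only appear in the first section; this example
does not try to model which keys hostapd treats as per-radio vs. per-BSS.
"""
import re
from typing import Dict, List

# Constructed sample: the config posted in the thread, plus an ASSUMED
# ``interface=wlp0s12`` line (the post omits it) and ``ap_isolate=1`` on the
# guest BSS, as the poster says he originally had it.
SAMPLE_CONF = """\
interface=wlp0s12
bssid=bd:fe:0d:7e:80:37
driver=nl80211
ctrl_interface=/run/hostapd
ctrl_interface_group=0
ssid=VzEbpU-wwrtw8f
country_code=DE
hw_mode=g
channel=6
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
auth_algs=3
ignore_broadcast_ssid=0
wpa=2
wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
wpa_pairwise=CCMP

bss=wlp0s12_0
ssid=RmH
bssid=29:9a:f9:b2:d9:02
wpa=2
wpa_passphrase=K6VHcvEy
wpa_pairwise=CCMP
macaddr_acl=0
ap_isolate=1
"""

HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")
# Stricter than WPA2's 8-char minimum; a threshold chosen for this example.
MIN_PASSPHRASE_FOR_THIS_CHECK = 16


def parse_bss_sections(text: str) -> List[Dict[str, str]]:
    """Return one dict per BSS, in file order; the first is the primary BSS."""
    sections: List[Dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed hostapd.conf line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "bss":
            sections.append({"bss": value})  # a new BSS section starts here
        else:
            sections[-1][key] = value
    return sections


def bss_name(section: Dict[str, str]) -> str:
    return section.get("bss") or section.get("interface", "<unnamed>")


def audit_bss(section: Dict[str, str]) -> List[str]:
    """Findings about station-to-station reachability and key strength for one BSS."""
    findings: List[str] = []
    # ap_isolate=1 stops frames being bridged between stations of *this* BSS
    # only; traffic between different BSSes goes through the host's own
    # forwarding rules, which this check does not see.
    if section.get("ap_isolate", "0") != "1":
        findings.append("stations in this BSS can reach each other directly (ap_isolate is not 1)")
    wpa = int(section.get("wpa", "0"))
    if wpa == 0:
        findings.append("open network (wpa=0)")
    else:
        if wpa & 1:  # bit 1 = WPA (version 1), bit 2 = RSN/WPA2
            findings.append("legacy WPA (version 1) enabled (wpa bit 1 set)")
        # rsn_pairwise defaults to wpa_pairwise when unset, so check both.
        ciphers = section.get("wpa_pairwise", "") + " " + section.get("rsn_pairwise", "")
        if "TKIP" in ciphers:
            findings.append("TKIP allowed as pairwise cipher")
        if "wpa_passphrase" in section:
            n = len(section["wpa_passphrase"])
            if not 8 <= n <= 63:
                findings.append(f"wpa_passphrase has {n} chars; hostapd requires 8..63")
            elif n < MIN_PASSPHRASE_FOR_THIS_CHECK:
                findings.append(f"short wpa_passphrase ({n} chars)")
        if "wpa_psk" in section and not HEX_PSK.match(section["wpa_psk"]):
            findings.append("wpa_psk is not 64 hex digits")
        if not any(k in section for k in ("wpa_passphrase", "wpa_psk", "wpa_psk_file")):
            findings.append("wpa enabled but no PSK/passphrase configured")
    if section.get("macaddr_acl") == "1" and "accept_mac_file" not in section:
        findings.append("macaddr_acl=1 without accept_mac_file (accept list is empty)")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each BSS name to its findings."""
    return {bss_name(s): audit_bss(s) for s in parse_bss_sections(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run against the sample, the primary BSS is reported as not isolated (no `ap_isolate`), the guest BSS as isolated but with an 8-character passphrase. Whether wlp0s12 clients can reach wlp0s12_0 clients is decided by the host's FORWARD rules, not by anything in this file.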