-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi fellow-archers, I'm running a software accesspoint with hostapd for several years now. Since some weeks, clients cannot talk to each other directly anymore, also IPv6 broke (the latter might be related, but I'm currently trying to solve the former issue). Unfortunately, I cannot assure, that both happened at the same time. Also, I cannot correlate it to any updates or config changes. The tech stack is: + hostapd (spans two wifi: a normal and a guest net) + dhcpd (for ipv4) + radvd (for ipv6) + iptables (for routing) /etc/hostapd.conf: - ---8<---8<---8<--- bssid=bd:fe:0d:7e:80:37 driver=nl80211 logger_syslog=-1 logger_syslog_level=2 logger_stdout=-1 logger_stdout_level=2 ctrl_interface=/run/hostapd ctrl_interface_group=0 ssid=VzEbpU-wwrtw8f country_code=DE hw_mode=g channel=6 beacon_int=100 dtim_period=2 macaddr_acl=1 accept_mac_file=/etc/hostapd/accept auth_algs=3 ignore_broadcast_ssid=0 wpa=2 wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437 wpa_pairwise=CCMP bss=wlp0s12_0 ssid=RmH bssid=29:9a:f9:b2:d9:02 wpa=2 wpa_passphrase=K6VHcvEy wpa_pairwise=CCMP macaddr_acl=0 - --->8--->8--->8--- ipv4 works fine in the following directions: + from access point to any client and vice versa + from any client to any permitted target beyond the access point but it fails between wifi clients directly. The only config change, which I did within the last 6 months, is adding the second wifi on wlp0s12_0. However, I'm pretty sure, that at least IPv6 was not immediately broken. Ipv4-routes and -addresses on the clients look fine, tcpdump shows no packages when trying to ping other wifi clients (is it normal to not see outgoing packages in case of failure? - seems strange, but was the same, when pinging some bogus address from the access point). Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate guest wifi clients from each other - and I'm pretty sure, I did test it, and it did work (and did not break connectivity between wlp0s12 clients). However, during testing now, I even removed that directive without success. Does anyone have an idea, where else I could look? regards, Erich -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmFzIM0ACgkQCu7JB1Xa e1ozRhAAoXDEs1qUVCDQvP7o5XZlpGRi59imJH7ZhLABxiuKFZ2YhUoTHTX061lX lgbRSZMVAFEjD6x8Hz/uu0NvB+dYf/+W+cF6r2bRN8JXQ7UOb5qzN3CG9pt2H4gg reYYdwS7VH4U7WrdLZvshqRselcZ+x6c0vrpIiX8ni1c3w+hzEgsZ/1m9QMoy7DR 58xeAtkw879AxltjMyJyhYJT3CSjXzZ330sTpukpS7l9v8shs8JQteGckv0WH4q0 KAXW+H0MtXfDIJIwYDVxWV+5CzMeLLLZ5HTYz+U8mC4HZ6iNQ8FRKqJ6GZGZ/t7W MTNMt9V0qx2ewkAPll+u0JJKoVOOiMqqLPeuGwSTS4Vo5oc9tI7zmYC4GOi9Slsp 6WPoF1OT109KDvoWZS8dEadpMb9Pmv3HlWEo/0k5lydqTW3Ef/+8Etcf0YEoI5sf 1HCkntkeqLIUf6EAH0zqm+reebXXuOt5saWbmRUxGRvQijQOm6M5Q9QvoEqOMeQw fpVVH+2IAzN/m0DPvkiA/kUev2Gho2WRWCe0DvyZ15t4VzngXmvPIjO40Dh8w/Z1 N5sgRVDFATC+ciIestfKGe8anC9X3NO7xrQ+AhLIg2PXcZSkuYbpOJKWvMfCtJ91 2+gyoPqgh/6CXhR1tLa5Ttun9FbCSRVitVDmHg5JHUbhe4Zmz+4= =UNVM -----END PGP SIGNATURE-----