[arch-general] hostapd + ap_isolate

Erich Eckner arch at eckner.net
Fri Oct 22 20:36:11 UTC 2021


Hi fellow-archers,

I have been running a software access point with hostapd for several years now. 
For some weeks, clients have not been able to talk to each other directly anymore; also 
IPv6 broke (the latter might be related, but I'm currently trying to solve 
the former issue). Unfortunately, I cannot be sure that both happened at 
the same time. Also, I cannot correlate it to any updates or config 
changes.

The tech stack is:
+ hostapd (spans two wifi networks: a normal and a guest net)
+ dhcpd (for ipv4)
+ radvd (for ipv6)
+ iptables (for routing)

/etc/hostapd.conf:
---8<---8<---8<---
bssid=bd:fe:0d:7e:80:37
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/run/hostapd
ctrl_interface_group=0
ssid=VzEbpU-wwrtw8f
country_code=DE
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
auth_algs=3
ignore_broadcast_ssid=0
wpa=2
wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
wpa_pairwise=CCMP
bss=wlp0s12_0
ssid=RmH
bssid=29:9a:f9:b2:d9:02
wpa=2
wpa_passphrase=K6VHcvEy
wpa_pairwise=CCMP
macaddr_acl=0
--->8--->8--->8---

IPv4 works fine in the following directions:
+ from access point to any client and vice versa
+ from any client to any permitted target beyond the access point

but it fails between wifi clients directly.

The only config change I made within the last 6 months is adding 
the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6 
was not immediately broken.

IPv4 routes and addresses on the clients look fine; tcpdump shows no 
packets when trying to ping other wifi clients (is it normal to not see 
outgoing packets in case of failure? Seems strange, but it was the same 
when pinging some bogus address from the access point).

Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate 
guest wifi clients from each other, and I'm pretty sure I did test it, 
and it did work (and did not break connectivity between wlp0s12 clients). 
However, during testing now, I even removed that directive without 
success.

Does anyone have an idea, where else I could look?

regards,
Erich
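As an added example (not part of the original mail), the following script parses a multi-BSS hostapd.conf of the shape quoted above and reports, per BSS, whether ap_isolate is set and whether a MAC ACL is active, which is the first thing to confirm when one BSS unexpectedly isolates its clients. The sample configuration, interface names and SSIDs in it are constructed.

```python
"""Parse a multi-BSS hostapd.conf and report per-BSS client-isolation settings."""
from typing import Dict, List

# Constructed sample, modelled on the configuration quoted in the post above.
SAMPLE_CONF = """\
interface=wlp0s12
driver=nl80211
ssid=HomeNet
wpa=2
wpa_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
bss=wlp0s12_0
ssid=Guest
wpa=2
wpa_pairwise=CCMP
ap_isolate=1
macaddr_acl=0
"""


def parse_hostapd_conf(text: str) -> List[Dict[str, str]]:
    """Split hostapd.conf into per-BSS dicts.

    Keys before the first 'bss=' line belong to the primary BSS (named by
    'interface='); every 'bss=' line opens a new BSS section. Comments and
    blank lines are skipped; a key repeated within one section keeps its
    last value, which matches how hostapd applies the file.
    """
    sections: List[Dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; hostapd itself would reject it
        key, value = key.strip(), value.strip()
        if key == "bss":
            sections.append({"interface": value})
            continue
        sections[-1][key] = value
    return sections


def isolation_report(sections: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Per BSS: interface, SSID, client isolation (ap_isolate defaults to 0)
    and the macaddr_acl mode (0 = accept unless denied, 1 = deny unless accepted)."""
    return [{
        "interface": s.get("interface", "?"),
        "ssid": s.get("ssid", "?"),
        "ap_isolate": s.get("ap_isolate", "0") == "1",
        "mac_acl": s.get("macaddr_acl", "0"),
    } for s in sections]


if __name__ == "__main__":
    for entry in isolation_report(parse_hostapd_conf(SAMPLE_CONF)):
        print(entry)
```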
