[arch-general] hostapd + ap_isolate

u34 at net9.ga
Fri Oct 22 22:12:17 UTC 2021


Erich Eckner via arch-general <arch-general at lists.archlinux.org> wrote:

> Hi fellow-archers,
> 
> I've been running a software access point with hostapd for several years now. 
> For some weeks, clients have not been able to talk to each other directly anymore; 
> IPv6 broke as well (the latter might be related, but I'm currently trying to solve 
> the former issue). Unfortunately, I cannot be sure that both happened at 
> the same time. Also, I cannot correlate it to any updates or config 
> changes.
> 
> The tech stack is:
> + hostapd (spans two wifi: a normal and a guest net)
> + dhcpd (for ipv4)
> + radvd (for ipv6)
> + iptables (for routing)
> 
> /etc/hostapd.conf:
> ---8<---8<---8<---
> bssid=bd:fe:0d:7e:80:37
> driver=nl80211
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> ctrl_interface=/run/hostapd
> ctrl_interface_group=0
> ssid=VzEbpU-wwrtw8f
> country_code=DE
> hw_mode=g
> channel=6
> beacon_int=100
> dtim_period=2
> macaddr_acl=1
> accept_mac_file=/etc/hostapd/accept
> auth_algs=3
> ignore_broadcast_ssid=0
> wpa=2
> wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
> wpa_pairwise=CCMP
> bss=wlp0s12_0
> ssid=RmH
> bssid=29:9a:f9:b2:d9:02
> wpa=2
> wpa_passphrase=K6VHcvEy
> wpa_pairwise=CCMP
> macaddr_acl=0
> --->8--->8--->8---
> 
> IPv4 works fine in the following directions:
> + from access point to any client and vice versa
> + from any client to any permitted target beyond the access point
> 
> but it fails between wifi clients directly.
> 
> The only config change which I made within the last 6 months is adding 
> the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6 
> was not immediately broken.
> 
> IPv4 routes and addresses on the clients look fine; tcpdump shows no 
> packages when trying to ping other wifi clients (is it normal not to see 
> outgoing packages in case of failure? It seems strange, but it was the same 
> when pinging some bogus address from the access point).
> 

Is the following quote, copied from 
https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?

    they can only see outbound packets the firewall passes through: 
[https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]

Perhaps you should disable the firewall, or loosen it, while debugging.

--
u34

> Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate 
> guest wifi clients from each other, and I'm pretty sure I tested it 
> and it worked (and did not break connectivity between wlp0s12 clients). 
> However, during testing now, I even removed that directive without 
> success.
> 
> Does anyone have an idea, where else I could look?
> 
> regards,
> Erich
> 
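A small checker, added here as an example and not part of either mail, that reports how ap_isolate is set for each BSS in a hostapd.conf. It assumes the hostapd.conf layout documented by hostapd (keys before the first bss= line belong to the primary interface, each bss=<ifname> starts a block whose keys apply only to that BSS, and ap_isolate is per-BSS); the sample config is constructed with placeholder values, not the one posted above.

```shell
#!/bin/sh
# hostapd_ap_isolate_report FILE
# Prints one line per BSS: "<bss> ssid=<ssid> ap_isolate=<value|unset>".
# Assumed hostapd semantics: everything before the first "bss=" line is the
# primary interface; each "bss=<ifname>" opens a new block; ap_isolate only
# affects station-to-station bridging inside the BSS it is set in.
hostapd_ap_isolate_report() {
    awk -F= '
        BEGIN { cur = "primary"; iso[cur] = "unset"; order[n++] = cur }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments/blanks
        $1 == "bss"        { cur = $2; iso[cur] = "unset"; order[n++] = cur; next }
        $1 == "ssid"       { ssid[cur] = $2; next }
        $1 == "ap_isolate" { iso[cur] = $2; next }
        END {
            for (i = 0; i < n; i++) {
                b = order[i]
                printf "%s ssid=%s ap_isolate=%s\n", b, ssid[b], iso[b]
            }
        }
    ' "$1"
}

# Constructed sample (placeholder values): a primary wifi without ap_isolate
# and a guest BSS on wlp0s12_0 with client isolation enabled.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface=wlp0s12
driver=nl80211
ssid=HomeNet
wpa=2
wpa_passphrase=example-placeholder
wpa_pairwise=CCMP
bss=wlp0s12_0
ssid=GuestNet
wpa=2
wpa_passphrase=example-placeholder
wpa_pairwise=CCMP
ap_isolate=1
EOF
}

# Stand-alone run: use the file given as $1, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    hostapd_ap_isolate_report "$1"
else
    tmp=$(mktemp) && write_sample_conf "$tmp" && hostapd_ap_isolate_report "$tmp"
    rm -f "$tmp"
fi
```

Any BSS reported with ap_isolate=1 will not bridge frames between its own stations even with a permissive firewall, so it is the first thing to rule out before loosening iptables as suggested.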

