[arch-general] hostapd + ap_isolate

Erich Eckner arch at eckner.net
Sat Oct 23 06:00:44 UTC 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 22 Oct 2021, u34--- via arch-general wrote:

> Erich Eckner via arch-general <arch-general at lists.archlinux.org> wrote:
>
>> Hi fellow-archers,
>>
>> I have been running a software access point with hostapd for several years now.
>> For some weeks, clients have not been able to talk to each other directly anymore, and
>> IPv6 broke as well (the latter might be related, but I'm currently trying to solve
>> the former issue). Unfortunately, I cannot be sure that both happened at
>> the same time. Also, I cannot correlate it to any updates or config
>> changes.
>>
>> The tech stack is:
>> + hostapd (spans two wifi: a normal and a guest net)
>> + dhcpd (for ipv4)
>> + radvd (for ipv6)
>> + iptables (for routing)
>>
>> /etc/hostapd.conf:
>> ---8<---8<---8<---
>> bssid=bd:fe:0d:7e:80:37
>> driver=nl80211
>> logger_syslog=-1
>> logger_syslog_level=2
>> logger_stdout=-1
>> logger_stdout_level=2
>> ctrl_interface=/run/hostapd
>> ctrl_interface_group=0
>> ssid=VzEbpU-wwrtw8f
>> country_code=DE
>> hw_mode=g
>> channel=6
>> beacon_int=100
>> dtim_period=2
>> macaddr_acl=1
>> accept_mac_file=/etc/hostapd/accept
>> auth_algs=3
>> ignore_broadcast_ssid=0
>> wpa=2
>> wpa_psk=619f85f482f85d30ac69022edaabce188b4edb82910c1e40f40837e4e6599437
>> wpa_pairwise=CCMP
>> bss=wlp0s12_0
>> ssid=RmH
>> bssid=29:9a:f9:b2:d9:02
>> wpa=2
>> wpa_passphrase=K6VHcvEy
>> wpa_pairwise=CCMP
>> macaddr_acl=0
>> --->8--->8--->8---
>>
>> ipv4 works fine in the following directions:
>> + from access point to any client and vice versa
>> + from any client to any permitted target beyond the access point
>>
>> but it fails between wifi clients directly.
>>
>> The only config change I made within the last 6 months is adding
>> the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6
>> was not immediately broken.
>>
>> IPv4 routes and addresses on the clients look fine; tcpdump shows no
>> packets when trying to ping other wifi clients (is it normal to not see
>> outgoing packets in case of failure? It seems strange, but it was the same
>> when pinging some bogus address from the access point).
>>
>
> Is the following quote, copied from
> https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?
>
>    they can only see outbound packets the firewall passes through:
> [https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]
>
> Perhaps you should disable the firewall, or loosen it, while debugging.

Thanks for the hint, but it does not apply: (one of) the clients doesn't 
even have a firewall enabled and I still cannot see the packets. To me, 
it looks like it doesn't even try to send the pings, because it maybe 
thinks the target is not reachable anyway ...

>
> --
> u34

regards,
Erich


>
>> Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate
>> guest wifi clients from each other, and I'm pretty sure I did test it,
>> and it did work (and did not break connectivity between wlp0s12 clients).
>> However, during testing now, I even removed that directive without
>> success.
>>
>> Does anyone have an idea, where else I could look?
>>
>> regards,
>> Erich
>>
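As an added illustration for the ap_isolate question (this is not code from the thread or from hostapd itself): hostapd assigns every parameter to the BSS section it appears in, so everything before the first `bss=` line configures the primary interface and everything after a `bss=wlp0s12_0` line configures that guest BSS. The script below parses a hostapd.conf into those sections and reports, per BSS, whether `ap_isolate` blocks client-to-client traffic, which makes a misplaced directive visible. The sample configs are constructed from the one quoted above; the `interface=wlp0s12` line and the placement of `ap_isolate=1` are assumptions, and the keys themselves are the real hostapd parameters.

```python
"""Parse a hostapd.conf into per-BSS sections and report ap_isolate.

Added example for this thread; not part of hostapd or the original mail.
hostapd treats every parameter after a `bss=<iface>` line as belonging to
that BSS, so this shows which network an `ap_isolate=1` line really applies to.
"""
from __future__ import annotations

# Constructed sample modelled on the config quoted in the thread (secrets
# omitted). The `interface=wlp0s12` line is an assumption; ap_isolate=1 is
# placed inside the guest BSS section, as the poster described doing.
SAMPLE_CONF = """\
interface=wlp0s12
driver=nl80211
ssid=VzEbpU-wwrtw8f
hw_mode=g
channel=6
macaddr_acl=1
wpa=2
wpa_pairwise=CCMP
# guest network starts here
bss=wlp0s12_0
ssid=RmH
wpa=2
wpa_pairwise=CCMP
macaddr_acl=0
ap_isolate=1
"""

# Constructed variant: the same directive placed ABOVE the bss= line, which
# hostapd reads as a setting for the primary BSS, not the guest one.
MISPLACED_CONF = SAMPLE_CONF.replace("ap_isolate=1\n", "").replace(
    "bss=wlp0s12_0\n", "ap_isolate=1\nbss=wlp0s12_0\n"
)


def parse_bss_sections(conf_text: str) -> list[dict[str, str]]:
    """Split hostapd.conf text into an ordered list of per-BSS parameter dicts.

    Section 0 is the primary BSS (everything before the first `bss=` line);
    each `bss=` line starts a new section named by its value. Blank lines and
    `#` comments are skipped. A key repeated within one section keeps the last
    value. Each `bss=` section starts empty here, mirroring hostapd, which
    initialises a new BSS from defaults rather than copying the primary one.
    """
    sections: list[dict[str, str]] = [{"_name": "primary"}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed hostapd.conf line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({"_name": value})
            continue
        if key == "interface" and len(sections) == 1:
            sections[0]["_name"] = value  # name the primary BSS after its iface
        sections[-1][key] = value
    return sections


def isolation_report(sections: list[dict[str, str]]) -> dict[str, bool]:
    """Map BSS name -> True if ap_isolate=1 blocks client-to-client traffic.

    hostapd's default is ap_isolate=0, i.e. clients of that BSS may talk to
    each other, so a missing key is reported as not isolated.
    """
    return {s["_name"]: s.get("ap_isolate", "0") == "1" for s in sections}


def where_is_set(sections: list[dict[str, str]], key: str) -> list[str]:
    """Return the names of the BSS sections in which `key` is explicitly set."""
    return [s["_name"] for s in sections if key in s]


if __name__ == "__main__":
    for label, conf in (("as intended", SAMPLE_CONF), ("misplaced", MISPLACED_CONF)):
        secs = parse_bss_sections(conf)
        print(f"[{label}] ap_isolate set in: {where_is_set(secs, 'ap_isolate')}")
        for name, isolated in isolation_report(secs).items():
            print(f"  {name}: client-to-client traffic {'blocked' if isolated else 'allowed'}")
```

Running it prints, for the intended layout, isolation only on wlp0s12_0, and for the misplaced variant isolation on wlp0s12 instead, which is exactly the situation in which clients of the normal network would stop seeing each other while the guest network stays unaffected.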


