[arch-general] hostapd + ap_isolate
arch at eckner.net
Sat Oct 23 06:00:44 UTC 2021
On Fri, 22 Oct 2021, u34--- via arch-general wrote:
> Erich Eckner via arch-general <arch-general at lists.archlinux.org> wrote:
>> Hi fellow-archers,
>> I'm running a software accesspoint with hostapd for several years now.
>> Since some weeks, clients cannot talk to each other directly anymore, also
>> IPv6 broke (the latter might be related, but I'm currently trying to solve
>> the former issue). Unfortunately, I cannot be sure that both happened at
>> the same time. Also, I cannot correlate it to any updates or config
>> The tech stack is:
>> + hostapd (spans two wifi: a normal and a guest net)
>> + dhcpd (for ipv4)
>> + radvd (for ipv6)
>> + iptables (for routing)
>> ---8<---8<---8<---
>> --->8--->8--->8---
>> ipv4 works fine in the following directions:
>> + from the access point to any client and vice versa
>> + from any client to any permitted target beyond the access point
>> but it fails between wifi clients directly.
>> The only config change which I made within the last 6 months is adding
>> the second wifi on wlp0s12_0. However, I'm pretty sure that at least IPv6
>> was not immediately broken.
>> IPv4 routes and addresses on the clients look fine; tcpdump shows no
>> packets when trying to ping other wifi clients (is it normal to not see
>> outgoing packets in case of failure? - seems strange, but it was the same
>> when pinging some bogus address from the access point).
> Is the following quote, copied from
> https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?
> they can only see outbound packets the firewall passes through:
> Perhaps you should disable the firewall, or loosen it, while debugging.
Thanks for the hint, but it does not apply: (one of) the clients doesn't
even have a firewall enabled, and I still cannot see the packets. To me,
it looks like it doesn't even try to send the pings, because it maybe
thinks the target is not reachable anyway ...
>> Originally, I added "ap_isolate=1" to the config of wlp0s12_0 to isolate
>> guest wifi clients from each other - and I'm pretty sure I did test it,
>> and it did work (and did not break connectivity between wlp0s12 clients).
>> However, during testing now, I even removed that directive without
>> Does anyone have an idea, where else I could look?
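As an added example (not Erich's own config, which the mail elides), here is a two-BSS hostapd.conf of the shape described in the thread: one radio, a primary BSS on wlp0s12 and a guest BSS on wlp0s12_0, with ap_isolate=1 set only on the guest BSS. The interface names come from the mail; the SSIDs, channel, passphrases and WPA settings are assumptions.

```ini
# hostapd.conf, added example (only the interface names are from the mail;
# SSIDs, channel, passphrases and crypto settings are assumptions).
interface=wlp0s12
driver=nl80211
hw_mode=g
channel=6

# Primary BSS: stations associated here may talk to each other directly.
# ap_isolate=0 is the default; it is spelled out to contrast with the guest BSS.
ssid=home
ap_isolate=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=changeme-home

# Second BSS on the same radio: the guest network. Everything after the
# bss= line applies to this BSS only, including ap_isolate.
bss=wlp0s12_0
ssid=guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=changeme-guest
```

Two points worth keeping in mind when debugging a setup like this. ap_isolate is a per-BSS knob: with it set, hostapd stops relaying frames between stations of that one BSS, and nothing else. It has no effect on the other BSS, so the directive on wlp0s12_0 does not explain lost client-to-client connectivity on wlp0s12. It also says nothing about traffic that leaves the radio: whether a guest client can reach a client on the primary network (or vice versa) is decided by the kernel, i.e. by how the two interfaces are bridged or routed and by the iptables rules, not by hostapd. If client-to-client traffic on the primary BSS stays broken with ap_isolate removed, as described above, the place to look is that forwarding path rather than the hostapd config.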