
#1 2018-09-12 01:05:22

chr0mag
Member
From: Vancouver, Canada
Registered: 2017-02-02
Posts: 94

[SOLVED] DIY Wireless Router - wireless clients can't communicate

I've got a PC Engines APU2C4 running Arch. I'm using systemd-networkd (for networking) + nftables (for firewall & routing) + kea (for DHCP) + unbound (for DNS) + hostapd (for wireless AP). This setup is working except that wireless clients cannot see/communicate with each other. More specifically, ARP resolution fails between wireless clients and it seems that broadcast ethernet frames are not being propagated throughout the wireless subnet. Wireless clients can successfully connect to the internet (NAT'd using nftables).

Configuration Details
uname -a

Linux apu2c4 4.14.68-1-lts #1 SMP Wed Sep 5 14:38:31 CEST 2018 x86_64 GNU/Linux

lspci -k (truncated to show only the Compex WLE900VX wireless card info)

04:00.0 Network controller: Qualcomm Atheros QCA986x/988x 802.11ac Wireless Network Adapter
	Kernel driver in use: ath10k_pci
	Kernel modules: ath10k_pci

There is a 2nd, D-link USB wireless adapter (driver rt73usb) used to run a 2nd hostapd AP for clients that only support 2.4GHz (just a wireless printer).

ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:b9:4c:a0:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.14.202/24 brd 192.168.14.255 scope global dynamic wan0
       valid_lft 33746sec preferred_lft 33746sec
3: lan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 9000 qdisc mq master br0 state DOWN group default qlen 1000
    link/ether 00:0d:b9:4c:a0:0d brd ff:ff:ff:ff:ff:ff
4: lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 9000 qdisc mq master br0 state DOWN group default qlen 1000
    link/ether 00:0d:b9:4c:a0:0e brd ff:ff:ff:ff:ff:ff
5: wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master wbr0 state UP group default qlen 1000
    link/ether 00:17:9a:01:0e:38 brd ff:ff:ff:ff:ff:ff
7: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master wbr0 state UP group default qlen 1000
    link/ether 04:f0:21:3d:93:7e brd ff:ff:ff:ff:ff:ff
8: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 9000 qdisc noqueue state DOWN group default qlen 1000
    link/ether de:13:6f:c3:e4:09 brd ff:ff:ff:ff:ff:ff
9: wbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:28:bb:ea:42:d4 brd ff:ff:ff:ff:ff:ff
    inet 10.13.13.1/28 brd 10.13.13.15 scope global wbr0
       valid_lft forever preferred_lft forever

ls -l /etc/systemd/network

total 44
-rw-r--r-- 1 root root  91 Jul 25 17:09 10-lan0.link
-rw-r--r-- 1 root root  91 Jul 25 17:10 10-lan1.link
-rw-r--r-- 1 root root  95 Jul 25 17:07 10-wan0.link
-rw-r--r-- 1 root root  87 Jul 27 21:23 10-wifi0.link
-rw-r--r-- 1 root root 104 Aug 20 18:13 10-wifi1.link
-rw-r--r-- 1 root root  30 Jul 25 18:24 20-br0.netdev
-rw-r--r-- 1 root root 108 Aug 18 19:09 20-br0.network
-rw-r--r-- 1 root root  40 Jul 27 22:41 20-br0-slaves.network
-rw-r--r-- 1 root root 304 Jul 25 17:27 20-wan0.network
-rw-r--r-- 1 root root  31 Aug 20 16:09 30-wbr0.netdev
-rw-r--r-- 1 root root 145 Sep  2 11:56 30-wbr0.network

The .link files exist only to rename interfaces. 2 bridges exist, one wired (br0) and one wireless (wbr0).
cat /etc/systemd/network/30-wbr0.netdev

[NetDev]
Name=wbr0
Kind=bridge

cat /etc/systemd/network/30-wbr0.network

[Match]
Name=wbr0

[Link]
MACAddress=46:28:bb:ea:42:d4

[Network]
Address=10.13.13.1/28

[Route]
Destination=192.168.100.0/24
Gateway=10.13.13.7

cat /etc/hostapd/hostapd-wifi0.conf

# wle900vx hostapd config for apu2c4

interface=wifi0
bridge=wbr0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ssid=xxxxxxxxx
country_code=CA
ieee80211d=1
ieee80211h=1
hw_mode=a
channel=157
preamble=1
auth_algs=1
wmm_enabled=1
uapsd_advertisement_enabled=1
disassoc_low_ack=1
ap_isolate=1
ieee80211n=1
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]
#vht_oper_chwidth=1
#vht_oper_centr_freq_seg0_idx=42
wpa=2
wpa_passphrase=xxxxxxxxxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
disable_pmksa_caching=1
okc=0

Diagnostics
I have 2 wireless devices connected to the AP: A (10.13.13.7) and B (10.13.13.3). If I ping (or arping) device A from device B I see the following:
tcpdump -ennqti wbr0 \( arp or icmp \) (on the APU2C4 router)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
b8:e8:56:68:94:ff > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.13.13.7 tell 10.13.13.3, length 28
b8:e8:56:68:94:ff > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.13.13.7 tell 10.13.13.3, length 28
b8:e8:56:68:94:ff > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.13.13.7 tell 10.13.13.3, length 28
b8:e8:56:68:94:ff > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.13.13.7 tell 10.13.13.3, length 28
b8:e8:56:68:94:ff > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.13.13.7 tell 10.13.13.3, length 28

tcpdump -ennqti wlp4s0 \( arp or icmp \)  (on device A)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

No ARP Requests are seen by device A.

The result is the same between all wireless clients. E.g., if I arping device B from device A, I also receive no response:
arping -I wlp4s0 -c 2 10.13.13.3

ARPING 10.13.13.3 from 10.13.13.7 wlp4s0
Sent 2 probes (2 broadcast(s))
Received 0 response(s)

Listing the ARP table on device A shows ARP failure for device B.
ip neigh show

10.13.13.1 dev wlp4s0 lladdr 46:28:bb:ea:42:d4 REACHABLE
10.13.13.3 dev wlp4s0  FAILED

Interestingly, when I connect 2 devices directly to the router using a wire they can communicate just fine. Wired connections use a different bridge (br0 instead of wbr0), but they are both set up similarly using systemd. The difference is hostapd adding the AP to the bridge in the case that doesn't work. Things I've tried (without luck):
*changing wpa_pairwise setting in hostapd config to see if using TKIP as group cipher (for multicast & broadcast frames) instead of CCMP changed anything
*disabling multicast_snooping echo "0" >> /sys/devices/virtual/net/wbr0/bridge/multicast_snooping --> This is disabled on my LEDE/OpenWrt router where wireless clients can communicate with each other.
*connecting clients to the 2.4GHz AP (different wireless card & driver) --> I see the same issue which makes it unlikely that the problem is with my wireless driver or hardware.

Any suggestions?

Last edited by chr0mag (2018-09-13 17:20:49)


#2 2018-09-12 06:49:06

chr0mag

Re: [SOLVED] DIY Wireless Router - wireless clients can't communicate

It turns out the offending line in my hostapd configuration is:

ap_isolate=1

I had glossed over this during my initial troubleshooting because I figured (incorrectly it turns out) that AP isolation meant something different from client isolation but after reading the description of this setting it makes sense. Commenting this out (the default is ap_isolate=0) allows my wireless clients to communicate.

So, solved, but what I still don't understand is how wireless clients connected to my LEDE/OpenWrt router can communicate even though its hostapd configuration has ap_isolate=1? Perhaps it's something to do with IPv6 which I don't yet fully understand and I've currently disabled on my DIY setup?


#3 2018-09-13 17:38:13

chr0mag

Re: [SOLVED] DIY Wireless Router - wireless clients can't communicate

chr0mag wrote:

... what I still don't understand is how wireless clients connected to my LEDE/OpenWrt router can communicate even though its hostapd configuration has ap_isolate=1?

There is a hairpin_mode setting, configurable for each port on a bridge, that tells the bridge to send frames back out through the port on which the frame was received. This setting should be enabled for any wireless port on a bridge, e.g.

echo "1" > /sys/devices/virtual/net/br0/lower_wifi0/brport/hairpin_mode

For this to work it is required that hostapd have ap_isolate=1, which forces all traffic through the bridge. Setting things up this way has the added benefit of allowing wireless clients attached to different access points (e.g. 5GHz & 2.4GHz radios) to talk to each other, again, because all traffic is sent through the bridge.

Lots of good stuff here regarding this: https://forum.openwrt.org/t/clients-in- … other/2501 .
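
Added example (not part of the original posts): a shell check that ties together the two settings discussed in this thread, reading interface, bridge and ap_isolate from a hostapd config and hairpin_mode from the sysfs path shown in post #3, then reporting how frames between clients of that AP are handled. The function names, the verdict labels and the optional second argument (an alternate sysfs root, useful for testing offline) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Reports how frames between two clients of one hostapd AP are handled:
#   direct      ap_isolate is 0 (the default): the AP relays between its clients
#   via-bridge  ap_isolate=1 and hairpin_mode=1 on the AP's bridge port
#   isolated    ap_isolate=1 and no hairpin: the symptom described in post #1

# conf_get FILE KEY DEFAULT -> last uncommented KEY=value in FILE, else DEFAULT
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# client_path CONF [SYSROOT] -> prints direct | via-bridge | isolated
# SYSROOT defaults to the sysfs directory used in post #3.
client_path() {
    conf=$1
    sysroot=${2:-/sys/devices/virtual/net}
    iface=$(conf_get "$conf" interface "")
    bridge=$(conf_get "$conf" bridge "")
    isolate=$(conf_get "$conf" ap_isolate 0)

    # Per-port bridge setting; treated as 0 when the port is not on a bridge.
    hp_file="$sysroot/$bridge/lower_$iface/brport/hairpin_mode"
    hairpin=0
    if [ -n "$bridge" ] && [ -r "$hp_file" ]; then
        hairpin=$(cat "$hp_file")
    fi

    if [ "$isolate" != "1" ]; then
        echo direct
    elif [ "$hairpin" = "1" ]; then
        echo via-bridge
    else
        echo isolated
    fi
}
```

On the router from post #1 this would be called as `client_path /etc/hostapd/hostapd-wifi0.conf`. A `via-bridge` result means client-to-client traffic is visible to whatever filtering is applied on the bridge, while `isolated` means broadcast frames such as ARP requests never reach other clients of the same AP.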
