Clients cannot see each other

I just updated my GL-MT300N-V2 to v4.
For some reason my wireless clients cannot see each other.
For instance my phone does not see the chromecast that is connected.
Maybe I am overlooking an option in the GUI but I cannot make sense of it.
In the v2 firmware it works out of the box.
Any ideas or suggestions?

Did you manually change something in luci?

Thanks for asking.
I did not touch luci yet.

Something I omitted is that I have configured the WireGuard client on the device.
With v2 firmware there was an option to allow LAN traffic.

I did some further testing and discovered that adding a WireGuard client tunnel disables the local LAN functionality. Even when I disconnect the tunnel or delete it, the LAN does not allow devices to see each other anymore.
The only thing I can do is reset the device, and then the LAN is accessible again.
I would like to protect my internet traffic when I am traveling with a Windscribe VPN but still work with multiple devices on the LAN. With v2 firmware it worked fine, but I cannot get it to work with v4.
Is there a description somewhere that someone tested for this configuration?

Hi,
Sorry, I cannot understand what you mean by "see each other". Did you mean you cannot ping from PC to phone, or cannot see the phone online on GUI->Clients?

Correct. In this example the phone and the PC cannot see (ping) each other on the LAN IP addresses.

In my use case I want to be able to stream from a phone to a Chromecast.
Both devices have internet access through the VPN but are not able to see each other.

Have you double-checked that each device matches the LAN IP network? Something like LAN network 192.168.8.1-255. Looks like a wrong DHCP server in the system or AdGuard Home?

It can't be the problem since DNS is a completely different thing.
I run AdGuard Home myself and can still see all devices.

I agree with @admon.
The issue starts when adding the WireGuard VPN.
In a clean install the devices can ping each other on the addresses listed in the Clients section.

Could you do a tracert or traceroute between the devices? Then we might know whether the default route is not working anymore / all traffic is being redirected to the WG tunnel instead.

I did a tracert from 192.168.8.206 to 192.168.8.234 and the output is below:

Tracing route to Rob.lan [192.168.8.234]
over a maximum of 30 hops:

1 * * * Request timed out.
2 5 ms 4 ms 5 ms Rob.lan [192.168.8.234]

Trace complete.

Hmm, just a guess maybe: what is the OpenWrt version in LuCI?

What I think might be an issue is that in newer versions of OpenWrt they have a checkbox to treat multicast as unicast; by default this is off, but it might be set to on. On the OpenWrt forum some people already had similar issues like this.

You can find this if you go into LuCI, click the Network tab, click Wireless, click Edit on your affected wireless network, and then scroll down in the Advanced tab, I believe.

And is it not that the GL-iNet software sees it as the guest WiFi you are currently connected to? For newer GL-iNet firmware 4.5+ there is also guest isolation added; perhaps this is on?

I just checked. The setting is called "Isolate Clients" and it is off in my case, so that is not the problem.

My OpenWrt version is 22.03.

What I did see in the LuCI wireless settings is that of my three clients, 2 are not showing information.

I think it is best to show configurations. I would like to see:

  • firewall
  • network

And maybe some outputs of:

ip rule show
ip route show

It sounds to me that the WireGuard instance gets seen as the default gateway and does not restore functionality afterwards because it still has a wrong route; I guess there is also no internet afterwards, correct?

This can be fixed either with a priority change or with the default gateway checkbox off for WireGuard, but first I want to read the configuration to get an idea :smile:

I am not sure what I need to share about firewall and network.
Are you requesting screenshots from LuCI? If so, let me know which pages.

Internet is working fine through the WireGuard tunnel.

root@GL-MT300N-V2:~# ip rule show
0: from all lookup local
51: from all fwmark 0x100000/0x100000 lookup 51
52: from all fwmark 0x80000/0x80000 lookup 52
53: from all fwmark 0x60000/0x60000 lookup 53
1002: from all iif apcli0 lookup 2
2002: from all fwmark 0x200/0x3f00 lookup 2
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@GL-MT300N-V2:~# ip route show
0.0.0.0/1 dev wgclient scope link
default via 192.168.2.254 dev apcli0 proto static src 192.168.2.62 metric 20
128.0.0.0/1 dev wgclient scope link
192.168.2.0/24 dev apcli0 proto static scope link metric 20
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
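Added example, not code from the thread: a longest-prefix lookup over the routing table posted above. It shows why the two WireGuard split-default routes (0.0.0.0/1 and 128.0.0.0/1 on wgclient) cannot capture LAN-to-LAN traffic: 192.168.8.0/24 on br-lan is more specific, so a ping between two 192.168.8.x clients is never routed into the tunnel. The only input it assumes is the `ip route show` output quoted in the post.

```python
"""Longest-prefix route lookup over the 'ip route show' output from the post."""
import ipaddress

# Constructed copy of the IPv4 routing table quoted in the post.
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 dev wgclient scope link
default via 192.168.2.254 dev apcli0 proto static src 192.168.2.62 metric 20
128.0.0.0/1 dev wgclient scope link
192.168.2.0/24 dev apcli0 proto static scope link metric 20
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
"""


def parse_routes(text):
    """Turn each 'ip route show' line into (network, dev, via, metric).

    Only key/value attributes (dev X, via Y, metric N, ...) are handled,
    which is all the quoted table contains; bare flags such as 'onlink'
    would shift the pairing and need extra handling.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        attrs = dict(zip(fields[1::2], fields[2::2]))
        routes.append((net, attrs.get("dev"), attrs.get("via"),
                       int(attrs.get("metric", 0))))
    return routes


def lookup(dst, routes):
    """Return (dev, via) for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, via, metric in routes:
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, dev, via, metric)
    return (best[1], best[2]) if best else None


ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    # LAN peer stays on br-lan; internet destinations fall into the /1 tunnel routes.
    for dst in ("192.168.8.234", "192.168.2.10", "8.8.8.8", "200.1.1.1"):
        print(dst, "->", lookup(dst, ROUTES))
```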

For the configuration files, you could use WinSCP and connect to your router like an FTP client. Then I need /etc/config/firewall and /etc/config/network; for your WireGuard contents, you can secure these things.

So far, in your ip rule and ip route output I cannot find super strange things; the only thing that popped out a little is this:

It says default gateway for that src IP. A default gateway is actually only supposed to be for WAN, but okay, I don't think that creates the issue since the src IP is there. But maybe it could be some sort of metric issue and, instead of restoring to WAN, device apcli0 gets priority over WAN; well, if this device is not used for WAN purposes, it maybe tries to restore to a dead IP route.

The network configuration can show more insight into how the metrics are set for other interfaces.

Here are the requested settings:
Network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbb:dad4:d17a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'vlan_lan'
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan 'vlan_wan'
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_bypass_vpn'
	option mark '0x60000/0x60000'
	option lookup '53'
	option priority '53'

config rule 'policy_via_vpn'
	option mark '0x80000/0x80000'
	option lookup '52'
	option priority '52'

config rule 'policy_dns'
	option mark '0x100000/0x100000'
	option lookup '51'
	option priority '51'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_1440'
	option disabled '0'

Firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '
	option dest_port '53'
	option target 'REJECT'
	option device 'br-

	option enabled '0'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	option enabled '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

You also need a zone for lan to wan:

config forwarding 'lan2wan'
	option src 'lan'
	option dest 'wan'
	option enabled '1'

Now if the VPN goes down because you set it off, you fail over to WAN; if the VPN failed to make a connection, the kill switch should block it.

If not, then it might be a priority issue; then you should modify the metric value for WAN to be higher or lower than the WireGuard one.

Also, if communication between clients from wgclient to lan doesn't work, you might need to ignore them. PBR, an OpenWrt package by Stangri, also has this option to use an ignore rule; for GL-iNets I think it should work. This allows you to use local network IPs outside the tunnel.

Thanks @xize11 for the effort of checking the config.

The suggestions are not pointing me in the right direction.
I use repeater mode, so WWAN and not WAN.

Your hint about how to get to the config files did point me somewhere.
What I found out is that the LAN functionality stops working as soon as the following line gets into /etc/config/repeater:
option disabled '0'

As soon as the line is present ('0' or '1'), a ping request to a LAN device gives 'Destination host unreachable.'

I realize that WireGuard is just mixed into the equation and it is really an issue that starts once I 'activate' the repeater mode.