EAP615-Wall blocks all incoming and outgoing traffic from non-direct clients
Hello,
I am trying to understand why the EAP615 (192.168.12.1/24, VLAN 12 PVID, 12 untagged, 20/21 tagged on the PoE switch) cannot be pinged from my device on VLAN 19 with IP 192.168.19.1/24 (i.e. LAPTOP1). Additionally, the EAP615 cannot ping any device that is not a client of the AP (I connected a client and it got the IP 192.168.12.3/24, i.e. LAPTOP2; no VLAN is assigned to that SSID). This client can actually ping the EAP615, and the EAP615 can ping this client.
Here are my in-depth debugging findings:
After countless hours of debugging, I have connected to the AP via SSH on the client with IP 192.168.12.3/24 LAPTOP2:
/bin $ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.12.254  0.0.0.0         UG    0   0      0    br0
192.168.12.0    0.0.0.0         255.255.255.0   U     0   0      0    br0
Note: 192.168.12.254 is my gateway.
/bin $ arp -a
? (192.168.12.254) at 98:03:8e:c6:0d:c9 [ether] on br0
? (192.168.12.3) at 32:6c:ca:8a:07:c0 [ether] on br0
It correctly identifies in the local ARP table the gateway's MAC address and my client (from which I am connected via SSH).
When I try to ping the gateway, this happens:
/bin $ cliclientd pingstart '192.168.12.254 -w 1'
/bin $ PING 192.168.12.254 (192.168.12.254): 56 data bytes
--- 192.168.12.254 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
My next strategy was to try pinging a device directly connected to the gateway. I have one in VLAN 19 with IP 192.168.19.1/24, LAPTOP1. My device connected to the AP with IP 192.168.12.3/24, LAPTOP2, can ping 192.168.19.1/24 (LAPTOP1), and it also works the other way around. This means that the routes are correct.
I did this tcpdump, which brought an additional surprise:
# ON AP
/bin $ cliclientd tcpdumpstop
/bin $ killall: tcpdump: no process killed
/bin $ cliclientd tcpdumpstart "icmp and host 192.168.12.3"
/bin $ tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:25:35.953313 IP 192.168.12.3 > 17.253.150.10: ICMP 192.168.12.3 udp port 59269 unreachable, length 36
00:25:35.953346 IP 192.168.12.3 > 17.253.150.10: ICMP 192.168.12.3 udp port 59269 unreachable, length 36
# FROM 192.168.12.3/24 LAPTOP2
$ ping 192.168.12.1
PING 192.168.12.1 (192.168.12.1): 56 data bytes
64 bytes from 192.168.12.1: icmp_seq=0 ttl=64 time=6.280 ms
64 bytes from 192.168.12.1: icmp_seq=1 ttl=64 time=6.495 ms
And as a final hint on why I believe the EAP615 is blocking all incoming and outgoing connections of non-direct clients:
/bin $ cliclientd pingstart '192.168.19.1'
/bin $ cliclientd tcpdump 'icmp and host 192.168.19.1'
00:57:14.866363 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 1, length 64
00:57:14.868566 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 61445, seq 2, length 64
00:57:15.876386 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 3, length 64
00:57:15.878241 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 61445, seq 4, length 64
00:57:16.886388 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 5, length 64
And on 192.168.19.1/24 LAPTOP1 I did:
sudo tcpdump -i en6 icmp | grep 192.168.12.1
They appear with a lot of delay on my local machine, but I see the sequences with the correct ID and the correct length. However, despite all packets appearing at both ends as ICMP echo request and reply, I see this on the EAP615:
--- 192.168.19.1 ping statistics ---
20 packets transmitted, 0 packets received, 100% packet loss
This also applies the other way around: if the origin of the ping is 192.168.19.1/24 and the target is the EAP615 with IP 192.168.12.1/24, the tcpdump on the EAP615 shows all the requests but no reply.
Why do I need this?
I want to be able to manage my device over Ethernet connections, not only when the end device is directly connected to an AP. And honestly, I would also like to ping my device. I cannot dump the iptables rules because the environment is super restricted.
If someone has a clue, please let me know. At this point I am completely lost. Thanks a lot!
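The "tcpdump sees both request and reply, yet ping reports 100% loss" symptom above hinges on how ping decides a reply was received: it only counts a reply whose ICMP identifier and sequence number match a request it sent. The following Python script is an added example, not code from the post or from TP-Link; it correlates echo requests and replies from tcpdump's default line format (numeric addresses, as in the post) by (id, seq) and reports the same sent/received/loss figures ping would print. The first sample is the five capture lines pasted in the post; the second sample, with properly matching sequence numbers, is constructed here for contrast.

```python
import re
from typing import Dict, List

# tcpdump's default rendering of an echo line, e.g.
# "00:57:14.866363 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 1, length 64"
# Assumes numeric addresses (tcpdump -n, or hosts with no reverse DNS as in the post).
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Capture lines as pasted in the post (AP 192.168.12.1 pinging LAPTOP1 192.168.19.1).
CAPTURE_FROM_POST = [
    "00:57:14.866363 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 1, length 64",
    "00:57:14.868566 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 61445, seq 2, length 64",
    "00:57:15.876386 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 3, length 64",
    "00:57:15.878241 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 61445, seq 4, length 64",
    "00:57:16.886388 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 61445, seq 5, length 64",
]

# Constructed sample: what a healthy exchange looks like (reply seq == request seq).
CAPTURE_HEALTHY = [
    "10:00:00.000100 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 4242, seq 1, length 64",
    "10:00:00.002100 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 4242, seq 1, length 64",
    "10:00:01.000100 IP 192.168.12.1 > 192.168.19.1: ICMP echo request, id 4242, seq 2, length 64",
    "10:00:01.002100 IP 192.168.19.1 > 192.168.12.1: ICMP echo reply, id 4242, seq 2, length 64",
    # Unrelated ICMP (like the port-unreachable lines in the post) must be ignored, not counted.
    "10:00:01.500000 IP 192.168.12.3 > 17.253.150.10: ICMP 192.168.12.3 udp port 59269 unreachable, length 36",
]


def correlate_echo(lines: List[str]) -> Dict[str, object]:
    """Pair echo replies with the requests they answer, the way ping does.

    A reply is counted only if its (id, seq) matches an outstanding request
    and its src/dst are the request's dst/src. Returns ping-style counts plus
    the keys of requests that were never answered and of replies that matched
    nothing (the latter are what ping silently discards).
    """
    outstanding = {}          # (id, seq) -> (src, dst) of the request
    orphan_replies = []       # replies that no request accounts for
    sent = received = 0
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if not m:
            continue          # non-echo ICMP or non-ICMP lines are not part of the ping
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            sent += 1
            outstanding[key] = (m["src"], m["dst"])
        else:
            req = outstanding.get(key)
            if req and req == (m["dst"], m["src"]):
                received += 1
                del outstanding[key]
            else:
                orphan_replies.append(key)
    loss_pct = 100 * (sent - received) // sent if sent else 0
    return {
        "sent": sent,
        "received": received,
        "loss_pct": loss_pct,
        "unanswered": sorted(outstanding),
        "orphan_replies": orphan_replies,
    }


if __name__ == "__main__":
    for name, capture in (("post", CAPTURE_FROM_POST), ("healthy", CAPTURE_HEALTHY)):
        r = correlate_echo(capture)
        print(f"{name}: {r['sent']} transmitted, {r['received']} received, "
              f"{r['loss_pct']}% loss; unanswered={r['unanswered']} orphans={r['orphan_replies']}")
```

Run against the lines exactly as pasted in the post, the matcher pairs nothing: the requests carry seq 1, 3, 5 and the replies seq 2, 4, so every reply is an orphan and the result is the 100% loss the AP reports. Whether the AP really saw mismatched sequence numbers or this is an artifact of how the output was copied is something only a fresh capture with `tcpdump -n` on both ends can settle. Two caveats for anyone reproducing this: packet capture on Linux taps the interface ahead of netfilter's INPUT chain, so a reply that shows up in tcpdump on the AP can still be dropped by a firewall rule before the ping socket ever sees it, which is consistent with the symptom even when (id, seq) match perfectly; and the `ping` on LAPTOP2 succeeding while LAPTOP1 fails is not explained by this script at all, since it only checks what ping would count, not why a reply never reached the socket.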
