
Wireless clients cannot see each other from same ssid and same access point

mark.nelson
Level 1

I have a Cisco 871w wireless router/switch. I have an SSID set up and clients can connect and access network/internet resources EXCEPT for any other wireless device on the access point.

From a wireless client (iPad, iPhone, or laptop) I can ping the BVI interface.

I can ping the gateway.

I can ping anything outside of the 871w.

From outside the access point... I can ping the wireless device.

However... I cannot ping from 1 wireless device to another on the same access point.

I know there are no firewalls or access lists involved. I saw some references to making sure the bridge-group subscriber-loop-control is configured (it is by default).

I have the same problem on an 881w device as well... so I figure it must be something I am not doing.

Any suggestions?

Here is the config:

871w#sh run

Building configuration...

Current configuration : 5658 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 871w

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable password

!

no aaa new-model

!

dot11 ssid INTERNAL

   vlan 1

   authentication open

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.30.200 192.168.30.254

!

ip dhcp pool INTERNAL

   network 192.168.30.0 255.255.255.0

   dns-server 10.1.5.11 10.1.5.33

   domain-name stoops.com

   default-router 10.1.4.102

!

!

no ip domain lookup

ip domain name yourdomain.com

!

!

!        

vtp mode transparent

!

!

archive

log config

  hidekeys

!

!

!

bridge irb

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 10.1.4.102 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Dot11Radio0

no ip address

!

encryption vlan 1 mode wep optional

!

ssid INTERNAL

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root access-point

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$

no ip address

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface BVI1

ip address 192.168.30.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.1.4.253

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

access-list 23 permit 10.10.10.0 0.0.0.7

no cdp run

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

password

login

transport input telnet ssh

!

scheduler max-task-time 5000

end

871w#     

8 Replies

Ton V Engelen
Level 3

Hi,

I'm not very familiar with the wifi command set of the 871W.

Yet this seems like p2p blocking on a WiSM blade or like AP isolation on a wifi home router.

Both of these settings will prevent clients from communicating directly with each other.

So the question is how to disable this on the 871W, if at all possible.

I will try and check for a solution; I have an 871W here to test with.

Hi,

I have built a test network (with an 871W) with the same config as yours. I had no issues connecting a client to another client directly. So it's not a matter of p2p blocking or AP isolation. Some routing issue maybe?

Could it be that on the other box, there is no route back?

Thanks for following up. You are able to have 2 devices connected to the same AP connecting to each other? Could you upload the test config that you used?

There is a route back... the clients are able to get to other subnets and the other subnets can connect to the wireless clients.

Mark

Ouch

I did not save the config and shut the 871 down yesterday when I left.

I don't have much time in the upcoming weeks, but I will try to rebuild.

Anyway, what we learned is that it's not a p2p blocking issue or AP isolation issue.

That's okay... I will tear it down and rebuild it again. It has to be something I have done then.

I really appreciate your looking at it though.

Thanks

Hi

Back again.

I rebuilt your setup exactly as you posted and again the wifi clients could ping each other. So there's no need for me to upload the config I guess, as it is the same.

Btw, I run c870-advipservicesk9-mz.124-24.T7.bin (upgraded the boxes 3 weeks ago to this fw).

Maybe you can try an upgrade of the fw?

Good luck!

Btw, also check if the client firewalls are off for a test or at least allow traffic from one to another on the client firewalls.

In our test we turned them off.

Also check that Public Secure Packet Forwarding is DISABLED for the radio interface in play
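
Added example, not part of any post in this thread: on IOS-based access points PSPF is turned on with `bridge-group <n> port-protected` under the radio interface, so a saved `show run` can be checked for it offline. The function names and the second radio stanza in the sample are constructed for illustration.

```python
import re

# Constructed sample: Dot11Radio0.1 mirrors the posted config (sub-commands
# trimmed); Dot11Radio1.20 is a hypothetical radio with PSPF enabled.
SAMPLE = """\
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 port-protected
!
interface BVI1
 ip address 192.168.30.254 255.255.255.0
"""

IFACE = re.compile(r"^interface\s+(\S+)", re.I)
MEMBER = re.compile(r"^bridge-group\s+(\d+)$", re.I)
PSPF = re.compile(r"^(no\s+)?bridge-group\s+(\d+)\s+port-protected$", re.I)

def pspf_report(config):
    """Return {radio interface: {bridge group: PSPF enabled?}}."""
    report, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose indentation
        if not line or line == "!":
            continue  # "!" also appears inside radio stanzas, so it ends nothing
        m = IFACE.match(line)
        if m:  # a stanza runs until the next "interface" line
            name = m.group(1)
            current = name if name.lower().startswith("dot11radio") else None
        elif current and (m := MEMBER.match(line)):
            report.setdefault(current, {}).setdefault(int(m.group(1)), False)
        elif current and (m := PSPF.match(line)):
            report.setdefault(current, {})[int(m.group(2))] = m.group(1) is None
    return report

def isolated_radios(config):
    """Radio interfaces where PSPF blocks client-to-client bridging."""
    return sorted(i for i, g in pspf_report(config).items() if any(g.values()))

if __name__ == "__main__":
    print(pspf_report(SAMPLE), isolated_radios(SAMPLE))
```

An interface that shows `False` for every bridge group, as the posted `Dot11Radio0.1` stanza does, has no PSPF line in the config, which matches the test results reported earlier in the thread.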